Vulnerability Assessment of Secured Message and Identity Management Services in ETSI ITS C2C Communications

Abstract

The Cooperative Intelligent Transport Systems (C-ITS) is a set of applications that aim at improving road safety and traffic efficiency as well as providing environmental benefits by enabling vehicles and roadside infrastructures to communicate with each other. This type of communication is mainly based on exchanging messages containing information such as speed, location and direction sent over an ad hoc local area network. However, the privacy of the users could be impaired by an adversary intercepting the information (e.g. location and identity of the driver) used in the messages exchanged between the vehicles and other ITS stations in an ad hoc vehicular network. Further, it is necessary to fulfill security requirements such as authentication and authorization to avoid unauthorized vehicles to get access to particular applications, services or privileges that should be only accessible by authorized vehicles (e.g. claim priority rights for emergency vehicles). As an effort to validate and authorize the ITS stations in a Vehicular Ad hoc Networks (VANET), the European Telecommunication Standards Institute (ETSI) has introduced a security architecture that brings the pseudonymity, confidentiality, authenticity and integrity into the VANET communications by using Certificate Authorities (CAs) and identity management procedures. This master thesis aims at conducting a vulnerability assessment on the ETSI ITS Secured Message and Identity Management Services in ETSI ITS C2C Communications by integrating sign/verification services into an existing implementation of the ETSI ITS communication system. We also propose countermeasures to eliminate the identified vulnerabilities. The vulnerability assessments performed in this thesis identify one major flaw in the design of the ETSI ITS security protocol concerning the location of the signature in a Secured Message. Furthermore, the assessments also identify 6 software vulnerabilities in the implementation of the ETSI ITS Secured Message which can be exploited for different types of attacks such as Denial of Service and buffer overflow.