Security Issues and Solutions for Connected and Autonomous Vehicles in a Sustainable City: A Survey

Abstract

Connected and Autonomous Vehicles (CAVs) combine technologies of autonomous vehicles (AVs) and connected vehicles (CVs) to develop quicker, more reliable, and safer traffic. Artificial Intelligence (AI)-based CAV solutions play significant roles in sustainable cities. The convergence imposes stringent security requirements for CAV safety and reliability. In practice, vehicles are developed with increased automation and connectivity. Increased automation increases the reliance on the sensor-based technologies and decreases the reliance on the driver; increased connectivity increases the exposures of vehicles’ vulnerability and increases the risk for an adversary to implement a cyber-attack. Much work has been dedicated to identifying the security vulnerabilities and recommending mitigation techniques associated with different sensors, controllers, and connection mechanisms, respectively. However, there is an absence of comprehensive and in-depth studies to identify how the cyber-attacks exploit the vehicles’ vulnerabilities to negatively impact the performance and operations of CAVs. In this survey, we set out to thoroughly review the security issues introduced by AV and CV technologies, analyze how the cyber-attacks impact the performance of CAVs, and summarize the solutions correspondingly. The impact of cyber-attacks on the performance of CAVs is elaborated from both viewpoints of intra-vehicle systems and inter-vehicle systems. We pointed out that securing the perception and operations of CAVs would be the top requirement to enable CAVs to be applied safely and reliably in practice. Additionally, we suggested to utilize cloud and new AI methods to defend against smart cyber-attacks on CAVs.

1. Introduction

CAVs effectively combine technologies of sensor-based autonomous vehicles and communication-based connected vehicles, and it is anticipated that the convergence will greatly improve safety and reduce cost, emissions, and energy consumption, and change the way they are operated today. Currently, vehicles are being developed with increasing levels of connectivity and automation. Many new vehicles and aftermarket systems are already at Level 2 and approaching Level 3 and provide partially autonomous capability [1]. However, with the ascendance of CAVs, drivers undertake less control and management of the vehicle; increased automation exacerbates the security risk by increasing the possibilities for adversaries to implement a successful attack. Meanwhile, the increased connectivity of the vehicles increases the exposure of potential vulnerabilities and paves avenues for cyber-attacks. The development of CAV is inevitably facing great security threats and attack risks.

In early stages, manual vehicles are not equipped with much connectivity to the outside, therefore, hackers must have physical access to the vehicle, which causes great difficulty for hackers to perform the attack. In [2,3], the researchers showed that they could use wired connections to the vehicle to manipulate the vehicle, such as controlling the display dashboard, killing the engine, disturbing the steering, etc. However, the demonstrations do not attract much attention from the audience. In recent years, the advancement in AV technology allows diverse types of sensors to be installed on the vehicle to assist human driving. For example, Google’s driverless car utilizes more than 10 types of sensors to move autonomously on the road. However, sensors are easily affected by noise and fooled by malicious attacks, which can cause danger and accidents [4,5]. Due to people’s concerns regarding the AV reliance, many efforts have been dedicated to the studies of AV security and safety issues.

As AVs have evolved, many types of wireless connectivity technologies have been installed on the vehicle, such as Bluetooth, keyless remote entry, telematics connected to the internet, and VANET, etc. The increased connectivity not only provides more convenience and better safety for the driver, but also speeds up the development of subsequent automation. However, the expansion of vehicle connectivity exposes more vulnerabilities of the vehicle and increases the opportunities for attackers to implement cyber-attacks. Paper [6] showed that a vehicle can be compromised through a Bluetooth connection meters away from the vehicle. In [3], the authors showed that the attackers successfully hacked an unaltered Jeep Cherokee through the cellular network and then controlled the vehicle’s critical functions remotely, such as disabling the brakes and steering, etc. In [4], the authors investigated potential cybersecurity threats to both individual automated vehicles and cooperative automated vehicles. In [5], the authors surveyed cyber threats facing CAVs from three aspects of vehicles, human, and connection infrastructure. Recently, with the flourishing and advancement of IoT and sensing networks, the CAV and even Internet of Vehicles are deeply involved in intelligent transportation and smart city development. Thus, Paper [7] provided detailed analyses on characteristics, architecture, and challenges of intelligent transportation systems. Paper [8] comprehensively investigated how the smart city development imposes precedented security and privacy challenges on intelligent transportation and intelligent infrastructures, such as smart parking, intelligent navigation, and electrical vehicle charging, which illustrates the obstacles of widely deploying CAVs.

Clearly, CAVs face great security risks. Although much effort has been dedicated to identifying security vulnerabilities and recommending potential mitigation techniques for AVs and CVs, respectively, there is still an absence of in-depth and comprehensive research to study how cyber-attacks can exploit the vulnerabilities of CAVs to negatively impact the physical operation and performance of CAVs. Therefore, the purposes of the work are to thoroughly investigate the potential vulnerabilities and security issues of CAVs from the viewpoints of individual autonomous vehicle technologies (e.g., sensors, in-vehicle systems) and connected vehicle technologies, and accordingly, to identify the negative impacts of cyber-attacks on the physical operation and performance of CAV from the perspectives of intra-vehicle systems and inter-vehicle systems. The work aims to create a future roadmap for CAV development and deployment. Figure 1 shows the cyber-attacks on CAV. The main contributions of the paper are as follows:

(1)

A summary of the security issues and solutions for AVs associated with different sensors, controllers, and in-vehicle networks.

(2)

An investigation of the connectivity technologies of CVs and analysis of their advantages and applications in CAVs, as well as identifying the security issues of each type.

(3)

An analysis of the impact of cyber-attacks on CAVs: cyber-attacks on intra-vehicle systems to impact the individual CAVs and cyber-attacks on vehicle connectivity to impact the cooperative CAV.

(4)

Proposed future directions to enhance the CAV security.

The paper is organized as follows. As AVs highly depend on the various sensor technologies and in-vehicle systems to perform perceptions and actions, these sensors and in-vehicle systems expose vulnerabilities to malicious agents. Thus, we first summarized the security issues and solutions of sensors and in-vehicle systems in Section 2. Then, besides the individual AV technologies, CAVs also utilize various communication and connection technologies to achieve autonomous driving and cooperative driving. Thus, we extended the investigation of the main connectivity technologies in CVs and analyzed the security issues exposed by these various types of connectivity technologies in Section 3. With AV and CV technologies further converging and composing the entire CAV to constitute a vehicular cypher-physical system (VCPS), including intra-vehicle and inter-vehicles systems, we deeply analyzed cyber-attacks on VCPSs in Section 4. Finally, in Section 5, we discussed the future work and directions. Section 6 concludes the work.

2. Security Issues Facing AVs and Solutions

For a manual vehicle, the driver perceives the environment and takes control actions, while an autonomous vehicle mainly relies on diverse types of sensors to perceive the environment. Specific types of sensors include cameras, lidar, radar, GPS, tire pressure measure sensors (TPMSs), inertial measurement units (IMUs), engine control sensors, etc. Currently, some of these sensors have been installed on manual vehicles to assist drivers and achieve partially autonomous driving. However, all these sensors have vulnerabilities and can be attacked by malicious adversaries. Due to the high reliance on sensors, AV faces great security threats. In addition, a vehicle used to be separated from the outside world, thus, almost no security mechanisms have been adopted for the in-vehicle system (i.e., in-vehicle networks and electronic control units (ECUs)). In this section, we mainly investigate the security issues facing an AV, including sensors, in-vehicle networks and ECUs and summarize existing workable solutions. Figure 2 presents the security issues facing an individual AV.

2.1. Sensors

The type and functionality of a sensor determines the extent to which it could contribute to scoping out secure threats, as well as the extent to which it could inform potential implications should it be compromised [5]. Table 1 summarizes the applications, security issues, and the corresponding solutions for common sensors mounted on AVs.

For partially autonomous vehicles, sensors only assist the driver to obtain some information and the vehicle is still monitored and controlled by the driver. Even for Google’s driverless car that operates autonomously at most times, the driver will take over of control immediately if the automation system cannot process dangerous situations. Therefore, the impact of attacks on these sensors may be mitigated by the driver’s surveillance or management. Even so, autonomous vehicles significantly depend on these various types of sensors to perceive the surroundings and the status of the vehicles to assist driving or automatically drive by itself. For example, Paper [9] utilized multiple sensors such as radar, LIDAR, and cameras to perform autonomous lane changing. Paper [10] reviews vision-based autonomous driving systems. Paper [11] proposes an effective empirical formula solution to assist autonomous driving in a GPS-denied environment. Paper [12] provide a survey on intelligent tires for tire–road interaction recognition. Paper [13] proposed a localization system for autonomous driving using gyroscopes and accelerometers. In the future, fully autonomous vehicle will completely operate without driver involvement. Thus, attacks on these sensors will cause serious issues, and calls for more attention.

Table 1. Security issues and solutions of sensors mounted on AVs.

Type	Application	Security Issues	Solutions	References
Camera	Interprets objects/signs. An array of cameras to provide 360 views, while stereo-cameras can extract extra depth information.	Extra light from other sources may decrease the sensitivity of the sensors; intense light (e.g., laser, IR LEDs) can directly blind/blaze the sensors.	(1) Camera filter to prevent blinding. (2) Installation of multi-cameras to improve the detection. (3) Fuse with other sensors to improve the accuracy of detection.	[4,5,9,10,14,15,16,17]
Lidar, radar, and ultrasonic	Lidar provides a “3D” map of the surrounding environment and depth perception. Radar detects obstacles and measures distances in bad weather conditions/low light situations. Ultrasonic assists short-range detection.	Spoofing, jamming, saturation, cancellation attacks, and replay attacks.	(1) Tunable wavelength emission and random probing to disturb the attacker. (2) Data fusion from other sources, such as V2V communication, to correct the measurement errors.	[4,5,9,18,19,20]
GPS	Provides real-time position data of the vehicle through the connection with multiple satellites.	Spoofing, jamming.	(1) Validation to prevent spoofing. (2) Other types of sensors are integrated to correct the data or maintain reliable navigation services, such as IMU.	[11,21,22]
TPMS	Measures the pressure of each tire and provides real-time information to the vehicle system.	Eavesdropping, packet spoofing, vehicle tracking, message forgery.	(1) Encrypting packets to defend against eavesdropping and spoofing. (2) Reliable software design and detection mechanisms.	[12,23]
Inertial measurement units	Includes gyroscopes, accelerometers, etc., to provide velocity, acceleration, and orientation data to the control system.	Data modification and injection attacks, DoS. Typically, attacks need physical access to the sensor to interfere with its readings, or alternatively to intercept communication between the sensor and control unit.	(1) Using encrypted communication on a vehicle’s network. (2) Monitor signals within regular tolerance. (3) Using secondary sensor data to correct measurements. (4) Implementation of cryptographic solutions to ensure data integrity and its authenticity.	[2,5,13,18]
Engine control sensor	Includes temperature, air flow sensors, etc., to acquire performance data to adjust engine conditions.

Table 1. Security issues and solutions of sensors mounted on AVs.

Type	Application	Security Issues	Solutions	References
Camera	Interprets objects/signs. An array of cameras to provide 360 views, while stereo-cameras can extract extra depth information.	Extra light from other sources may decrease the sensitivity of the sensors; intense light (e.g., laser, IR LEDs) can directly blind/blaze the sensors.	(1) Camera filter to prevent blinding. (2) Installation of multi-cameras to improve the detection. (3) Fuse with other sensors to improve the accuracy of detection.	[4,5,9,10,14,15,16,17]
Lidar, radar, and ultrasonic	Lidar provides a “3D” map of the surrounding environment and depth perception. Radar detects obstacles and measures distances in bad weather conditions/low light situations. Ultrasonic assists short-range detection.	Spoofing, jamming, saturation, cancellation attacks, and replay attacks.	(1) Tunable wavelength emission and random probing to disturb the attacker. (2) Data fusion from other sources, such as V2V communication, to correct the measurement errors.	[4,5,9,18,19,20]
GPS	Provides real-time position data of the vehicle through the connection with multiple satellites.	Spoofing, jamming.	(1) Validation to prevent spoofing. (2) Other types of sensors are integrated to correct the data or maintain reliable navigation services, such as IMU.	[11,21,22]
TPMS	Measures the pressure of each tire and provides real-time information to the vehicle system.	Eavesdropping, packet spoofing, vehicle tracking, message forgery.	(1) Encrypting packets to defend against eavesdropping and spoofing. (2) Reliable software design and detection mechanisms.	[12,23]
Inertial measurement units	Includes gyroscopes, accelerometers, etc., to provide velocity, acceleration, and orientation data to the control system.	Data modification and injection attacks, DoS. Typically, attacks need physical access to the sensor to interfere with its readings, or alternatively to intercept communication between the sensor and control unit.	(1) Using encrypted communication on a vehicle’s network. (2) Monitor signals within regular tolerance. (3) Using secondary sensor data to correct measurements. (4) Implementation of cryptographic solutions to ensure data integrity and its authenticity.	[2,5,13,18]
Engine control sensor	Includes temperature, air flow sensors, etc., to acquire performance data to adjust engine conditions.

2.2. In-Vehicle Network

In-vehicle networks are composed of diverse types of bus systems, mainly including CAN, LIN, FlexRay, and MOST. Due to the specific characteristics of each type of bus system, each type possesses distinct vulnerabilities [24]. These bus systems connect diverse types of ECUs together, therefore, any type of bus controller can send messages to any other existing ECU. Among these bus systems, the CAN bus works as the backbone of the in-vehicle network to receive many control messages and deliver them to the corresponding ECU. Therefore, we analyzed the security issues of CAN. Typically, the CAN bus can be categorized into two types: CAN-C and CAN-HIS buses; each of them is designed with distinct functions. Due to the lack of encryption, authentication, and authorization on the CAN bus, all messages on the bus are transmitted in plaintext; neither source or destination address is included in the message format. Therefore, attacks on the CAN bus include eavesdropping and traffic analysis, jamming and DoS, and malicious modification or injection. For attacks aimed at manipulating certain functions of a vehicle, such as steering and braking, the attacker needs access to the CAN bus and to modify messages on the CAN bus or directly inject malicious messages into the bus. In the past, the in-vehicle system was sealed from the outside and the CAN bus can only be accessed on special occasions with the help of special tools; for example, the maintenance technician uses an OBD-II scanner to diagnose the system. Recently, the increased connectivity of vehicles increased the chances that the in-vehicle network is accessed, which exposed the CAN bus to more types of attacks. For example, the attack successfully accessed the CAN bus and sent messages on the bus remotely from the cellular connection [3].

Much work has been undertaken to boost CAN bus security. Generally, these measures can be categorized into two types: (1) cryptography [24,25,26,27], which originated from (a) controller authentication and (b) message encryption; and (2) firewall and physical separation.

(1a) Authentication requires that only authorized controllers can communicate over the bus systems. A general way to ensure authentication combining unsymmetrical and symmetric keys is presented in [24]. (1b) Encryption of the CAN message typically involves the data field [27]. The sender and receiver ECUs synchronously manage a sequence number. The sender can use the number and encryption algorithm, such as AES-128, to generate cipher text. After receiving the message, the receiver can decrypt the message and verify the source. In practice, implementing a real-time cryptographic solution can cause an overhead of extra computation and data transfer time. Thus, a clear trade-off between security, functionality, and efficiency should be taken into consideration.

(2) Firewall and physical separation. An effective way to prevent malicious attacks through an OBD-II port is to set up a firewall on the central gateway to filter the outside communication between the port and inside network [28,29]. However, implementation of a firewall usually requires more cost, and results in communication overhead, which should be within the consideration of the design. Physically separating the infotainment system from the main system inside networks can prevent certain types of attacks. The messages as well as the multimedia interfaces should be forbidden from interfering with the main system during normal driving operation. However, considering that several functions and components cooperate with each other to implement a complicated module, concerns regarding separation exist that the complicated operations on vehicles will be impacted.

2.3. Electronic Control Unit (ECU)

The ECU is a kind of embedded system in a vehicle used to monitor the real-time state of the corresponding component and feedback the status parameters to the bus system. Meanwhile, the ECU processes the information exchanged from the bus system and takes control of operations to adapt the vehicle’s behavior. The number of ECUs ranges from about 40 in compact cars to about 90 in luxury cars. According to their functions, ECUs are loosely categorized into four types: powertrain, chassis, infotainment, and body control [30]. There are some key ECUs, such as EBCM, playing a critical role in manipulating a vehicle’s behavior; compromising them will directly kill the vehicle and endanger the driver’s safety [31]. In practice, many ECUs are coupled with each other to achieve some complicated control functions [5]. Thus, attacking a single ECU has the potential to impact large control functionality of the vehicle.

Attacks on ECUs might result from compromising a vehicle’s sensor network or exploiting the control module directly through diverse types of connectivity. As Paper [32] provided, a comprehensive guide of ECU vulnerabilities regarding different attack surfaces exist in many popular vehicles in the U.S. Specific attacks on ECUs include fuzzing, phishing, DoS [5], etc. A fuzzing attack aims at finding vulnerabilities by sending random packets to the ECU. Phishing attacks involve masquerading a trusted entity to gain sensitive information and compromise the system. The driver might be tricked by the phisher into flashing the firmware, which will cause permanent damage. In most cases, a fuzzing attack is the first step in creating a phishing attack. Typically, ECUs are configured when a vehicle is manufactured, and have a long lifetime. Therefore, other exploits on ECUs involve overwriting firmware and flashing ECU [31]. The firmware can be modified or replaced by performing a physical and valid update via an OBD port. Recently, an ECU update over the air (OTA) has been proposed [33,34], which would expose more security risks.

Table 2. Summary of the security issues and solutions for the CAN bus and ECUs.

Components	Application	Security Issues	Solutions
CAN bus	(1) CAN-C: high-speed bus that connects the engine, brakes, airbags etc. (2) CAN-HIS: low-speed bus that connects the comfort systems and climate controls.	(1) Eavesdropping and traffic analysis. (2) Jamming and DoS. (3) (3) Malicious modification and injection.	(1) Strong authentication between different entities, including exterior devices. (2) Message encryption.
ECUs	(1) Powertrain. (2) Chassis. (3) Infotainment. (4) Body control.	(1) Monitor the real-time state of the corresponding component. (2) Control the components.	(1) Fuzzing, phishing, DoS, etc. (2) Overwriting firmware and flashing ECUs.

also lists the security mitigations: (a) The use of Message Authentication Codes (MACs) and other cryptography solutions are investigated in [6]. (b) In practice, a dedicated hardware for encryption purposes, known as a hardware secure module (HSM), can be used to perform sophisticated cryptography [30]. HSM usually cannot be tampered with or harmed by external attacks. Therefore, it can be adopted in each ECU to securely store confidential private keys, to trustworthily calculate the reputation of other ECUs, to perform digital signature generation and verification, or to manage the certificate. (c) In the future, if updating ECUs over the air is widely adopted in various models, the mitigation of vulnerabilities in the process should be implemented in each step from the update center, wireless transmission path, and target vehicle.

Table 2 summarizes the security issues and solutions for the CAN bus and ECU. As we mentioned, either the CAN bus or the ECU was well sealed from the outside in the past. Attackers must have physical access to the in-vehicle system to implement the attacks, which is not an easy task. However, increased connectivity exposes the vulnerabilities of these components to remote cyber-attacks and imposes severe security threats on the in-vehicle system.

3. Security Issues Facing CVs and Solutions

CVs adopt wireless communication to allow vehicles, roadside units, and mobile devices to communicate with each other and exchange critical information. In essence, CV is a kind of distributed system and imposes severe security and privacy challenges. It is anticipated that vehicle connectivity coupled with AV will revolutionize transportation systems, improve safety, and reduce costs, emissions, and energy consumption. In fact, the adoption of diverse types of vehicle connectivity on AV enables the exposure of potential vulnerabilities of the vehicle and results in a heightened risk of cyber-attacks on the CAV.

CVs incorporate multiple specific types of wireless communication to provide the information needed to implement vehicle-to-everything (V2X) applications, such as vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), vehicle-to-pedestrian (V2P), vehicle-to-sensor (V2S), etc. Figure 3 shows the various communications of CV in the future. The Vehicular Ad Hoc Network (VANET) adopts Dedicated Short Range Communication (DSRC) to enable V2V and V2I. The cellular network is gradually standardized using 3GPP to support Cellular-V2X (C-V2X) services [35]. Bluetooth can be considered in V2P due to its energy-saving properties. Wi-Fi also satisfies some types of V2X communications with the advantages of low cost and the ease of deployment. However, all these communications have their own vulnerabilities and face some security issues. Therefore, in this subsection, we investigate the security issues facing these communications of CVs and identify some open issues for these communications if any of them are applied in CAVs.

3.1. Bluetooth

Bluetooth is a type of short-range communication (typically tens of meters) and was proposed to be applicable for the communications of CVs in some certain situations. For example, at a traffic intersection, Bluetooth can be used for connecting vehicle communication to avoid potential accidents [36]. Another scene is that Bluetooth may be applicable to V2P communication due to its low energy consumption, considering that pedestrian users in V2P usually have the limit on power saving of the device. However, as Bluetooth is natively developed for short-range low-speed transmission, it would be challenging when it is applied in highly mobile vehicles’ communication, which has the requirements of high transmission data.

In recent years, a few techniques have even been used to enhance the security of Bluetooth communication, including frequency hopping, a pre-shared key for authentication, and encryption [37]. Even so, some security risks cannot be avoided, yet, when Bluetooth is used in vehicles’ connectivity. Table 1 lists the applications and potential security issues of Bluetooth. In nature, how to handle the native security risks caused by the frequent iteration, various versions of Bluetooth, and pairing methods would be challenging. As a matter of fact, the reason why Bluetooth is so convenient to use in the first place is that it constantly broadcasts information such that nearby devices can be alerted to its presence. Thus, setting the Bluetooth device to “undiscoverable” mode would be a securer measure.

Bluetooth devices can form piconets, and multiple piconets through sharing the same devices can join to form a scatternet. If an entity is compromised, it is possibly going to infect other piconets or the scatternet, which finally damages multiple entities in the V2X connection. In addition, the MAC address of a Bluetooth device is usually unique and traceable, which may expose the vehicle to traceability attacks [6]. Even though a Bluetooth PIN is used between the paired Bluetooth devices to implement authentication, it is vulnerable to brute-force decryption, interception, and injection of a fake PIN [38]. What is worse, the compromised device can inject malicious messages into the paired vehicle and damage its functions. In [39], the authors showed how a user device connected to a vehicle through Bluetooth launches an attack on the vehicle. In [40,41], the authors investigated how Bluetooth-enabled devices are extremely vulnerable within and beyond the vehicle domain.

3.2. Wi-Fi

As another type of short range communication, Wi-Fi satisfies some types of V2X communications with the advantages of low cost and the ease of deployment [42]. In [43], Wi-Fi and WiMax provide viable solutions for V2V and V2I communications. Some researchers even suggested using Wi-Fi directly to facilitate the relaying of information from one vehicle to another [44,45,46]. The built-in Wi-Fi module or Wi-Fi enabled mobile device in a vehicle allows the vehicle to approach the internet when it is moving into the coverage of Wi-Fi hotspots, which is referred as the Drive-Through Internet. With the increasing deployment of the urban-scale WLAN (i.e., Google Wi-Fi in the city of Mountain View), the Drive-Through Internet would rapidly increase, which could provide a complementary solution to V2X with low cost. In actual design, some technologies are applied to enhance Wi-Fi capabilities to fit the high-speed and secure requirements of vehicular communications, such as Multiple-Input Multiple-Output (MIMO). Recent advances in Passpoint/Hotspot 2.0 provide Wi-Fi with some secure connectivity [47], which makes Wi-Fi more competitive in V2X communications.

Even so, Wi-Fi was not originally designed for a high-mobility environment; the stringent V2X service requirements impose some challenges on the reliability, robustness, and security of Wi-Fi-based V2X connectivity [48,49].

Table 3. Comparison of Bluetooth and Wi-Fi in connected vehicles.

	Application	Attacks	Existing Enhancement	Open Issues
Bluetooth	V2P and specific scenarios with low density and low speed of vehicles (e.g., rural roads).	Pin interception. Injection of fake pin. Traceability attack. Infection attack.	Strong PIN authentication. Frequency hopping. Pre-shared key for authentication and encryption.	Security risks caused by frequent iterations of versions. Security risks caused by different pairing modes.
Wi-Fi	Built-in or brought-in. Scenarios: V2V, V2I, V2P, etc.	DoS, cracking, rekeying, karma attack, etc.	MIMO to improve transmission. Passpoint/Hotspot 2.0 provide Wi-Fi with security, WPA 2.	Long establishing time, including association, authentication, etc. Unsecure mode (e.g., WPA 2 is cracked).

lists the applications and potential security issues of Wi-Fi. In terms of security, high vehicle mobility yields a very short connect time to the AP, while Wi-Fi communication usually requires a long establishing procedure. Time spent in Wi-Fi association, authentication, and IP configuration before actual data transmission cannot be negligible. For instance, if cryptography (i.e., Wi-Fi Protected Access, WPA) is applied in Wi-Fi communication, it will generate a considerable delay, up to 250ms, which is fatal to the safety-related application in VANET. In addition, Wi-Fi is typically set as the “discoverable” mode for users’ search and connection as Bluetooth, thus, it requires a large bandwidth to guarantee the high transmission, which provides opportunities for attackers to launch attacks such as cracking, DoS, and karma attack [50]. Especially, with security-enhanced WAP2 being cracked recently [28], it must raise more attention and research efforts to enable Wi-Fi in connected vehicles’ communication.

3.3. Cellular Network

Cellular networks are considered a potential source that can guarantee the mobility and seamless connection in V2V and V2I. Existing solutions to connect vehicles together through widely deployed cellular infrastructure can be divided into two modes: brought-in and built-in [49]. The brought-in connectivity refers to that users in a vehicle tether their own smart phone to the vehicle’s infotainment system such that the vehicle gains immediate access to the internet and some duplicate functions of a smartphone. Incidentally, built-in connectivity integrates the cellular module into a vehicle’s on-board infotainment system, and the internet connection relies on a built-in module. C-V2X is a part of the overall 3GPP process to advance cellular systems from 4G to 5G technologies. Starting from Release 14 published by 3GPP, the LTE Direct and LTE broadcast laid the foundation for C-V2X, while after Release 16+, the 5G technology built new capabilities for C-V2X networks and augmented C-V2X direct communications over time [51,52]. As Khanh, Quy Vu et al. highlighted in [53], the power of 5G enables cellular and mobile communication networks to connect to hundreds of billions of devices with extreme-high throughput and extreme-low latency, including IoT, smart-connected vehicles, smart cities, smart agriculture, smart retail, and intelligent transportation systems. Built on many existing cellular infrastructures, the C-V2X service covers large areas, and has a high penetration rate and low cost to potentially support the high-bandwidth demands and QoS-sensitive requirements of vehicular applications.

C-V2X defines multi-types of services, including V2V, V2P and V2I, and V2N, and two modes of transmission, including network-based communication and direct communication [54]. It is also designed for both in-coverage and out-of-coverage services. C-V2X direct communications can support active safety and enhance situational awareness by detecting and exchanging information using low-latency transmission in the 5.9 GHz ITS band for vehicle-to-vehicle (V2V) as well as V2I and V2P scenarios. In practice, C-V2X needs to address some technical challenges, such as a high Doppler effect, resource scheduling, and synchronization [55].

Concerning security, C-V2X imposes some specific requirements on current cellular networks [56,57]. Currently, the security key in cellular networks is priori-configured. Future direct communication between two vehicles should communicate without having to be provisioned with a shared key; D2D communications cannot rely on pre-shared pairwise keys. More importantly, pre-shared keys alone cannot provide a non-repudiation service. Therefore, the receiver needs a way to verify whether the received message was transmitted from a trusted entity. Secondly, no integrity protection on application layer messages is provided in current communication between the user and network or D2D communication. Confidentiality for safety messages can be ignored, but strong integrity is paramount. Hence, none of the measures implemented in current cellular security are applicable. Thirdly, user privacy in C-V2X must be well considered. As cellular infrastructure and core networks are under different operators’ domains, privacy from the network entities needs attention. On one hand, the link between user and network is established based on its cellular subscriber identifier; on the other hand, the messages sent by vehicle devices usually contain application layer data, such as the exact geographical coordinates, the granularity of which is much finer than the cellular-site level device tracking presently. Therefore, it is possible that the operator can correlate the exact location with the vehicle’s cellular subscriber identifier. Therefore, a solution that allows no network entity to be able to correlate the V2X messages with a vehicle is needed.

Table 4. Features of V2X communications and potential issues.

	Services	Transmission Mode	Advantages	Open Issues
C-V2X	V2V, V2P, V2I, V2N	(1) Network-based communication. (2) Direct- communication.	(1) Large coverage and support for high mobility. (2) High market penetration. (3) High capacity and bit rate.	(1) Direct secure communication without a priori configuration of keys by the network is needed. (2) Integrity protection on application layer messages. (3) Privacy protection of location.

summarizes the C-V2X features and security issues.

3.4. VANET

VANET (vehicular ad hoc network) is built on Wireless Access for Vehicle Environment (WAVE) and specifies a 5.85~5.925 GHz frequency band dedicated for vehicle communication. VANET natively supports V2V and V2I communications in the ad hoc mode, and enables efficient information exchange among vehicles, other end devices and public networks, and thus it plays a critical role in road safety and infotainment, self-driving systems, and intelligent transportation systems [58]. However, the drawbacks of VANET also include the prohibitive cost to construct new infrastructures, scalability issues, and the lack of deterministic quality of service guarantees, etc. Due to the high mobility of vehicles, there is a short communication time between a vehicle and the other entity. Therefore, VANET requires low communication delay and low tolerance for errors. Much work has been dedicated to the specific security vulnerabilities of VANET and possible solutions due to its importance to the improvement in traffic safety [59,60,61], which is shown in Figure 4. Thus, we will focus on the remaining issues.

3.4.1. Efficient Authentication with Privacy Preservation and Key Management in Group Signature

Authentication is the primary step to ensure security in VANET, and much existing work proposed different techniques to provide authentication in VANET [29,62,63,64]. Usually, the symmetric key method is significantly faster than the digital signatures; however, the symmetric key method cannot provide non-repudiation [65]. Unsymmetrical keys can provide authentication and non-repudiation, but they may cause computation complexity and communication overhead [66], as well as privacy exposure [67]. Therefore, efficient unsymmetrical authentication with privacy preservation is needed. In recent years, group signature has been applied in VAENT to protect a vehicle’s anonymity besides authentication [68,69]. The main limitation of this approach is the computation complexity and communication overhead to distribute group keys [69,70]. In addition, a manager is needed to distribute the key to a new member when it joins the group or revoke the key when the member leaves. Invalid and malicious signers should be identified in time, while forward privacy should be protected at the same time [71,72]. Therefore, how to manage the key in a group signature is still challenging.

3.4.2. Privacy Protection and Effective Pseudonym Change Strategy

Privacy protection (e.g., vehicle’s location and trajectory) has been a top challenge in VANET [73]. Many approaches have been proposed to implement effective strategies of pseudonym changing [74,75,76,77,78]. However, the simple changing of a pseudonym is not sufficient to defend against pseudonym linking attacks, especially semantic linking, which can predict the next position of a vehicle and link the vehicle’s new pseudonym and the original one [79]. Currently, encryption or radio silence is suggested to defend against the semantic linking attack. However, encryption is ineffective against internal passive adversaries [74], and radio silence may negatively affect safety-related applications in VANET [80]. Therefore, a highly effective and reliable pseudonym change strategy is still needed to protect a vehicle’s privacy from semantic linking attack. In addition, a unified framework and metric is needed to quantify the privacy protection level, which will contribute to evaluating new privacy protection mechanisms [81,82,83].

3.4.3. Trust Management and Enhancement

Trust usually works as a complementary defense to cryptography in some specific situations. Specifically, trust mainly deals with inside attackers (e.g., passive attacks) and has little negative impact on message treatment and transmission delays, and thus, can be applied in both delay-sensitive and delay-tolerant traffic [84,85]. Even so, some issues should be considered when applying trust management in VANET security. Most exiting models assume that the adversary has stable and continuous behavior. However, smart attacks (e.g., an insider user becomes malicious) may become aware of the trust rule and can alternate between legal and illegal behaviors. Therefore, new trust models should adaptively detect such types of ‘unstable’ dishonest behaviors or entities. On the other hand, how to handle the location and identity privacy while ensuring efficient and reliable message dissemination is still one of the open issues in existing models [84].

3.4.4. RSU Assisted Security and RSU Power Abuse

Within the communication range of an RSU, multiple vehicles nodes may communicate with its neighbors via V2V or via V2I through RSU. As a result, the nodes will contend for the radio resources of the single RSU. When traffic density and message dissemination increase, the RSU may become saturated. Therefore, it is critical to make the communication near the RSU both secure and scalable. In practice, a challenging scheduling problem arises when RSU serves as a centralized scheduler for all the nodes within its coverage. On the other hand, RSU will possess great power to allocate resources to different nodes. It registers much private and secure information of each node within its range. Therefore, valid measures should be taken to block the power abuse of RSU, to prevent RSU from unfairly allocating resources to a certain node, and to maliciously invade or disclose the privacy of a node within its range.

Either C-V2X or VANET represents a promising solution to support V2X communication. At the moment, VANET has the advantage. The 5.9 GHz band made available in the U.S. more than a decade ago remains reserved for it, the EU also intended to make 802.11p the basis of the radio standard for safety-related messages between vehicles within ITS-G5. However, Qualcomm, which supports DSRC and offered second-generation 802.11p DSRC chips in the past, introduced its first C-V2X commercial solution in 2017; China appears ready to mandate C-V2X for C-ITS and safety-related services. No matter which one will become the standard to support V2X finally, the security issues in both types of networks should be well considered before they are widely developed to support CAV application.

Table 5. Comparisons of features and security issues between C-V2X and VANET.

Feature	C-V2X	VANET
Capacity	High	Medium
Mobility	Very high (support speed up to 350 km/h)	Medium
Coverage	Ubiquitous	Medium
Delay	Goal is 100ms (C-plane) and 10 ms round-trip and 5 ms (U-plane)	Goal is 100ms (safety-critical application) and 500ms (non-safety-critical application)
V2I support	Native, due to the centralized architecture with enhancements	Yes, only intermittent and short-lived connectivity
V2V support	Potential, through D2D extension	Native, through extensions in MAC protocols
Network infrastructure	Adopting existing cellular infrastructure for V2I communications	Requiring high investment on network backbone devices
Security issues	(1) Direct secure communication without a priori configuration of keys by the network is needed. (2) Integrity protection on application layer messages. (3) Privacy protection of location and operator power abuse.	(1) Efficient authentication with privacy preservation and key management in group signature. (2) Privacy protection and effective pseudonym change strategy. (3) Trust management and enhancement. (4) RSU assisted security and RSU power abuse.

summarizes the features and security issues of C-V2X and VANET. As analyzed above, they possess different features and face different security issues accordingly. For example, as C-V2X potentially supports direct V2V communication, the direct secure communication without a priori configuration of the keys network is needed to benefit the network’s security and efficiency. On the contrary, VANET natively supports V2V and V2I, but requires efficient authentication with privacy preservation and key management in group signature to achieve multi-vehicles’ secure and efficient communication. Meanwhile, due to the risk of C-V2X being exposed to operators, the privacy protection (e.g., vehicle’s location) and defense against operator power abuse will be indispensable. Accordingly, as VANET deep involves RSU or other infrastructure in its deployments, the security and power abuse of RSU or infrastructure need to be well considered. Moreover, since vehicular connectivity significantly increases, VANET produces an ever-increasing amount of data and it will impose significant challenges on the efficient, reliable, and secure data transmissions and processing in VANET and calls for further attention [58].

4. Security Issues and Solutions for CAVs

With the convergence of AV and CV technologies, the future CAV is essentially the most complex large-scale cyber physical system composed of advanced sensing, computing, communication, and control systems. The security vulnerabilities and implications of both AV and CV technologies and their combination impose significant challenges in such a safety-critical system. Although the general security issues facing AVs and CVs have been relatively well studied in the previous two sections, there is still an absence of systematic analysis to indicate the impact of cyber-attacks on the physical performance and operations of CAV. In the subsection, we will focus on how cyber-attacks exploit the vulnerabilities of vehicles and impact the performance of CAV.

Cyber-attacks on CAVs can be analyzed from two angles: the intra-vehicle and the inter-vehicle. Typically, the intra-vehicle system focuses on individual vehicles and combines the in-vehicle networks with other components (e.g., actuators) into a tight system to improve the kinetic performance of the single vehicle, while the inter-vehicle networks involving multiple vehicles and the traffic flow are designed to optimize traffic dynamics and inter-vehicle networking performances based on their tight interaction with each other. For intra-vehicle systems, increased connectivity exposes the inherent vulnerabilities of the system. Therefore, cyber-attacks can exploit the vulnerability to impact the operation of the vehicle. For example, cyber-attacks can inject malicious messages into the in-vehicle network remotely to directly manipulate certain functions of the vehicle, such as braking and steering, which may directly threaten the vehicle’s safety. For inter-vehicle systems, the control performance and dynamics of the system highly depend on the communication performance. Cyber-attacks can impact cooperative vehicle dynamics and traffic flow by jamming or spoofing the inter-vehicle communication. Therefore, we will analyze these two types of cyber-attacks and their impact on the performance of CAV as well as identify some open issues in current research.

4.1. Cyber-Attacks on Intra-Vehicle Systems

4.1.1. Models of the Attacks

Cyber-attacks indicate that the attacks on the vehicle are launched through physical/wireless connection to the vehicle. Some entry ports on vehicles to the intra-vehicle system to enable a wide range of services exist, including support for self-diagnostics, media play, etc. In the early stage, attacks must have physical connectivity to the vehicle, such as using a USB stick or an OBD-II scanner [2,6,27], which limits the implementation of the attacks.

CVs enable diverse types of wireless connectivity on intra-vehicle systems; thus, cyber-attacks can be implemented remotely. In [2], two vehicles are connected through the wireless communication of two laptops. In the victim vehicle, the laptop running CARSHARK is connected to the vehicle’s CAN bus through an OBD-II port; in the attack vehicle, another laptop transmits commands to the victim vehicle to manipulate its body control module, engine control module, etc. Most modern vehicles provide Bluetooth ports or Wi-Fi hotspots to outside devices. Cyber attackers can directly pair with the vehicle or crack a device which has joined the Wi-Fi hotspot. Typically, the range of such cyber-attacks is quite short, approximately tens of meters. Due to the large coverage areas and high-penetration-rate cellular networks, some researchers exploited the cellular networks to perform remote cyber-attacks. In [3], the researchers provided a “super-remote” connection (between Pittsburgh and St. Louis) to compromise an unaltered vehicle through a cellular network. Currently, vehicles are gradually installed with VANET communication modules, which allows vehicles to communicate with other vehicles or infrastructure even without a base station. This would provide much convenience for attackers to launch cyber-attacks on inter-vehicle systems in the future.

Figure 5 presents the general model of cyber-attacks on intra-vehicle systems. Essentially, cyber-attacks on intra-vehicle systems involves manipulating messages on intra-vehicle networks, especially the CAN bus, to control the physical functions of the vehicle remotely. Therefore, the attacker needs to identify the address of the vehicle first and has access to a communication module on the system via physical/wireless connectivity. Then, the attacker needs to compromise the communication module, typically by modifying the files on the module. For certain types of vehicles, the compromised communication module is connected to the CAN bus, which allows an attacker to manipulate a CAN message to affect the control functions of the vehicle. For some types of vehicles, the communication module does not connect to the CAN bus, which will require more efforts of the attacker to compromise another module which has the ability to send messages to the CAN bus. After all these things are achieved, attackers can launch a real cyber-attack on the intra-vehicle system [32]. The remote attack surfaces, internal network structure, and computer-controlled features of several popular vehicles’ patterns on the U.S market were investigated.

4.1.2. Attack Impacts on Intra-Vehicle Systems

It is typically the first step that cyber-attacks remotely compromise a module of a vehicle. To successfully manipulate specific operation functions of the vehicle, attackers need to further determine the proprietary nature of different messages on the network, which usually involves the reverse engineering of ECU firmware. This is also why attacks on intra-vehicle systems can cause considerable damage to the vehicle. They directly tampered the control message on the system and manipulated the control modules (ECUs) of the system, which would quickly kill some functions of the vehicle. In [3,27], the researchers provided the packet analysis results and their effects on different control modules of the vehicle, which are partially presented in

Table 6. Different packets of in-vehicle networks and their effects on control modules.

Control Message Code	Controlled Function	Impacted Control Module
07 AE...1F 87	Continuously activates lock replay	Body control module
07 AE...CE 32	Temporary RPM increase	Engine control module
07 AE...25 2B	Engages front-left brake	Electronic brake control
00 00...00 00	Falsify speedometer reading	Other modules

.

After attackers know the nature of different communication packets on intra-vehicle system and their effects on the corresponding control modules well, they can implement diverse types of attacks on the intra-vehicle system remotely. Specific attacks include (a) Denial of Service (DoS) [86] and fuzzing attack [87]; (b) code modification and injections [2]; (c) replay attack [6,23]; and (d) malware injection. Even though these types of attacks may be presented in the previous section, this section focuses on the direct impact of the attacks on intra-vehicle systems. In addition, a type of smart attack, malware, is considered considerably threatening in the future [88] because it can modify itself to look different each time it replicates, such as polymorphic and metamorphic malware. Many existing defense approaches become fragile and unresisting to polymorphic and metamorphic malware [88,89,90]. To effectively defend against smart malware, some intelligent analysis and detection methods are needed [63].

Table 7. Cyber-attacks on intra-vehicle systems and the defenses.

Type	Description	Attacks/Consequences	Defenses
DoS	Introduce the topmost priority nonsense message frequently to systems.	(1) Cause flooding. (2) Hinder regular services. (3) Detect existing security loopholes of system.	(1) Identify security loopholes earlier. (2) Verify the fix/update files. (3) Combination of authentication and integrity verification.
Fuzzing attack	Massive amounts of random data can be inputted to the system.	(1) Crash the system. (2) Exploit vulnerabilities for further attacks.
Code modification and injections	Carry out malicious modifications of code; inject malicious messages to the bus system.	(1) Override certain functions. (2) Compromise the system.	(1) Authorize connected devices. (2) Intrusion detection.
Replay attack	Retransmit eavesdropped packer to system.	(1) Activate/Disactivate certain functions maliciously.	(1) Encryption on messages. (2) Ensure the freshness and validness of input data.
Malware injection	Malware codes can modify themselves to look different each time they replicate and deceive the system to download them into system.	(1) Execute damage. (2) Approach privacy information. (3) Eavesdrop communication.	(1) Intrusion detection. (2) Network separation. (3) Message obfuscation. (4) Cloud-based defense.

summarizes the different interfaces and types of attacks on the intra-vehicle system.

4.1.3. Open Issues of Intra-Vehicle System Security

In practice, there are many limits to successfully launching a cyber-attack on CAVs. For example, when the attacker tries to compromise the communication module, the attack needs to bypass the verification or integrity check of the system, which may activate the alarm. Moreover, some patterns of vehicles do not allow outside devices to send a message to the bus system when the vehicle is moving. Even so, security must be built into the system before the manufacturing of a vehicle and the wide deployment of CAVs.

On one hand, to maintain the various connectivity to vehicle systems without exposing vulnerabilities of the system, effective access control must be implemented on the system to guarantee secure information input. The system must grant selective access to its components. For example, when a vehicle is moving, the module which can send messages to the CAN bus should forbid any reboot. Furthermore, the system must ensure that only authorized devices can gain limited access to certain types of its components. Each time a new connectivity is created between the system and an outside device, integrity and verification must be implemented [27]. The principle of least privilege should be applied while providing access to the connected device. In addition, in terms of software design of the system, buffer overflow, string format vulnerabilities should be avoided to prevent connected devices from modifying the system when the situations occur.

On the other hand, network monitoring and intrusion detection should be implemented on intra-vehicle systems. Typically, attacks on the system last for several minutes or more, therefore, it is essential to monitor the network and to detect possible attacks as soon as possible. For this purpose, real-time intrusion detection and response on the system could be adopted on the system. Currently, most intrusion detection for the system is either based on misuse or based on anomaly detection. Compared the misuse detection, anomaly detection can not only identify specific attacks, but identify some unknown attacks by discovering abnormal frames transmitted on the traffic [91]. To develop intrusion detection for intra-vehicle systems, some issues should be considered. Firstly, the detector should be appropriately deployed in the system. Usually, the detector could be host-based or network-based. Secondly, the detecting methodologies should be carefully considered. The abnormal detection may capture the abnormal patterns according to predefined ones [92], or analyze the unusual frequency or time interval [93]. In the last example, the accuracy of detection matters a lot. Compared with existing methods, machine-learning-based detection can extract the features of intrusion well and decrease the error rate [94]. However, due to the limited computing power, memory, and communication capacities of current vehicles, it is impractical to implement sophisticated machine learning detection on individual vehicles. CAV essentially is a large-scale distributed system composed of safety-critical individual vehicles that demand reliable real-time operations. Therefore, besides performing core intrusion detection primarily on each intra-vehicle system in distributed manner, cooperative neighboring vehicles within same cluster (e.g., a physical platoon) or cloud platform can provide further verification of the local detection results within the time constraint imposed by different applications.

4.2. Cyber-Attacks on Inter-Vehicle Systems

CAVs typically cooperate with each other to form a certain type of driving pattern with some common interests in the traffic, which can significantly improve road capacity and traffic efficiency. The cooperative driving pattern effectively integrates computing, communication, and control technologies to achieve the stability, reliability, and efficiency of the inter-vehicle system. A representative pattern is a platoon, which is shown in Figure 6. Multiple vehicles form a string in one lane; a vehicle follows the preceding vehicle with a small and nearly constant distance. In the early stage, the platoon relies on the Adaptive Cruise Control (ACC) function, which mainly utilizes local sensor measurements to maintain the string pattern. Currently, the platoon is mainly achieved with Cooperative Adaptive Cruise Control (CACC) functions, which enables each vehicle in the platoon to directly obtain state information of the leading vehicle through wireless communication to maintain shorter spaces and stronger string stability of the platoon [95,96]. Due to the reliance on vehicular communication, the performance of communication, such as delay and packet delivery loss, has a considerable impact on platoon vehicles’ dynamics [97]. Therefore, attackers can utilize reliance to impact the performance of a platoon. Typically, cyber-attacks can degrade the string stability and control performance of a platoon by influencing vehicular communication in the platoon. As a result, cyber-attacks can directly damage the mobility pattern and cause unsafe operation of inter-vehicle systems [98]. In this subsection, we use a platoon to illustrate how cyber-attacks impact the performance of inter-vehicle systems by compromising vehicle connectivity.

4.2.1. Models of Attacks on Platoon

Due to the dependence of platoon dynamics and control on inter-vehicle communications, the imperfections of communication, such as transmission delay, packet loss, channel interference, etc., will directly impact the performance of platoon mobility and vehicle dynamics. Firstly, we quantitatively analyze how the networking performances impact platoon dynamics and control.

Xu et al. used a three-car-platoon model to illustrate the platoon safety performance under different information content (e.g., distances, speeds, and driver actions) and different communication uncertainties (e.g., delay, Doppler effects) [99].They pointed out that the data rates and PDR, transmission distances with/without obstacles, and multi-hops all significantly impact the communication delay, and finally affect the safety distance between vehicles and platoon performance. Compared with the inter-vehicles distances of platoons only relying on ACC functions, the transmitted distance or speed information through vehicular communications can effectively shorten the inter-vehicle distance.

Essentially, string stability stands for the platoon dynamics from the perspective of vehicle control, which is defined as the spacing error between the desired and actual inter-vehicle spacing not amplifying to the upstream of the platoon [100]. It is analyzed in the frequency domain, and the specific steady-state error transfer function is defined as

$$H_i\left(s\right)=\left|\frac{E_i\left(s\right)}{E_{i-1}\left(s\right)}\right|$$

(1)

$E_i\left(s\right)=ℒ\left(e_i\right)$, $E_{i-1}\left(s\right)=ℒ\left(e_{i-1}\right)$, is the Laplace transformation of the spacing error. Theoretically, platoon stability is guaranteed if the following condition is satisfied:

$${\left|\left|H_i\left(s\right)\right|\right|}_{\infty }\le 1$$

(2)

Oncu et al. designed a CACC system from the perspective of a Networked Control System (NCS) and considered the effect of communication sampling, hold, and delays [101]. They analyzed the string stability of the platoon, which follows a constant time headway spacing policy based on these imperfections in vehicular communication. A feed-back/feedforward controller is included in the CACC model: the feedback controller C_i,ACC (s) constitutes the ACC part and is a PD-type controller that acts on locally sensed data, while the vehicular communication is introduced as an addition to the ACC part to constitute the CACC operation. Given the spacing policy, a time-domain representation of the CACC feedback/feedforward control input is expressed as

$$u_i=u_{fb,i}+u_{ff,i}=K_{i,i-1}{x}_{i-1}+K_{i,i}{x}_i, 1\le i \le n$$

(3)

They considered each vehicle in the platoon to be an individual closed-loop CACC model. For an individual closed-loop CACC model, the i-th CACC-equipped vehicle dynamics ($2\le i \le n$) in an n-vehicle string is described by,

$${\dot{x}}_i=A_{i,i}{x}_i+A_{i,i-1}{x}_{i-1}+B_{s,i}{\check{u}}_i+B_{c,i}{\widehat{u}}_{i-1},$$

(4)

$x_i^T=\left[e_{i, } v_i, a_i, u_{ff,i}\right]$ represents the state variables, ${\check{u}}_i\left(t\right)=u_i\left(t-{\tau }_{a,i}\right)$ accounts for the delays in throttle actuation; ${\widehat{u}}_{i-1}$ denotes that $u_{i-1}$ is transmitted over the network, which includes network-induced effects (e.g., sampling, hold, and delays). Furthermore, they lumped the n models in the platoon to derive a complete discrete-time CACC NCS model for the string stability analysis,

$${\xi }_{k+1}= {\overline{A}}_{\xi }\left(\tau ,h\right){\xi }_k+{\Gamma }_r\left(h\right)u_{r,k}$$

(5)

Their experiment results show how string stability is compromised by delays and other imperfections in wireless communications.

Clearly, CACC-based platoon stability highly depends on communication performance. Therefore, cyber-attacks mainly utilize the dependence to impact platoon dynamics and safe operations by degrading the networking performances. Fanid et al. analyzed the stability and safety of a platoon according to a model including Rician fading channels and jamming attacks [102]. When the attacker launches the jamming signal over the platoon, with the assumption of Rician fading, the probability density function of the instantaneous signal-to-interference-plus-noise ratio (SINR) of the received signal of the i-th vehicle at time k, ${\gamma }_i^k$, is derived by

$$f_i^k({\gamma }_i^k)=\frac{1+K}{\overline{{\gamma }_i^k}}\exp \left(-K-\frac{\left(1+K\right){\gamma }_i^k }{\overline{{\gamma }_i^k}}\right)*I_0\left(2\sqrt{\frac{K\left(K+1\right)}{\overline{{\gamma }_i^k}}}\right)$$

(6)

The state space representation of the platoon under the Rician fading channel and jamming attacks is derived as

$$x_n\left[k+1\right]={\stackrel{=}{A}}_n{x}_n\left[k\right]+{\stackrel{=}{B}}_c{\overline{u}}_{n-1}\left[k\right]+{\stackrel{=}{B}}_s{\mu }_l\left[k\right]$$

(7)

Considering various scenarios with different settings, including various attacker’s locations and vehicle signal transmission power, they proved that platoon stability and safety are highly sensitive to jamming attacks. They also derived the best location and best time to launch the jamming attacks to destabilize the platoon. In addition, they computed the minimum transmission power to maintain string stability and advised that the minimum transmission power needs to increase with the increase in jamming signal power.

Currently, much work has been undertaken investigating the string stability under imperfect communication performances [98,103,104,105]. There is little work to consider how cyber-attacks utilize the imperfections of communications to impact the performance of the platoon. The most common one is jamming, which causes severe damage to the safety of the platoon and is hard to prevent. Besides string stability, platoon management involving platoon formation, merging, and splitting is another fundamental issue. It is still challenging to form the stable cluster or platoon, especially in heterogeneous and drastically changing scenarios. In this process, traffic dynamics, communication behavior, and security are supposed to be considered. In addition, a platoon typically consists of a master and multiple following vehicles and operates within one lane, while another cooperative pattern, convoy, which has no master vehicle and operates on multi-lanes, considerably relies on vehicles to self-organize a more complex cooperative pattern. It would be challenging to model such a pattern under a communication.

4.2.2. Diverse Types of Cyber-Attacks

Various types of cyber-attacks may have been discussed in previous sections. Here, we systematically summarize these types of cyber-attacks and mainly consider their impact on the platoon. Miao et al. analyzed the different attacks on a platoon, including replay attack, jamming attack, DoS attack, and provided an SDN solution to mitigate these types of attacks [103]. Amir et al. performed the string stability analysis of CACC under jamming attacks [104]. Petrillo et al. provided a collaborative control strategy for platoons to defend against falsification attacks [105].

Table 8. Summary of common cyber physical attacks on cooperative vehicles.

Cyber Physical Attacks	Workable Solutions
Message tampering	(1) Data correction. (2) Challenge response authentication.
Forgery attacks	(1) Use vehicular PKI for authentication. (2) Sign warning message. (3) Establish group communication. (4) Use non-cryptography checksum and plausibility check per message.
Message saturation	(1) Limit message traffic. (2) Build location-based grouping and aggregation signature.
Replay attack	(1) Use time stamping technique. (2) Include sequence number in message. (3) MAC via ARAN routing protocol.
Node impersonation	(1) Use variable MAC and IP addresses. (2) Authentication via digital certificates. (3) Use cryptographic certificates via ARAN routing protocol.
Routing attack (i.e., Black hole, Grey hole, Worm hole, and Tunneling)	(1) Digital signature of software and sensors. (2) Cryptographic certificate, symmetric cryptography, MAC, and one-way hash in routing protocol. (3) Enhance the trust among different nodes.
Spoofing and jamming attack	(1) Switch the transmission channel. (2) Use the frequency hopping technique. (3) Switch between different wireless technologies.

summarizes the cyber-attacks on platoons and workable solutions.

4.2.3. Open Issues of Inter-Vehicle System Security

Although the diverse types of cyber-attacks on a platoon and the corresponding solutions have been well studied, some open issues to be considered still exist.

Presently, the platooning probability on the road is low. Most existing work either assumes an individual driving pattern or considers cooperative driving (e.g., platoon) only in the design of inter-vehicle message dissemination. Furthermore, in most cases, several vehicles can communicate through V2V to form/maintain a platoon without much involvement of infrastructure, such as RSU. The capabilities of the infrastructure have not been fully exploited, yet. However, a report from USDOT indicated that platooning probability on highway could be higher than 70% in the future [106]. In this case, the cooperative driving frequently exchanges periodic safety beacons to maintain the pattern, while individual driving may broadcast event-driven messages. The heterogenous driving patterns would impose a great burden on vehicle communication and stringent requirements on transmission scheduling. Given that cyber-attacks on inter-vehicle systems mainly decease the communication availability or reliability, how to effectively allocate the communication resources and improve the communication reliability for the heterogeneous driving patterns would be a key problem. Currently, some work has studied the strategy of allocating resources, avoiding collision, and ensuring communication availability and reliability under the assistance of infrastructure (e.g., RSU, cloud). For example, the authors of [107] utilized the capability of infrastructure to combine TDMA and CSMA/CA scheduling to guarantee the timely and reliable message delivery for the heterogeneous driving patterns. In [108], cloud was introduced to assist safety massage dissemination in VANET-cellular heterogeneous networks. In fact, infrastructure would play a critical role in channel allocation, caching, content download, data aggregation/dissemination, hands-off, location, routing, and security of vehicular communication in the future [109,110]. If the infrastructure was compromised by cyber-attacks, it would cause large-scale damage. Meanwhile, the infrastructure may adopt different architecture besides incorporating existing devices, such as the cooperative architecture, virtual architecture, etc., which leaves it vulnerable to many cyber-attacks, too. Therefore, defending infrastructure against cyber-attacks will be a great challenge.

Cyber-attacks on inter-vehicle systems can be from either the outside or inside of the platoon. In most cases, the cyber-attacker is outside the platoon. In [102], the jammer was mounted on a drone flying over the platoon. Theoretically, it is not very difficult to recognize attacks from the outside. Some state-of-the art measures can effectively detect and limit the capabilities of an outside attacker, but it is still challenging to effectively defend against inside attackers. In addition, due to the coupling of physical and cyber aspects of the inter-vehicle system, the co-attacks of a malicious vehicle inside the platoon which takes disturbing accelerations and an attacker outside the platoon would be greatly threatening. It is considerably challenging to identify the attacks sources, to cut off the cooperation of two attackers, and to eliminate the insider vehicle as well as re-stabilize the platoon. Some researchers proposed maintaining a lower and upper bound of inter-vehicle spacing to possibly mitigate the impact of cyber-attacks [102], which is a trade-off between traffic efficiency and safety. However, given that the message within a platoon contains control parameters, if an insider attacker directly tampers the message content when the message is transmitted from head to the end, it would directly cause collisions without noticeably degrading the communicate quality. Therefore, security mechanisms are urgently needed to detect and defend against insider attacks and co-attacks.

5. Discussion and Future Works

As for future work, we believe that our study highlights some directions in this area. On one hand, for fully autonomous vehicles, the reliable and secure perception, functioning, and operation are the top requirement and concern for the CAV system. On the other hand, with the evolvement of vehicular connectivity and the occurrence of IoV (Internet of Vehicles), cloud can be integrated in vehicle connectivity and fully exploited to defend against cyber-attacks under the CAV environment [111,112].

5.1. Secure the Perception and Operation of CAVs

Fully autonomous vehicles operate without driver assistance or monitoring. Accurately perceiving the surroundings and understanding the context, such as the road conditions [113] and the weather status, would be the prerequisite for the safe driving of CAVs. The accurate perception lies in the robust sensing of its surrounding environments and the reliable fusion of information. For CAVs, the sensing ability is possibly impacted by malicious attacks via spoofing/deception attacks (e.g., faked GPS signals) to generate fraud or unreliable data. Additionally, attackers can delay the acquisition and transmission of the data vis DoS attacks to disable the delay-sensitive applications, and thus, threaten the vehicle safety. Recently, due to the development of artificial intelligence (AI) technology, the perceiving capabilities of sensors can be enhanced to improve the detection rate and decrease the error rate [114,115]. A typical example is that the detection accuracy of cameras can be improved using neural network tools and methods [116,117,118]. Therefore, the advancement in AI technology, to an extent, can make the sensors more robust to malicious attacks.

On the other hand, coupling different sensors and fusing multi-sources data would be indispensable for a CAV to accurately perceive the surrounding environment [118]. For instance, stereo vision uses an overlapping region of two cameras to determine depth; Google Driverless Car fuses LiDAR with stereo-vision and Enhanced Maps (E-maps) for road scenery understanding. Besides multiple sensors, with the introduction of vehicle connectivity, vehicle communication provides another information source for data fusion. In [119], data from long-range radar and the VANET network are associated and fused to provide accurate data of tracked objectives in front of the vehicle. Traditionally, the Kalman filter and particle filter can be used for data fusing of multiple sources [120,121]. Presently, some machine learning methods are also applied in data fusion processes, such as SVM classification, unsupervised clustering, etc. However, these methods are usually time/resource-consuming. Meanwhile, received data from multiple sources are within different coordinate systems and use unsynchronized clocks. Spatial and temporal alignment of incoming data is needed before data is further fused [38,118]. Therefore, a “lightweight” and efficient fusion algorithm is still needed. In addition, multi-modality fusion needs to deal with some issues in practice when they are implemented. For example, information from the GPS was not available when the vehicle was under tunnels or bridges; information from one sensor source is possibly blocked by malicious attackers. Therefore, reliable fusion is needed to handle these situations.

Furthermore, attack-aware and error-tolerant end-to-end learning can be developed for fully autonomous operations.

Currently, autonomous vehicles mainly utilize module-based learning to achieve some functions, such as object detection and pattern recognition. Recent efforts have been dedicated to applying end-to-end learning in autonomous driving. Typically, the operation mode of autonomous driving goes through three steps: perception, understanding, and planning [122,123,124]; one level up, end-to-end learning can be used to innovatively update the operation mode, which shortens the process with perception and action [113,125,126]. It indicates that the new driving mode takes the raw data as input, such as the image, and outputs control commands directly. In [127], Karol trained a convolutional neural network to map raw pixels from a single front-facing camera directly to steering commands. Undoubtedly, the application of end-to-end learning in autonomous vehicles shows great advantages in enhancing vehicular operations and reducing the perception-control period. However, neural networks are proven to be easily fooled or perturbed by interferences [128]. The end-to-end learning built on a neural network would be susceptible to the complex environment. For example, the adversarial image may be captured by the network as regular input; the noise and uncertainty of the input data cannot be effectively filtered, and thus, distract the output command. Therefore, reliable end-to-end learning is needed for future fully autonomous operations.

5.2. CAV Integrated with the Cloud

Recently, much work has considered integrating the cloud with CAV systems [129,130]. On one hand, the cloud provides resourceful information to CAVs; on the other hand, the cloud can provide powerful resources to support large storage and fast computation, which is indispensable for implementing some sophisticated AI algorithms. Therefore, the cloud shows great advantages to secure CAVs. In essence, a CAV integrated with the cloud is a large-scale hybrid platform composed of a remote centralized infrastructure cloud and distributed nodes with fog/edge computing. The architecture of the platform is shown in Figure 7. Locally, each vehicle and RSU/BS are enhanced with extra computing units and storage to process some data/information to meet the requirement of time-sensitive applications. Meanwhile, multiple types of commercial clouds, such as Microsoft Azure and AWS, are readily available to cooperate with the possible automaker clouds and traffic center clouds in the future, to support some advanced functions with heavily computing overload.

Typically, data collected from local sensors have a direct impact on the vehicle’s safety by providing obstacle detection and navigation operation. With the assistance of the cloud, these data can be processed and explored remotely to provide complementary measures to enhance vehicle security and safe operations. In the future, enormous volumes of diverse types of messages will be transmitted through vehicular communication channels. Due to the limited capacities of the communication channels, all messages will compete for the temporal and spatial resources, which can be easily utilized by malicious attackers to launch resource-availability attacks. Meanwhile, it is inevitable that many messages are collected by vehicles from the same region, which indicates that great duplication and redundancy exists in the messages. With cloud involvement, these messages can be merged and pruned through data relevance analysis before they are re-transmitted to a region or a certain number of vehicles. By transmitting compact but useful messages the communication channels utility can be improved. Cyber-attacks, such as DoS/spoofing, may be prevented.

Furthermore, the cloud can collect information from multiple vehicles in a region to generate reports about traffic flow, traffic density, and traffic speed of that region. This way, the cloud can provide vehicles with reference and surveillance for safe driving. For example, being aware of the average traffic speed provided by cloud reports, autonomous vehicles can recognize the obviously abnormal behaviors of some vehicles in time to avoid malicious operations or potential dangers. Another good example is that, in bad weather (e.g., heavy rain or storm), the perception of local sensors is easily susceptible, even completely disabled. In this case, the transmitted messages can provide navigation and guidance to the vehicle for safe movement. However, there are some issues which should be well considered when the cloud is deployed in practice. Typically, the preliminary aggregation and fusion of the raw data can be achieved within local fog/vehicular nodes, which is applicable to the low-delay applications, such as emergency navigation and obstacle recognition. Considering high-level fusion, either feature fusion or decision fusion, it typically has a loss of information and needs co-relation through complicated algorithms (e.g., support vector machine or kernel-based clustering), which are time/resource-consuming. Therefore, it can be achieved on the remote cloud to meet the requirements of delay-tolerant applications. It is still an open issue how to assign the assignments to local fog/edge computing and remote cloud computing.

On the other hand, as we mentioned in cyber-attacks on intra-vehicle systems, malware would be a type of smart attack, which will be greatly threatening to CAVs in the future. A good example is polymorphic and metamorphic malware, which changes itself each time it replicates. It has been proven that individual vehicles are fragile when they face such powerful attacks [88]. Therefore, taking some defense measures on the cloud will provide extra security to protect CAVs from smart attacks.

Basically, intrusion detection can protect CAVs from security issues. Traditional intrusion detection uses some static analysis approaches, such as comparing programs to known malware based on the program code, looking for signatures, or using other heuristics, which gradually expired to defend against the deformation of these attacks because they still expose some security loopholes [88,131]. Incidentally, the cloud platform presents tremendous advantages for implementing new types of AI-based detection methods [128,132,133,134]. With the management of the cloud, large volumes of data can be captured from the internet and collected from traffic situations by setting up some honeypot and trapping, and sufficiently powerful hardware can be provided to support these sophisticated algorithms. This way, the components relevant to the reliable driving operations of each vehicle can be monitored by the cloud. In practice, the local vehicle can collect anomaly data in the first time. Each vehicle primarily performs core intrusion detection in a distributed manner, which is referred to as local layer intrusion detection. If a local vehicle cannot decide whether the data is malicious, it transmits the data to the cloud for further detection. The remote cloud can provide further verification of the local detection results within the time constraint, which is referred to as outer layer intrusion. Therefore, how to relieve the delay in communication in the multi-layer detection process to meet the requirements imposed by some applications is challenging.

6. Conclusions

In this survey, we reviewed a substantial number of studies on CAV security since the AV was developed. In the beginning, attacks mainly aimed at individual vehicles and were implemented through physical connectivity. With the increase in wireless connectivity of the vehicle, such as Bluetooth, VANET, and cellular networks, potential vulnerabilities of vehicles are increasingly exposed, and cyber-attacks are possibly implemented to exploit the vulnerabilities to impact the performance and operation of CAVs. We analyzed the impact of cyber-attacks on CAVs from the viewpoints of intra-vehicle systems and inter-vehicle systems. For both, the operation of the CAV will be severely impacted if the vehicle connectivity is compromised, which may further cause damage to the vehicle or accidents directly. In the future, to employ fully autonomous vehicles in practice, a vehicle’s perception and operation must be well secured, which is the top requirement for CAV applications. In addition, with the development of IoV, some powerful detection and defense measures can be carried out on the cloud, which possesses enormous amounts of information and powerful resources, to protect CAVs from some types of smart attacks. In a word, the security of CAVs must be well considered and built before the CAV is fully developed and deployed in practice.