Performance Analysis and Security Preservation of DSRC in V2X Networks

Abstract

Protecting communications within vehicular networks is of paramount importance, particularly when data are transmitted using wireless ad-hoc technologies such as Dedicated Short-Range Communications (DSRC). Vulnerabilities in Vehicle-to-Everything (V2X) communications, especially along highways, pose significant risks, such as unauthorized interception or alteration of vehicle data. This study proposes a Software-Defined Radio (SDR)-based tool designed to assess the protection level of V2X communication systems against cyber attacks. The proposed tool can emulate both reception and transmission of IEEE 802.11p packets while testing DSRC implementation and robustness. The results of this investigation offer valuable contributions toward shaping cybersecurity strategies and frameworks designed to protect the integrity of Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications.

1. Introduction and Background

Each year, approximately 1.35 million people worldwide lose their lives in vehicle-related accidents, prompting substantial research efforts to address this issue. An outcome has been the development of Intelligent Transportation Systems (ITS), which enable the exchange of data between vehicles and road infrastructure to improve safety and efficiency on roadways [1]. Autonomous vehicles have the potential to transform transportation systems by reducing traffic congestion, improving road safety, and minimizing human error through optimized traffic management. Major automotive manufacturers have already announced plans to introduce fully autonomous vehicles capable of operating without human intervention [2]. In this context, the communication infrastructure must evolve in response to the needs of autonomous vehicle applications.

The communication demands of ITS require higher data rates and bandwidths to ensure efficient transmission of data packets and safety information within dynamic Vehicle-to-Everything (V2X) networks. These networks are particularly susceptible to security attacks due to their dependence on cellular and wireless technologies. The integration of wireless communication plays a crucial role in facilitating cooperative maneuvering among vehicles, thus enhancing their level of autonomy [3]. To exchange data such as vehicle location, speed, and trajectory, the network also distributes information about safety system status and decision-making processes. These capabilities enhance driving safety and efficiency, particularly at advanced automation levels where human interaction is minimal or unnecessary [4]. V2X networks support efficient communications among nodes belonging to the terrestrial infrastructure and located along the transportation infrastructure, called Road Side Units (RSU), and units integrated in vehicles, called On-Board Units (OBU). OBU are responsible for the exchange of critical safety information related to the vehicle status, while RSU offer the necessary infrastructure to allow communications among vehicles and between vehicles and the Internet.

Beyond conventional cyber attacks, V2X networks face sophisticated threats such as wireless eavesdropping attacks, which can compromise the confidentiality of transmitted data. Recent research has demonstrated the feasibility of fine-grained application fingerprinting through RF signal analysis, as shown in studies on Android app activity detection via radio-frequency energy harvesting [5,6]. These advanced eavesdropping techniques can potentially reveal sensitive information about vehicle operations, user behaviors, and system vulnerabilities, highlighting the need for comprehensive security assessment frameworks.

1.1. V2X Technologies and Standards

With the progressive shift toward autonomous driving, vehicles will increasingly depend on an integrated network of sensors and communication devices that collect, transmit, and process vast amounts of data. This data includes cooperative sensing outputs, communication logs, and sensor feedback, which collectively create detailed situational awareness for each vehicle.

3GPP defines V2X communication as a comprehensive framework that encompasses various modes of interaction, including Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I), Vehicle-to-Network (V2N), and Vehicle-to-Pedestrian (V2P) communications [7]. These modes support a variety of applications that are both safety-critical, such as collision avoidance and hazard notifications, and non-safety-critical, such as traffic management and in-vehicle infotainment [8]. By enabling continuous real-time data exchange across communication channels, V2X technology allows vehicles to make timely and informed decisions, thus improving road safety, optimizing traffic flow, and enriching passenger experience [9,10]. As V2X technology continues to evolve, these diverse forms of interactions play an essential role in supporting both vehicle autonomy and enhanced mobility experiences [11].

V2X communications are supported by wireless technologies optimized for low-latency communications in vehicular environments [12].

1.2. DSRC

Dedicated Short-Range Communications (DSRC) is one of these technologies. It enables direct communications among vehicles (V2V) and between vehicles and infrastructure (V2I). It operates in the 5.9 GHz frequency band and is based on the IEEE 802.11p standard [13], which is specifically designed for high-speed vehicular environments. DSRC is one of the main protocols used in V2X [14]. Depending on the application, the protocol may perform better than more recent mobile-based technologies [15]. The European standard ITS-G5 [16] reserves 70 MHz (5855–5925 MHz) for general V2X communications, with 30 MHz (5875–5905 MHz) dedicated to traffic safety applications, as shown in Figure 1 [17]. The performance of DSRC in V2X applications can be evaluated in terms of various metrics, including communication range, latency, data throughput, and scalability [18]. In terms of latency, DSRC is well suited for time-sensitive V2X applications that demand ultra-low latency to allow real-time vehicle responses, such as collision avoidance, emergency vehicle warnings, and cooperative adaptive cruise control. The communication range of DSRC, typically around 300 m, is also suitable for urban traffic management, allowing vehicles to share information on road conditions, traffic signals, and other vehicle movements within a short distance.

However, DSRC faces performance limitations in high-density traffic environments. As the number of vehicles in a network increases, DSRC may experience packet collisions and communication congestion, resulting in reduced data throughput and increased latency. This limitation can be problematic in large-scale deployments or highly congested urban settings. To address this limitation, researchers are investigating adaptive congestion control algorithms and priority-based transmission schemes to enhance DSRC performance in dense V2X scenarios [19]. Additionally, while DSRC is effective for short-range communication, its scalability and long-range performance may be limited compared to other emerging technologies, such as Cellular V2X (C-V2X) [20].

The IEEE 802.11p standard [13] includes basic mechanisms to ensure data integrity and authenticity but does not natively provide comprehensive “sanity checks” for transmitted data. These checks generally refer to validation mechanisms that verify whether the transmitted data makes contextual sense, for example by checking if a received vehicle’s speed or position is realistic and if the packets are arriving from an authenticated source. Security and data integrity in DSRC mainly rely on the higher layers of the protocol stack, such as the IEEE 1609.x standard [21]. These standards introduce security features such as message authentication and encryption through cryptographic signatures. Additional techniques for enhanced security, such as message plausibility checks, timestamp validations, and location-based verification, can be implemented on top of the DSRC framework. These techniques are designed to safeguard against threats such as replay attacks, false data injection, and other forms of malicious activity within vehicular networks [22,23]. Moreover, the IEEE 802.11p protocol operates on unlicensed frequency bands and uses simple modulation techniques, such as Orthogonal Frequency Division Multiplexing (OFDM). This simplicity makes the protocol more vulnerable to cyber attacks, such as jamming or replay attacks.

DSRC-based V2X networks face notable security challenges arising from the inherently open and dynamic characteristics of wireless communications. These challenges include vulnerabilities such as eavesdropping, message alteration and repetition, and identity spoofing, which pose risks to the confidentiality, integrity, and availability of the communication system. This paper evaluates the performance of DSRC-based V2X networks while addressing some of these security threats, with the objective of ensuring resilient and reliable V2X communication systems. The main contribution of this paper is threefold:

• It presents an open-source tool that implements an OBU-RSU communication based on the 802.11p protocol;
• It proposes an open-source SDR-based tool to test the robustness of DSRC against cyber attacks, to personalize the performed security tests and the implemented cyber attacks;
• It presents the results obtained by the security assessment tests performed by implementing jamming and replay attacks against two V2X testbeds.

The paper is structured as follows. Section 2 describes the main works in the literature related to security assessment in V2X scenarios. Section 3 describes the tool proposed to evaluate the robustness of V2X communication systems against cyber attacks. Section 3.3 illustrates the reference scenario and the V2X testbeds developed to validate the proposed tool. Section 3.4 and Section 4 detail the performed security tests and the obtained assessment results, respectively. Finally, conclusions are drawn in Section 5.

2. Related Works

Wireless integration is fundamental to V2X communication systems, extends across a wide range of sectors and applications, and brings notable advantages, such as improved efficiency and cost savings. On the other hand, it also introduces cybersecurity vulnerabilities that are often underestimated by stakeholders. To mitigate these risks, a structured approach is essential to emphasize the evaluation of possible threats and the formulation of specific attack scenarios within the V2X framework. The methodology in [24] involves the integration of specialized radio interfaces designed to meet the distinct needs of V2X systems. OBU primarily use VANET technology focusing on accident prevention. For example, the ASSJ introduced in [25] leverages GNSS-enabled OBU in vehicles alongside RSU to detect and communicate accident risks to nearby vehicles. The OBU performs this role by collecting vehicle data, calculating potential collision distances, and transmitting this information to the closest RSU or OBU as a proactive accident prevention measure. The in-depth assessment of V2X ecosystems presented in [26] explores the challenges of critical security and privacy, ongoing standardization efforts, and various defense mechanisms proposed within the V2X field. The cyber kill chain-based analysis method presented in [24] develops a formal vulnerability analysis system that incorporates insights from real car hacking studies to propose essential defense measures. Ref. [27] examines various attacks and corresponding countermeasures, underscoring the critical need for strong security protocols to protect communication interfaces, particularly in scenarios where attackers obtain direct access to in-vehicle networks.

OBD interfaces play a crucial role in linking external devices with the vehicle CAN bus (the network for intra-vehicle communications) by facilitating communication among various internal components, including the ECU, infotainment system, and TCU [12]. Although OBD interfaces support crucial functions, such as diagnostics and data exchange, they expose vehicles to cybersecurity risks. Vulnerabilities in the CAN bus can be exploited by attackers to alter sensor data, send unauthorized commands, and disrupt vital vehicle functions, posing severe safety threats [28]. Highlighting the importance of secure communication protocols [29], evaluates cybersecurity resilience by simulating attacks on a SAM testbed, analyzing the robustness of SAM by testing its defenses against possible cyber threats. The interconnected nature of systems in both vehicles and agricultural machinery underlines the urgent need for strong security measures to protect against cyber threats in complex network environments.

Specialized radio interfaces incorporating SDR technology provide an additional method to enhance cybersecurity within V2X systems [30]. SDR technology enables security analysts to receive and transmit signals by flexibly setting key communication parameters, such as modulation schemes. This functionality allows implementing detailed packet inspection at the bit-stream level, facilitated by a single hardware setup combined with open-source software. Leveraging the adaptability of SDR, stakeholders can perform extensive evaluations and simulations to detect and address vulnerabilities in OBU and RSU. Ref. [31] introduces a framework to deduce wireless protocols implemented within the Universal Radio Hacker tool. This tool facilitates the security analysis of proprietary wireless protocols, thereby advancing research in protocol vulnerability assessment [32].

A TARA for mobile applications associated with connected vehicles is presented in [33]. It operates by exploiting existing vulnerabilities to pinpoint common security weaknesses and demonstrates how TARA can be effectively tailored to the context of mobile applications for connected cars. Concurrently, the pressing cybersecurity issues facing V2X communication systems are addressed in [34], examining the efforts made by standardization organizations. Although V2X services are rapidly advancing to improve road safety, traffic efficiency, and user connectivity, facilitating new driving features and enhancing travel experiences, there is still a significant gap in research on security threats to real V2X systems. In particular, the scientific literature has not yet adequately addressed vulnerabilities in the communication between OBU and RSU, which are critical to reliable and secure V2X functionality. The work by Cong et al. [35] addressed the predictability verification problem of fault patterns in bounded and unbounded discrete event systems modeled with labeled Petri nets. By introducing fault pattern predictor nets and predictor graphs, they derived conditions to check predictability without constructing the full reachability graph, offering practical computational advantages. Such predictive approaches are highly relevant for V2X systems, where early recognition of anomalous or faulty communication patterns can improve system resilience and prevent cascading failures in safety-critical scenarios. Recent research on discrete event systems has highlighted the importance of maintaining system observability even under conditions of intermittent data loss. For example, another work by Cong et al. [36] investigated the critical observability of stochastic discrete event systems under intermittent observation loss, presenting necessary and sufficient conditions for detecting fault states despite missing or unreliable observations. This work is highly relevant to vehicular cybersecurity, where jamming, replay, and spoofing attacks often cause intermittent message loss or distortion in Cooperative Awareness Messages (CAMs) and Decentralized Environmental Notification Messages (DENMs). Drawing on these concepts, V2X security frameworks can be improved to ensure that vehicles and infrastructure nodes remain aware of critical states, even when communications are disrupted. Integrating such observability-based approaches could significantly improve resilience, enabling accurate state estimation and anomaly detection despite packet loss or corrupted transmissions caused by cyberattacks.

3. Materials and Methods

3.1. SDR-Based Security Assessment Tool

The main technology employed in designing our security assessment tool is SDR. SDR cards enable the development of a modular and adaptable solution that can be easily configured and operated for multiple communication protocols, including V2X communications. The architecture of the proposed tool and its key hardware and software components are shown in Figure 2. The tool provides comprehensive capabilities for both passive monitoring and active attack generation, enabling thorough security assessment of V2X communication systems under controlled laboratory conditions.

Two SDR cards are connected to two PCs, allowing the tool to simultaneously perform security tests and monitor their results. The tool consists of two components: (i) Attacker, based on an Ettus USRP B210 SDR card, enables various cyber attacks on selected wireless channels, such as jamming and replay attacks; (ii) Monitor, based on a Blade-RF SDR card, enables monitoring of attacked channels to passively intercept data and assess attack effectiveness.

The two PCs runs both Attacker and Monitor software based on GNU Radio Companion and Wireshark. The Attacker is based on GNU Radio Companion that allows configuring the SDR card to implement the selected attack by properly programming signal processing flow graphs. The Monitor exploits GNU Radio Companion to receive signals and Wireshark to visualize the structure of packets over the monitored channel. The used GNU radio flow graphs have been programmed by using the open-source gr-foo (https://github.com/bastibl/gr-foo (29 January 2024)) and gr-ieee802-11 (https://github.com/bastibl/gr-ieee802-11 (29 January 2024)) libraries. They provide pre-built blocks for frame detection, frame decoding, and packet transmission specific for the IEEE 802.11p standard [13] This combination of tools allows a comprehensive understanding of the underlying communication process and offers the ability to inspect data flows, frame structures, and modulation schemes.

Table 1. Experimental parameters for security assessment tests.

Parameter	Emulation Testbed	Industrial Testbed
Center Frequency	5.89 GHz	5.89 GHz
Bandwidth	10 MHz	10 MHz
Sample Rate	20 Msps	N/A (Commercial)
TX Gain (OBU)	30 dB	Auto-controlled
RX Gain (RSU)	40 dB	Auto-controlled
Antenna Type	Omnidirectional	Integrated
Distance (OBU-RSU)	5–50 m	5–50 m
Packet Rate (CAM)	10 Hz	10 Hz
Jammer EIRP	20 dBm	20 dBm
SNR (Normal Operation)	15–20 dB	20–25 dB
INR (During Jamming)	−10 to −5 dB	−5 to 0 dB

provides a comprehensive overview of the key experimental parameters used in our security assessment tests, ensuring reproducibility and facilitating comparison with other research works.

Figure 3 displays the Monitor interface of the proposed tool showing the list of packets, time representation, and constellation plot of the signals received while monitoring the selected channel. The shown constellation exhibits a tightly clustered distribution of points near the origin, with some noticeable spread. This pattern indicates a low-order digital modulation scheme, such as BPSK that is widely employed in the IEEE 802.11p physical layer. The proximity of the points to their ideal locations (nominal constellation points) suggests that the signal retains a relatively high SNR, though some noise or distortion is evident due to the minor dispersion around these points.

3.2. Reproducibility and Open Source Implementation

To ensure full reproducibility of our research findings, we provide comprehensive details about our experimental setup and software implementation. The complete GNU Radio Companion flowgraphs for all essential components are available in a public repository at [repository URL to be added upon publication]. The repository includes the following:

• Core GNU Radio flowgraph files: wifi_tx_RSU.grc (RSU transmitter), wifi_rx_OBU.grc (OBU receiver), jamming_attack.grc (jamming implementation), capture_for_replayattack.grc and transmitter_replay.grc (replay attack phases), and transmitter_108.11p_cohdawireless_replayattack.grc (Cohda Wireless compatibility);
• Environment setup script (setup_env.sh) for GNU Radio 3.8.5 configuration;
• Hardware requirements and system configuration details (checklist.txt);
• Detailed receiver operation instructions (INSTRUCTION_RX.txt).

Our implementation utilizes specific library versions to ensure compatibility and reproducibility: gr-foo and gr-ieee802-11 libraries from github.com/bastibl, GNU Radio Companion v3.8.5.0-6-g57bd109d, and Python 3.8.10. The system was tested on Ubuntu 20.04.6 LTS with the specific hardware configuration described in the repository’s hardware requirements document. The experimental setup requires four USRP B210 SDR units, two BladeRF units, and four dedicated Ubuntu systems as detailed in the provided checklist. The Data Availability Statement has been updated to reflect the public availability of these essential reproducibility resources.

3.3. V2X Reference Scenario and Testbeds

To validate our proposed security assessment tool, we consider a reference scenario with a single V2I link between a vehicle equipped with a DSRC OBU, capable of transmitting and receiving IEEE 802.11p packets, and a DSRC RSU, representing a node of the terrestrial infrastructure capable of exchanging data with the vehicle. We implemented this reference scenario in two different ways, building two different testbeds, whose system architectures are shown in Figure 4.

In the first testbed, called Emulation V2X testbed, two PCs with an SDR cards each are configured to transmit and receive IEEE 802.11p packets, operating as OBU and RSU, respectively, as shown in Figure 4, left side.

Figure 5 shows the developed GNU Radio Companion flow graph (wifi_rx_OBU.grc) that allows the SDR-based OBU to receive IEEE 802.11p packets. The flow graph is structured into two main functional sections: the upper section is responsible for frame detection by ensuring that incoming signals are properly identified and synchronized, while the lower section focuses on frame decoding by interpreting the captured signal into meaningful data that can be analyzed by using Wireshark [37]. The signal source originates from the Osmocom Source block, configured to capture signals at 5.89 GHz, aligned with the bandwidth of the IEEE 802.11p protocol. This source feeds into a series of processing blocks, including the synchronization, equalization, and decoding stages. The WiFi Sync Short and WiFi Sync Long blocks play a critical role in the initial synchronization of the receiver by detecting preambles in the incoming signal to correct both time and frequency offsets. The WiFi Parse MAC and WiFi Decode MAC blocks are needed to precisely reconstruct IEEE 802.11p frames from the air interface. The decoded data can be stored in a file, by using a File Sink block, or forwarded in real-time to Wireshark, by using a Wireshark Connector block, for real-time packet analysis. This modular design facilitates flexible adaptation of the system to various experimental conditions that include tests involving signal interference or packet manipulation. This SDR-based setup is designed to allow dynamically adjusting various wireless communication parameters, including channel selection, gain, and sample rate.

Figure 6 shows the developed GNU Radio Companion flow graph (wifi_tx_RSU.grc), available in Github repository, that allows the SDR-based RSU to transmit IEEE 802.11p packets. The flow graph begins with a Message Strobe block that generates periodic data packets that are processed through the Socket PDU block for network interfacing. The signal is scaled via a Multiply Constant block, aligned by using the Packet Pad2 block, and passed through the WiFi MAC and WiFi PHY Hier blocks to manage the MAC layer frame structure and the PHY layer modulation, respectively, according to the IEEE 802.11p standard [13]. The transmission operates at 5.89 GHz with a bandwidth of 10 MHz compliant with the DSRC protocol. Finally, the processed signal is transmitted via the UHD: USRP Sink (Universal Hardware Driver: Universal Software Radio Peripheral Sink) block, interfacing with the SDR card hardware to convert the digital signal into RF for wireless transmission. Also in this case, the SDR-based setup is designed to allow dynamically adjusting various wireless communication parameters, such as channel selection, transmission power, modulation, and coding schemes.

In the second testbed, called Industrial V2X testbed, the OBU and RSU are commercial MK6 Cohda Wireless OBU and RSU devices, as shown in Figure 4, right side. The industrial testbed is composed of a MK6 Cohda Wireless RSU and OBU and the MK6 SDK software to configure data exchange among them. For compatibility testing with commercial Cohda Wireless devices, we provide a specialized GNU Radio flowgraph (transmitter_108.11p_cohdawireless_replayattack.grc) that enables replay attack implementation specifically optimized for interaction with these industrial-grade V2X systems. These off-the-shelf products support both DSRC and mobile technologies for communication, using DSRC as the default. They include an i.MX8 application processor, DSRC powered by dual NXP RoadLink SAF5400 chipsets, C-V2X with Qualcomm’s SA515 chipset (supporting 3GPP R15 and 5G), and cellular capabilities with 5G NR and fallbacks to 4G/3G/2G.

The Industrial testbed implements comprehensive higher-layer security protections that significantly enhance its resilience against cyber attacks. Specifically, the Cohda Wireless devices employ IEEE 1609.2-based message authentication mechanisms, including digital signatures and certificate validation. The system performs rigorous timestamp validation checks to detect and reject outdated messages, with a configurable validity window typically set to 100–500 milliseconds for safety-critical applications. Additionally, the devices implement plausibility checks that validate message content against realistic physical constraints, such as maximum acceleration values and geographical boundaries.

The OBU transmits Cooperative Awareness Messages (CAM) to send vehicle data (e.g., position and speed), while the RSU broadcasts DENM (e.g., road warnings) and Signal Phase and Timing (SPaT) messages.

3.4. Security Assessment Tests

The security assessment tests performed to validate the proposed tool are based on testing the considered DSRC-based V2X communication testbeds against jamming and replay attacks.

3.4.1. Jamming Attack

The jamming attack strategy is based on generating Gaussian noise with high amplitude to overwhelm the communication channel by simulating strong environmental interference within the target 5.9 GHz frequency band. The mathematical model for the jamming attack can be expressed as follows:

$$P_{jam}\left(t\right)=A·n\left(t\right)·cos(2\pi f_{c}t+\varphi \left(t\right))$$

(1)

where $P_{jam}\left(t\right)$ is the jamming signal power at time t, A is the amplitude scaling factor, $n\left(t\right)$ is the Gaussian noise component with zero mean and variance ${\sigma }^2$, $f_c$ is the center frequency (5.896 GHz), and $\varphi \left(t\right)$ represents the phase modulation component.

The Signal-to-Interference-plus-Noise Ratio (SINR) at the receiver is given by

$$SINR={\displaystyle \frac{P_s}{P_{jam}+P_n}}$$

(2)

where $P_s$ is the legitimate signal power, $P_{jam}$ is the jamming power, and $P_n$ is the background noise power. Successful jamming occurs when $SINR<{\gamma }_{threshold}$, where ${\gamma }_{threshold}$ is the minimum SINR required for successful packet decoding. Figure 7 shows the GNU Radio Companion flow graph (jamming_attack.grc) developed to implement the considered jammer. It is made up of functional blocks that are in charge of noise generation, signal modulation, amplification, and transmission over a specific frequency band. In detail, a high-amplitude Gaussian noise source is at the core of the jammer (Noise Source block) and a cosine waveform is used to introduce modulated interference (Signal Source block). By modulating this waveform (Frequency Mod and Phase Mod blocks), the jammer is able to effectively target and disrupt systems to create a versatile attack vector against different wireless communication protocols. To ensure effective jamming, the signals generated by both the noise source and the modulated signal are amplified by using the Multiply Const block, which ensures that the jamming signal power is sufficient to dominate legitimate signals in the target frequency band. The jammer signal is refined by using a Low Pass Filter block. The low-pass filter is configured with a decimation factor of 1 and a cutoff frequency of 12 MHz, with a transition width of 1k by using a Hamming window. The filter ensures that the transmitted signal remains within the desired bandwidth, focusing the interference on the targeted frequencies while minimizing unnecessary disruption to neighboring channels. The amplified and filtered interference signal is transmitted by the USRP B210 SDR card by using the osmocom Sink block and setting the center frequency of the jammer at 5.896 GHz. The Selector Block is another crucial component of the jammer design because it enables the operator to switch between multiple input signals, such as different modulated waveforms or noise sources, allowing rapid implementations of different jamming techniques. This flexibility is particularly useful in multi-protocol environments, where the jammer may need to switch between targeting systems by using different modulation schemes or frequencies. The QT GUI blocks allow monitoring the target channel. The QT GUI Frequency Sink, QT GUI Waterfall Sink, and QT GUI Time Sink blocks provide real-time visualization of the frequency spectrum, power distribution over time, and time domain representation of the transmitted signal, respectively.

3.4.2. Replay Attack

Replay attacks can exploit vulnerabilities in V2X communication systems by exploiting the lack of robust message authentication and verification processes. The mathematical model for a replay attack can be described as follows:

Let $M\left(t_0\right)$ be a legitimate message transmitted at time $t_0$. The replay attack involves capturing and retransmitting this message at time $t_1>t_0$. The replayed message $M^{\prime }\left(t_1\right)$ can be expressed as

$$M^{\prime }\left(t_1\right)=M\left(t_0\right)·G·e^{j(\omega \Delta t+\varphi )}$$

(3)

where G is the gain factor applied during retransmission, $\omega$ is the angular frequency, $\Delta t=t_1-t_0$ is the time delay between original and replayed transmission, and $\varphi$ is any phase shift introduced during the replay process.

The success probability of a replay attack depends on the temporal validity window $T_{valid}$ and can be modeled as

$$P_{success}=\left\{\begin{array}{cc}1\hfill & \mathrm{if}\Delta t\le T_{valid}\hfill \\ e^{-\lambda \Delta t}\hfill & \mathrm{if}\Delta t>T_{valid}\hfill \end{array}\right.$$

(4)

where $\lambda$ is the decay rate representing the decreasing relevance of outdated messages.

Our replay attack methodology consists of two distinct phases executed with precise timing control. In the capture phase, the SDR-based monitor continuously records IQ samples at 20 MSps using complex64 format, ensuring full bandwidth coverage of the 10 MHz IEEE 802.11p channel. The system maintains sample clock synchronization through GPS disciplined oscillator references to preserve timing accuracy. During the replay phase, captured IQ samples are read from storage and retransmitted with carefully controlled timing intervals ranging from 50 ms to 5000 ms after the original transmission. Frequency and gain alignment are maintained through automatic calibration procedures that compensate for hardware-specific offsets and ensure consistent signal power levels between original and replayed transmissions. A replay attack in V2X systems exploits weak authentication by capturing and retransmitting legitimate messages (e.g., CAM, DENM, IVI, SPaT) at strategic intervals. This injects outdated or false information, causing vehicles or infrastructure to misinterpret traffic conditions, issue false warnings, or perform unsafe maneuvers. Such attacks can disrupt traffic flow, compromise road safety, and undermine the reliability of intelligent transportation systems.

Figure 8 shows the GNU Radio Companion flow graphs developed to implement the two phases of the replay attack: capture_for_replayattack.grc for packet recording and transmitter_replay.grc for packet retransmission. In the recording phase, the SDR card of the Monitor is configured to receive signals at 5.89 GHz. The system samples data at 20 MSps to match the standard’s bandwidth. The captured In-phase and Quadrature (IQ) samples are stored in a file using the File Sink block, making them available for later retransmissions. The QT GUI Frequency Sink block provides a visual representation of the received signal, allowing real-time monitoring. In the transmission phase, the tool reads the previously saved IQ samples from the file and sends them over the air by using the SDR card of the Attacker. Before transmission, the signal is amplified by using a Multiply Const block to enhance its strength.

4. Results

4.1. Jamming Attack

At first, a jamming experiment was conducted on the emulated testbed. Figure 9 shows the Monitor interface of the proposed tool when a jamming attack is ongoing. Looking at the top right window, the flat line indicates a constant signal amplitude, which is characteristic of a continuous jamming signal. The lack of fluctuation suggests that the jammer is transmitting Gaussian noise or a modulated interference waveform, ensuring a steady level of disruption across the communication channel. The bottom right window displays points that are widely scattered across the plot, indicating a severe distortion in the received signal. This scattering is a direct consequence of the interference from the jammer, which scrambles the signal and prevents the receiver from correctly demodulating the transmitted data, in contrast to what was previously shown in Figure 3. The disrupted constellation suggests that legitimate communication signals are overwhelmed by noise or interference, making reliable data transmission impossible and resulting in a complete transmission block. The packet loss ratio, therefore, is $100\%$.

Then, a set of experiments have been done in the Industrial Testbed, by putting the OBU, the RSU, and the jammer at different distances, and with the presence of different obstacles in between. The Industrial testbed demonstrates enhanced resilience to jamming attacks by maintaining operational communications despite interference. The main reason for this improved performance is that Cohda Wireless V2X devices employ sophisticated interference mitigation techniques. Rather than traditional adaptive frequency hopping (which is not part of the IEEE 802.11p standard [13], these devices implement dynamic channel reassignment and interference avoidance mechanisms. When the system detects high interference levels on the current channel, it can rapidly switch to alternative channels within the 5.9 GHz band or adjust transmission parameters to maintain connectivity. Such a feature enhances the system’s resilience to jamming attacks, allowing it to preserve communications. A simple jamming attack leads to a variable packet loss that depends on the speed of the jammer in following the hopping. It is worth noting that, with a very performant responsive jammer, it would be possible to reach a complete packet loss.

On the other hand, the jamming attack was successful on the Emulation testbed, leading to a complete interruption of the received packets. Only implementing the IEEE 802.11p standard [13] protocol, the system lacks the necessary anti-jamming capabilities, making it more susceptible to interference and communication disruption. The receiver sensitivity also plays a crucial role in determining the impact of jamming. The Emulation testbed receiver does not have adequate filtering mechanisms and signal processing capabilities to distinguish between legitimate signals and interference, leading to a total communication block when the jammer is applied. Moreover, the Industrial testbed has more robust interference-avoidance techniques that provide an additional layer of defense, ensuring continuous communication even under jamming conditions. Therefore, the difference in the effectiveness of the jammer in these two systems can be explained by the inherent vulnerabilities of the 802.11p protocol and the interference mitigation strategies employed by the Cohda Wireless devices.

Compared to similar studies in the literature, our results show consistent patterns. For instance, the work by [38,39] demonstrated that basic IEEE 802.11p implementations achieve a 95–100% packet loss under high-power jamming attacks, which aligns with our emulation testbed results. Similarly, the research by Giang, N.T. et al., and karyani et al. [40,41] reported that commercial V2X devices with adaptive frequency hopping maintain 15–25% packet loss under jamming conditions, comparable to our Industrial testbed performance.

4.2. Replay Attack

Figure 10 shows a subset of the packets received from both testbeds, highlighting one of the replayed packets. Notably, the reception time of these packets matches the real-time system synchronization, as shown in the top left part of the figure, and confirms that the system was synchronized with current events. However, the detection time and reference time within the DENM and IVI frames pointed to a past instance. This temporal mismatch confirms that the system was tricked into accepting outdated data as current, posing serious risks to the system’s integrity as it undermines traffic management protocols and threatens vehicle safety by introducing false or outdated information. By injecting such data, attackers can disrupt navigation, decision-making processes, and real-time responses critical for vehicle safety in connected environments. Even if the replayed packets are successfully received in both testbeds, there is a key difference in how the OBU and RSU manage the replayed packets in the two testbeds. In the Industrial testbed, RSU and OBU perform sanity checks on the received messages that determine whether the transmissions are legitimate or should be rejected. The system logs shown in Figure 11 prove that while the RSU receives legitimate packets from the OBU, such as the IVI update message highlighted in green, it also receives the replayed packets, such as the replayed IVI update message highlighted in red. However, while the first message is successfully processed, the second one fails a sanity check, indicating potential data corruption and so leading the system to discard it. A similar behavior is shown in Figure 12. The message highlighted in green displays the OBU’s routine handling of standard DENM received from the RSU, while the message highlighted in red shows a replayed DENM. Also in this case, the first message is successfully processed while the second one fails a timestamp check due to a difference between the current (Now) and expected (Exp) timestamps, preventing the OBU from proceeding with the actions in response to the message reception. This indicates that while lower-layer attacks may succeed in injecting packets, robust security measures at higher layers effectively mitigate the risks associated with such an attack.

On the other hand, the replay attack was successful on the Emulation testbed, where both OBU and RSU were unable to distinguish the replayed packets from the original ones and so proceeded with processing the received replayed packets, considering them as legitimate. Our replay attack results are consistent with findings reported in the recent literature. The study by Soujanya et al. [42] showed that commercial V2X devices with timestamp validation reject 85–90% of replay attacks, which corresponds to our Industrial testbed behavior. In contrast, our Emulation testbed demonstrates that basic SDR-based implementations accept 90–95% of replayed messages, highlighting the vulnerability of systems without comprehensive authentication mechanisms. Our contribution extends these findings by providing detailed analysis of the specific security mechanisms (timestamp checks and sanity checks) that differentiate commercial and research-grade implementations.

5. Conclusions

This paper describes the substantial cybersecurity challenges that DSRC encounter in V2X applications when subjected to cyber attacks. By leveraging the SDR technology, we designed and developed a structured tool to assess the protection level of V2X communication systems by performing cyber attacks and assessing their impact, facilitating an in-depth analysis of the vulnerabilities present in these systems. To validate the proposed tool, we focused on an IEEE 802.11p-based V2X communication scenario testing the impact of jamming and replay attacks on two considered V2X testbeds. Both attacks had a significant impact on one of the testbeds by completely disrupting communications and succeeding in replaying previously captured packets. The impact on the second testbed was instead negligible thanks to the implemented security measurements and checks. This paper shows the vulnerability of the IEEE 802.11p protocol to jamming attacks and emphasizes the need for anti-jamming and anti-replay techniques and secure communication protocols to boost the resilience of V2X networks.

The proposed tool proved to be valuable for evaluating the security of V2X communications and analyzing received messages in detail. In addition, its modular and dynamic structure can allow its use to assess the effectiveness of security protocols not only in vehicular networks but also in other scenarios, such as maritime and aerial communications.

Beyond simple replay attacks, future research could focus on modifying packet data to create falsified messages that appear legitimate or for more sophisticated attacks. By altering the contents of transmitted packets, an attacker could inject misleading information into the network, making it more challenging to detect malicious activity. This approach would help test the resilience of security mechanisms against more sophisticated cyber threats in wireless communication systems.