6240 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO.

7, JULY 2022

A Survey on Cyber-Security of Connected and

Autonomous Vehicles (CAVs)
Xiaoqiang Sun, F. Richard Yu , Fellow, IEEE, and Peng Zhang

Abstract— As the general development trend of the automotive the 2020s and 2030s with the improvements of infrastructure
industry, connected and autonomous vehicles (CAVs) can be and communication technologies. The global CAVs market is
used to increase transportation safety, promote mobility choices, becoming one of biggest markets in the world. It is expected to
reduce user costs, and create new job opportunities. However,
with the increasing level of connectivity and automation, mali- reach $7 trillion by 2050. Furthermore, many big automotive
cious users are able to easily implement different kinds of attacks, manufacturers and high-tech giants are racing against the
which threaten the security of CAVs. Hence, this paper provides a clock to bring practical CAVs to the market. Considering
comprehensive survey on the cyber-security in the environment broad market prospects of CAVs, several ambitious research
of CAVs with the aim of highlighting security problems and programs have been established around the globe. In the near
challenges. Firstly, based on the types of communication networks
and attack objects, it classifies various cyber-security risks future, CAVs may be used widely by the public.
and vulnerabilities in the environment of CAVs into in-vehicle Although CAVs have potential benefits, there are various
network attacks, vehicle to everything network attacks, and other security and privacy challenges [3]. In particular, the security
attacks. Next, it regards cyber-risk as another type of attacks risk is escalating with the increasing level of connectivity
in the environment of CAVs. Then, it describes and analyzes and automation. There exists a risk that an adversary can
up-to-date corresponding defense strategies for securing CAVs.
In addition, it concludes several available cyber-security and control a vehicle or its surrounding devices. For example,
safety standards of CAVs, which is helpful for the practical appli- based on a vulnerability in the vehicle’s entertainment system,
cation of CAVs. Finally, several challenges and open problems Charlie Miller and Chris Valasek demonstrated that they had
are discussed for the future research. hacked into a Jeep Cherokee successfully using a laptop via
Index Terms— Connected and autonomous vehicles, cyber- the Internet in 2015 [4]. Then, they can remotely control
security, attacks, defense strategies, standards. steering wheel, accelerator, air-conditioning, radio, windshield
wipers, and even brakes, which may put the driver’s human
I. I NTRODUCTION life in the risk. Hence, Chrysler had to recall for 1.4 million
vehicles to manually install the patch for this leak. This
B ASED on incorporating many different technologies,
connected and autonomous vehicles (CAVs) [1] have
been envisioned to enhance transportation efficiency, reduce
attack is a watershed for the automotive industry. Before this
attack, many automotive manufacturers argued that it was
accidents, improve safety, offer great mobility service options, impossible to implement remote attacks on the vehicles. In
and alleviate environmental damage [2]. The CAVs paradigm addition, the driver often listens to the downloaded music on
will continue to unfold steadily and progressively throughout the car stereo. However, the downloaded music may include
the malware codes, for example buffer overflow codes, which
Manuscript received 16 June 2020; revised 27 December 2020; accepted can get into the vehicle’s entertainment system and make its
12 February 2021. Date of publication 7 June 2021; date of current
version 8 July 2022. This work was supported in part by the National way into other systems, including those that control the engine
Natural Science Foundation of China under Grant 61802118, in part or brakes.
by the Science and Technology Innovation Projects of Shenzhen under For the widespread deployment of CAVs in intelligent
Grant JCYJ20190809152003992, in part by the China Postdoctoral Science
Foundation under Grant 2019M653042, in part by the Government of transportation systems, the potential cyber-security risks and
Canada’s National Crime Prevention Strategy, and in part by the Natural vulnerabilities need to be addressed. Hence, there is a need
Sciences and Engineering Research Council of Canada (NSERC) Collabo- to research how to defend and mitigate these security issues.
rative Research and Training Experience (CREATE) Program for Building
Trust in Connected and Autonomous Vehicles (TrustCAV). The Associate In this paper, we endeavor to survey the cyber-security in the
Editor for this article was H. L. Vu. (Corresponding author: F. Richard Yu.) environment of CAVs. Eventually, we make following four
Xiaoqiang Sun is with the Guangdong Key Laboratory of Intelligent contributions.
Information Processing, College of Electronics and Information Engineer-
ing, Shenzhen University, Shenzhen 518060, China, and also with the Key • In the environment of CAVs, based on the types of
Laboratory of Optoelectronic Devices and Systems, Ministry of Education communication networks and attack objects, we classify
and Guangdong Province, College of Physics and Optoelectronic Engineering, the existing cyber-security risks and vulnerabilities
Shenzhen University, Shenzhen 518060, China (e-mail: [email protected]).
F. Richard Yu is with the School of Information Technology, Carleton into in-vehicle network attacks, vehicle to every-
University, Ottawa, ON K1S 5B6, Canada (e-mail: [email protected]). thing network attacks, and other attacks. Because the
Peng Zhang is with the Guangdong Key Laboratory of Intelligent Infor- research of cyber-risk is helpful for ranking potential
mation Processing, College of Electronics and Information Engineering,
Shenzhen University, Shenzhen 518060, China (e-mail: [email protected]). risks and forecasting future vulnerabilities, we regard
Digital Object Identifier 10.1109/TITS.2021.3085297 cyber-risk as another type of attacks in the environment
1558-0016 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6241

Fig. 2. The status of the papers related to the cyber-security in CAVs based
on the countries.

Fig. 1. The status of the papers related to the cyber-security in CAVs based
on the research directions.

of CAVs, which is different from the previous

work.
• In order to resist and mitigate potential cyber-security
risks and vulnerabilities, we analyze the corresponding
defense solutions, which are helpful for securing CAVs.
• Most of the research of CAVs remains at the theoretical
level. In order to realize the leap from theory to appli- Fig. 3. The status of the papers related to the cyber-security in CAVs based
on the publication years.
cation, we conclude existing cyber-security and safety
standards in the environment of CAVs. There are several surveys [5]–[13] related to the
• We present several challenges and open problems that can cyber-security of CAVs. But, most of them focused on the par-
be considered as future research directions. tial cyber-security risks and vulnerabilities in the environment
The remainder of this paper is organized as follows. of CAVs. As shown in Table I, the attacks in the environment
In Section II, we provide a status of the papers related to of CAVs were classified in [5]–[11], [13]. Defense strategies
the cyber-security in the environment of CAVs. In Section III, for potential attacks were pointed in [5]–[9], [11]–[13]. How-
we present an overview of CAVs. Existing cyber-security risks ever, the impacts of the potential attacks were only discussed in
and vulnerabilities are surveyed and classified in Section IV. [7]–[9], [12]–[14]. The features of potential attacks were only
In addition, the cyber-risk assessment in the environment discussed in [8], [9]. Unfortunately, other attacks, which are
of CAVs is summarized. Then, up-to-date corresponding important cyber-security attacks in the environment of CAVs,
defense strategies are presented in Section V. Section VI are not mentioned in the above surveys. In addition, the above
describes several related security and safety standards for surveys do not summarize the cyber-risk, which is vital for
CAVs. In Section VII, we present challenges and open prob- CAVs. Furthermore, cyber-security and safety standards can
lems. Finally, we conclude this paper in Section VIII. subsequently be used to motivate a roadmap for addressing the
potential cyber-risks and vulnerabilities in the environment of
CAVs. They should be discussed in the above surveys. There is
II. R ELATED W ORK an absence of a survey, which can utilise available literature to
Scholars over the world have carried out the research on identify other important attacks, cyber-risk, and cyber-security
the cyber-security in the environment of CAVs. By using and safety standards in the environment of CAVs.
the statistics related to the cyber-security in the environment
of CAVs from January 1, 2013 to November 30, 2020 on III. A N OVERVIEW OF C ONNECTED AND
Web of Science,1 we have drawn Figs. 1, 2, and 3 based AUTONOMOUS V EHICLES
on the research directions, countries, and publication years In this section, we describe wireless access technologies,
respectively. As can be seen from Fig. 1, most of papers framework of CAVs, and vehicles automation, which are
focused on the aspects of computer science, engineering, shown as follows.
telecommunications, and transportation for the cyber-security
in the environment of CAVs. From Fig. 2, it can be observed A. Wireless Access Technologies
that USA, UK, and China are the top three countries that
Nowadays, there exist lots of usable wireless access
contribute to the papers related to the cyber-security in the technologies, which can be used for vehicle-to-vehicle and
environment of CAVs. We can observe from Fig. 3 that there vehicle-to-infrastructure communications. In the environment
is an increasing number of papers related to the cyber-security of CAVs, common wireless access technologies include dedi-
in the environment of CAVs since 2013. cated short range communications, cellular networks, WLAN,
1 https://apps.webofknowledge.com/UA_GeneralSearch_input.do?product= worldwide interoperability for microwave access (WiMAX),
UA&search_mode=GeneralSearch&SID=7AXLTD1C7ABZjZg6YU3& Bluetooth, and satellite communication, which are described
preferencesSaved= as follows.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6242 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

TABLE I
C OMPARISON OF E XISTING S URVEY A RTICLES

•IEEE 802.11p media access control layer protocol:

According to the type of traffic, this protocol adopts the
enhanced distributed channel access with the quality of
service management.
• IEEE 1609.0 protocol: This protocol defines the structure
of IEEE 1609 standards family.
• IEEE 1609.1 protocol: This protocol specifies data flows,
Fig. 4. The 75 MHz spectrum of dedicated short range communications.
data resources, fundamental components, device types
which are supported by on board unit (OBU), command
messages, and storage formats.
• IEEE 1609.2 protocol: This protocol depicts the security
and privacy of the vehicle.
• IEEE 1609.3 protocol: This protocol describes routing
service, addressing service, WAVE short messages, and
management information base.
Fig. 5. The protocol stack of dedicated short range communications. • IEEE 1609.4 protocol [16]: This protocol defines wireless
multi-channel radio operations, which are relied on the
1) Dedicated Short Range Communications: Most vehicular IEEE 802.11p protocol.
communications are based on dedicated short range communi- • IEEE 1609.11 protocol: This protocol is utilized to sup-
cations (DSRC) [15]. It is particularly designed for achieving port electronic payment formats.
low latency and high reliability in vehicle-to-vehicle (V2V) 2) 4G/5G Cellular Networks: In 4G cellular networks [17],
and vehicle-to-infrastructure (V2I) communications. they can provide service of mobile ultra-broadband internet
In different countries and regions, spectrums and standards access. Users have the access to various networks without
are different. In this paper, we only focus on those that changing one network to another network manually. In order
are adopted in North America. DSRC is initially allocated to realize the fast transmission in some specified regions,
75 megahertz (MHz) of spectrum at 5.9 gigahertz (GHz) there exist some available technologies, which include long
band by United States Federal Communication Commission term evolution-advanced mobile communication systems and
in 1999. As shown in Fig. 4, the spectrum is divided into microcell base stations. As supported by internet protocol
one control channel and six service channels. The volume of version 6, its data transmission speed can be one gigabit
every channel is 10 MHz. The channel number begins from per second in the communication with low mobility. In addi-
172 to 184. The control channel is the channel 178, which tion, the transmission cost per bit of multimedia service is
can be used specially for secure communications. In addition, low. Due to users’ various requirements, the service should be
channels of 172 and 184 are retained for some secure appli- more differentiated. Users can enjoy the benefits of different
cations. Other service channels can be used for secure and kinds of services simultaneously.
non-secure applications. The range of DSRC is at most one In 2018, the organization of third generation partnership
kilometre (km). The data rate of DSRC is up to 27 megabits project defined 5G cellular networks [18], which are the exten-
per second (Mbps) for the 10 MHz channel. For the 20 MHz sions of 4G cellular networks. In 5G cellular networks, a large
combined channel, its maximum data rate is 54 Mbps. amount of multi-input multi-output antennas are integrated
As shown in Fig. 5, DSRC protocol stack mainly consists into base stations. For wireless transmission, the technique of
of the IEEE 802.11p family, which is called wireless access millimeter wave communication is used to offer the bandwidth,
in vehicular environments (WAVE) and IEEE 1609 family. which frequency is hundreds of MHz. There are several
Detailed protocols are listed and described as follows. advantages in 5G cellular networks. The main advantage
• IEEE 802.11p physical layer protocol: In this protocol, is that its data transmission rate can be up to 10 gigabits
each channel is 10 MHz. It is based on orthogonal per second, which is 100 times faster than that of 4G cellular
frequency division multiplexing. The alternate frequency networks. Another advantage is that its network latency is less
between control channel and service channel is 10 Hz. than one millisecond, which is less than that of 4G cellular

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6243

networks. Above 4G/5G cellular networks are helpful for the

construction of CAVs.
3) WLAN: WLAN [19] is a wireless communication tech-
nology, which can provide a link to the wider internet by
access points with high flexibility. In WLAN, the coverage of
each access point is about 100 meters. The range of a WLAN
can easily be extended by adding one or more repeaters.
WLAN is not limited by the number of physical ports on the
router. Therefore, it can support dozens or even hundreds of
devices. The data transmission rate of WLAN is tens of million
bits per second. However, WLAN is naturally not secure. Any
wireless device can attempt to connect to a WLAN, so it is
important to authenticate its access to the network by using Fig. 6. The framework of connected and autonomous vehicles.
the WiFi protected access or other techniques.
4) WiMAX: WiMAX [20] is a wireless broadband commu- include a random access memory for storing and retrieving
nication technology, which is designed based on the IEEE data. OBU can provide services, including wireless radio
802.16 standard. In WiMAX, the coverage range of wireless access, ad hoc and geographic routing, regulation of network
broadband access is at most 50 km for fixed stations. For congestion, dependable message transmission, data safety, and
mobile stations, the coverage range of wireless broadband internet protocol mobility.
access is between 5 km and 15 km. The frequency of WiMAX 2) Application Unit: Application unit is usually embedded
is between 2 GHz and 66 GHz. It can offer the wireless in a vehicle. It can be a special device, which is used for
broadband access for two fixed mobile networks. some secure applications. It can also be a general device, for
5) Bluetooth: Bluetooth is a widely used standard for short example, personal digital assistant. Application unit can com-
range communications. It was first invented by Ericsson for municate with the network only by the road side unit, which
replacing RS-232 cable connections. Bluetooth works con- is in charge of the whole mobility and network functions. The
ventionally between 2402 MHz and 2480 MHz. The proper communication between the application unit and road side unit
operating range for Bluetooth is 10 meters. It can extend up to is based on a wired or wireless channel. It may co-exist with
100 meters at the price of higher complexity or lower quality the road side unit in a physical cell.
of service. However, there are some security challenges in 3) Road Side Unit: As a wave device, the road side unit is
Bluetooth. For example, the pairing pin can be eavesdropped often equipped along two sides of the road or in some special
in Bluetooth. places, such as road junctions and neighbouring parking lots.
6) Satellite Communication: Satellite communication [21] On the one hand, it can be used to expand the communication
can transmit and magnify telecommunication signals. It can scope of CAVs by redistributing messages to other on-board
establish communication channels between signal senders and units and transmitting messages to other road side units. On the
receivers, which are distributed at different places on earth. other hand, it can be used in some secure applications, for
In satellite communication, the data rate of downlink is at example, early warning of traffic accidents or low bridges.
most 1000 gigabits per second. And the maximum data rate Furthermore, it also can be used to connect the internet.
of uplink is 1000 mbps. Its coverage range is between 100 km 4) Sensor: Common sensors include ultrasonic sensor,
and 6000 km. In the environment of CAVs, satellite commu- radar, and lidar, which are described as follows.
nication is usually connected with 4G/5G cellular network, The ultrasonic sensor uses high-frequency sound waves to
WLAN, etc. It may result in some major security issues. For measure the vehicle distance. The sensor head first releases
example, the broadcast nature of satellite communication is sound waves, which frequencies are usually 50 kHz. Then,
a security threat. In addition, satellite messages are prone it listens for reflected sound waves from the target vehicle.
to burst errors. Hence, the security patch needs to be robust If it receives the reflected sound waves, the distance can
enough for coping with burst errors. be computed by using the transmission time between the
ultrasonic sensor and target vehicle.
Radar is a sensor, which consists of a transmitter, a transmit-
B. Framework ting antenna, a receiving antenna, a receiver, and a processor.
As shown in the framework of CAVs (Fig. 6), existing The radar is usually set around the vehicle. In the process
entities include OBU, application unit, road side unit (RSU), of detecting the target vehicle, the transmitter first generates
and sensors. They are described as follows. electromagnetic waves in the domain of radio or microwaves.
1) On-Board Unit: Based on the IEEE 802.11p radio pro- Next, they are emitted and spread in all directions. Then, they
tocol [22], OBU is used to exchange messages with road reflect off the target vehicle and return to the receiver. Finally,
side units or other OBUs. It is often equipped in a vehicle. according to the received electromagnetic waves, the processor
In an OBU, there exists a resource command processor, a user analyzes the range, angle, position, and velocity of the target
interface, a special interface that can be used to communicate vehicle.
with other OBUs, and a network facility that can be used for In the lidar, in order to compute the distance of the target
short distance wireless communication and resources, which vehicle, its brightness is measured by the pulsed laser light.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6244 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

Fig. 7. The potential attack surfaces in connected and autonomous vehicles.

In addition, the reflected pulses are measured for the creation IV. C YBER -ATTACKS IN C ONNECTED AND
of the 3D area map. Lidar is helpful for the detection of the AUTONOMOUS V EHICLES
boundaries of roads and identification of lane markings by In the environment of CAVs, we classify existing
using active pulses of light around the vehicle. cyber-attacks into in-vehicle network attacks, vehicle to every-
C. Vehicles Automation thing network (V2X) attacks, and other attacks. In addition,
we summarize the cyber-security risks and vulnerabilities in
The concept of autonomous vehicle is visualized and
the environment of CAVs. As shown in Fig 7, we first identify
innovated by science fiction writers firstly. Then, Houdina
the attack surfaces of the vehicle for the implementation of
Radio Control Company created the first autonomous vehicle
these cyber-attacks. Attack surfaces of a system are the sum
American Wonder in 1925. Since then, vehicle manufac-
of different attack points, where the adversary can try to inject
tures, high-tech companies, and researchers began to study
or extract data from the system for compromising the vehicle
autonomous vehicle. Up to now, autonomous vehicle has
security. For example, remote sensor attacks can be imple-
arrived at Level 4, which means that the vehicle can perform
mented by using the compromised radar, which is considered
all the driving functions under some certain conditions, even
as an attack surface. Then, these attacks are summarized
sometimes the driver does not reply to a request.
in Table II, which is described as follows.
In vehicles automation [23], necessary components include
sensors, global positioning system (GPS), and camera, which
are described as follows. A. In-Vehicle Network Attacks
GPS can provide an accurate location-based service which Existing in-vehicle network attacks include remote sensor
ranges from centimeter to meter. The navigation and localiza- attacks, GPS spoofing attacks, location trailing attacks, close
tion of vehicles can be achieved by GPS and predefined road proximity vulnerabilities, controller area network (CAN) and
maps. There exist some factors, which may affect the quality society of automotive engineers (SAE) J1939 buses vulnerabil-
of the received GPS signal. For example, the wideband radio ities, electronic control units (ECUs) software flashing attacks,
frequency interference can reduce the effective GPS signal to and integrated business services attacks, which are described
noise ratio. Namely, the received GPS signal is attenuated. as follows.
There are various approaches, including the advanced antenna 1) Remote Sensor Attacks: In the environment of CAVs,
design and signal processing techniques, such as beam steer- one of the central challenges is that various electrical com-
ing, null forming, and adjusting radio frequency front-end ponents, which include ultrasonic radar, lidar, camera, and
gains, which can be used for GPS receivers to enhance the other sensors, are connected by an in-vehicle network. Each
ability of tracking weak, attenuated, or corrupted GPS signals. type of sensor has its own strength and weakness in terms
The images, which are collected by the camera, include a of range, detection capabilities, and reliability. Furthermore,
large array of the values of individual pixels. The collected external entities can establish the connection with sensors by
images are used to detect real-time obstacle, check lane depar- existed wireless access technologies. Hence, compared with
ture, and track roadway information. In addition, in order to the environment of autonomous vehicles, the adversary in
understand low-level images, they are converted into high-level CAVs is easier to gain access to a vulnerable and peripheral
images by using computer vision algorithms, which consist of sensor. Then, the adversary will be able to take control of the
segmentation, classification, and 3D reconstruction. sensor and implement remote sensor attacks.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6245

TABLE II
S UMMARY OF VARIOUS ATTACKS IN CAVs

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6246 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

attack the vehicle’s engine control units. However, the driver

does not aware of the attack. In addition, many secure
Bluetooth protocols have been designed by cryptographic
algorithms. However, due to the inefficiency of these secure
protocols, most of commercial solutions are not implemented
by them. Furthermore, these secure protocols cannot prevent
the implementation of malicious code by memory exploitation.
Fortunately, they can be used to prevent the implementation
of open source tools, which are used for the analyzation of
packets in the public domain.
a) Tire Pressure Monitoring System: TPMS communi-
cations are usually relied on standard modulation schemes
and simple protocols. Because these protocols do not rely on
Fig. 8. The model of GPS spoofing attacks.
cryptographic mechanisms, TPMS communications may be
reverse-engineered. In addition, spoofing attacks and battery
drain attacks [26] may cause TPMS to malfunction. TPMS
2) GPS Spoofing Attacks: CAVs rely heavily on GPS, which messages can be received correctly up to 10 meters from the
provides location and time information. It is the basis of vehicle with a cheap antenna and up to 40 meters by a basic
many key processes, such as pseudonym certificates, basic low noise amplifier. This means the adversary can overhear
safety messages, and timestamps in messages. Truthfulness or spoof transmissions from a nearby vehicle. Every in-tire
and accuracy are critical for CAVs. In GPS spoofing attacks sensor module includes a 32-bit fixed identifier [27] in each
[24], the adversary manipulates the received GPS signal arbi- message. The length of the identifier field renders the identities
trarily in the attacked area. It provides fake information to of the tire sensor module sufficiently unique to track vehicles
receivers. In addition, the adversary broadcasts the fake GPS in a low-cost way.
signal, which signal strength is higher than the true GPS b) Key Fob and Keyless Entry: In order to entry the
signal. Hence, GPS receivers ignore the true GPS signal. These vehicle, there are two ways, namely key fob entry and keyless
attacks usually happen in the physical layer. car entry. The adversary may block the signals of the key fob
As shown in the model of GPS spoofing attacks (Fig. 8), the when the driver attempts to lock his vehicle by using a number
adversary is easy to interfere or replace the low-powered GPS of different devices, including garage door openers and house
signal by its stronger fake signal. Thereby, the adversary can light controllers/dimmers. Once these devices are hidden in
provide any fake time or location to the vehicle in the attacked bushes and activated for long periods of time, the signals of
range. Then, the vehicle drifts out the desired trajectory. the key fob will be blocked in the whole areas of car parks or
3) Location Trailing Attacks: In location trailing attacks, streets.
the adversary can obtain drivers’ private information through The adversary cannot block the signal for a vehicle with
locating and tracking their vehicles. With the help of loca- the keyless entry. However, this unchanging signal can be
tion information, the adversary can discover behaviors and captured and replicated to gain access to a vehicle. And the
activities of vehicles, even obtain the profile of the driver and alarm and immobilizer can be disabled for allowing thieves to
match to personal privacy in the real world. These attacks may start and steal vehicles. For example, it has been reported that
damage to the transportation-based cyber-physical systems, for the adversary can build an inexpensive and small electronic
example, the increasing number of congested roads. device, which can be concealed on or near a locked vehicle.
In order to protect the privacy, messages are anonymously This device can capture a single keyless entry code for
transmitted. In addition, pseudonyms are changed frequently. unlocking the vehicle at a later time. It transmits a jamming
However, it has been proved that a single pseudonym is not signal to block the vehicle’s reception of rolling code signals
sufficient to resist location trailing attacks [25]. Specifically, from the owner’s fob, while recording these signals from both
pseudonymous position samples can be collected and com- of his two attempts which are needed to unlock the vehicle.
bined into pseudonymous location profiles. Then, an adversary In addition, some alarms and immobilizers are relied on very
can easily relate them to specific vehicles. For example, weak secret keys. They can be cracked in just a few minutes
profiles, which include the same starting/ending location on by using a laptop.
weekday mornings, may reveal home and work addresses. 5) CAN and SAE J1939 Buses Vulnerabilities: Automotive
4) Close Proximity Vulnerabilities: Close proximity vulner- buses include CAN and SAE J1939 buses, which have follow-
abilities are exposed by the short-range communication mech- ing vulnerabilities.
anisms. These vulnerabilities may happen by coincidence. The main problem of CAN bus is the lack of authentication
They can be executed by Bluetooth, tire pressure monitoring and encryption [28]. The lack of authentication means that
system (TPMS), or keyless entry and ignition systems. any unauthorized nodes can join the network and participate
Bluetooth: It has been proved that the Bluetooth control in the communication. The unauthorized nodes can listen to
code contains a potential memory exploit, which allows the any messages in the CAN bus. Because these messages are not
execution of code from any paired Bluetooth device. A com- encrypted, the adversary can sniff the CAN bus and illegally
promised device, which has been paired with a vehicle, may collect the driver’s personal information, including mobile

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6247

phone, location, and address book. In addition, the adversary B. Vehicle to Everything Network Attacks
can insert the unauthorized CAN frame to the network.
CAN bus is also vulnerable to the DoS attacks [29]. In CAN Vehicle to everything network enables data exchange among
bus, the arbitration mechanism allows the node with the a connected vehicle, other vehicles and the infrastructure of
higher priority to speak first. If a malicious node that has CAVs. The adversary exploits this type of communication
the highest priority is active all the time, the other nodes to expose network access points. Communicating channels
cannot communicate with each other. In addition, DoS attacks between a vehicle and external devices, for example smart-
will misuse the error confinement mechanism. If the adversary phones, are established through WiFi, Bluetooth, and global
generates an error during the communication, it will increase system for mobile communication protocols. Once the vehicles
the error counters and eventually cause the elimination of the are connected by the communicating channels, they are vul-
node. nerable to the network attacks, which are described as follows.
Because SAE J1939 bus is designed based on the CAN 1) DoS Attacks: DoS attacks [36] happen when the adver-
bus, it inherits all the specific vulnerabilities of CAN bus. sary blocks the whole communication channel with inter-
One important vulnerability is a consequence of the arbitration ference signals. The adversary inserts useless messages or
mechanism [30] that allows to implement DoS attacks by creates some issues on the network nodes. Hence, authentic
continuously transmitting the frames with the identifier field users cannot access network services. Correct messages cannot
set to the value that is as low as possible. In addition, in SAE reach their destinations. DoS attacks can cause delay and
J1939 bus, when a message is sent to a specific destination in interfere the receiver’s response. In the environment of CAVs,
the connection mode, the connection can be broken by both some delay may affect the driving security of the vehicle.
the sender and the receiver. The adversary can interrupt the Even one second can cause or avoid an accident. In addition,
connection by sending an abort message, which is directed to the request for response time is comparatively high [37]. DoS
either the sender or the receiver. attacks are dangerous and fatal for CAVs.
6) ECUs Software Flashing Attacks: ECUs are the embed- 2) Impersonation Attacks: Every vehicle has an unique
ded systems, which can control gear shift, servosteering, identification, which can help to recognize the vehicle and
ignition system, electronic window lift, climate controls, etc. the messages. Impersonation attacks [38] are implemented
In addition, ECUs are reprogrammable, which is helpful for by using another identity or a fake identity. There are two
correcting bugs and integrating new functionalities without kinds of impersonation attacks, namely node impersonation
replacing ECUs. ECU software flashing includes the develop- attacks and sybil attacks. In the node impersonation attacks,
ment, delivery, and installation of software. However, possible a single identity is spoofed at a time. Different identities
attacks on ECU software flashing [31] include reverse engi- are spoofed simultaneously in the sybil attacks. In addition,
neering, code modification, fuzzing attacks [32], and phlashing the sybil adversary can carry out several malicious operations,
attacks [33]. Reverse engineering may disclose information. such as sending fake messages, spreading modified received
Code modification may corrupt information and degrade hard- messages, and dropping critical messages.
ware performance. Fuzzing attacks can find vulnerabilities 3) Replay Attacks: In replay attacks [39], the adversary
in the embedded systems. Phlashing attacks can trick a basically records and retransmits early valid packets at a later
remote device into allowing you to flash its firmware. Hence, time. It often occurs in the network or transport layer. It may
the machine can never be rebooted. It must be pulled out and confuse the authorities, mislead the entire traffic, or even
replaced. Phlashing attacks may use unpatched vulnerabilities damage the transportation safety. In order to impersonate a
in the embedded systems to gain access. legitimate vehicle or RSU, replay attacks usually happen in
7) Integrated Business Services Attacks: In many vehicles, some authorization and key agreement protocols.
the embedded systems can be connected with the back-end 4) Routing Attacks: Routing attacks exploit the draw-
network of the manufacturers. Then, the driver can use back and vulnerability of routing protocols. In these attacks,
the services that are provided by the manufacturers, such the adversary can disturb the normal routing process or drop
as remote telediagnosis, entertainment, and remote software passing packets. Routing attacks include black hole attacks
update. However, there exist several attacks in the integrated [40], grey hole attacks [41], and wormhole attacks [42]. Black
business services, namely gaining the client-level access to the hole attacks can be launched by a single compromised node or
business platform in the vehicle, gaining access to the vehicle some cooperative nodes. In the grey hole attacks, the adversary
system, and gaining access to the user data. drops packets in a selective manner. In addition, it can switch
The adversary can gain the client-level access to the busi- from correct behaviors to the behaviors that are performed as
ness platform by launching phish attacks [34] or using mali- if by a black hole. Due to its occasional correct behaviors,
cious codes. In addition, the adversary can use the client-level grey hole attacks are difficult to be detected. In the wormhole
access to implement another attack, which can obtain the attacks, there are at least two cooperative nodes, which can
system-level access to the business platform. If the adversary form a private high speed tunnel. The adversary captures
can run the arbitrary software on the business platform in packets at a location. Then, they are tunneled to another
the vehicle, he will control the embedded system and may location.
gain access to the other vehicle systems. The user may have 5) Data Falsification Attacks: For guaranteeing road safety
personal data risk [35], which is related to a third-party and avoiding accidents, one essential requirement of vehicular
application, for example online banking. communication is truthfulness. The fake information will

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6248 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

mislead receivers’ reaction and result in fatalities. In the data system. The authors argued that many vehicles were locked
falsification attacks [43], the adversary can send or broad- in a specific area for a long time. The advanced density-based
cast false information and safety alerts. Message tampering, attacks can achieve better performance with fewer compro-
suppression, fabrication, and alteration may produce the fake mised vehicles to disrupt the whole network.
message. For example, Jie et al. [44] pointed that data falsifica- In the environment of CAVs, the vehicle is connected to
tion attacks can effectively disrupt route guidance mechanisms, the infrastructure, it can send a signal phase and timing
cause significant traffic congestion, increase traveling time, message to the vehicle for knowing the status of the light and
and result in the imbalanced usage of transportation resources when it is going to change. If the adversary takes control of
in transportation-based cyber-physical systems. the infrastructure, false messages will be sent to the vehicle
6) Eavesdropping Attacks: Eavesdropping attacks [45] are for threatening its security. Furthermore, CAVs applications
implemented by overhearing the wireless medium. These require interactions with the cloud server. Cloud service will
attacks are also known as stealth attacks. In these attacks, introduce cyber-security concerns, including data theft, cyber
the adversary monitors the traffic of network and the par- attacks, compliance with data protection, and privacy regula-
ticular victim’s current positions and activities silently. Then, tions. For example, cloud service will add some vulnerabilities
the adversary can gather private information of CAVs. The to the infrastructure of CAVs [48]. The adversary can use the
difficulty of detecting these attacks is that the victim is not vulnerability, which is related to message transfer, to cut off
conscious of it. There is no direct impact in the network. the communication in the infrastructure of CAVs.
7) Password and Key Attacks: Password and key attacks are Hence, more detailed reference architectures and threat
quite complicated to be performed. They usually need some models should be used to analyze cloud in depth. Juliadotter
special hardwares and softwares. These attacks are possible to and Choo [49] pointed that the top level of the cloud attack tax-
be executed for some financial reasons. In password and key onomy is comprised of five dimensions. Alhebaishi et al. [50]
attacks [7], the mechanism is tested by different values until conducted comprehensive threat modeling exercises based
it can be compromised. Finally, the password or key may be on two representative cloud infrastructures by using several
cracked. These attacks can be classified into three categories, popular threat modeling methods, including attack surfaces,
namely dictionary attacks, rainbow table attacks, and brute attack trees, attack graphs, security metrics based on attack
force attacks. In the dictionary attacks, the adversary uses trees, and attack graphs, respectively.
a list of words to crack the password repeatedly. Other two 2) Slight Attacks: Ye et al. [51] first proposed the concept
kinds of attacks are similar with dictionary attacks. However, of slight attacks for CAVs. In these attacks, the communicated
in the rainbow table attacks, the adversary uses a list of data are randomly deviated from the actual ones. In addition,
precomputed hashes, which are computed from all the possible deviations do not exceed the threshold. If the error between
passwords and the given algorithm. The brute force attacks expected and measured behaviors exceeds a predetermined
can identify non-dictionary words by working through all the threshold, a security scheme will be activated. In this case,
alpha-numeric combinations. the predetermined security mechanism may be useless. Even
slight attacks may cause hazardous conditions and result in
serious safety problems for all the vehicles in a CAVs fleet.
C. Other Attacks The authors pointed that when CAVs are under slight attacks,
Other attacks include infrastructure attacks, slight attacks, it is more dangerous if communicated positions are attacked
and attacks on machine learning systems, which are described than speeds. It is possible that a situation with more vehicles
as follows. under attack at a low severity may be more dangerous than
1) Infrastructure Attacks: CAVs are likely to require the that with fewer vehicles but under attack at a high severity.
development of new transportation infrastructure. In addition, 3) Attacks on Machine Learning Systems: In the environ-
vehicle manufacturers should cope with the resulting com- ment of CAVs, machine learning systems can be used for some
patibility issues between the infrastructure and autonomous security-sensitive tasks, including security monitoring and
vehicles. In the infrastructure of CAVs, existed entities include vulnerability detection. However, machine learning systems
road side unit, on board unit, cloud server, intelligent traffic have limitations [52], and may be attacked in the phases of data
light and signal, traffic camera, traffic management center, etc. collection, training, and prediction. There are some attacks on
It is worthy to consider the interactions among these entities the machine learning systems, including data poisoning attacks
for studying the attack surface of autonomous vehicles. In [46], [53], attacks on the learning algorithm and its libs [54], escape
it has been pointed that there exist multiple connections among attacks [55], model steal attacks [56], and model inference
autonomous vehicles and the infrastructure in the environment attacks [57].
of CAVs. Then, there are many entry points, which can be In data poisoning attacks, the adversary can modify the
exploited for the adversary. These connections can increase original training data or insert some malicious data, which will
the risk of intrusion. Because an issue in a vehicle can involve affect the decision of the machine learning algorithm. In the
accidents with other vehicles that are communicating with attacks on the learning algorithm and its libs, the adversary
this vehicle, it will also increase the risk that a coding bug can modify the training algorithm and leak the user’s private
can cause widespread damage. Based on the compromised information without affecting the accuracy and generalization
traffic lights and on board units, Liu et al. [47] simulated of the machine learning model. The main idea of escape
several attacks on the vehicle traffic in the smart transportation attacks is to craft inputs that will be misclassified by a machine

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6249

learning model. In the model steal attacks, the adversary can Modulated Continuous Wave radar. In [65], the sensor fusion
obtain the internal parameters of the machine learning model, technique, which intelligently combines data from various
some pre-knowledge of training data, or a machine learning sensors to improve performance, is used to defend lidar
model that is very close to the targeted model. Based on the spoofing attacks. The influence of remote sensor attacks can
combination of the output result and black-box access, model be reduced by modifying the internal sensing structure of the
inference attacks can extract some private information about lidar.
the training data. 2) Against GPS Spoofing Attacks: In order to defend GPS
spoofing attacks, there exist several strategies, including bias
estimation range check [67], velocities consistency check
D. Cyber-Risk
[68], statistical test [69], least absolute shrinkage and selec-
Cyber-risk is defined as the risk of financial loss, disruption tion operator [70], and global navigation satellite system
or damage to the reputation of an organization from some sort augmentation [71].
of failure of its information technology systems [58]. Due In [67], bias estimation range check and the backtracking
to persistent digital innovations, intensifying global connec- mechanism are used for the detection and mitigation of GPS
tivity, and increasing sophistication of hackers, cyber-risk is spoofing attacks. Based on the consistency check of velocities,
actually dynamic. Because of the fast pace of technological Tao et al. [68] proposed an efficient GPS spoofing detection
innovations, potential risk exposure, and the lack of historical mechanism, which does not need any other aids. In [69], a sta-
claims data, cyber-risk becomes a complex phenomenon for tistical test strategy is used to defend GPS spoofing attacks.
CAVs. Hence, a comprehensive cyber-risk analysis and assess- Based on the least absolute shrinkage and selection operator,
ment method should be designed to discover, understand, and Schmidt et al. [70] proposed a detection and classification
address any vulnerability in each component [59]. In addition, mechanism for single antenna receivers. Based on the global
Sheehan et al. [60] pointed that traditional risk assessment navigation satellite system augmentation, Jeong et al. [71]
techniques are not effective. Maple et al. [61] found that proposed a GPS spoofing detection method, which has the
existing approaches are either too simple for sufficiently advantage that it can be used for a receiver directly.
detailed modelling or require too many details to be specified 3) Against Location Trailing Attacks: In order to defend
for analyzing the attack surface of CAVs. location trailing attacks, there are several methods, including
k-anonymity [72], mix-zone [73], software defined networks
V. D EFENSE S TRATEGIES [74], location perturbation [75], and perturbation-hidden [76].
In this section, in order to resist above cyber-security risks In [72], the k-anonymity technique is used to obfuscate
and vulnerabilities in the environment of CAVs, we analyze the user’s physical locations, which can enhance the user’s
corresponding defense strategies. These strategies are summa- location privacy and can also enjoy the accurate location
rized in Table III, which is described as follows. services. Zhou and Zhang [73] proposed a mix-zone frame-
work for protecting the actual locations of mobile users.
Boualouache et al. [74] proposed a cost-efficient vehicular
A. Against In-Vehicle Network Attacks location privacy zones placement method, which is based
In order to defend in-vehicle network attacks, based on the on the concept of software defined networks. In order to
types of these attacks, there are following strategies. protect the location privacy of location-based services in
1) Against Remote Sensor Attacks: In order to defend vehicular networks, Luo et al. [75] designed an improved
remote sensor attacks, there are several efficient solutions, location perturbation mechanism. A new privacy definition,
including authentication [62], [63], consistency check [62], namely perturbation-hidden, is proposed [76] to provide a
sensor fusion [64], [65], and spatio-temporal challenge- stricter privacy guarantee for location-based services than
response [66]. geo-indistinguishability [118].
In order to improve the security of ultrasonic sensors, 4) Against Close Proximity Vulnerabilities: In order to
Xu et al. [62] proposed two defense strategies, namely single defend close proximity vulnerabilities, there are several avail-
sensor-based physical shift authentication which is used for able strategies, including encryption and cryptographic check-
verifying signals on the physical level, and multiple sen- sum, which are described as follows.
sor consistency check that multiple sensors are employed a) Bluetooth: Several secure Bluetooth protocols have
to verify signals on the system level. In order to defend been developed by cryptographic techniques. However, most
sensor spoofing attacks, Matsumura et al. [63] proposed a of commercial products do not adopt these secure protocols,
solution that authentication fingerprint is superimposed onto which have adverse effects on the usability. These secure
light wave itself. In order to counter sensor interference [116], protocols use the cryptographic algorithm to establish trust.
sensor fusion and backup cameras [64] are used to verify They will defend the attack of using some open source tools,
the legality and precision of ultrasonic sensor measurements. for example, Bluesniff [119]. Unfortunately, they do not take
Kapoor et al. [66] used the technique of spatio-temporal measures to prevent the execution of malicious nodes by
challenge-response to detect and stop sensor spoofing attacks memory exploitation.
by verifying physical signals in the analog domain. In 2019, b) Tire Pressure Monitoring System: There are several
Miura et al. [117] used random-chirp modulation to defend a methods that can improve the dependability and security
low-cost distance-spoofing attack on a mmWave Frequency of TPMS. Firstly, the software that runs on TPMS should

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6250 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

TABLE III
S UMMARY OF D EFENSE S TRATEGIES IN CAVs

obey basic reliable design principles [120]. Secondly, TPMS c) Key Fob and Keyless Entry: Once the key fob has been
packets should be encrypted by a light-weight cryptographic activated, the driver needs to ensure the lights have flashed,
algorithm. In addition, an extra sequence number field should which indicates the vehicle has received the signal. Then,
be added to the packet for insuring the freshness of the packet. the driver checks whether the vehicle is locked by lifting a
Furthermore, in order to prevent message forgery, an extra door handle. In premium Audi RS4 vehicles, if the adversary
cryptographic checksum should be added prior to the Cyclic gains the physical access to vehicles, it is able to add a new
Redundancy Check checksum. key into the system [121]. Although this is a premeditated

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6251

sophisticated attack, Audi has dismissed any liability. Scholars is helpful for tracking the software version that has been
from University of Birmingham [122] developed techniques installed, installation time, and who installed the software.
of cracking mechanisms, which can be used for keyless entry. Then, the adversary is difficult to implement malicious soft-
However, they were prevented from publishing their research ware flashing.
result by united kingdom government. 7) Against Integrated Business Services Attacks: In order to
5) Against Can and SAE J1939 Buses Vulnerabilities: defend integrated business services attacks, there exist several
In order to defend the vulnerabilities in the CAN and SAE strategies, including content filtering [82], data separation and
J1939 buses, there are some solutions, including network trusted path, and software or hardware virtualization [83].
segmentation, encryption [77], and authentication [78], [79]. Based on the usage of a program, content filtering can block
The network segmentation is an easy way to provide secu- the access to some items, which may be harmful if they are
rity for the CAN bus. Then, critical and non-critical ECUs are opened or accessed. It can be used to defend malicious codes
separated. The adversary cannot access critical ECUs easily. and phish attacks. Data separation provides a boundary among
The connection between networks is based on a gateway applications. Then, the implementation of malicious codes is
ECU. However, the gateway ECU may be manipulated. If the limited to a single domain. Data separation involves either high
gateway ECU is programmed to transmit related identities reliability software development or machine virtualization. The
to the subnetwork, it can be fooled by passing a malicious security level is based on the quality of data separation. The
CAN frame with an identity of a node that belongs to the trusted path should be implemented in a manner, which is
subnetwork. Besides, the network segmentation may increase outside of the applications control. Software or hardware vir-
the difficulty of maintenance. tualization is an useful tool for maintaining secure separation.
There are various software-based encryption mechanisms, Software virtualization’s reliability level is less than that of
for example, Trillium [77]. However, some mechanisms are hardware virtualization. However, software virtualization may
not secure. Because ECUs do not have the strong computa- be subjected to safety risks and performance degradation. One
tional capability, software-based encryption mechanism may benefit of software virtualization is that it does not need a
cause latency. It will not be acceptable for the safety-critical special hardware.
vehicle. In addition, it may be restricted by the limited band-
width. Software-based encryption mechanism may be suitable B. Against Vehicle to Everything Network Attacks
for a limited CAN traffic. In order to defend vehicle to everything network attacks,
Some scholars have studied on authentication mechanisms. based on the types of these attacks, there are following
Based on an ordered Cypher-based Message Authentication strategies.
Code buffer, Groza et al. [78] authenticated the identifiers of 1) Against DoS Attacks: DoS attacks are difficult to be
CAN frames and checked whether the sender is a legal node corrected even though they can be detected. Early detection
while remaining unchanged arbitration on the bus. In order to will be helpful to thwart the attacks or alert the driver to take
mitigate the weaknesses in the existing frame-level authenti- some efficient measures. To resist DoS attacks, there are some
cation mechanism, Palaniswamy et al. [79] proposed a new strategies, including sliding mode and adaptive estimation
protocol suite, which provides the security of session key. [84], bandwidth and entropy [85], and similarity of sliding
In order to defend the shortcomings in the SAE J1939 bus, windows [86].
Murvay and Groza [30] proposed an authentication scheme A real-time mechanism [84], which includes a set of
and evaluated its effects by using the CAN with flexible observers that are designed by the usage of sliding mode
data-rate frames to transmit the additional authentication data. and adaptive estimation theory, can be used to detect the
There are some available intrusion detection methods. occurrence of DoS attacks, and estimate the effect of these
Desta et al. [123] proposed an intrusion detection system for attacks on the connected vehicle system. Inspired by the
CAN bus by analyzing arbitration identity sequences. Based on port-hopping mechanism, Jie et al. [126] designed a simple but
the usage of a trained Long Short Term Memory, this system effective defense mechanism, which has the advantage that the
can predict an arbitration identity, which will appear in the detection and filtering out of malicious packets can be imple-
future by reviewing the last twenty packet arbitration identities. mented without any change in the existing protocol. Based on
Olufowobi et al. [124] proposed a specification-based intrusion the usage of bandwidth and entropy, Kumar and Mann [85]
detection system by the usage of anomaly-based supervised proposed an algorithm for the detection of DoS attacks in
learning with the input of the real-time model. vehicular networks. Then, the authors proposed a packet detec-
6) Against ECUs Software Flashing Attacks: In order tion algorithm that can be used for preventing DoS attacks.
to defend ECUs software flashing attacks, there are some Based on the similarity of sliding windows, an improved DoS
strategies, including encryption [80], authentication [81], and attacks detection strategy [86] is designed to detect each type
integrity check. of DoS attacks.
Reverse engineering may destroy the confidentiality of ECU 2) Against Impersonation Attacks: In order to defend imper-
data, ECU data should be encrypted [80]. Therefore, the adver- sonation attacks, there are some available strategies, includ-
sary cannot read them. Authentication [81] can identify the ing secure transmission [87], [88], integrity verification [89],
origin of the software correctly. Integrity [125] is important authentication [90], [91], and secure key agreement [92].
for preventing software modification by unauthorized users. Limbasiya and Das [87] designed a secure geo-data trans-
Hence, every ECU should check the integrity. Nonrepudiation mission mechanism for vehicular ad-hoc network, in which

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6252 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

vehicles can transmit data with the higher probability. This data filtering [44], reputation threshold [101], and information
mechanism is protected against impersonation attacks. In [89], sharing [102].
the proposed hash-based integrity verification mechanism can Boeira et al. [100] studied that how a location detection
defend impersonation attacks effectively in vehicular cloud mechanism can be used to alleviate the location falsification
computing. Li et al. [90] proposed a certificate-less condi- attacks before it can result in a crash among an array of
tional privacy-preserving authentication protocol, which sup- coordinating vehicles. Based on the usage of dynamic time
ports both privacy and security requirements in the internet window, Shukla and Sengupta [43] proposed an anomaly
of vehicles system. It has been proved that this protocol is detection strategy. In [44], the forged data filtering mechanism,
secure against impersonation attacks. Park et al. [92] designed in which the falsified traffic state data can be removed during
a dynamic secure and lightweight key agreement protocol data transmission in vehicular networks, is used to mitigate
for vehicle-to-grid in social Internet of Things. Limbasiya’s the data falsification attacks. Based on the obtained reputation
secure V2V data transfer protocol [88] uses a one-way hash threshold, a novel cooperative spectrum sensing mechanism
function to transmit valuable data at the receiver side quickly. [101] is designed to be robust against the data falsification
Sutrala et al. [91] designed a novel conditional secure authen- attacks under the imperfect common control channel. In
tication mechanism by using Elliptic Curve Cryptography in order to improve the reliability and support the detection
the internet of vehicles. of anomalous behaviors, Alotibi and Abdelhakim [102]
3) Against Replay Attacks: In order to thwart replay attacks, applied the information sharing technique in the cooperative
available strategies include noisy control signal method and adaptive cruise control model, which allows vehicles and fixed
cross correlator [93], reset controller [94], and techniques of infrastructure to obtain and share information about platoon
timestamping and XOR encoding [95]. leaders.
Based on the usage of noisy control signal method and 6) Against Eavesdropping Attacks: In order to pre-
cross correlator, Merco et al. [93] used a decentralized diag- vent the eavesdropping attacks, there are some strate-
nosis algorithm to detect the replay attacks for a cooperative gies, including anonymization [103], resource management
adaptive cruise control connected vehicles system. In order [104], trust-based recommendation [105], and scheduling
to defend replay attacks in the unmanned aerial vehicles, mechanism.
Sànchez’s [127] frequency-based detection mechanism utilizes In order to defend the eavesdropping attacks on the vehicles’
a sine wave with the time-varying frequency as the authentica- queries, a fog server with the fog anonymizer [103] is used to
tion signal. In order to preserve the oscillation damping ability anonymize the messages from the fog node. In order to defend
and improve the speed tracking ability of a connected car the eavesdropping attacks on vehicular users’ computation
under a replay attack, combined with a robust reset controller, offloading over radio frequency channels, based on the
Xu et al. [94] proposed a dynamic output-feedback robust con- measurement of the physical layer security, Wu et al. [104]
troller. In Oza’s alternative threshold-based detection method researched the resource management that has secrecy provi-
[128], the detector observes the occupancy sensor data over sioning. Li et al. [130] designed a Nash equilibrium method of
time. Greene et al. [95] proposed an improved remote keyless the game under the imperfect channel estimation for maximiz-
entry system by using timestamping and XOR encoding. This ing the efficiency of the transmitter and suppressing the eaves-
system can countermeasure the replay attacks. dropping attacks from the unmanned aerial vehicle. To ensure
4) Against Routing Attacks: In order to defend the routing real-time data transmission and security in a vehicular cyber
attacks, there are some strategies, including ant colony opti- physical systems network, a new trust-based recommendation
mization [96], swarm algorithms of artificial intelligence [97], mechanism [105] is proposed to defend the eavesdropping
variable control chart [98], and trust calculation [99]. attacks.
Based on the ant colony optimization method, Panda and 7) Against Password and Key Attacks: In order to defend
Kumar Pattanayak [96] proposed a multi-path intelligent password and key attacks, there are some available solutions,
routing protocol, which can find an optimal path from the including secure cryptographic mechanisms and multifactor
sender to the receiver along with the increasing lifetime of authentication [106].
the network. Based on the usage of swarm algorithms of One solution is relied on the secure cryptographic mech-
artificial intelligence, Krundyshev’s new method [97] is used anisms, such as keys with large sizes, secure algorithms,
for providing security for vehicular ad hoc networks and other and secure passwords. Although some cryptographic algo-
kinds of networks that are related to transportation. In order rithms are secure now, they may be cracked easily by the
to defend the routing attacks in CAVs, Hassan et al. [129] powerful computational ability in the future. Instead of rely-
proposed an intelligent detection scheme. Based on a vari- ing on the secure cryptographic mechanisms, another solu-
able control chart, a new detection mechanism [98] is tion is the multifactor authentication, which puts different
designed for vehicular ad hoc networks. Bhawsar et al. [99] layers of identity security on every account. Multifactor
proposed a mechanism by using the ad hoc on-demand authentication monitors diverse factors, including time of
distance vector routing protocol that is relied on trust access request and geolocation. In addition, it can incor-
calculation. porate biometric authentication and hard tokens. Multifactor
5) Against Data Falsification Attacks: For the detection of authentication can mitigate the effectiveness of password
data falsification attacks, there are various strategies, including and key attacks. It may not prevent all password and key
location detection [100], dynamic time window [43], forged attacks.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6253

C. Against Other Attacks Hunt et al. [131] used a system, which is called Chiron,
to conceal the training data from the service operator. The
In order to defend other attacks, based on the types of these passive defense or active defense strategy can be used to
attacks, there are following strategies. defend the escape attacks. The passive defense strategy is
1) Against Infrastructure Attacks: In order to defend to detect the adversarial example after the construction of
the infrastructure attacks, there are several efficient strate- the machine learning system. The active defense strategy is
gies, including cyber-security architecture [107], secure to construct a robust machine learning system before the
aggregation [108], software defined security [109], and generation of the adversarial example. In order to defend the
authentication [110]. model steal attacks, one method is to restrict the model user
In [48], the cloud-based method is used to detect that only has the black-box access. The user who provides the
and mitigate cyber-attacks in the infrastructure of CAVs. training data can inquiry the model and obtain the prediction
Islam et al. [107] designed a new vehicle-to-infrastructure result. In order to defend the model inference attacks, available
cyber-security architecture, which can detect and prevent techniques include homomorphic encryption [112] and differ-
cyber-attacks on the vehicle-to-infrastructure applications. ential privacy [113]. Homomorphic encryption can guarantee
However, there are some key challenges of designing this that data are encrypted in the training phase. Based on the
architectures, such as scalability, resiliency, and future usabil- usage of differential privacy, the machine learning algorithm
ity. In [108], a light-weight and secure aggregation protocol is carefully adds noise to protect the security of data.
designed for the fog computing-based vehicle-to-infrastructure
communication. By using the proposed protocol, the road side
unit can securely obtain the data that are collected by the D. Cyber-Risk Assessment
vehicles. In order to provide sufficient levels of protection for In order to assess cyber-risk in the environment of CAVs,
the infrastructure of CAVs, software defined security [109] can there are several efficient solutions, including vulnerabili-
be used by abstracting security mechanisms from the hardware ties assessment [114], dynamic risk management [115], and
layer to a software layer. Based on the bilinear map, Ali and cyber-attacks classification [60].
Li [110] designed an efficient and secure identity-based con- An available mechanism, which can be used for assessing
ditional authentication signature mechanism for the vehicle- the vulnerabilities in the environment of CAVs, is called
to-infrastructure communication. common vulnerability scoring system (CVSS) [114]. In 2011,
2) Against Slight Attacks: In order to resist slight attacks, CVSS version 2.0 is regarded as an international standard
Li et al. [51] focused on the influence of slight attacks for assessing vulnerabilities by International Telecommuni-
on the longitudinal safety of CAVs. More specifically, the cations Union. The U.S. National Institute of Standards and
authors considered the communicated position and speed data Technology provided National Vulnerability Database (NVD),
from preceding CAVs. An empirical model is first utilized which includes a large repository of known vulnerabilities.
to describe dynamics of CAVs. Then, a rear-end collision In [115], a profile-driven approach is proposed to manage
risk index is introduced to establish the relation between internet of things data in the context of CAVs by a dynamic
longitudinal safety and vehicles’ dynamic data. Parameters risk management framework. Unlike the current inflexible
are also investigated via sensitivity analysis. Furthermore, the risk assessment strategies, this framework encourages more
authors pointed that slight attacks on communicated position flexible investigation of risks by different risk profiles. Based
have more serious effects on longitudinal safety than on speed. on a Bayesian network model, Sheehan et al. [60] designed
The defenses may focus on how to detect the imprecise a proactive cyber-attacks classification method for CAVs by
position data. Although vehicle equipped sensors can also incorporating existed software vulnerabilities, which are con-
detect preceding vehicles’ position, the time delay of current tained within NVD, into model building and testing phases.
sensors is much larger than that of wireless communication. Maple et al. [61] proposed a reference architecture by using
The defense scheme should be considered over the whole a hybrid functional-communication viewpoint for cyber-risk
CAV fleet instead of on individuals. A coordinated defending surface analysis of CAVs.
method, which regards all vehicles, is more robust than iso-
lated defenses. The defending scheme should not be the same VI. C YBER -S ECURITY AND S AFETY
in the whole driving period. It is evident that the deceleration S TANDARDS OF CAV S
period has more risks. Hence, more rigorous schemes should Except for the above defense strategies, several
be utilized in this period. A multi-period defending method is cyber-security and safety standards have been designed
more suitable in that case. for CAVs, including International Organization for
3) Against Attacks on Machine Learning Systems: In order Standardization (ISO) 26262 [132]–[134], SAE J3061
to defend attacks on machine learning systems, there are [135], and British Standards Institute’s standard [136], which
several efficient solutions, including data sanitization [111], are described as follows.
algorithm robustness improvement, homomorphic encryption
[112], and differential privacy [113].
Data poisoning attacks can be resisted by using the data A. ISO 26262
sanitization technique [111] or improving the robustness of the ISO 26262 is derived from International Electrotechnical
machine learning algorithm against malicious training data. Commission 61508, which is used for electrical safety-related

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6254 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

systems. This standard provides a safety lifecycle in the phases appropriately and clearly throughout the organization. Aware-
of management, development, production, operation, service, ness and training is embedded into a “culture of security” for
and decommissioning. In addition, it supports tailoring neces- ensuring individuals’ understanding of their role and respon-
sary activities in these phases. It includes ten parts, including sibility in security of CAVs. All aspects of security (physical,
vocabulary, management of functional safety, product develop- personnel, and cyber) should be integrated into the product and
ment, supporting processes, automotive safety integrity level service development process. Secondly, security risk assess-
(ASIL), etc. ASIL is determined by severity classification, ment and management procedures should be in place within
exposure classification, and controllability classification. It can the organization. Appropriate processes for identification, cat-
quantify the severity of an injury, probability of occurrence, egorization, prioritization, and treatment of security risks,
and controllability of the situation. To assess ASIL, available including those from cyber, should be developed. Thirdly,
techniques contain hazard analysis, risk assessment, fault tree incident response plans are in place. Organizations plan for
analysis, failure mode, and effects analysis. how to respond to potential compromise of safety critical
In 2018, ISO 26262 was revised by adding rules for assets, non-safety critical assets, and system malfunctions.
trucks, buses, trailers, semitrailers, and motorcycles [137]. It also should be considered that how to return affected systems
In addition, the revised standard includes the guidance on to a safe and secure state. An active program should be able
model-based development, software safety analysis, dependent to identify critical vulnerabilities. Appropriate systems can
failure analysis, semiconductors, fault tolerance, safety-related mitigate them in a proportionate manner. Organizations should
special features, and software tools. Furthermore, the revised ensure their systems are able to support data forensics and the
standard also contains extended vocabulary, detailed objec- recovery of forensically robust and uniquely identifiable data.
tives, objective-orientated confirmation measures, information In this standard, principles of secure system design include
on managing safety anomalies, references to cyber-security, five aspects, which are shown as follows.
updated values for hardware architecture metrics, and methods • The organizations, which include sub-contractor, suppli-
of evaluating hardware elements. ers, and potential third parties, should work together to
enhance the security of the system. They must be able
to provide assurance, such as independent validation or
B. SAE J3061 certification, of their security processes and products.
Based on ISO 26262, SAE J3061 identifies the growing In addition, they jointly plan for how systems will safely
threat landscape. This standard establishes the terminology of and securely interact with external devices, connections
threat, vulnerability, and risk, which provides an overview and (including the ecosystem), services (including mainte-
distinction between system safety and system cyber-security. nance), operations, or control centers. This may include
In addition, it presents some general guiding cyber-security agreeing standards and data requirements.
principles, which are applicable to any organization within • The security of the system does not rely on single
a company. As with system safety, cyber-security must be points of failure. The security architecture uses defence-
built into features. Hence, it requires an appropriate lifecycle in-depth and segmented techniques to mitigate risks
process from concept phase through production, operation, with complementary controls, such as monitoring, alert-
service, and decommissioning. Furthermore, it provides infor- ing, segregation, reducing attack surfaces (such as open
mation on some common existing tools and methods for internet ports), trust layers, and other security proto-
designing, verifying, and validating cyber-physical vehicle cols. In addition, remote and back-end systems (for
systems. Then, the foundation is presented for further stan- example, cloud server), which might provide access
dards development activities in vehicle cyber-security. Last to a system, have appropriate levels of protection and
but not the least, appendices provide additional information monitoring mechanism for preventing the unauthorized
which may be helpful for improving cyber-security of feature access.
designs. • The security of all software should be managed through-
In SAE J3061, for maintaining consistency between safety out its lifetime. Organizations should adopt secure coding
and cyber-security, there are some suggestions, which include practices to manage risks from known and unknown
building appropriate checkpoints into the product lifecycle of vulnerabilities in the software proportionately. It must be
both processes, using a risk analysis method to address threats, possible to ascertain the status of all software, firmware,
and identifying various paths between safety and cyber- and their configuration, including the version, revision,
security. In addition, it points out that a cyber-security-critical and configuration data of all software components. The
system may be not safety-critical. software should be updated safely and securely. If the
software becomes corrupt, it should be returned to a
known good state. In addition, the software should adopt
C. British Standards Institute’s Standard open design practices.
In 2018, British Standards Institute published a new cyber • Data must be sufficiently secure and can be controlled in
security standard [136]. In this standard, principles of system storage and transmission. Only the intended recipient or
security include three aspects, which are shown as follows. system functions can receive and access them. Incoming
Firstly, personal accountability is held at the board level communications are considered unsecure before valida-
for product and system security. In addition, it is delegated tion. Users are able to delete sensitive data, for example

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6255

personal identifiable data. Furthermore, personally iden- under development, related security attacks may start after
tifiable data must be managed appropriately. a couple of years. The good news is that being-developed
• The system should be able to resist receiving corrupt, 5G security features are well defined and heavily rely on
invalid or malicious data and commands by its exter- authentication and encryption. Nonetheless, its effectiveness
nal and internal interfaces, while remaining available needs to be tested thoroughly before and after CAVs are
for primary use. If safety-critical functions are compro- deployed in the field. In addition, security protocols may need
mised or ceased to work, systems are still resilient and to be updated later.
fail-safe. The mechanism is proportionate to the risk.
If non-safety critical functions fail, the system should E. Testing Standard
respond appropriately. For the cyber-security of vehicle systems, they are tested
strictly before they are used by consumers. However, there
VII. C HALLENGES AND O PEN P ROBLEMS is no unified standard for testing. In addition, manufacturers
In this section, we describe some important and challenging usually choose their own testers. Although there exist some
problems. In addition, we outline several possible research guidelines for testing, they need to be revised for various
directions. complicated situations. Furthermore, testing can only find
some easy vulnerabilities in vehicle systems. An adversary
A. Dynamic Risks may intrude vehicle systems by trying all the possible methods.
As a moving system, the environment of CAVs is changing F. Data Collection and Storage
frequently. As shown in Section V-D, extensive research has
been carried out on cyber-risk assessment of CAVs. However, Based on collected data from vehicles, judicial agencies and
there is little study which can efficiently tackle dynamic risks law enforcers can investigate evidences and guilty parties for
that CAVs are facing with. Besides, given that cyber-risk some traffic accidents. For the effectiveness of investigation,
assessment has the advantage of updating and viewing the data should be collected in a pattern, which can form the intact
risks from different angles, it is interesting to explore that evidence-chain. Then, data should be stored in a format, which
whether it can be used to predict the unknown threats in the can be accessed securely and independently.
future. G. Zero-Knowledge Proof
B. Lightweight Security Model In order to hide trade contents and transaction relationships,
it is interesting to use zero-knowledge proof for the verification
Because the road entities in the V2X communication of vehicle data. However, zero-knowledge proof confronts with
have various capabilities and resources, the security model the issue of inefficient performance. For example, the execu-
should always consider the efficient use of devices’ resources. tion time of the prover algorithm is excessively long. Hence,
An example is the power consumption, because they were some efforts are needed for exploring efficient implementation
implemented on vehicles which have a long life battery, all cur- of zero-knowledge proof in the environment of CAVs.
rent security models did not consider the power consumption
as a challenge. However, in V2X communication, some road
entities, such as mobile phones, have a limited battery. There- H. Blockchain
fore, it is an essential task to achieve the trade-off between As a research hotspot, blockchain can guarantee that trans-
devices’ resources and security level in the environment of action data are impossible to be tampered, forged, or discarded
CAVs. As a result, a lightweight security model is necessary by the adversary. Hence, in the environment of CAVs, the pri-
for V2X communication. vacy of vehicle data can be protected by using the blockchain
technique. However, most blockchains cannot support a large
amount of users. In addition, there is no available standard
C. Trust Levels
for the seamless communication among various blockchains.
In the environment of CAVs, if any single trusted com- Furthermore, the consensus mechanism requires tremendous
ponent exists, single point of failure will manipulate the computation power, which will affect the operating efficiency
whole security of the system. Defenders should put redundant of the system.
security resources in different components to cross-check each
other. However, when attackers manipulate more than one I. Spectrum Sharing
component, they may also be able to compromise the cross-
check. Therefore, it is necessary to design proper trust levels US Department of Transportation used the spectrum sharing
in each component. When there are inconsistencies between method [138] in the 5.9 GHz DSRC band. In this method,
them, designed trust-levels will decide which components are before operating the equipment in that spectrum, an operator
in favour for making security decisions. does not need a license, which can avoid the expensive and
time consuming licensing process. Available spectrum sharing
mechanisms include the detect & vacate mechanism and detect
D. 5G Cellular Based V2X Security & mitigate mechanism [139], which are proposed by the WiFi
The security of 5G cellular based V2X (C-V2X) is another industry in the European Telecommunications Standards Insti-
important research area. Since 5G C-V2X products are still tute. However, these mechanisms are both vulnerable to the

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6256 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

delayed detection problem. That is to say, a WiFi device can [4] A. Greenberg, “Hackers remotely kill a jeep on the highway,” Wired,
usually detect the existence of DSRC transmissions only if it 2015.
[5] S. Boumiza and R. Braham, “Intrusion threats and security solutions
itself is not transmitting, which may affect the communications for autonomous vehicle networks,” in Proc. IEEE/ACS 14th Int. Conf.
among vehicles. Although the detection performance can be Comput. Syst. Appl. (AICCSA), Oct. 2017, pp. 120–127.
improved by adding extra idle periods, due to the unilateral [6] K. Mawonde, B. Isong, F. Lugayizi, and A. M. Abu-Mahfouz, “A sur-
vey on vehicle security systems: Approaches and technologies,” in
hidden terminal problem, the detect & mitigate mechanism can Proc. 44th Annu. Conf. IEEE Ind. Electron. Soc. (IECON), Oct. 2018,
cause up to 30% additional packet loss to DSRC transmissions pp. 4633–4638.
after detecting the existence of DSRC devices, which can [7] S. Parkinson, P. Ward, K. Wilson, and J. Miller, “Cyber threats facing
further decrease the effectiveness of safety applications that autonomous and connected vehicles: Future challenges,” IEEE Trans.
Intell. Transp. Syst., vol. 18, no. 11, pp. 2898–2915, Nov. 2017.
are relied on V2V communications. [8] K. B. Kelarestaghi, M. Foruhandeh, K. Heaslip, and R. Gerdes,
“Survey on vehicular ad hoc networks and its access technologies
security vulnerabilities and countermeasures,” 2019, arXiv:1903.01541.
VIII. C ONCLUSION [Online]. Available: http://arxiv.org/abs/1903.01541
[9] M. S. Sheikh and J. Liang, “A comprehensive survey on VANET
CAVs are helpful to reduce traffic accidents, enhance security services in traffic management system,” Wireless Commun.
quality-of-life, and promote the efficiency of transportation Mobile Comput., vol. 2019, pp. 1–23, Sep. 2019.
systems. However, there are various security and privacy [10] F. Sommer, J. Dürrwang, and R. Kriesten, “Survey and classification
challenges in the environment of CAVs. Hence, this paper has of automotive security attacks,” Information, vol. 10, no. 4, p. 148,
Apr. 2019.
investigated related up-to-date literatures. Based on the types [11] S. Jadhav and D. Kshirsagar, “A survey on security in automotive
of communication networks and attack objects, this paper has networks,” in Proc. 4th Int. Conf. Comput. Commun. Control Automat.
firstly classified various cyber-security risks and vulnerabilities (ICCUBEA), Aug. 2018, pp. 1–6.
[12] T. Yoshizawa and B. Preneel, “Survey of security aspect of V2X
in the environment of CAVs into in-vehicle network attacks, standards and related issues,” in Proc. IEEE Conf. Standards Commun.
vehicle to everything network attacks, and other attacks. Next, Netw. (CSCN), Oct. 2019, pp. 1–6.
it has regarded cyber-risk as another type of attacks in the [13] A. Masood, D. S. Lakew, and S. Cho, “Security and privacy challenges
in connected vehicular cloud computing,” IEEE Commun. Surveys
environment of CAVs. Then, it has described corresponding Tuts., vol. 22, no. 4, pp. 2725–2764, Jul. 2020.
defending strategies to secure CAVs. Finally, several related [14] Y. An, F. R. Yu, J. Li, J. Chen, and V. C. M. Leung, “Edge intelligence
cyber-security and safety standards have been summarized (EI)-enabled HTTP anomaly detection framework for the Internet of
for improving the practical application of CAVs. In addition, Things (IoT),” IEEE Internet Things J., vol. 8, no. 5, pp. 3554–3566,
Mar. 2021.
several challenges and open problems have been presented. [15] X. Zhao, S. Jing, F. Hui, R. Liu, and A. J. Khattak, “DSRC-based rear-
Classified potential cyber-security attacks and summarized end collision warning system—An error-component safety distance
corresponding countermeasures are helpful for the healthy model and field test,” Transp. Res. C, Emerg. Technol., vol. 107,
pp. 92–104, Oct. 2019.
development of CAVs and speeding up its practical [16] M. Alaa, M. A. Abdala, and A. Al-Sherbaz, “Evaluation study of IEEE
deployment for intelligent transportation systems. Specifically, 1609.4 performance for safety and non-safety messages dissemination,”
based on the lessons from the study of these cyber-security Int. J. Enhanced Res. Sci. Technol. Eng., vol. 3, no. 11, pp. 29–36,
2014.
attacks, it may be useful for policymakers, engineers and [17] R. S. Campos, “Evolution of positioning techniques in cellular net-
researchers to cope with unknown security threats of CAVs works, from 2G to 4G,” Wireless Commun. Mobile Comput., vol. 2017,
in the future. In addition, they can obey the important design pp. 1–17, Jan. 2017.
principles in the cyber-security and safety standards of CAVs. [18] R. Li et al., “Intelligent 5G: When cellular networks meet artificial
intelligence,” IEEE Wireless Commun., vol. 24, no. 5, pp. 175–183,
Besides, the policymakers and system operators can analyze Oct. 2017.
the attacks and vulnerabilities in the environment of CAVs [19] J. Deng, J. Li, L. Zhao, and L. Guo, “A dual-band inverted-F MIMO
by using a comprehensive cyber-risk assessment strategy, antenna with enhanced isolation for WLAN applications,” IEEE Anten-
nas Wireless Propag. Lett., vol. 16, pp. 2270–2273, 2017.
which is helpful for understanding and prioritizing strategies [20] N. Rajan and R. Shah, “QoS analysis over WiMAX network with
to mitigate the security risk. In summary, the research on the varying modulation schemes and efficiency modes,” Int. J. Comput.
cyber-security of CAVs is quite broad and many challenges Appl., vol. 162, no. 8, pp. 9–16, Mar. 2017.
lay ahead. Nevertheless, it is in favor of the community to [21] Z. Luo, Z. Pei, and B. Zou, “Directional polarization modula-
tion for secure dual-polarized satellite communication,” in Proc.
swiftly address these challenges and go forward. We hope Int. Conf. Commun., Inf. Syst. Comput. Eng. (CISCE), Jul. 2019,
that our discussion and exploration here may open a new pp. 270–275.
avenue for the cyber-security of CAVs. [22] J. Heinovski, F. Klingler, F. Dressler, and C. Sommer, “A simulative
analysis of the performance of IEEE 802.11p and ARIB STD-T109,”
Comput. Commun., vol. 122, pp. 84–92, Jun. 2018.
R EFERENCES [23] C. W. Axelrod, “Autonomous vehicles meet inhospitable roadways,” in
Proc. IEEE Long Island Syst., Appl. Technol. Conf. (LISAT), May 2019,
[1] Y. Fu, F. R. Yu, C. Li, T. H. Luan, and Y. Zhang, “Vehicular blockchain- pp. 1–6.
based collective learning for connected and autonomous vehicles,” [24] J. Nunez, V. Tran, and A. Katangur, “Protecting the unmanned aerial
IEEE Wireless Commun., vol. 27, no. 2, pp. 197–203, Apr. 2020. vehicle from cyberattacks,” in Proc. Int. Conf. Secur. Manage., 2019,
[2] X. Jiang, F. R. Yu, T. Song, and V. C. M. Leung, “Intelligent pp. 154–157.
resource allocation for video analytics in blockchain-enabled Internet [25] Z. Li, Q. Pei, I. Markwood, Y. Liu, M. Pan, and H. Li, “Location
of autonomous vehicles with edge computing,” IEEE Internet Things privacy violation via GPS-agnostic smart phone car tracking,” IEEE
J., early access, Sep. 24, 2020, doi: 10.1109/JIOT.2020.3026354. Trans. Veh. Technol., vol. 67, no. 6, pp. 5042–5053, Jun. 2018.
[3] A. Nanda, D. Puthal, J. J. P. C. Rodrigues, and S. A. Kozlov, “Internet [26] Q. Kang, X. Huang, Y. Li, Z. Xie, Y. Liu, and M. Zhou,
of autonomous vehicles communications security: Overview, issues, “Energy-efficient wireless transmissions for battery-less vehicle tire
and directions,” IEEE Wireless Commun., vol. 26, no. 4, pp. 60–65, pressure monitoring system,” IEEE Access, vol. 6, pp. 7687–7699,
Aug. 2019. 2018.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6257

[27] K. T. Sterne, J. M. Ernst, D. K. Kilcoyne, A. J. Michaels, and [50] N. Alhebaishi, L. Wang, S. Jajodia, and A. Singhal, “Threat modeling
G. Moy, “Tire pressure monitoring system sensor radio frequency for cloud data center infrastructures,” in Proc. Int. Symp. Found. Pract.
measurements for privacy concerns,” Transp. Res. Rec., J. Transp. Res. Secur., 2017, pp. 302–319.
Board, vol. 2643, no. 1, pp. 34–44, Jan. 2017. [51] Y. Li, Y. Tu, Q. Fan, C. Dong, and W. Wang, “Influence of cyber-
[28] M. Bozdal, M. Samie, and I. Jennions, “A survey on CAN bus pro- attacks on longitudinal safety of connected and automated vehicles,”
tocol: Attacks, challenges, and potential solutions,” in Proc. Int. Conf. Accident Anal. Prevention, vol. 121, pp. 148–156, Dec. 2018.
Comput., Electron. Commun. Eng. (iCCECE), Aug. 2018, pp. 201–205. [52] F. R. Yu, “From information networking to intelligence networking:
[29] A. Palanca, E. Evenchick, F. Maggi, and S. Zanero, “A stealth, Motivations, scenarios, and challenges,” IEEE Netw., 2021.
selective, link-layer denial-of-service attack against automotive net- [53] N. Baracaldo, B. Chen, H. Ludwig, A. Safavi, and R. Zhang, “Detecting
works,” in Proc. Int. Conf. Detection Intrusions Malware, Vulnerability poisoning attacks on machine learning in IoT environments,” in Proc.
Assessment, 2017, pp. 185–206. IEEE Int. Congr. Internet Things (ICIOT), Jul. 2018, pp. 57–64.
[30] P.-S. Murvay and B. Groza, “Security shortcomings and countermea- [54] N. Papernot, M. Abadi, L. Erlingsson, I. Goodfellow, and K. Talwar,
sures for the SAE J1939 commercial vehicle bus protocol,” IEEE Trans. “Semi-supervised knowledge transfer for deep learning from private
Veh. Technol., vol. 67, no. 5, pp. 4325–4339, May 2018. training data,” in Proc. Int. Conf. Learn. Represent., 2017, pp. 1–16.
[31] R. R. Brooks, S. Sander, J. Deng, and J. Taiber, “Automobile secu- [55] F. Tramèr, A. Kurakin, N. Papernot, I. Goodfellow, D. Boneh, and
rity concerns,” IEEE Veh. Technol. Mag., vol. 4, no. 2, pp. 52–64, P. McDaniel, “Ensemble adversarial training: Attacks and defenses,”
Jun. 2009. in Proc. Int. Conf. Learn. Represent., 2018, pp. 1–22.
[32] D. R. Jeong, K. Kim, B. Shivakumar, B. Lee, and I. Shin, “Razzer: [56] M. Juuti, S. Szyller, S. Marchal, and N. Asokan, “PRADA: Protecting
Finding kernel race bugs through fuzzing,” in Proc. IEEE Symp. Secur. against DNN model stealing attacks,” in Proc. IEEE Eur. Symp. Secur.
Privacy (SP), May 2019, pp. 754–768. Privacy (EuroS&P), Jun. 2019, pp. 512–527.
[33] K. J. Higgins. (2009). Permanent Denial-of-Service Attack [57] S. Truex, L. Liu, M. E. Gursoy, L. Yu, and W. Wei, “Demystifying
Sabotages Hardware. [Online]. Available: https://www.darkreading. membership inference attacks in machine learning as a service,”
com/permanent-denial-of-service-attack-sabotages-hardware/d/d- IEEE Trans. Services Comput., early access, Feb. 25, 2019, doi:
id/1129499 10.1109/TSC.2019.2897554.
[34] C. N. Gutierrez et al., “Learning from the ones that got away: Detecting [58] (2018). Institute of Risk Management. [Online]. Avail-
new forms of phishing attacks,” IEEE Trans. Dependable Secure able: https://www.theirm.org/knowledge-and-resources/thought-
Comput., vol. 15, no. 6, pp. 988–1001, Nov. 2018. leadership/cyber-risk/
[35] M. M. H. Onik, C.-S. Kim, and J. Yang, “Personal data privacy [59] T. M. Keller, V. Wright, J. Benjamin, and B. Gold, “Vulner-
challenges of the fourth industrial revolution,” in Proc. 21st Int. Conf. abilities under the surface: Tracking potential vulnerabilities by
Adv. Commun. Technol. (ICACT), Feb. 2019, pp. 635–638. voiding warranties,” in Proc. 5th Cybersecur. Symp., Apr. 2018,
[36] S. Kumar and K. S. Mann, “Prevention of DoS attacks by detection of pp. 1–3.
multiple malicious nodes in VANETs,” in Proc. Int. Conf. Automat.,
[60] B. Sheehan, F. Murphy, M. Mullins, and C. Ryan, “Connected and
Comput. Technol. Manage. (ICACTM), Apr. 2019, pp. 89–94.
autonomous vehicles: A cyber-risk classification framework,” Transp.
[37] Q. He, X. Meng, and R. Qu, “Survey on cyber security of CAV,” Res. A, Policy Pract., vol. 124, pp. 523–536, Jun. 2019.
in Proc. Forum Cooperat. Positioning Service (CPGPS), May 2017,
[61] C. Maple, M. Bradbury, A. T. Le, and K. Ghirardello, “A connected and
pp. 351–354.
autonomous vehicle reference architecture for attack surface analysis,”
[38] A. Appathurai, G. Manogaran, and N. Chilamkurti, “Trusted FPGA-
Appl. Sci., vol. 9, no. 23, p. 5101, Nov. 2019.
based transport traffic inject, impersonate (I2) attacks beaconing in the
[62] W. Xu, C. Yan, W. Jia, X. Ji, and J. Liu, “Analyzing and enhancing the
Internet of vehicles,” IET Netw., vol. 8, no. 2, pp. 106–115, 2018.
security of ultrasonic sensors for autonomous vehicles,” IEEE Internet
[39] A. Mondal and M. Jana, “Detection of fabrication, replay and sup-
Things J., vol. 5, no. 6, pp. 5015–5029, Dec. 2018.
pression attack in VANET—A database approach,” in Proc. Conf.
Advancement Comput., Commun. Electron. Paradigm, 2019, pp. 38–42. [63] R. Matsumura, T. Sugawara, and K. Sakiyama, “A secure
LiDAR with AES-based side-channel fingerprinting,” in Proc. 6th
[40] S. S. Albouq and E. M. Fredericks, “Lightweight detection and
Int. Symp. Comput. Netw. Workshops (CANDARW), Nov. 2018,
isolation of black hole attacks in connected vehicles,” in Proc. IEEE
pp. 479–482.
37th Int. Conf. Distrib. Comput. Syst. Workshops (ICDCSW), Jun. 2017,
pp. 97–104. [64] B. S. Lim, S. L. Keoh, and V. L. L. Thing, “Autonomous vehicle
[41] K. C. Purohit, S. C. Dimri, and S. Jasola, “Mitigation and performance ultrasonic sensor vulnerability and impact assessment,” in Proc. IEEE
analysis of routing protocols under black-hole attack in vehicular 4th World Forum Internet Things, Feb. 2018, pp. 231–236.
ad-hoc network (VANET),” Wireless Pers. Commun., vol. 97, no. 4, [65] Y. Cao et al., “Adversarial sensor attack on LiDAR-based perception
pp. 5099–5114, Dec. 2017. in autonomous driving,” in Proc. Comput. Commun. Secur., 2019,
[42] P. Kumar and S. Verma, “Detection of wormhole attack in VANET,” pp. 2267–2281.
Nat. J. Syst. Inf. Technol., vol. 10, no. 1, pp. 71–80, 2017. [66] P. Kapoor, A. Vora, and K.-D. Kang, “Detecting and mitigating
[43] R. M. Shukla and S. Sengupta, “Analysis and detection of outliers due spoofing attack against an automotive radar,” in Proc. IEEE 88th Veh.
to data falsification attacks in vehicular traffic prediction application,” Technol. Conf. (VTC-Fall), Aug. 2018, pp. 1–6.
in Proc. 9th IEEE Annu. Ubiquitous Comput., Electron. Mobile Com- [67] Y. Liu, S. Li, Q. Fu, and Z. Liu, “Impact assessment of GNSS spoofing
mun. Conf. (UEMCON), Nov. 2018, pp. 688–694. attacks on INS/GNSS integrated navigation system,” Sensors, vol. 18,
[44] J. Lin, W. Yu, N. Zhang, X. Yang, and L. Ge, “Data integrity attacks no. 5, p. 1433, May 2018.
against dynamic route guidance in transportation-based cyber-physical [68] H. Tao, H. Wu, H. Li, and M. Lu, “GNSS spoofing detection based
systems: Modeling, analysis, and defense,” IEEE Trans. Veh. Technol., on consistency check of velocities,” Chin. J. Electron., vol. 28, no. 2,
vol. 67, no. 9, pp. 8738–8753, Sep. 2018. pp. 437–444, Mar. 2019.
[45] S. Balakrishnan, P. Wang, A. Bhuyan, and Z. Sun, “Modeling and [69] A. Kalantari and E. G. Larsson, “Statistical test for GNSS spoofing
analysis of eavesdropping attack in 802.11ad mmWave wireless net- attack detection by using multiple receivers on a rigid body,” EURASIP
works,” IEEE Access, vol. 7, pp. 70355–70370, 2019. J. Adv. Signal Process., vol. 2020, no. 1, pp. 1–16, Dec. 2020.
[46] (2018). Privacy Concerns and Self-Driving Cars: Are we Ready [70] E. Schmidt, N. Gatsis, and D. Akopian, “A GPS spoofing detec-
for Autonomous Vehicles? [Online]. Available: https://blogs. tion and classification correlator-based technique using the LASSO,”
thomsonreuters.com/answerson/privacy-concerns-self-driving-cars- IEEE Trans. Aerosp. Electron. Syst., vol. 56, no. 6, pp. 4224–4237,
ready-autonomous-vehicles/ Dec. 2020.
[47] X. Liu, C. Qian, W. G. Hatcher, H. Xu, W. Liao, and W. Yu, “Secure [71] S. Jeong, M. Kim, and J. Lee, “CUSUM-based GNSS spoofing
Internet of Things (IoT)-based smart-world critical infrastructures: detection method for users of GNSS augmentation system,” Int. J.
Survey, case study and research opportunities,” IEEE Access, vol. 7, Aeronaut. Space Sci., vol. 21, no. 2, pp. 513–523, Jun. 2020.
pp. 79523–79544, 2019. [72] Y. Qiu, Y. Liu, X. Li, and J. Chen, “A novel location privacy-preserving
[48] M. Chowdhury, M. Islam, and Z. Khan, “Security of connected and approach based on blockchain,” Sensors, vol. 20, no. 12, p. 3519,
automated vehicles,” Fall Issue Bridge Cybersecur., vol. 49, no. 3, Jun. 2020.
pp. 46–56, 2019. [73] Y. Zhou and D. Zhang, “Double mix-zone for location privacy in
[49] N. V. Juliadotter and K.-K.-R. Choo, “Cloud attack and risk assessment VANET,” in Proc. 7th Int. Conf. Inf. Technol., IoT Smart City,
taxonomy,” IEEE Cloud Comput., vol. 2, no. 1, pp. 14–20, Jan. 2015. Dec. 2019, pp. 322–327.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
6258 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 7, JULY 2022

[74] A. Boualouache, R. Soua, and T. Engel, “VPGA: An SDN-based [95] K. Greene, D. Rodgers, H. Dykhuizen, Q. Niyaz, K. Al Shamaileh,
location privacy zones placement scheme for vehicular networks,” in and V. Devabhaktuni, “A defense mechanism against replay attack in
Proc. IEEE 38th Int. Perform. Comput. Commun. Conf. (IPCCC), remote keyless entry systems using timestamping and XOR logic,”
Oct. 2019, pp. 1–8. IEEE Consum. Electron. Mag., vol. 10, no. 1, pp. 101–108, Jan. 2021.
[75] L. Luo, Z. Han, C. Xu, and G. Zhao, “A geo-indistinguishable location [96] N. Panda and B. K. Pattanayak, “Energy aware detection and prevention
privacy preservation scheme for location-based services in vehicular of black hole attack in MANET,” Int. J. Eng. Technol., vol. 7, no. 2.6,
networks,” in Proc. Int. Conf. Algorithms Archit. Parallel Process., pp. 135–140, 2018.
2019, pp. 610–623. [97] V. Krundyshev, M. Kalinin, and P. Zegzhda, “Artificial swarm algorithm
[76] X. Li et al., “Perturbation-hidden: Enhancement of vehicu- for VANET protection against routing attacks,” in Proc. IEEE Ind.
lar privacy for location-based services in Internet of vehicles,” Cyber-Phys. Syst., May 2018, pp. 795–800.
IEEE Trans. Netw. Sci. Eng., early access, Jul. 23, 2020, doi: [98] B. Cherkaoui, A. Beni-Hssane, and M. Erritali, “Variable control
10.1109/TNSE.2020.3011607. chart for detecting black hole attack in vehicular ad-hoc networks,”
[77] (2018). Can Bus Can Be Encrypted, Says Trillium | EE Times. J. Ambient Intell. Humanized Comput., vol. 11, no. 11, pp. 5129–5138,
[Online]. Available: https://www.eetimes.com/document.asp?doc_ Nov. 2020.
id=1328081&page_num_ ber=2 [99] A. Bhawsar, Y. Pandey, and U. Singh, “Detection and prevention
[78] B. Groza, L. Popa, and P.-S. Murvay, “Highly efficient authentication of wormhole attack using the trust-based routing system,” in Proc.
for CAN by identifier reallocation with ordered CMACs,” IEEE Trans. Int. Conf. Electron. Sustain. Commun. Syst. (ICESC), Jul. 2020,
Veh. Technol., vol. 69, no. 6, pp. 6129–6140, Jun. 2020. pp. 809–814.
[79] B. Palaniswamy, S. Camtepe, E. Foo, and J. Pieprzyk, “An effi- [100] F. Boeira, M. Asplund, and M. P. Barcellos, “Mitigating position
cient authentication scheme for intra-vehicular controller area net- falsification attacks in vehicular platooning,” in Proc. IEEE Veh. Netw.
work,” IEEE Trans. Inf. Forensics Security, vol. 15, pp. 3107–3122, Conf. (VNC), Dec. 2018, pp. 1–4.
2020. [101] L. Ma, Y. Xiang, Q. Pei, Y. Xiang, and H. Zhu, “Robust reputation-
[80] M. S. U. Alam, S. Iqbal, M. Zulkernine, and C. Liem, “Securing based cooperative spectrum sensing via imperfect common control
vehicle ECU communications and stored data,” in Proc. IEEE Int. Conf. channel,” IEEE Trans. Veh. Technol., vol. 67, no. 5, pp. 3950–3963,
Commun. (ICC), May 2019, pp. 1–6. May 2018.
[81] T. Lenard, R. Bolboac, B. Genge, and P. Haller, “MixCAN: Mixed and [102] F. Alotibi and M. Abdelhakim, “Anomaly detection for cooperative
backward-compatible data authentication scheme for controller area adaptive cruise control in autonomous vehicles using statistical learning
networks,” in Proc. IFIP Netw. Conf., 2020, pp. 395–403. and kinematic model,” IEEE Trans. Intell. Transp. Syst., early access,
Apr. 8, 2020, doi:10.1109/TITS.2020.2983392.
[82] J. Chen and J. Sun, “Platoon separation strategy optimization method
based on deep cognition of a driver’s behavior at signalized intersec- [103] M. Arif, G. Wang, and V. E. Balas, “Secure VANETs: Trusted
tions,” IEEE Access, vol. 8, pp. 17779–17791, 2020. communication scheme between vehicles and infrastructure based on
fog computing,” Stud. Informat. Control, vol. 27, no. 2, pp. 235–246,
[83] Z. Zhang, Y. Cheng, Y. Gao, S. Nepal, D. Liu, and Y. Zou, “Detecting
Jan. 2019.
hardware-assisted virtualization with inconspicuous features,” IEEE
[104] Y. Wu et al., “Secrecy-driven resource management for vehicular com-
Trans. Inf. Forensics Security, vol. 16, pp. 16–27, 2021.
putation offloading networks,” IEEE Netw., vol. 32, no. 3, pp. 84–91,
[84] Z. A. Biron, S. Dey, and P. Pisu, “Real-time detection and estimation May 2018.
of denial of service attack in connected vehicle systems,” IEEE Trans.
[105] W. Liang, J. Long, T.-H. Weng, X. Chen, K.-C. Li, and A. Y. Zomaya,
Intell. Transp. Syst., vol. 19, no. 12, pp. 3893–3902, Dec. 2018.
“TBRS: A trust based recommendation scheme for vehicular CPS net-
[85] S. Kumar and K. S. Mann, “Detection of multiple malicious nodes work,” Future Gener. Comput. Syst., vol. 92, pp. 383–398, Mar. 2019.
using entropy for mitigating the effect of denial of service attack in [106] N. B. Khankari and G. V. Kale, “One time password generation for
VANETs,” in Proc. 4th Int. Conf. Comput. Sci. (ICCS), Aug. 2018, multifactor authentication using graphical password,” Int. J. Eng. Res.
pp. 72–79. Gen. Sci., vol. 3, no. 5, pp. 489–494, 2020.
[86] S. Ohira, A. K. Desta, I. Arai, H. Inoue, and K. Fujikawa, “Normal [107] M. Islam, M. Chowdhury, H. Li, and H. Hu, “Cybersecurity attacks
and malicious sliding windows similarity analysis method for fast in vehicle-to-infrastructure applications and their prevention,” Transp.
and accurate IDS against DoS attacks on in-vehicle networks,” IEEE Res. Rec., J. Transp. Res. Board, vol. 2672, no. 19, pp. 66–78,
Access, vol. 8, pp. 42422–42435, 2020. Dec. 2018.
[87] T. Limbasiya and D. Das, “Secure and effective geo-data transmission [108] Y. Chen, Z. Lu, H. Xiong, and W. Xu, “Privacy-preserving
scheme for vehicle-to-vehicle communication,” in Proc. IEEE Smart- data aggregation protocol for fog computing-assisted vehicle-to-
World, Ubiquitous Intell. Comput., Adv. Trusted Comput., Scalable infrastructure scenario,” Secur. Commun. Netw., vol. 2018, pp. 1–14,
Comput. Commun., Cloud Big Data Comput., Internet People Smart Apr. 2018.
City Innov., Oct. 2018, pp. 389–396. [109] Y. Kim, J. Nam, T. Park, S. Scott-Hayward, and S. Shin, “SODA:
[88] T. Limbasiya and D. Das, “Lightweight secure message broadcasting A software-defined security framework for IoT environments,” Comput.
protocol for vehicle-to-vehicle communication,” IEEE Syst. J., vol. 14, Netw., vol. 163, pp. 106889.1–106889.13, Nov. 2019.
no. 1, pp. 520–529, Mar. 2020. [110] I. Ali and F. Li, “An efficient conditional privacy-preserving authentica-
[89] N. Hegde and S. S. Manvi, “Hash based integrity verification for tion scheme for vehicle-to-infrastructure communication in VANETs,”
vehicular cloud environment,” in Proc. IEEE Int. Conf. Cloud Comput. Veh. Commun., vol. 22, pp. 100228.1–100228.15, Apr. 2020.
Emerg. Markets (CCEM), Sep. 2019, pp. 75–79. [111] P. P. K. Chan, Z.-M. He, H. Li, and C.-C. Hsu, “Data sanitization
[90] J. Li, Y. Ji, K.-K.-R. Choo, and D. Hogrefe, “CL-CPPA: Certificate-less against adversarial label contamination based on data complexity,” Int.
conditional privacy-preserving authentication protocol for the Internet J. Mach. Learn. Cybern., vol. 9, no. 6, pp. 1039–1052, Jun. 2018.
of vehicles,” IEEE Internet Things J., vol. 6, no. 6, pp. 10332–10343, [112] R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On data banks
Dec. 2019. and privacy homomorphisms,” Found. Secure Comput., vol. 4, no. 11,
[91] A. K. Sutrala, P. Bagga, A. K. Das, N. Kumar, J. J. P. C. Rodrigues, pp. 169–180, 1978.
and P. Lorenz, “On the design of conditional privacy preserving [113] K. Mivule, C. Turner, and S.-Y. Ji, “Towards a differential privacy and
batch verification-based authentication scheme for Internet of vehicles utility preserving machine learning classifier,” Procedia Comput. Sci.,
deployment,” IEEE Trans. Veh. Technol., vol. 69, no. 5, pp. 5535–5548, vol. 12, pp. 176–181, Jan. 2012.
May 2020. [114] K. Scarfone and P. Mell, “An analysis of CVSS version 2 vulnera-
[92] K. Park, Y. Park, A. K. Das, S. Yu, J. Lee, and Y. Park, “A dynamic bility scoring,” in Proc. 3rd Int. Symp. Empirical Softw. Eng. Meas.,
privacy-preserving key management protocol for V2G in social Internet Oct. 2009, pp. 516–525.
of Things,” IEEE Access, vol. 7, pp. 76812–76832, 2019. [115] A. Le, C. Maple, and T. Watson, “A profile-driven dynamic
[93] R. Merco, Z. A. Biron, and P. Pisu, “Replay attack detection in a risk assessment framework for connected and autonomous vehi-
platoon of connected vehicles with cooperative adaptive cruise control,” cles,” in Proc. Living Internet Things, Cybersecur. IoT, 2018,
in Proc. Annu. Amer. Control Conf. (ACC), Jun. 2018, pp. 5582–5587. pp. 1–9.
[94] X. Xu, X. Li, P. Dong, Y. Liu, and H. Zhang, “Robust reset speed syn- [116] Z. El-Rewini, K. Sadatsharan, N. Sugunaraj, D. F. Selvaraj,
chronization control for an integrated motor-transmission powertrain S. J. Plathottam, and P. Ranganathan, “Cybersecurity attacks in vehic-
system of a connected vehicle under a replay attack,” IEEE Trans. Veh. ular sensors,” IEEE Sensors J., vol. 20, no. 22, pp. 13752–13767,
Technol., early access, Sep. 1, 2020, doi: 10.1109/TVT.2020.3020845. Nov. 2020.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: SURVEY ON CYBER-SECURITY OF CAVs 6259

[117] N. Miura, T. Machida, K. Matsuda, M. Nagata, and D. Suzuki, “A low- [139] B. Cheng, H. Lu, A. Rostami, M. Gruteser, and J. B. Kenney, “Impact
cost replica-based distance-spoofing attack on mmWave FMCW radar,” of 5.9 GHz spectrum sharing on DSRC performance,” in Proc. IEEE
in Proc. 3rd ACM Workshop Attacks Solutions Hardw. Secur. Workshop, Veh. Netw. Conf. (VNC), Nov. 2017, pp. 215–222.
2019, pp. 95–100.
[118] M. E. Andrs, N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi,
“Geo-indistinguishability: Differential privacy for location-based sys-
tems,” in Proc. ACM Conf. Comput. Commun. Secur., 2013,
pp. 901–914.
[119] D. Spill and A. Bittau, “BlueSniff: Eve meets Alice and Bluetooth,” in Xiaoqiang Sun was born in 1989, China.
Proc. 1st USENIX Workshop Offensive Technol., 2007, pp. 1–10. He received the B.S. degree in mathematics and
[120] F. Shao and Y. Wu, “The TPMS module in the vehicle positioning and applied mathematics from Fuyang Normal Univer-
safety warning system,” in Proc. Int. Conf. Appl. Techn. Cyber Secur. sity in 2011 and the Ph.D. degree in informa-
Intell., 2018, pp. 1307–1314. tion and communication engineering from Shenzhen
[121] D. Dolgov, S. Thrun, M. Montemerlo, and J. Diebel, “Path planning University in 2018. He was a Post-Doctoral Fellow
for autonomous vehicles in unknown semi-structured environments,” with the F. Richard Yu’s Group, Carleton Univer-
Int. J. Robot. Res., vol. 29, no. 5, pp. 485–501, Apr. 2010. sity, Ottawa, from 2019 to 2020. He is currently
[122] R. Verdult, F. D. Garcia, and B. Ege, “Dismantling megamos crypto: a Post-Doctoral Fellow with the Guangdong Key
Wirelessly lockpicking a vehicle immobilizer,” in Proc. USENIX Secur. Laboratory of Intelligent Information Processing,
Symp., 2013, pp. 687–702. College of Electronics and Information Engineering,
[123] A. K. Desta, S. Ohira, I. Arai, and K. Fujikawa, “ID sequence Shenzhen University. He has published more than ten academic journal
analysis for intrusion detection in the CAN bus using long short term articles and conference papers. His research interests include cryptography,
memory networks,” in Proc. IEEE Int. Conf. Pervas. Comput. Commun. information security, and fully homomorphic encryption.
Workshops (PerCom Workshops), Mar. 2020, pp. 1–6.
[124] H. Olufowobi, C. Young, J. Zambreno, and G. Bloom, “SAIDuCANT:
Specification-based automotive intrusion detection using controller area
network (CAN) timing,” IEEE Trans. Veh. Technol., vol. 69, no. 2,
pp. 1484–1494, Feb. 2020.
F. Richard Yu (Fellow, IEEE) received the Ph.D.
[125] F. Kohnhauser, D. Pullen, and S. Katzenbeisser, “Ensuring the safe and
secure operation of electronic control units in road vehicles,” in Proc. degree in electrical engineering from the University
IEEE Secur. Privacy Workshops, May 2019, pp. 126–131. of British Columbia (UBC) in 2003.
[126] Y. Jie, M. Li, C. Guo, and L. Chen, “Dynamic defense strategy against He is a registered Professional Engineer in ON,
Canada, and a fellow of the Canadian Academy
DoS attacks over vehicular ad hoc networks based on port hopping,”
IEEE Access, vol. 6, pp. 51374–51383, 2018. of Engineering (CAE), the Engineering Institute of
[127] H. S. Sanchez, D. Rotondo, M. L. Vidal, and J. Quevedo, “Frequency- Canada (EIC), and the Institution of Engineering and
Technology (IET). From 2002 to 2006, he was with
based detection of replay attacks: Application to a quadrotor UAV,” in
Proc. 8th Int. Conf. Syst. Control (ICSC), Oct. 2019, pp. 289–294. Ericsson, Lund, Sweden, and a start-up in California,
[128] P. Oza, M. Foruhandeh, R. Gerdes, and T. Chantem, “Secure traffic USA. He joined Carleton University in 2007, where
lights: Replay attack detection for model-based smart traffic con- he is currently a Professor. His research interests
include connected/autonomous vehicles, security, artificial intelligence, dis-
trollers,” in Proc. 2nd ACM Workshop Automot. Aerial Vehicle Secur.,
Mar. 2020, pp. 5–10. tributed ledger technology, and wireless cyber-physical systems. He received
[129] Z. Hassan, A. Mehmood, C. Maple, M. A. Khan, and A. Aldegheishem, the IEEE TCGCC Best Journal Paper Award in 2019, the Distinguished
Service Awards in 2019 and 2016, the Outstanding Leadership Award
“Intelligent detection of black hole attacks for secure communica-
tion in autonomous and connected vehicles,” IEEE Access, vol. 8, in 2013, the Carleton Research Achievement Awards in 2012 and 2020,
pp. 199618–199628, 2020. the Ontario Early Researcher Award (formerly Premiers Research Excellence
[130] C. Li, Y. Xu, J. Xia, and J. Zhao, “Protecting secure communication Award) in 2011, the Excellent Contribution Award at IEEE/IFIP TrustCom
2010, the Leadership Opportunity Fund Award from Canada Foundation
under UAV smart attack with imperfect channel estimation,” IEEE
Access, vol. 6, pp. 76395–76401, 2018. of Innovation in 2009, and the Best Paper Awards at IEEE ICNC 2018,
[131] E. Hesamifard, H. Takabi, M. Ghasemi, and R. N. Wright, “Privacy- VTC 2017 Spring, ICC 2014, Globecom 2012, IEEE/IFIP TrustCom 2009,
preserving machine learning as a service,” Proc. Privacy Enhancing and Int’l Conference on Networking 2005. He has served as the Technical
Technol., vol. 2018, no. 3, pp. 123–142, Jun. 2018. Program Committee (TPC) Co-Chair for numerous conferences. He has been
[132] P. Sinha, “Architectural design and reliability analysis of a fail- named in the Clarivate Analytics list of Highly Cited Researchers in 2019 and
operational brake-by-wire system from ISO 26262 perspectives,” Rel. 2020. He is an IEEE Distinguished Lecturer of the Vehicular Technology
Society (VTS) and the Communication Society. He is an Elected Member
Eng. Syst. Saf., vol. 96, no. 10, pp. 1349–1359, Oct. 2011.
[133] J. Birch et al., “Safety cases and their role in ISO 26262 functional of the Board of Governors of the IEEE VTS and Editor-in-Chief for IEEE
safety assessment,” in Proc. Int. Conf. Comput. Saf., Rel., Secur., 2013, VTS Mobile World newsletter. He serves on the editorial boards of several
pp. 154–165. journals, including the Co-Editor-in-Chief for Ad Hoc and Sensor Wireless
[134] T. Dittel and H.-J. Aryus, “How to survive a safety case according Networks, the Lead Series Editor for IEEE T RANSACTIONS ON V EHICULAR
to ISO 26262,” in Proc. Int. Conf. Comput. Saf., Rel., Secur., 2010, T ECHNOLOGY, IEEE C OMMUNICATIONS S URVEYS AND T UTORIALS , and
pp. 97–111. IEEE T RANSACTIONS ON G REEN C OMMUNICATIONS AND N ETWORKING.
[135] C. Schmittner, Z. Ma, C. Reyes, O. Dillinger, and P. Puschner, “Using
SAE J3061 for automotive security requirement engineering,” in Proc.
Int. Conf. Comput. Saf., Rel., Secur., 2016, pp. 157–170.
[136] (2018). Principles of Cyber Security for Connected and Automated
Vehicles. [Online]. Available: https://www.gov.uk/government/ Peng Zhang received the M.S. and Ph.D. degrees
publications/principles-of-cyber-secu-rity-for-connected-and- in signal and information processing from Shenzhen
automated-vehicles/the-key-principles-of-vehi-cle-cyber-security-for- University in 2008 and 2011, respectively. She is
connected-and-automated-vehicles currently an Associate Professor with the College of
[137] Road Vehicles—Functional Safety—Part 1: Vocabulary, Standard Electronics and Information Engineering, Shenzhen
ISO 26262-1:2018, 2018. [Online]. Available: https://www.iso.org/ University. She has published more than 30 acad-
standard/68383.html emic journal articles and conference papers. Her cur-
[138] Z. He, H. Shan, Y. Bi, Z. Xiang, Z. Su, and T. H. Luan, “Spectrum rent research interests include cryptography technol-
sharing for vehicular communications in a multi-operator scenario,” ogy and security in the blockchain, cloud computing,
in Proc. 11th Int. Conf. Wireless Commun. Signal Process. (WCSP), and the IoT.
Oct. 2019, pp. 1–6.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on September 02,2023 at 10:23:28 UTC from IEEE Xplore. Restrictions apply.