Threat and Countermeasures Analysis for WAVE Service Advertisement

The WAVE Service Advertisement (WSA) is a key part of the IEEE 1609 family of standards which specify the wireless technology that will be used for Vehicle-to-Anything (V2X) communications in the US. Despite this, it has never received a thorough security analysis, and the security mechanisms in the current version of the standards are ad hoc and have significant management overhead, making it difficult to deploy services quickly or to understand exactly what communications security approach needs to be taken in a given situation. This paper provides summary results of a comprehensive security analysis of the WSA carried out over a period of more than a year. We note numerous potential vulnerabilities in the use of the WSA: the WSA could be used to leave poorly-implemented receivers essentially isolated from the system, and it can also be used to trigger a number of different force-multiplier denial of service attacks. In considering how WSAs can be used to induce "improper" behavior, we note that in the Cooperative Intelligent Transportation Systems (C-ITS) setting in the US there is as yet no complete definition of "proper" behavior. We end by making recommendations for how WSAs may be secured and by identifying the elements that need to be specified as part of a policy that defines "proper" behavior.