By Omar Yang (Senior Threat Researcher, Automotive)
Changes in the telecommunications industry bring promising new developments to the automotive industry. The emergence of Open Radio Access Network (Open RAN or O-RAN) infrastructure, for example, appears to offer direct advantages to vehicle-to-everything (V2X) communications. However, researchers have uncovered potential disadvantages associated with its adoption.
Research recently conducted by the National Taiwan University of Science and Technology (NTUST) in collaboration with Trend Micro and CTOne looked into eXtended Applications (xApps), a crucial facet of Open RAN. xApps have turned up as a potential area of concern as they might be susceptible to vulnerabilities that could affect V2X and, subsequently, vehicle functions.
What is V2X?
V2X facilitates communications between a vehicle and its surroundings, typically consisting of vehicles (V2V), pedestrians (V2P), infrastructure (V2I), and the cloud network (V2N). V2X allows vehicles to exchange real-time data with the elements around them. By accessing information on the status of nearby vehicles and other infrastructure, vehicles can use this data to avoid accidents, navigate around traffic jams, and find quicker routes, among other capabilities.
Figure 1. The different types of vehicle-to-everything (V2X) communications: vehicle-to-vehicle (V2V), vehicle-to-pedestrian (V2P), vehicle-to-network (V2N), and vehicle-to-infrastructure (V2I)
In our previous article, we focused on the security implications of direct communications between vehicles, or vehicle-to-vehicle (V2V) communications. However, some functionalities also depend on the interaction between vehicles and the 5G network. Here are several key applications:
- Extended sensor. This functionality allows a vehicle to enhance its sensory capabilities beyond what its on-board sensors can detect, by utilizing data from other vehicles and infrastructure. It proves especially beneficial in situations where direct line of sight is obstructed, such as at intersections, around blind curves, or near large vehicles. The high bandwidth and low latency of 5G enable vehicles to quickly receive and process data from distant sensors, providing a detailed understanding of their surroundings. This improves safety and aids in decision-making, whether for human drivers or autonomous systems.
- Remote driving. In this scenario, a vehicle is operated by a human driver from a remote location through real-time video and data transmission over 5G networks. This approach is invaluable in situations where autonomous driving systems face challenges, such as in complex urban areas or for remote delivery operations. The critical advantages of 5G — its low latency and high reliability — ensure that the remote driver’s commands are executed by the vehicle instantly and accurately, facilitating precise and secure control.
- Vehicle platooning. This concept involves a convoy of vehicles driving closely together at high speeds, autonomously and efficiently maintaining a short distance from one another to reduce air resistance, conserve fuel, and increase the capacity of roads. Through 5G V2X communications, vehicles in a platoon can instantly share information about acceleration, braking, and positioning, acting as a single cohesive unit. This synchronization means that any action taken by the lead vehicle is immediately followed by the rest, ensuring both safety and efficiency are upheld.
What is Open RAN and why is it key to improved V2X?
While 5G V2X communications make these functionalities possible, its highly dynamic environment challenges the limitations of current radio access network (RAN) infrastructure that supports it. However, an ongoing transformation in telecommunications infrastructure, which aims to achieve lower latency, higher bandwidth, and broader coverage, might just remove some of these limitations. Open RAN or O-RAN architecture is at the heart of this transformation.
Open RAN aims to separate hardware and software components, and establish a set of standardized interfaces. This ensures that hardware and software from different vendors can work together seamlessly, greatly enhancing the network’s flexibility to support a diverse array of V2X applications. Moreover, the virtualized and disaggregated nature of Open RAN simplifies the process of scaling the network according to demand. This adaptability is crucial for V2X communications, which can see fluctuating levels of traffic based on various factors such as time of day, weather conditions, and ongoing events. Open RAN is seen by many experts as an enabler for improved V2X communications.
How can Open RAN introduce vulnerabilities to V2X communications?
Amid the speculated advantages of Open RAN to V2X communications, where have researchers found potential security concerns?
In the realm of Open RAN — particularly within its software component, the RAN Intelligent Controller (RIC) — eXtended Applications (xApps) play a pivotal role. xApps are independent software plug-ins developed or will be developed to empower the near-real-time (near-RT) RIC with the capability to make informed and intelligent decisions. Given the unique demands of cellular traffic management for vehicular user equipment (UE), xApps have emerged as a critical solution. They are expected to originate from a diverse range of vendors, enhancing systems’ versatility and capability.
However, this diversity and openness also introduce potential vulnerabilities. An xApp could be compromised at various stages of deployment, from the supply chain to the on-boarding process. Even a benign xApp could inadvertently cause harm if it were to send out anomalous or unexpected messages.
The NTUST, Trend, and CTOne researchers took a deep dive into the security implications of xApps within Open RAN systems. Their research highlights several threat scenarios that could exploit vulnerabilities, which we summarize here:
- Insufficient access control. This scenario involves a malicious xApp issuing commands to shut down E2 nodes, which are crucial for providing services to users and vehicles. If successful, this attack could disrupt services and affect communications between vehicles and the network.
- Faulty message handling. If messages are processed out of order, it could lead to disruptions in the receiver’s processing flow, resulting in unexpected system behavior. This scenario could be exploited to destabilize the network’s operation.
- ARP (Address Resolution Protocol) spoofing. This form of attack involves linking an attacker’s MAC (Media Access Control) address with the IP address of a legitimate network device. Traffic meant for the legitimate device is rerouted through the attacker’s system, potentially leading to data interception or traffic analysis.
These vulnerability exploitation scenarios pose significant risks, including the potential for denial-of-service (DoS) attacks that could disconnect vehicles from the cellular network. This disconnection could impair a vehicle’s ability to interact with its environment, leading to loss of critical functionality. Moreover, maliciously crafted messages could manipulate vehicle behavior — for example, inducing sudden acceleration or braking, which could cause accidents such as rear-end collisions.
A dual approach to mitigation
This research comes at a time when many developments in the telecommunications and automotive industries are still emerging. It offers both industries the impetus to create security measures in the early stages of development before integrating or implementing them becomes more complicated.
Mitigating risks associated with telecommunications, particularly in ensuring cellular networks’ performance, is crucial for the reliability of V2X communications. However, it’s equally important to address the automotive side of the equation, focusing on strategies to manage situations when the cellular networks underperform or fail. This dual approach is essential for maintaining safety and functionality within automotive systems, especially as vehicles become increasingly dependent on V2X communications for critical functions.