Fast Exclusion of Errant Devices from Vehicular Networks

Vehicular networks, in which cars communicate wirelessly to exchange information on traffic conditions, offer a promising way to improve road safety. Yet ensuring the correct functioning of such a system is essential: malicious or faulty devices transmitting inaccurate messages could trigger accidents. Therefore, any errant device, along with the messages it generates, must be identified and ignored as quickly as possible. This task is especially challenging because traditional approaches to revoking credentials use a central authority, causing long delays during which the network is vulnerable. To eliminate this window of vulnerability, we propose that vehicles locally decide whether to exclude errant devices. We describe two ways of doing so: first, LEAVE, an existing protocol which allows devices to vote by exchanging signed claims of impropriety, and second, Stinger, a new protocol where a device unilaterally removes a misbehaving neighbor by agreeing to limit its own participation. We provide detailed simulations that offer insight into the protocols' operations in the context of vehicular networks and enable a powerful comparison between the strategies. We compare the security and performance properties of LEAVE and Stinger while varying attacker capabilities, traffic conditions, and the accuracy of the misbehavior detection mechanisms. We identify several interesting trade-offs: Stinger is significantly faster than LEAVE at removing errant devices, but LEAVE excludes fewer good devices when the attacker has compromised several devices simultaneously; LEAVE is better at handling false positives, but Stinger scales better when the traffic density increases. As a result, we conclude by outlining a combined protocol that balances the security and performance characteristics of both strategies.