NYC Connected Vehicle Pilot Secures Vehicle Privacy
June 20, 2019

As connected vehicle applications exchange information among vehicles, roadway infrastructure, traffic management centers, and wireless mobile devices, a security system is needed to ensure that users can trust in the validity of information received from other system users -- indistinct users whom they have never met and do not know personally. To fulfill this need, the US Department of Transportation Connected Vehicle Pilot Deployment sites -- Wyoming Department of Transportation, New York City Department of Transportation, and Tampa Hillsborough Expressway Authority -- will be using a commercial Security Credential Management System (SCMS). This commercial SCMS will provide enrollment and operating certificates to manage the security of the exchanges for both vehicle-to-vehicle and vehicle-to-infrastructure in accordance with the IEEE 1609.2 standards.

For privacy reasons, the standards require that the vehicles' security certificates change frequently to avoid the potential for a vehicle's messages to be linked together and tracked over a long period of time. However, during development, the New York City Connected Vehicle Pilot team identified an issue with the SAE J2945/1 Standard's Certificate Change requirement criteria that was potentially putting the privacy of their participants at risk.

The Certificate Change requirement calls for certificates to be changed every five minutes but contains two exceptions: the first involves the "absolute distance" from the previous certificate change location, and the second involves the setting of critical event flags. The absolute distance exception states that a certificate change does not occur should the system be "separated by less than 2 kilometers (~1.6 miles) in absolute distance from the location at which the last certificate change occurred." This exemption protects a vehicle's certificates from disclosure to fixed dedicated short-range communications (DSRC) devices should the vehicle be delayed in a small area for an extended time period due to an incident, congestion, or other cause.

This definition poses an issue for grid networks in large urban areas such as New York City's deployment area, which encompasses Midtown Manhattan: a vehicle traveling within the area can remain less than 2 kilometers from the location of its last certificate change and so would not trigger the certificate change mechanism.

While the Connected Vehicle Pilot sites are required to use existing ITS standards wherever viable, they also agreed to document their experiences with such standards to relay best practices and lessons learned for future deployers. Through its experience with the SAE J2945/1 Standard's Certificate Change requirement criteria, the New York City Connected Vehicle Pilot team concluded that absolute distance is not the proper criterion for an exception, as it is possible for a vehicle to operate in a large area for an extended time period and not be required to change its certificate.

The New York City Connected Vehicle Pilot team documented this issue, together with its proposed solution of replacing the absolute distance with the system's distance traveled during the time period, for consideration by the SAE V2X Core Technical Committee. In doing so, the New York City Connected Vehicle Pilot team hopes to further refine the SAE J2945/1 standard to better accommodate urban networks in support of a nationwide deployment. The committee has included this item within their recently adopted work plan.
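
The difference between the two criteria can be seen in a small simulation, added here as an illustration and not taken from the pilot team or from SAE J2945/1. It is a simplified model that uses only the five-minute interval and the 2-kilometer threshold stated above; the critical event flag exception is not modelled, and the function names and vehicle tracks are constructed for the example.

```python
import math

CHANGE_INTERVAL_S = 300       # change every five minutes (from the article)
EXCEPTION_DISTANCE_M = 2000   # 2 km exception threshold (from the article)

def square_loop(side_m, speed_mps, duration_s, step_s=10):
    """Constructed track: (t, x, y) samples of a vehicle circling a square of city blocks."""
    track = []
    for t in range(0, duration_s + 1, step_s):
        leg, off = divmod((speed_mps * t) % (4 * side_m), side_m)
        corners = [(off, 0), (side_m, off), (side_m - off, side_m), (0, side_m - off)]
        track.append((t, *corners[int(leg)]))
    return track

def straight_line(speed_mps, duration_s, step_s=10):
    """Constructed track: a vehicle on a straight road (speed 0 models a stalled vehicle)."""
    return [(t, speed_mps * t, 0) for t in range(0, duration_s + 1, step_s)]

def count_changes(track, metric):
    """Count certificate changes; metric is 'absolute' (current rule as described
    in the article) or 'traveled' (the pilot team's proposed replacement)."""
    changes, traveled = 0, 0.0
    t0, x0, y0 = track[0]          # time and place of the last certificate change
    prev = track[0]
    for t, x, y in track[1:]:
        traveled += math.hypot(x - prev[1], y - prev[2])
        prev = (t, x, y)
        moved = math.hypot(x - x0, y - y0) if metric == "absolute" else traveled
        # The exception suppresses the change while the vehicle has moved < 2 km.
        if t - t0 >= CHANGE_INTERVAL_S and moved >= EXCEPTION_DISTANCE_M:
            changes += 1
            t0, x0, y0, traveled = t, x, y, 0.0
    return changes

if __name__ == "__main__":
    hour = 3600
    tracks = {
        "grid loop, 800 m sides, 8 m/s": square_loop(800, 8, hour),
        "straight road, 8 m/s": straight_line(8, hour),
        "stalled in congestion": straight_line(0, hour),
    }
    for name, track in tracks.items():
        print(f"{name}: absolute={count_changes(track, 'absolute')} "
              f"traveled={count_changes(track, 'traveled')}")
```

The looping vehicle is never more than about 1.13 km (the diagonal of the square) from any earlier point on its route, so the absolute-distance rule leaves it on one certificate for the whole hour, while the stalled vehicle keeps its certificate under both rules, which is the protection the exception was meant to provide.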