PEDRO: Secure Pedestrian Mobility Verification in V2P Communication using Commercial
Off-the-shelf Mobile Devices
RESEARCH OVERVIEW

Vehicle-to-Pedestrian (V2P) communication enables numerous safety benefits such as real-time collision detection and alert, but poses new security challenges. An imminent and probable scenario is where a malicious node claiming to be a legitimate pedestrian within the network broadcasts false observations or phenomena on the roads (e.g., traffic load, road hazard, and false road crossing alarms) in order to impede traffic flow, erode user's trust in alert messages, or even cause traffic accidents. In this work, we propose PEDRO, a pedestrian mobility verification mechanism for pedestrians using commodity hardware, where only legitimate mobile pedestrians can be admitted to the ad hoc network consisting of trustworthy vehicles and pedestrians.
PEDRO PROTOCOL

PEDRO's protocol mainly leverage the round-trip time (RTT) of wireless signal between vehicle and pedestrian's devices, and verify only moving (mobile) ones while rejecting stationary ones, based on the realistic assumption that the adversaries are likely to remotely launch attacks through static malicious devices. In the Measurement stage, V (Verifier) estimates the location region of P (Prover) by measuring the distance between itself by measuring the RTT of a WiFi message. Afterwards, V proceeds to the Verification stage for verifying the mobility of P.
VERIFICATION

At every time instance, i, V obtains d (RTT distance) from the measurement stage. It uses this value to construct a constrained region R, resulting in a series of R for each P. The core idea underlying the verification protocol is that if two R (not necessarily consecutive) do not overlap, then P must have moved between the two measurement instances. Therefore, we two conditions for non-overlap. First, the timestamps of two consecutive R must be less than the time threshold th_t. This condition prevents stale measurements from being used in the verification. Second, for P to be verified, it must have at least one R pair with its minimum distance greater than the distance threshold, th_d. The two conditions are checked every time new R is obtained, and P is verified only if it meets the above requirements.
EVALUATION RESULTS
Road Factors

We implement the Measurement stage as an Android application on: Google Pixel 2 (Android 9.0 on a 2.35-GHz processor) and Pixel 3 (Android 9.0 on a 2.5-GHz processor) and find out the RTT error distribution (Gaussian model with mean of 0.21 m and std. of 1.87 m) for our simulation framework.
Using the framework, we first investigate how different road conditions (i.e., verifier and prover's moving speed, maximum wireless range, etc.) affect the verification stage of a mobile prover. As illustrated in the figure, generally, as distance threshold th_d increases, the mean inter-region time (time to obtain two non-overlapping R) increases due to the greater distance that the prover has to move to get verified. Also, we observe that the inter-region time decreases when the prover (1) moves faster, (2) is seen more frequently, and (3) is visible from further distances. In these circumstances, the verification becomes easier by taking short time since the prover will be more visible.
Adversarial Scenario

Next we evaluate the robustness of PEDRO against the passive attack scenario. In the passive attack, the adversary is fixed to a stationary location and attempts to be verified while complying with the protocol. We first simulate this attack scenario 1000 times under different road factors and obtain its inter-region time. First plot illustrate the distribution of the inter-region times of the passive attacker and mobile prover with respect to varying th_d. If th_d increases above 6 m, the two distributions exhibit more significant differences because the adversarial prover requires greater number of verifiers to leverage the noise/errors in its favor. From this inter-region time, we can choose th_t, which effectively distinguishes between the moving prover against the passive attacker. We experimentally choose 13 s and plot the FAR as well as FRR to obtain EER as shown in second plot. When th_t=13, the EER of 8.5% is achieved with th_d of 7.7 m.
Real-world Case Study

Using the derived thresholds, we conduct a case study under real road conditions to evaluate the usability and feasibility of PEDRO. We conduct five experiments where the pedestrian moves at 1.2 m/s, and the vehicle travels at the speed of 8.4 m/s on average. The figure illustrates one attempt of the verification. In this case, the verifier verifies the prover by observing a region pair with i=1 and 5; the minimum distance between the two exhibits 13.1 m, which exceeds the th_d of 7.7 m and the differences in their timestamps falls under th_t=13 s. In all five cases, the moving pedestrian was all verified through single verifier. The average verification time is 7.4 s, which shows that the PEDRO is able to quickly verify the moving pedestrian even under road conditions where there are not many readily available verifiers.
REFERENCE
Yucheng Yang*, Kyuin Lee*, Younghyun Kim, and Kassem Fawaz, "PEDRO: Secure Pedestrian Mobility Verification in V2P Communication using COTS Mobile Devices," in Proceedings of the Workshop on CPS & IoT Security and Privacy (CPSIoTSec), pp.41–46, Virtual, 2021 (*Equal contribution by Yang and Lee)
[PDF] [Presentation] [ACM link]