Overview on Security Approaches in Intelligent Transportation Systems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Major standardization bodies developed and designed systems that should be used in vehicular ad-hoc networks. The Institute of Electrical and Electronics Engineers (IEEE) in America designed the wireless access in vehicular environments (WAVE) system. The European Telecommunications Standards Institute (ETSI) came up with the “ITS-G5” system. Those Vehicular Ad-hoc Networks (VANETs) are the basis for Intelligent Transportation Systems (ITSs). They aim to efficiently communicate and provide benefits to people, ranging from improved safety to convenience. But different design and architectural choices lead to different network properties, especially security properties that fundamentally depend on the network's architecture. To be able to compare different security architectures, different proposed approaches need to be discussed. One problem in current research is the missing focus on different approaches for trust establishment in VANETs. Therefore, this paper surveys different security issues and solutions in VANETs and we furthermore categorize these solutions into three basic trust defining architectures: centralized, decentralized and hybrid. These categories represent how trust is built in a system, i.e., in a centralized, decentralized way or even by combining both opposing approaches to a hybrid solution, which aims to inherit the benefits of both worlds. This survey defines those categories and finds that hybrid approaches are underrepresented in current research efforts.


💡 Research Summary

The paper provides a comprehensive survey of security mechanisms employed in vehicular ad‑hoc networks (VANETs), which form the communication backbone of modern Intelligent Transportation Systems (ITS). It begins by outlining the two dominant standardization efforts—IEEE’s WAVE and ETSI’s ITS‑G5—both of which rely heavily on a centralized trust model based on Public Key Infrastructure (PKI). The authors argue that while PKI offers strong identity verification and cryptographic protection, it also creates a single point of failure: the compromise of certificate authorities or secret keys can jeopardize the entire network, as illustrated by real‑world disclosures involving intelligence agencies and large‑scale cyber‑crime operations.

To contrast this, the paper examines decentralized trust models, chiefly the Web of Trust (WoT) and reputation‑based systems. In these schemes each vehicle can act as its own certificate authority or evaluate the behavior of peers, thereby reducing dependence on a central authority. The authors acknowledge the benefits—greater resilience to targeted attacks and distribution of trust—but also highlight significant challenges: the computational overhead of building trust paths, vulnerability to Sybil and collusion attacks, and difficulty meeting the stringent latency requirements of vehicular communications.

The core contribution of the survey is the introduction of a “hybrid” trust paradigm that seeks to combine the strengths of both centralized and decentralized approaches. In a hybrid design, identity authentication is still anchored in a PKI, providing a legally recognizable credential, while operational trust is managed locally through reputation scores, behavior monitoring, and voting mechanisms. When a node is detected as malicious, the PKI can be invoked to revoke or invalidate its certificates, thereby offering a fallback safety net. The authors note that hybrid solutions are currently under‑represented in the literature, despite their potential to balance security, privacy, and performance.

The paper systematically categorizes eight major attack families that affect VANETs: impersonation and message spoofing, data tampering, routing attacks (including sinkhole and blackhole), Sybil attacks, eclipse attacks, wormhole attacks, denial‑of‑service (DoS), and privacy violations. For each category, it lists representative solutions classified as centralized, decentralized, or hybrid, drawing on a wide range of cited works.

  • Impersonation: Centralized solutions store identities in tamper‑proof hardware (e.g., EDR, trusted components). Decentralized approaches rely on self‑generated public‑private key pairs and location‑limited channels such as infrared signaling. Hybrid proposals employ probabilistic key distribution combined with voting‑based revocation protocols.

  • Data tampering: Centralized schemes augment identity‑based cryptography with blind signatures and hash‑chain integrity checks. Decentralized methods use reputation‑driven verification and local network models. Hybrid designs (e.g., the “RAISE” protocol) integrate roadside unit (RSU)‑based MAC authentication with PKI as a fallback.

  • Routing attacks: Centralized proposals include AODV‑SEC, SPRING, and game‑theoretic incentive mechanisms that depend on PKI‑issued credentials. Decentralized defenses feature cluster‑based intrusion detection and reputation‑driven path management (e.g., CONFIDANT). Hybrid approaches combine misbehavior detection systems with voting‑based local eviction (LEAVE), where a central CA ultimately revokes certificates of offending nodes.

  • Sybil and eclipse attacks: Centralized defenses rely on strong certificates and physical security; decentralized defenses use multi‑path verification and reputation; hybrid solutions employ voting thresholds and centralized revocation to limit the impact of large numbers of forged identities.

  • Wormhole/Sinkhole: Centralized PKI‑based routing verification, decentralized cluster detection, and hybrid reputation‑plus‑central revocation are discussed.

  • DoS and privacy: Centralized access control via PKI, decentralized traffic shaping based on reputation, and hybrid schemes that blend both are presented.
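The hybrid pattern described above (PKI-anchored identity, local voting, central revocation as the fallback) can be sketched as a small model. This is an added example, not code from the paper or from any of the cited protocols; `ToyCA`, `LocalVoting`, the vehicle names and the threshold of 3 are hypothetical, and an HMAC tag stands in for a real PKI signature.

```python
import hashlib
import hmac
from collections import defaultdict

class ToyCA:
    """Centralized anchor. An HMAC tag stands in for a PKI signature (assumption)."""

    def __init__(self, key: bytes):
        self._key = key
        self.revoked = set()

    def issue(self, vehicle_id: str) -> bytes:
        return hmac.new(self._key, vehicle_id.encode(), hashlib.sha256).digest()

    def is_valid(self, vehicle_id: str, cert: bytes) -> bool:
        return (vehicle_id not in self.revoked
                and hmac.compare_digest(cert, self.issue(vehicle_id)))

class LocalVoting:
    """Decentralized part: neighbours accuse; the CA revokes at the threshold."""

    def __init__(self, ca: ToyCA, threshold: int):
        self.ca, self.threshold = ca, threshold
        self.accusers = defaultdict(set)  # suspect -> distinct certified voters

    def accuse(self, voter: str, voter_cert: bytes, suspect: str) -> str:
        if voter == suspect or not self.ca.is_valid(voter, voter_cert):
            return "ignored"  # uncertified, forged or revoked identities carry no vote
        if voter in self.accusers[suspect]:
            return "duplicate"  # one vote per certified identity
        self.accusers[suspect].add(voter)
        if len(self.accusers[suspect]) >= self.threshold:
            self.ca.revoked.add(suspect)  # fallback: central revocation
            return "revoked"
        return "counted"

def run_scenario():
    """Constructed scenario: three honest vehicles, one misbehaving node."""
    ca = ToyCA(b"constructed-demo-key")
    votes = LocalVoting(ca, threshold=3)
    certs = {v: ca.issue(v) for v in ("car-A", "car-B", "car-C", "mallory")}
    # Five forged identities with self-made "certificates" accuse an honest car.
    log = [votes.accuse(f"sybil-{i}", b"\x00" * 32, "car-A") for i in range(5)]
    for voter in ("car-A", "car-A", "car-B", "car-C"):  # car-A votes twice
        log.append(votes.accuse(voter, certs[voter], "mallory"))
    # Once revoked, mallory's own CA-issued credential no longer carries a vote.
    log.append(votes.accuse("mallory", certs["mallory"], "car-A"))
    return log, ca.revoked
```

The threshold also bounds the opposite failure: that many colluding certified vehicles could evict an honest one, so it has to be chosen against the expected number of compromised insiders.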

A summary table (Table I) maps each attack to the three trust categories, revealing that the majority of existing research focuses on either purely centralized or purely decentralized methods, while hybrid approaches constitute a small minority. The authors conclude that future ITS security research must prioritize hybrid architectures, develop standardized interfaces between PKI and reputation modules, and conduct large‑scale simulations to evaluate real‑time performance. They also call for legal and privacy‑by‑design considerations, secure hardware integration at the vehicle manufacturing stage, and robust key‑update mechanisms. By addressing these gaps, the authors argue that ITS can achieve its safety, efficiency, and convenience goals without sacrificing robust, adaptable security.

