Security system and method for protecting a vehicle electronic system

US 10,002,258 B2
Filed: 09/14/2017
Issued: 06/19/2018
Est. Priority Date: 03/29/2012
Status: Active Grant

First Claim

Patent Images

1. An Electronic Control Unit (ECU) for exchanging messages with other ECUs in a vehicle over a vehicle communication bus under control of a data unit, each of the messages is composed of multiple parts, the ECU comprising in a single enclosure:

a first port;

a first transceiver coupled to the first port for transmitting messages to, and for receiving messages from, the first port;

a second physical port for connecting to the communication bus;

a second transceiver coupled to the second physical port for transmitting messages to, and for receiving messages from, the communication bus;

a third physical port for connecting to the data unit;

a third transceiver coupled to the third physical port for receiving from the data unit a rule associated with a part of the message;

a software and a processor for executing the software, the processor is coupled for controlling the first, second, and third transceivers; and

a communication bus emulator coupled to the first transceiver for emulating the communication bus,wherein the ECU is operative to receive messages from the first port, and responsive to the rule received from the data unit via the third physical port, to pass, to block, or to change and then pass, the received messages to the communication bus via the second physical port, andwherein the ECU is operative to receive messages from the communication bus via the second physical port, and responsive to the rule received from the data unit via the third physical port, to pass, to block, or to change and then pass, the received messages to the first port.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.

80 Citations

View as Search Results

69 Claims

1. An Electronic Control Unit (ECU) for exchanging messages with other ECUs in a vehicle over a vehicle communication bus under control of a data unit, each of the messages is composed of multiple parts, the ECU comprising in a single enclosure:
- a first port;
  
  a first transceiver coupled to the first port for transmitting messages to, and for receiving messages from, the first port;
  
  a second physical port for connecting to the communication bus;
  
  a second transceiver coupled to the second physical port for transmitting messages to, and for receiving messages from, the communication bus;
  
  a third physical port for connecting to the data unit;
  
  a third transceiver coupled to the third physical port for receiving from the data unit a rule associated with a part of the message;
  
  a software and a processor for executing the software, the processor is coupled for controlling the first, second, and third transceivers; and
  
  a communication bus emulator coupled to the first transceiver for emulating the communication bus,wherein the ECU is operative to receive messages from the first port, and responsive to the rule received from the data unit via the third physical port, to pass, to block, or to change and then pass, the received messages to the communication bus via the second physical port, andwherein the ECU is operative to receive messages from the communication bus via the second physical port, and responsive to the rule received from the data unit via the third physical port, to pass, to block, or to change and then pass, the received messages to the first port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 2. The ECU according to claim 1, further operative to receive, and to respond to, multiple rules from the data unit via the third physical port.
  - 3. The ECU according to claim 1, wherein all the messages received from the first port and from the communication bus are associated with a property, and wherein each of the messages includes a value of the property, and wherein the rule identifies the property and one or more values, and a specific received message is passed, blocked, or changed and then passed, in response to a comparison of the specific message value to the one or more rule values.
  - 4. The ECU according to claim 3, wherein the property corresponds to a message header, a message content, a message length, an identification (ID) of a message, a message destination, or any combination thereof.
  - 5. The ECU according to claim 1, wherein all the messages received from the first port and from the communication bus are associated with a timing information, wherein the rule includes one or more timing values, and wherein a specific received message is passed, blocked, or changed and then passed, in response to a comparison of the specific message timing information to the one or more rule timing values.
  - 6. The ECU according to claim 1, wherein the parts comprise a header, a source identification, a destination identification, or content, and the ECU is further operative to limit the rate of transmitting messages to the first port.
  - 7. The ECU according to claim 6, further comprising a buffer coupled between the first and second transceivers for adapting between the messages incoming rate from the communication bus via the second physical port and the messages outgoing rate to the first port.
  - 8. The ECU according to claim 1, wherein a message is transmitted to the first port only a pre-determined time interval after the previous message was transmitted.
  - 9. The ECU according to claim 1, further operative to limit the rate of transmitting messages to the communication bus via the second physical port.
  - 10. The ECU according to claim 9, further comprising a buffer coupled between the first and second transceivers, to adapt between the message incoming rate from the first port and the message outgoing rate to the communication bus via the second physical port.
  - 11. The ECU according to claim 1, wherein a message is transmitted to the communication bus via the second physical port only a pre-determined time interval after the previous message was transmitted.
  - 12. The ECU according to claim 1, further operative to emulate the communication bus to the ECU when the ECU is not connected to the communication bus.
  - 13. The ECU according to claim 1, wherein the communication via the first port is based on, uses, or is according to a protocol, and wherein the communication bus emulator comprises a high-level driver and is operative for protocol abstraction.
  - 14. The ECU according to claim 13, wherein the communication bus emulator is operative to continuously transmit ‘
    - keep-alive’
      
      messages to the first port.
  - 15. The ECU according to claim 1, further comprising a non-volatile memory in the single enclosure coupled to the third transceiver for storing the rule.
  - 16. The ECU according to claim 15, wherein the non-volatile memory is Flash based.
  - 17. The ECU according to claim 15, further operative to fetch the rule from the non-volatile memory, and to pass, to block, or to change and then pass, the received message in response to the fetched rule.
  - 18. The ECU according to claim 1, wherein the communication with the data unit is based on, or using, serial communication, and wherein the third physical port is a serial physical port connection and the third transceiver is a serial data transceiver.
  - 19. The ECU according to claim 18, wherein the serial data transceiver comprises a Universal Asynchronous Receiver Transmitter (UART).
  - 20. The ECU according to claim 18, wherein the serial communication is based on, or using, RS-232.
  - 21. The ECU according to claim 1, further operative to receive a message from the first port or from the communication bus via the second physical port, and to pass the message to the data unit via the third physical port.
  - 22. The ECU according to claim 1, further comprising in the single enclosure:
    - a fourth physical port for connecting to an additional communication bus or to an additional ECU; and
      
      a fourth transceiver coupled to the fourth physical port for transmitting messages to, and for receiving messages from, the respective additional communication bus or the additional ECU,wherein the fourth transceiver is coupled to be controlled by the processor; and
      
      wherein the ECU is operative to receive messages from the fourth physical port, and responsive to the rule received from the data unit via the third physical port, to pass, to block, or to change and then pass, the received messages to the communication bus via the second physical port, or to the first port.
  - 23. The ECU according to claim 22, wherein the ECU is operative to, responsive to the rule received from the data unit via the third physical port, to pass, to block, or to change and then pass, transmit messages received from the first port or from the communication bus via the second physical port, to an additional communication bus or to an additional ECU via the fourth physical port.
  - 24. The ECU according to claim 1, further operative to append a signature to part of, or all of, the messages received from the first port, and to transmit the signed messages to the communication bus via the second physical port, or is operative to append a signature to part of, or all of, the messages received from the communication bus via the second physical port, and to transmit the signed messages to the first port.
  - 25. The ECU according to claim 24, further operative to calculate a hash value of the content of the part of, or all of, the messages, and wherein the added signature is based on, or according to, the calculated hash value.
  - 26. The ECU according to claim 24, further operative to encrypt the content of the part of, or all of, the messages, and wherein the added signature is based on, or according to, the encrypted content.
  - 27. The ECU according to claim 26, wherein the encryption is based on, or uses, a key.
  - 28. The ECU according to claim 27, wherein the key is shared between the source and destination ECUs.
  - 29. The ECU according to claim 1, wherein the part of, or all of, the messages include a signature, and wherein the ECU is further operative to verify the signature.
  - 30. The ECU according to claim 29, wherein the verification comprises calculating a hash value or encrypting the content of the part of, or all of, the messages, and respectively comparing the hash value or the encrypted content to the signature.
  - 31. The ECU according to claim 29, further operative to pass, to block, or to change and then pass, the messages in response to the signature verification.
  - 32. The ECU according to claim 1, further comprising a buffer coupled to the first transceiver for temporarily storing messages received via the first port.
  - 33. The ECU according to claim 1, further comprising a buffer coupled to the second transceiver for temporarily storing messages received via the second physical port.
  - 34. The ECU according to claim 1, further comprising a buffer coupled to the first transceiver for temporarily storing messages to be transmitted via the first port.
  - 35. The ECU according to claim 1, further comprising a buffer coupled to the second transceiver for temporarily storing messages to be transmitted via the second physical port.
  - 36. The ECU according to claim 1, wherein the first transceiver or the software comprises a physical layer driver adapted to transmit or receive messages respectively to or from the first port.
  - 37. The ECU according to claim 1, wherein the second transceiver or the software comprises a physical layer driver adapted to transmit or receive messages respectively to or from the communication bus.
  - 38. The ECU according to claim 1, further operative to save messages received from the first port or from the communication bus via the second physical port.
  - 39. The ECU according to claim 1, further operative to derive and log statistics associated with the messages received from the first port or from the communication bus via the second physical port.
  - 40. The ECU according to claim 1, further comprising a filter coupled between the first and second transceivers for passing messages therebetween.
  - 41. The ECU according to claim 40, wherein the filter is part of, or comprises, the software, the processor, or any combination thereof.
  - 42. The ECU according to claim 1, wherein the communication bus is according to a first protocol and wherein the ECU is further connectable to an additional communication bus that uses a second protocol, and wherein the ECU is operative to convert between the first and second protocols.
  - 43. The ECU according to claim 1, for use with an authentication scheme with at least one other ECU, the scheme uses a message pair consisting of a challenge message and a challenge response message, wherein the at least one other ECU is determined as authenticated based on using the authentication scheme.
  - 44. The ECU according to claim 43, further operative to transmit to the first port the challenge message, and to receive a response from the first port.
  - 45. The ECU according to claim 44, further operative to compare the received response from the other ECU to the challenge response message, and upon verifying that the received response is identical to the challenge response message, determining that the other ECU as authenticated.
  - 46. The ECU according to claim 43, further operative to receive from the first port the challenge message, and in response to transmit to the first port the challenge response message.
  - 47. The ECU according to claim 43, further operative to responsive to the determining of the other ECU as authenticated, to pass, to block, or to change and then pass, the received messages to the communication bus via the second physical port.
  - 48. The ECU according to claim 43, further operative to responsive to the determining of the other ECU as authenticated, to pass, to block, or to change and then pass, the received messages to the first port.
  - 49. The ECU according to claim 1, for use with a plurality of ECUs coupled to transmit messages to, and receive messages from, the communication bus, and for use with an authentication scheme that uses a message pair consisting of a challenge message and a challenge response message, wherein the ECU is operative to communicate with the plurality of ECUs over the communication bus, and the ECU is further operative to determine a first ECU from the plurality of ECUs as authenticated based on using the authentication scheme.
  - 50. The ECU according to claim 49, further operative to transmit to the first ECU via the second physical port the challenge message, and to receive a response from the first ECU via the second physical port.
  - 51. The ECU according to claim 50, further operative to compare the received response from the first ECU to the challenge response message, and upon verifying that the received response is identical to the challenge response message, determining the first ECU as authenticated.
  - 52. The ECU according to claim 49, further operative to receive from the first ECU via the second physical port the challenge message, and in response to transmit to the first ECU via the second physical port the challenge response message.
  - 53. The ECU according to claim 49, wherein each of the messages includes identification of the source or destination ECU, and wherein the ECU is further operative to responsive to the determining of the first ECU as authenticated, to pass, to block, or to change and then pass, the received messages that include the first ECU as a source or destination.
  - 54. The ECU according to claim 1, wherein the vehicle communication bus uses, or is compatible with, a multi-master, serial protocol using acknowledgement, arbitration, and error-detection schemes.
  - 55. The ECU according to claim 54, wherein the vehicle communication bus employs, uses, is based on, or is compatible with, a synchronous and frame-based protocol.
  - 56. The ECU according to claim 55, wherein the vehicle communication bus consists of, employs, uses, is based on, or is compatible with, a Controller Area Network (CAN).
  - 57. The ECU according to claim 54, wherein the vehicle communication bus employs, uses, is based on, or is compatible with, a Local Interconnect Network (LIN), FlexRay protocol, or Vehicle Area Network (VAN) bus.
  - 58. The ECU according to claim 1, wherein the vehicle communication bus is based on, uses, or is compatible with, MOD-BUS, MIL-STD-1553, or MIL-STD-1773 (ARINC).
  - 59. A vehicle comprising the vehicle communication bus and the Electronic Control Unit (ECU) according to claim 1 connected thereto.
  - 60. The vehicle according to claim 59, wherein the vehicle comprises, or consists of, a car, a truck, a motorcycle, a train, a tank, an airplane, a missile, a spaceship, a rocket, or a robot.
  - 61. The vehicle according to claim 59, further operative for Vehicle-to-Vehicle (V2V) or Vehicle-to-Infrastructure (V2I) communication.
  - 62. The ECU according to claim 1, further comprising, or consisting of, an Engine Control Unit (EcU), immobilizer, or antitheft unit.
  - 63. The ECU according to claim 1, further comprising, or consisting of, a safety critical ECU.
  - 64. The ECU according to claim 63, further comprising, or consisting of, an Engine Control Unit (EcU), a Transmission Control Unit (TCU), Anti-Lock Braking System (ABS), Electronic Stability Control (ESC), or a brake control module.
  - 65. The ECU according to claim 1, further comprising, consisting of, or is connectable to, an infotainment system, wireless tire pressure sensor (TPMS), Course Computer Unit (CCU), or telematics unit.
  - 66. The ECU according to claim 1, further coupleable or connectable to receive data from a unit that is external to the vehicle.
  - 67. The ECU according to claim 66, further wirelessly coupleable to receive data from the unit that is external to the vehicle.
  - 68. The ECU according to claim 66, further wirelessly coupleable to receive radio or a Radio Data System (RDS) or to receive via cellular communication.
  - 69. The ECU according to claim 1, further operative to encrypt part of, or whole of, the content of the part of, or all of, the messages that are transmitted via the first, second, or third ports.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sheelds Cyber Limited
Original Assignee
Arliou Information Security Technologies Ltd.
Inventors
Litichever, Gil, Levi, Ziv
Primary Examiner(s)
Simitoski, Michael J

Application Number

US15/704,023
Publication Number

US 20180004964A1
Time in Patent Office

278 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 21/85   interconnection devices, e....

H04L 12/40143   involving priority mechanis...

H04L 12/40169   Flexible bus arrangements a...

H04L 2012/40215   Controller Area Network CAN

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 67/12   specially adapted for propr...

H04W 4/48   for in-vehicle communication

Security system and method for protecting a vehicle electronic system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

80 Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

Security system and method for protecting a vehicle electronic system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links