Vehicle security module system

US 10,124,750 B2
Filed: 04/26/2016
Issued: 11/13/2018
Est. Priority Date: 04/26/2016
Status: Active Grant

First Claim

Patent Images

1. A vehicle security system for a vehicle, the system comprising:

one or more controller area network (CAN) buses;

one or more electronic control units (ECUs) connected to the one or more CAN buses;

a vehicle security module (VSM) connected to the one or more CAN buses; and

an on board diagnostics (OBD) connector connected to the vehicle security module; and

wherein;

the vehicle security module discriminates between authorized and unauthorized signals that are input to the on board diagnostics connector; and

the VSM has a security policy;

the security policy specifies the types of messages that are allowed to flow to and/or from the vehicle to a device plugged into the OBD connector;

the VSM is configured to verify a token in the device plugged into the OBD connector and modify the security policy according to a change specified in the verified token to allow the VSM to classify a signal as an authorized signal when the VSM would otherwise classify the signal as an unauthorized signal and facilitate performing a service on the vehicle that would not otherwise be permitted by the security policy;

authorized signals are forwarded by the vehicle security module to the one or more CAN busses; and

the unauthorized signals are refused entry to the one or more CAN busses.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A vehicle security system having controller area network buses, electronic control units connected to the controller area network buses, a vehicle security module connected to the controller area network buses, and an on board diagnostics connector connected to the vehicle security module. The vehicle security module may according to a policy discriminate between authorized and unauthorized signals that are input to the on board diagnostics connector. Authorized signals may be forwarded by the vehicle security module to the controller area network busses. Authorized signals may affect operation of one or more of the components of the vehicle via the electronic control units. Authorized signals may change the policy used by the vehicle security module. Unauthorized signals may be refused entry to the controller area network busses. The on board diagnostics connector may receive the signals from diagnostic instrumentation, control instrumentation, tracking instrumentation, a dongle, and so forth.

542 Citations

19 Claims

1. A vehicle security system for a vehicle, the system comprising:
- one or more controller area network (CAN) buses;
  
  one or more electronic control units (ECUs) connected to the one or more CAN buses;
  
  a vehicle security module (VSM) connected to the one or more CAN buses; and
  
  an on board diagnostics (OBD) connector connected to the vehicle security module; and
  
  wherein;
  
  the vehicle security module discriminates between authorized and unauthorized signals that are input to the on board diagnostics connector; and
  
  the VSM has a security policy;
  
  the security policy specifies the types of messages that are allowed to flow to and/or from the vehicle to a device plugged into the OBD connector;
  
  the VSM is configured to verify a token in the device plugged into the OBD connector and modify the security policy according to a change specified in the verified token to allow the VSM to classify a signal as an authorized signal when the VSM would otherwise classify the signal as an unauthorized signal and facilitate performing a service on the vehicle that would not otherwise be permitted by the security policy;
  
  authorized signals are forwarded by the vehicle security module to the one or more CAN busses; and
  
  the unauthorized signals are refused entry to the one or more CAN busses.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the device to which the on board diagnostics connector is configured to receive is one or more devices selected from a group comprising diagnostic instrumentation, control instrumentation, and tracking instrumentation.
  - 3. The system of claim 1, wherein:
    - an original equipment manufacturer (OEM) of the vehicle security module creates a public and private key pair;
      
      the vehicle security module creates a public and private key pair;
      
      the OEM embeds the OEM public key into the vehicle security module;
      
      a policy change requestor (PRC) creates a public and private key pair;
      
      the OEM uses its private key to digitally sign a certificate containing an identity of the policy change requestor and the public key of the policy change requestor;
      
      the OEM creates a policy change authorization token to include changes to a security policy and an identification (ID) of one or more dongles associated with the authorization token;
      
      the authorization is signed with the private key of the OEM; and
      
      a public key and a private key are created for the one or more dongles having the ID;
      
      the policy change requestor uses its private key to sign a certificate for the one or more dongles having the ID; and
      
      the policy change requestor loads a copy of the certificate into the one or more dongles.
  - 4. The system of claim 3, wherein when a dongle of the one or more dongles is plugged into to the on board diagnostics connector, the vehicle security module can achieve a confirmation of the ID of the dongle, a confirmation that the authorization token is bound to the dongle, and a confirmation that the authorization token was authorized by the OEM.
  - 5. The system of claim 4, wherein the security policy in the vehicle security module can be changed in a field using a cryptographically protected authorization token that is directly or indirectly associated with the dongle.
  - 6. The system of claim 3, wherein the authorization token specifies one or more changes to be applied to the security policy when the one or more dongles associated with the authorization token are plugged into to the on board diagnostics connector.
  - 7. The system of claim 6, wherein:
    - the security policy can block or allow one or more messages based upon virtually any characteristic of a message; and
      
      a change of security policy can change any characteristic of a message used to block or allow the message.

8. A method for authorizing a policy change in a vehicle security module, comprising:
- plugging a device selected from a group comprising diagnostic instrumentation, control instrumentation, tracking instrumentation, and dongles, into an on board diagnostics connector connected to a vehicle security module that is in turn connected to one or more controller area network (CAN) buses, the vehicle security module having a default security policy that specifies the types of messages that are allowed to flow to and/or from the vehicle to the device plugged into the onboard diagnostics connector;
  
  verifying an authentication token in the device plugged into the on board diagnostics connector;
  
  modifying the default security policy of the vehicle security module according to a change specified in the verified authentication token; and
  
  classifying a signal as authorized under the modified security policy that would otherwise be classified as unauthorized under the default security policy to facilitate performing a service on the vehicle that would not otherwise be permitted by the default security policy; and
  
  wherein;
  
  the one or more CAN buses are connected to one or more electronic control units (ECUs);
  
  the vehicle security module blocks unauthorized signals and allows authorized signals to the CAN buses.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, wherein:
    - the one or more ECUs are connected to components of a vehicle;
      
      authorized signals can affect operation of one or more of the components of the vehicle;
      
      authorized signals can change the policy of the vehicle security module; and
      
      a manufacturer of the vehicle is permitted to manage the policy of the vehicle security module.
  - 10. The method of claim 9, wherein:
    - the manufacturer sets a default version of the policy of the vehicle security module; and
      
      the manufacturer can selectively authorize policy change requestors to override one or more aspects of the policy of the vehicle security module.
  - 11. The method of claim 9, wherein the manufacturer provides the authorization token that identifies changes that a policy change requestor is permitted to make to a vehicle having the vehicle security module.
  - 12. The method of claim 11, wherein:
    - a policy select function is implemented by a switch to select a drive mode or a diagnostics mode for the vehicle security module;
      
      a resulting policy of a drive mode with the authorization token is the drive mode with changes of the policy contained in the authorization token;
      
      the resulting policy of a drive mode without the authorization token is the drive mode absent changes;
      
      the resulting policy of a diagnostic mode with the authorization token is the diagnostic mode with changes of the policy contained in the authorization token; and
      
      the resulting policy of a diagnostic mode without the authorization token is the diagnostic mode absent changes.
  - 13. The method of claim 12, wherein the authorization token is implemented in a cryptographic manner.
  - 14. The method of claim 12, wherein when the vehicle security module is in the diagnostics mode, the vehicle security module emits a signal of an audible or visible nature to inform anyone in a vicinity of the vehicle that the policy of the vehicle security module, which is enforced while the vehicle is in the drive mode, is bypassed.
  - 15. The method of claim 10, wherein a policy change requestor performs a cryptographic handshake with the vehicle to ensure that the policy change request is authorized.

16. A mechanism for providing authorized changes of policy to the vehicle security module, comprising:
- a vehicle security module having a security policy;
  
  an on board diagnostics port connected to the vehicle security module;
  
  one or more controller area network (CAN) buses connected to the vehicle security module; and
  
  one or more electronic control units (ECUs) connected to the one or more CAN buses; and
  
  wherein;
  
  the one or more ECUs are associated with one or more components, respectively, of a vehicle;
  
  the security policy specifies the types of messages that are allowed to flow to and/or from a vehicle to a device plugged into the on board diagnostics port;
  
  the vehicle security module verifies an authorization token in the device plugged into the on board diagnostics port and modifies the security policy according to a change specified in the verified authorization token to allow the vehicle security module to classify a signal as an authorized signal when the vehicle security module would otherwise classify the signal as an unauthorized signal and facilitate performing a service on the vehicle that would not otherwise be permitted by the security policy;
  
  the vehicle security module is configured to forward authorized signals to the one or more CAN buses and refuse entry to the one or more CAN buses to the unauthorized signals.
- View Dependent Claims (17, 18, 19)
- - 17. The mechanism of claim 16, wherein an association with the one or more components comprises one or more items of a group consisting of functions, settings, control and diagnostics of the one or more components.
  - 18. The mechanism of claim 17, further comprising:
    - a dongle plugged into the on board diagnostics port; and
      
      wherein;
      
      the dongle comprises a loaded authorization token; and
      
      the authorization token authorizes a change of policy of the vehicle security module.
  - 19. The mechanism of claim 18, wherein:
    - the authorization token allows the vehicle security module to confirm one or more items of a group comprising an identity of the dongle, the authorization token being bound to the dongle, and the authorization token being validated by a manufacturer of the vehicle; and
      
      the policy in the vehicle security module can be changed in the field by using the authorization token that is cryptographically protected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Garrett Transportation I Inc. (Garrett Motion, Inc.)
Original Assignee
Honeywell International Inc.
Inventors
Markham, Thomas R.
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/138,987
Publication Number

US 20170305368A1
Time in Patent Office

931 Days
Field of Search

726 2
US Class Current
CPC Class Codes

B60R 16/0231   Circuits relating to the dr...

G07C 5/0808   Diagnosing performance data...

H04L 12/40   Bus networks

H04L 12/40169   Flexible bus arrangements a...

H04L 2012/40215   Controller Area Network CAN

H04L 2012/40273   the transportation system b...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 67/12   specially adapted for propr...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04W 12/088   using filters or firewalls

H04W 4/40   for vehicles, e.g. vehicle-...

Vehicle security module system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

542 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Vehicle security module system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

542 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others