Security system and method for protecting a vehicle electronic system

US 10,534,922 B2
Filed: 03/18/2018
Issued: 01/14/2020
Est. Priority Date: 03/29/2012
Status: Active Grant

First Claim

Patent Images

1. An Electronic Control Unit (ECU) for exchanging messages with other ECUs in a vehicle over a vehicle communication bus under control of a data unit, each of the messages is composed of multiple parts, the ECU comprising in a single enclosure:

a first port;

a first transceiver coupled to the first port for transmitting messages to, and for receiving messages from, the first port;

a second physical port for connecting to the communication bus;

a second transceiver coupled to the second physical port for transmitting messages to, and for receiving messages from, the communication bus;

a processor coupled for controlling the first and second transceivers;

a first memory coupled to the processor and storing a rule; and

a second memory coupled to the processor for storing data,wherein the ECU is operative to receive messages from the first port, and responsive to the rule stored in the first memory, to pass, to block, or to change and then pass, the received messages to the communication bus via the second physical port,wherein the ECU is operative to receive messages from the communication bus via the second physical port, and responsive to the rule, to pass, to block, or to change and then pass, the received messages to the first port,wherein all the messages received from the first port and from the communication bus are associated with a timing information, wherein the rule includes one or more timing values,wherein a specific received message is passed, blocked, or changed and then passed, in response to a comparison of the specific message timing information to the one or more timing values,and wherein the ECU is operative for logging in the second memory a metadata that pertains to a message received from the first port and an action associated with the received message.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.

81 Citations

View as Search Results

70 Claims

1. An Electronic Control Unit (ECU) for exchanging messages with other ECUs in a vehicle over a vehicle communication bus under control of a data unit, each of the messages is composed of multiple parts, the ECU comprising in a single enclosure:
- a first port;
  
  a first transceiver coupled to the first port for transmitting messages to, and for receiving messages from, the first port;
  
  a second physical port for connecting to the communication bus;
  
  a second transceiver coupled to the second physical port for transmitting messages to, and for receiving messages from, the communication bus;
  
  a processor coupled for controlling the first and second transceivers;
  
  a first memory coupled to the processor and storing a rule; and
  
  a second memory coupled to the processor for storing data,wherein the ECU is operative to receive messages from the first port, and responsive to the rule stored in the first memory, to pass, to block, or to change and then pass, the received messages to the communication bus via the second physical port,wherein the ECU is operative to receive messages from the communication bus via the second physical port, and responsive to the rule, to pass, to block, or to change and then pass, the received messages to the first port,wherein all the messages received from the first port and from the communication bus are associated with a timing information, wherein the rule includes one or more timing values,wherein a specific received message is passed, blocked, or changed and then passed, in response to a comparison of the specific message timing information to the one or more timing values,and wherein the ECU is operative for logging in the second memory a metadata that pertains to a message received from the first port and an action associated with the received message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 2. The ECU according to claim 1, further comprising in the single enclosure:
    - a third physical port for connecting to the data unit; and
      
      a third transceiver coupled to the third physical port for receiving from the data unit the rule associated with a part of the message,wherein first memory is coupled to the third transceiver for receiving the rule and for storing the rule in the first memory.
  - 3. The ECU according to claim 2, wherein the communication with the data unit is based on, or using, serial communication, and wherein the third physical port is a serial physical port connection and the third transceiver is a serial data transceiver.
  - 4. The ECU according to claim 3, wherein the serial data transceiver comprises a Universal Asynchronous Receiver Transmitter (UART).
  - 5. The ECU according to claim 3, wherein the serial communication is based on, or using, RS-232.
  - 6. The ECU according to claim 2, further operative to receive a message from the first port or from the communication bus via the second physical port, and to pass the message to the data unit via the third physical port.
  - 7. The ECU according to claim 1, wherein the parts comprise a header, a source identification, a destination identification, or content, and the ECU is further operative to limit a rate of transmitting messages to the first port.
  - 8. The ECU according to claim 7, further comprising a buffer coupled between the first and second transceivers for adapting between the messages incoming rate from the communication bus via the second physical port and the messages outgoing rate to the first port.
  - 9. The ECU according to claim 1, wherein a message is transmitted to the first port only a pre-determined time interval after the previous message was transmitted.
  - 10. The ECU according to claim 1, wherein a message is transmitted to the communication bus via the second physical port only a pre-determined time interval after the previous message was transmitted.
  - 11. The ECU according to claim 1, further operative to limit the rate of transmitting messages to the communication bus via the second physical port.
  - 12. The ECU according to claim 11, further comprising a buffer coupled between the first and second transceivers, to adapt between the message incoming rate from the first port and the message outgoing rate to the communication bus via the second physical port.
  - 13. The ECU according to claim 1, wherein the first memory stores multiple rules, and wherein the ECU is further operative to respond to the multiple rules.
  - 14. The ECU according to claim 1, further comprising a communication bus emulator coupled to the first transceiver for emulating the communication bus.
  - 15. The ECU according to claim 14, further operative to emulate the communication bus to the ECU when the ECU is not connected to the communication bus.
  - 16. The ECU according to claim 14, wherein the communication via the first port is based on, uses, or is according to a protocol, and wherein the communication bus emulator comprises a high-level driver and is operative for protocol abstraction.
  - 17. The ECU according to claim 16, wherein the communication bus emulator is operative to continuously transmit ‘
    - keep-alive’
      
      messages to the first port.
  - 18. The ECU according to claim 1, wherein the first memory is a non-volatile memory.
  - 19. The ECU according to claim 18, wherein the non-volatile memory is Flash based.
  - 20. The ECU according to claim 18, further operative to fetch the rule from the non-volatile memory, and to pass, to block, or to change and then pass, the received message in response to the fetched rule.
  - 21. The ECU according to claim 1, wherein all the messages received from the first port and from the communication bus are associated with a property, and wherein each of the messages includes a value of the property, and wherein the rule identifies the property and one or more values, and a specific received message is passed, blocked, or changed and then passed, in response to a comparison of the specific message value to the one or more rule values.
  - 22. The ECU according to claim 21, wherein the property corresponds to a message header, a message content, a message length, an identification (ID) of a message, a message destination, or any combination thereof.
  - 23. The ECU according to claim 1, further operative to encrypt part of, or whole of, the content of the part of, or all of, the messages that are transmitted via the first or second ports.
  - 24. The ECU according to claim 1, further comprising, or consisting of, a safety critical ECU.
  - 25. The ECU according to claim 24, further comprising, or consisting of, an Engine Control Unit (EcU), a Transmission Control Unit (TCU), Anti-Lock Braking System (ABS), Electronic Stability Control (ESC), or a brake control module.
  - 26. The ECU according to claim 1, further comprising in the single enclosure:
    - a third physical port for connecting to an additional communication bus or to an additional ECU; and
      
      a third transceiver coupled to the third physical port for transmitting messages to, and for receiving messages from, the respective additional communication bus or the additional ECU,wherein the third transceiver is coupled to be controlled by the processor; and
      
      wherein the ECU is operative to receive messages from the third physical port, and responsive to the rule, to pass, to block, or to change and then pass, the received messages to the communication bus via the second physical port, or to the first port.
  - 27. The ECU according to claim 26, wherein the ECU is operative to, responsive to the rule, to pass, to block, or to change and then pass, transmit messages received from the first port or from the communication bus via the second physical port, to an additional communication bus or to an additional ECU via the third physical port.
  - 28. The ECU according to claim 1, further operative to append a signature to part of, or all of, the messages received from the first port, and to transmit the signed messages to the communication bus via the second physical port, or is operative to append a signature to part of, or all of, the messages received from the communication bus via the second physical port, and to transmit the signed messages to the first port.
  - 29. The ECU according to claim 28, further operative to calculate a hash value of the content of the part of, or all of, the messages, and wherein the added signature is based on, or according to, the calculated hash value.
  - 30. The ECU according to claim 28, further operative to encrypt the content of the part of, or all of, the messages, and wherein the added signature is based on, or according to, the encrypted content.
  - 31. The ECU according to claim 30, wherein the encryption is based on, or uses, a key.
  - 32. The ECU according to claim 31, wherein the key is shared with an additional ECU that is the recipient of the transmitted signed messages.
  - 33. The ECU according to claim 1, wherein the part of, or all of, the messages include a signature, and wherein the ECU is further operative to verify the signature.
  - 34. The ECU according to claim 33, wherein the verification comprises calculating a hash value or encrypting the content of the part of, or all of, the messages, and respectively comparing the hash value or the encrypted content to the signature.
  - 35. The ECU according to claim 33, further operative to pass, to block, or to change and then pass, the messages in response to the signature verification.
  - 36. The ECU according to claim 1, further comprising a buffer coupled to the first transceiver for temporarily storing messages received via the first port.
  - 37. The ECU according to claim 1, further comprising a buffer coupled to the second transceiver for temporarily storing messages received via the second physical port.
  - 38. The ECU according to claim 1, further comprising a buffer coupled to the first transceiver for temporarily storing messages to be transmitted via the first port.
  - 39. The ECU according to claim 1, further comprising a buffer coupled to the second transceiver for temporarily storing messages to be transmitted via the second physical port.
  - 40. The ECU according to claim 1, wherein the first transceiver comprises a physical layer driver adapted to transmit or receive messages respectively to or from the first port.
  - 41. The ECU according to claim 1, wherein the second transceiver comprises a physical layer driver adapted to transmit or receive messages respectively to or from the communication bus.
  - 42. The ECU according to claim 1, further operative to save messages received from the first port or from the communication bus via the second physical port.
  - 43. The ECU according to claim 1, further operative to derive and log statistics associated with the messages received from the first port or from the communication bus via the second physical port.
  - 44. The ECU according to claim 1, further comprising a filter coupled between the first and second transceivers for passing messages therebetween.
  - 45. The ECU according to claim 44, wherein the filter is part of, or comprises, the processor.
  - 46. The ECU according to claim 1, wherein the communication bus is according to a first protocol and wherein the ECU is further connectable to an additional communication bus that uses a second protocol, and wherein the ECU is operative to convert between the first and second protocols.
  - 47. The ECU according to claim 1, for use with an authentication scheme with at least one other ECU, the scheme uses a message pair consisting of a challenge message and a challenge response message, wherein the at least one other ECU is determined as authenticated based on using the authentication scheme.
  - 48. The ECU according to claim 47, further operative to transmit to the first port the challenge message, and to receive a response from the first port.
  - 49. The ECU according to claim 48, further operative to compare the received response from the other ECU to the challenge response message, and upon verifying that the received response is identical to the challenge response message, determining that the other ECU as authenticated.
  - 50. The ECU according to claim 47, further operative to receive from the first port the challenge message, and in response to transmit to the first port the challenge response message.
  - 51. The ECU according to claim 47, further operative to responsive to the determining of the other ECU as authenticated, to pass, to block, or to change and then pass, the received messages to the communication bus via the second physical port.
  - 52. The ECU according to claim 47, further operative to responsive to the determining of the other ECU as authenticated, to pass, to block, or to change and then pass, the received messages to the first port.
  - 53. The ECU according to claim 1, for use with a plurality of ECUs coupled to transmit messages to, and receive messages from, the communication bus, and for use with an authentication scheme that uses a message pair consisting of a challenge message and a challenge response message, wherein the ECU is operative to communicate with the plurality of ECUs over the communication bus, and the ECU is further operative to determine a first ECU from the plurality of ECUs as authenticated based on using the authentication scheme.
  - 54. The ECU according to claim 53, further operative to transmit to the first ECU via the second physical port the challenge message, and to receive a response from the first ECU via the second physical port.
  - 55. The ECU according to claim 54, further operative to compare the received response from the first ECU to the challenge response message, and upon verifying that the received response is identical to the challenge response message, determining the first ECU as authenticated.
  - 56. The ECU according to claim 53, further operative to receive from the first ECU via the second physical port the challenge message, and in response to transmit to the first ECU via the second physical port the challenge response message.
  - 57. The ECU according to claim 53, wherein each of the messages includes identification of the source or destination ECU, and wherein the ECU is further operative to responsive to the determining of the first ECU as authenticated, to pass, to block, or to change and then pass, the received messages that include the first ECU as a source or destination.
  - 58. The ECU according to claim 1, wherein the vehicle communication bus uses, or is compatible with, a multi-master, serial protocol using acknowledgement, arbitration, and error-detection schemes.
  - 59. The ECU according to claim 58, wherein the vehicle communication bus employs, uses, is based on, or is compatible with, a synchronous and frame-based protocol.
  - 60. The ECU according to claim 59, wherein the vehicle communication bus consists of, employs, uses, is based on, or is compatible with, a Controller Area Network (CAN).
  - 61. The ECU according to claim 58, wherein the vehicle communication bus employs, uses, is based on, or is compatible with, a Local Interconnect Network (LIN), FlexRay protocol, or Vehicle Area Network (VAN) bus.
  - 62. The ECU according to claim 1, wherein the vehicle communication bus is based on, uses, or is compatible with, MOD-BUS, MIL-STD-1553, or MIL-STD-1773 (ARINC).
  - 63. The ECU according to claim 1, further comprising, or consisting of, an Engine Control Unit (EcU), immobilizer, or antitheft unit.
  - 64. The ECU according to claim 1, further comprising, consisting of, or is connectable to, an infotainment system, wireless tire pressure sensor (TPMS), Course Computer Unit (CCU), or telematics unit.
  - 65. The ECU according to claim 1, further coupleable or connectable to receive data from a unit that is external to the vehicle.
  - 66. The ECU according to claim 65, further wirelessly coupleable to receive data from the unit that is external to the vehicle.
  - 67. The ECU according to claim 65, further wirelessly coupleable to receive radio or a Radio Data System (RDS) or to receive via cellular communication.
  - 68. A vehicle comprising the vehicle communication bus and the Electronic Control Unit (ECU) according to claim 1 connected thereto.
  - 69. The vehicle according to claim 68, wherein the vehicle comprises, or consists of, a car, a truck, a motorcycle, a train, a tank, an airplane, a missile, a spaceship, a rocket, or a robot.
  - 70. The vehicle according to claim 68, further operative for Vehicle-to-Vehicle (V2V) or Vehicle-to-Infrastructure (V2I) communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sheelds Cyber Limited
Original Assignee
Arliou Information Security Technologies Ltd.
Inventors
Litichever, Gil, Levi, Ziv
Primary Examiner(s)
Simitoski, Michael

Application Number

US15/924,223
Publication Number

US 20190303588A1
Time in Patent Office

667 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 21/85   interconnection devices, e....

H04L 12/40143   involving priority mechanis...

H04L 12/40169   Flexible bus arrangements a...

H04L 2012/40215   Controller Area Network CAN

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 67/12   specially adapted for propr...

H04W 4/48   for in-vehicle communication

Security system and method for protecting a vehicle electronic system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

Security system and method for protecting a vehicle electronic system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links