JP2022129417A - On-vehicle network system - Google Patents

Abstract

To provide an on-vehicle network system in which fault code information cannot be obtained by a fault diagnostic tool via a CAN bus in the event of an action such as cracking.SOLUTION: An on-vehicle network system comprises at least a transmission-side electronic control device 32b, and a reception-side electronic control device 32a that receives a message from the transmission-side electronic control device 32b via a CAN bus. When the reception-side electronic control device 32a detects that the received message has been tampered with by an illegal operation on the CAN bus, the reception-side electronic control device executes control to transfer none of fault code information stored in the reception-side electronic control device 32a to the CAN bus.SELECTED DRAWING: Figure 6

Description

The present invention relates to an in-vehicle network system in which a plurality of electronic control units are connected via a CAN (Controller Area Network) bus, and more particularly to an in-vehicle network system with improved security.

In recent years, in automobiles, the use of electronic control has rapidly spread in order to improve control functions, and in response to this, more and more automobiles are becoming connected to the Internet. Connectivity has improved the comfort and safety of automobiles.In addition to the control that can be realized by the sensors installed in automobiles and the internal in-vehicle network system, various functions can be realized by connecting to the cloud via the Internet. It becomes possible to receive information services.

However, as connectivity advances in this way, the risk of cracking (cyberattack) due to unauthorized access from the outside to the in-vehicle network system of automobiles increases accordingly. It should be noted that malicious attackers need to identify software components (software parts into which various functions of software are divided) to be attacked before carrying out attacks.

For this reason, when an attacker attempts to crack an in-vehicle network system, it is presumed that he or she will identify the software components in advance, determine the attack pattern, and then carry out the attack. As a method for that purpose, it is conceivable to intentionally cause an abnormality, obtain fault code information generated in response to this, and identify the software component from this fault code information. Recently, it has been confirmed that attacks are carried out by connecting smartphones to in-vehicle network systems.

In other words, the attacker launches a brute force attack on the in-vehicle network system of a vehicle, sends random packets to the CAN bus that constitutes the in-vehicle network system, and connects the generated fault code information to the CAN bus. can be confirmed via

Since the fault code information can be obtained on the Internet, for example, as information indicating which software component is faulty, it gives an attacker information that suggests an attack pattern.

In addition, software components are often common to many vehicles produced by automakers, and various vehicles may be subject to large-scale cracking cyberattacks if an attack pattern is identified.

In order to protect an in-vehicle network system of a vehicle from such cyberattacks, for example, an unauthorized message prevention technique such as Japanese Patent Laid-Open No. 2015-114907 (Patent Document 1) has been proposed.

In this patent document 1, one of a plurality of nodes (network devices) performs authentication based on message authentication information included in a message transmitted as a source node via a CAN bus, and authentication fails. In this case, it is determined that the transmission source node pretended to be another node among the plurality of nodes and transmitted illegal data, and the message is invalidated.

JP 2015-114907 A

However, with the fraudulent message prevention technology described in Patent Literature 1, it is possible to detect and invalidate fraudulent messages, but it is not possible to conceal fault code information. In other words, at the stage when the attacker is searching for the software component, the CAN bus also contains the fraudulent message detection confirmed failure code information and other failure code information. It is possible to acquire it with a tool. Therefore, the fraudulent message prevention technology of Patent Document 1 is still insufficient from the security point of view.

SUMMARY OF THE INVENTION It is an object of the present invention to provide an in-vehicle network system in which fault code information cannot be obtained by a fault diagnosis tool via a CAN bus when an action such as cracking occurs.

The present invention
An in-vehicle network system comprising at least a transmitting side electronic control device and a receiving side electronic control device that receives a message from the transmitting side electronic control device via a CAN bus, wherein the receiving side electronic control device receives the message has been altered into an unauthorized message by unauthorized operation on the CAN bus, the failure information secrecy control unit executes control not to transfer all the trouble code information stored in the receiving side electronic control unit to the CAN bus. It is characterized by comprising

According to the present invention, when an unauthorized message is detected, all fault code information is not transferred to the CAN bus, so even if a fault diagnosis tool is connected, the fault code information cannot be read, preventing identification of the software component. As a result, the security of the in-vehicle network system can be improved.

1 is a configuration diagram showing an example of a steer-by-wire system as a configuration of a steering control device to which the present invention is applied; FIG. 2 is a configuration diagram showing the configuration of an electronic control unit of the steering control device shown in FIG. 1; FIG. 1 is a configuration diagram showing a configuration of part of an in-vehicle network system for a vehicle; FIG. 1 is a configuration diagram showing a state in which a fault diagnosis tool is connected to an in-vehicle network system of an automobile; FIG. FIG. 5 is an explanatory diagram for explaining the flow of fault code information of the electronic control unit shown in FIG. 4; FIG. 4 is an explanatory diagram for explaining a mechanism of message authentication; It is a control flow for describing the embodiment of the present invention, and is a flow chart showing the control flow until an ignition switch is turned off. It is a control flow for explaining the embodiment of the present invention, and is a flow chart showing the control flow after an ignition switch is turned on.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. However, the present invention is not limited to the following embodiments, and various modifications and applications can be made within the technical concept of the present invention. is also included in the scope.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. Before describing specific embodiments of the present invention, the configuration of a steer-by-wire steering control apparatus to which the present invention is applied will be described. . It should be noted that the present invention is not limited to the steering control device described below.

First, the steering shaft is separated from the steering shaft, the rotation angle of the steering shaft, disturbance torque, etc. are detected by a rotation angle sensor, a current sensor, etc., and based on these detection signals, the amount of movement of the steering actuator is controlled to operate the steering shaft. A steering control device of a steer-by-wire system that drives the will be described. The configuration of the steering mechanism is omitted.

In FIG. 1, the steered wheels 10 are steered by tie rods 11 , and the tie rods 11 are connected to a steering shaft 17 . The steering wheel 12 is connected to a steering shaft 13, and the steering shaft 13 can be provided with a steering operation angle sensor or the like as required.

The steering shaft 13 is not linked to a steering shaft (also called a rack bar) 17 of the steering mechanism 16 , and an electric motor 18 for reaction force is provided at the tip of the steering shaft 13 . That is, the steering shaft 13 is not mechanically connected to the steering mechanism 16, and as a result, the steering shaft 13 and the steering mechanism 16 are separated. The reaction force electric motor 18 is driven by the operation control device 19 . The reaction force electric motor 18 is hereinafter referred to as the reaction force motor 18 .

The reaction motor 18 is provided with a reaction motor rotation angle sensor 14 to detect the rotation angle of the reaction motor 18 . The steering operation amount sensor detects the rotation angle of the reaction force motor 18, but may be a steering operation angle sensor that detects the steering operation angle of the steering shaft. A sensor capable of detecting is in the category of a steering operation amount sensor.

Further, the reaction motor 18 is provided with a current sensor 15 that detects the current flowing through the coil of the reaction motor 18 . This current is used, for example, when estimating the disturbance torque.

A steering mechanism 16 including the steering shaft 17 is provided with a steering electric motor mechanism 21 , and the steering electric motor mechanism 21 controls the steering operation of the steering shaft 17 . Although an electric motor is used as the steering actuator, it goes without saying that other types of electric actuators may be used.

The rotation angle of the steering wheel 12 is detected by the reaction motor rotation angle sensor 14 of the reaction motor 18, and the current flowing through the coil is detected by the current sensor 15. These detection signals are input to the electronic control unit 19. be. In addition, various detection signals are input to the operation control device 19 from an external sensor 20 .

The operation control device 19 calculates a control amount for the steering electric motor mechanism 21 based on the input rotation angle signal and current signal, and further drives the steering electric motor mechanism 21 . Parameters other than the rotation angle signal and the current signal can be used as the control amount of the electric motor mechanism 21 for steering.

Rotation of the steering electric motor mechanism 21 rotates an output side pulley (not shown) of the steering mechanism 16 via a belt (not shown) from an input side pulley (not shown), and further rotates a steering nut (not shown). (not shown) steers the steered wheels 10 by axially stroking the steering shaft 16 . Since these are also not the essence of the invention, the description thereof is omitted.

Further, the operation control device 19 calculates the control amount of the reaction force motor 18 based on the input rotation angle signal and current signal, and further drives the reaction force motor 18 . It should be noted that parameters other than the rotation angle signal and the current signal can be used as the control amount of the reaction force motor 18 .

A rack position sensor 22 is provided in the steering mechanism 16. The rack position sensor 22 detects the actual steering amount (steering angle) of the steered wheels 10 and outputs a steering amount signal. The rack position sensor 22 detects the amount of axial movement of the steering shaft 17 . As the steering amount sensor, the rack position sensor 22 for detecting the stroke amount of the steering shaft 17 is shown. Sensors other than these that can detect the position (steering amount) of the steering shaft 17 fall under the category of steering amount sensors.

Next, FIG. 2 shows a schematic configuration of the operation control device 19 that controls the reaction force motor 18 and the steering motor 35. As shown in FIG. The operation control device 19 represents both the reaction force actuator controller and the steering actuator controller.

A reaction motor 18 connected to the steering shaft 13 is provided with a reaction motor rotation angle sensor 14 and a current sensor 15. The reaction motor 18 is mechanically connected to the steering wheel 12 via the steering shaft 13. It is The reaction motor rotation angle sensor 14 is a sensor that detects the rotation angle of the reaction motor 18 , and the current sensor 15 is a sensor that detects the current flowing through the coil of the reaction motor 18 .

The reaction force motor 18 is an electric motor that applies a steering reaction force to the steering shaft 13 via a motor driver 23 controlled by the operation control device 19. This steering reaction force is applied to the steering shaft 13 .

Further, the operation control device 19 sends a drive signal to a steering motor 35 mechanically connected to the steering shaft 17 via a motor driver 24 in accordance with detection signals from the reaction motor rotation angle sensor 14, the current sensor 15, and the like. giving.

The operation control device 19 receives a rotation angle signal from the reaction motor rotation angle sensor 14, a current signal from the current sensor 15, and furthermore, from running state sensors such as the vehicle speed sensor 25 and the yaw rate sensor 26, the steering A running state detection signal of the vehicle affecting is given. Further, the electronic control unit 19 is supplied with a detection signal of the movement position of the steering shaft 17 from a rack position sensor 22 (see FIG. 1) attached in the middle of the housing 32 covering the steering shaft 17 .

Here, the rack position sensor 22 detects the position of the steering shaft 17. Since the steering shaft 17 is directly connected to the tie rod 11, the detected value of the rack position sensor 22 is used to detect the position of the steering wheel 10. steering angle can be detected. Thus, the rack position sensor 22 functions as a steering angle detector for the steered wheels 10 .

An external steering command value from an automatic steering system (ADAS system) 27 is input to the operation control device 19 . The external steering command value is a command value calculated by the automatic steering system 27. When the vehicle deviates from the white line on the road or avoids an obstacle, the steering mechanism 16 controls the steering wheel 10 by the lane keep control. to steer the

The operation control device 19 detects the rotation angle, current, rack position, and running state quantity given from the reaction motor rotation angle sensor 14, the current sensor 15, the rack position sensor 22, the running state sensors 25 and 26, and the automatic steering system 27. and the external steering command value, etc. are taken in at a predetermined sampling period, and the steering amount to be applied to the steering shaft 17 is determined by appropriately combining the taken detection signal and the external steering command value, and this steering amount is obtained. For this purpose, the coil current to be applied to the steering motor 35 is calculated, and a control signal corresponding to the calculation result is given to the motor driver 24 .

Similarly, the operation control device 19 obtains the steering reaction force to be applied to the steering wheel 12 by appropriately combining the rotation angle, the current, the rack position, the detection signal of the running state amount, the external steering command value, and the like. A coil current to be energized to the reaction force motor 18 to obtain force is calculated, and a control signal corresponding to the calculation result is given to the motor driver 23 .

Next, a configuration of an in-vehicle network system for an automobile including the operation control device 19 shown in FIGS. 1 and 2 will be briefly described. FIG. 3 is a configuration diagram showing one aspect of an automobile control system including the operation control device 19. As shown in FIG.

The vehicle control system 30 is a system installed in a vehicle 31 such as an automobile, and is controlled by a plurality of ECUs (Electronic Control Units) 32a and 32b, which are vehicle control devices, and the respective ECUs 32a and 32b. It has actuators 33a and 33b and a CAN bus 34, which is a communication line in the CAN communication system.

Although only two combinations of ECUs and actuators are shown in FIG. 3, the vehicle control system 30 can have any combination of three or more. Actuators can be controlled.

The ECUs 32a and 32b are connected to a CAN bus 34 to form an in-vehicle network system, and the ECUs 32a and 32b perform data transmission via the CAN bus 34 at a predetermined first communication speed (eg, 500 kbps). For example, the actuator 33a is an electric motor of a steering control device provided in the vehicle 31, and the ECU 32a (first node) is the operation control device 19 of the steering control device that drives and controls the electric motor.

Further, for example, the actuator 33b is a fuel injection valve of the internal combustion engine, and the ECU 32b (second node) is an engine control device that drives and controls the fuel injection valve. In the present embodiment, the ECU 32a (first node) is defined as the "own ECU" in the present embodiment, and the following description will be given.

The own ECU 32 a includes an MCU (Micro Control Unit) 35 and a CAN transceiver 36 . The MCU 35 also has a transmission port TX and a reception port RX, is connected to a CAN transceiver 36 (interface) via the transmission port TX and the reception port RX, and has a function of performing CAN communication. The MCU 35 also has a memory 38 and a CAN controller 39 .

An external rewritable non-volatile memory 37 such as an EEPROM with power backup is connected to the own ECU 32a. A flash ROM can also be used instead of the nonvolatile memory 37 with power backup.

The memory 38 is storage means for storing a control application program (in other words, a user program or firmware) that is a program for driving and controlling the actuator 33a, for example. Also, the CAN controller 39 implements CAN protocol functions such as bit stuffing, communication arbitration, error handling, and CRC check.

Next, the configuration when a failure diagnosis tool is connected will be described. In FIG. 3, the own ECU 32a has an MCU 35a and a CAN transceiver 36a, and the MCU 35a has a transmission port TX and a reception port RX and is connected to the CAN transceiver 36a. The CAN transceiver 36a has a function of connecting the transmission port TX and the "High" side of the CAN bus 34 and connecting the reception port RX and the "Low" side of the CAN bus 34 to perform CAN communication. .

The MCU 35a also internally includes a volatile memory 40a, a nonvolatile memory 41a, and a CAN controller 39a. The volatile memory 40a is a so-called RAM, and can use "SRAM" or "DRAM", and the stored data is erased when the power is turned off. The non-volatile memory 41a is a flash ROM, and the stored data will not be erased even if the power is turned off. These volatile memory 40a, nonvolatile memory 41a, and CAN controller 39 are built into the MCU 35a as one chip.

Then, when various abnormalities are detected by the fault diagnosis program, the own ECU 32a stores the fault code information and freeze frame data (FFD information), which are the values of the current operating parameters of the vehicle, in the volatile memory 40a. have the ability to register with Freeze frame data is, for example, one of the functions specified in "J-OBD2", and is a numerical value that memorizes the situation of the internal combustion engine at that moment when a failure that affects the internal combustion engine and exhaust gas occurs. is. The own ECU 32a has a function of registering the fault code information registered in the volatile memory 40 and the FFD information in the nonvolatile memory 41 when the ignition is turned off.

Similarly, another ECU 32b has an MCU 35b and a CAN transceiver 36b, and the MCU 35b has a transmission port TX and a reception port RX and is connected to the CAN transceiver 36b. The CAN transceiver 36b has a function of connecting the transmission port TX and the "High" side of the CAN bus 34, connecting the reception port RX and the "Low" side of the CAN bus 34, and performing CAN communication. .

The MCU 35b also internally includes a volatile memory 40b, a nonvolatile memory 41b, and a CAN controller 39b. The volatile memory 40b is a so-called RAM, and can use "SRAM" or "DRAM", and the stored data is erased when the power is turned off. The non-volatile memory 41b is a flash ROM, and stored data will not be erased even if the power is turned off. These volatile memory 40b, nonvolatile memory 41b, and CAN controller 39b are built into MCU 35b as one chip.

The other ECU 32b has a function of registering fault code information and FFD information in the volatile memory 40b when various abnormalities are detected by the fault diagnosis program. The other ECU 32b has a function of registering the fault code information registered in the volatile memory 40b and the FFD information in the nonvolatile memory 41b when the ignition is turned off.

The own ECU 32a and the other ECU 32b are connected to the CAN bus 34 via CAN transceivers 36a and 36b. A transmission message from the own ECU 32a and a transmission message from the other ECU 32b are transferred to the CAN bus 34 and transmitted via the CAN bus 34. FIG.

Furthermore, a fault diagnosis tool 42 is connected to the CAN bus 34 when performing fault diagnosis. The fault diagnosis tool 42 can read fault code information and FDD via the CAN bus 34 .

Next, the flow of trouble code information and FDD information at the time of abnormality in own ECU 32a will be described with reference to FIG.

When an abnormality occurs, fault code information and FDD information corresponding to this abnormality are registered in a predetermined area of the volatile memory 40a. Since the information in the volatile memory 40a is erased when the power is turned off, it is saved and registered in a predetermined area of the nonvolatile memory 41a when the ignition switch is turned off.

On the other hand, in order to read the information in the nonvolatile memory 41a, when the ignition switch is turned on, the fault code information and the FDD information are transferred to the volatile memory 40a and registered in a predetermined area. Thus, the fault code information and the FDD information are registered in the volatile memory 40a or the nonvolatile memory 41a depending on whether the ignition is ON or OFF.

When the fault diagnosis tool 42 is connected to the CAN bus 34 and the own ECU 32a receives the service ID transmitted from the fault diagnosis tool 42, the fault code information and FFD information currently occurring are read out from the volatile memory 40a. , to the diagnostic tool 42 via the CAN bus 34 .

In this way, when the fault diagnosis tool 42 is connected to the CAN bus 34, the own ECU 32a receives the service ID transmitted from the fault diagnosis tool 42, and receives the service ID currently registered in the volatile memory 40a. Since the existing fault code information and FFD information are transmitted to the CAN bus 34 , the fault diagnosis tool 42 can read the fault code information and FFD information flowing through this CAN bus 34 .

The fault code information and FFD information registered in the non-volatile memory 41a are not transmitted to the CAN bus 34, so they cannot be read by the fault diagnosis tool 42. FIG. The fault code information and FFD information registered in the nonvolatile memory 41a are registered by transferring the fault code information and FFD information in the nonvolatile memory 41a to the volatile memory 40a when the own ECU 32a is activated. .

Therefore, when the service ID is transmitted from the fault diagnosis tool 42 via the CAN bus 34 and received by the own ECU 32a, the fault code information and the FFD information transferred and registered in the volatile memory 40a are transmitted to the CAN bus 34. Thus, the fault diagnosis tool 42 can read fault code information and FFD information flowing through the CAN bus 34 .

For this reason, when a malicious attacker attempts to crack an automobile's in-vehicle network system, it intentionally causes an abnormality, acquires the fault code information generated in response to this, and uses the fault code information to extract software components. It is possible that it will be identified. Therefore, it is effective to prevent fault code information and FFD information from being obtained by the fault diagnosis tool 42 via the CAN bus 34 when an action such as cracking occurs.

Next, a method for preventing fault code information and FFD information from being acquired by the fault diagnosis tool 42 via the CAN bus 34 when an act such as cracking occurs will be described.

First, in this embodiment, the presence or absence of an unauthorized message is determined using an unauthorized message detection function using a message authentication code (MAC). FIG. 6 shows the concept of the fraudulent message detection function. This case shows a case where a message is transmitted from another ECU 32b to its own ECU 32a.

In FIG. 6, for a transmission message generated by another ECU 32b, a transmission MAC value is generated by a common key and a MAC algorithm. This transmission MAC value is combined with the transmission message and transmitted to the CAN bus 34 as a "combined transmission message".

The transmission message is, for example, the instructed steering angle, the steering angle compensation value, etc., but it is also possible to transmit various information other than these. The combined transmission message flowing on the CAN bus 34 is received by its own ECU 32a connected to the CAN bus 34. At this time, the combined transmission message is separated into the received MAC value and the received message.

For the separated received message (=transmitted message), a new generated MAC value is generated by the common key and the MAC algorithm. Here, the common key and MAC algorithm of other ECU32b and own ECU32a are the same. Therefore, if the received MAC value and the generated MAC value match, it is determined that the message is not an unauthorized message. On the other hand, if the received MAC value and the generated MAC value do not match, it is determined that the message has been manipulated illegally on the CAN bus 34 and has been tampered with.

In this way, if the transmitted message is determined to be an unauthorized message that has been falsified, the received received message is discarded. Further, in this case, since unauthorized operation (tampering) has been performed from the outside, the fault code information and FDD information are prevented from being read by the fault diagnosis tool 42 . For this purpose, control is executed to prevent fault code information and FDD information from being transmitted to the CAN bus 34 . Specifically, the control flow shown below prevents the failure code information and the FDD information from being transmitted to the CAN bus 34 .

Next, the specific control flow will be explained. Although this control flow is executed by the own ECU 32a, the same control flow is also executed by the other ECU 32b. Also, the following control flow represents the function of the "failure information secrecy control unit" referred to in the claims.

First, FIG. 7 shows a control flow in a state where the in-vehicle network system is in an operating state and power is being supplied until the ignition switch is turned off. Each control step will be described below.

<<Step S10>>
In step S10, an unauthorized message is detected using the message authentication code MAC shown in FIG. As described above, in this step, it is determined whether or not the transmitted message has been illegally manipulated (hereafter referred to as MAC abnormality). However, if it is determined that an unauthorized operation has been performed, the process proceeds to step S15.

<<Step S11>>
Since it is determined in step S10 that no unauthorized operation has been performed, normal processing is executed below. This step determines if a fault code exists. If it is determined that a fault code exists, the process proceeds to step S12, and if it is determined that no fault code exists, the process proceeds to step S13.

<<Step S12>>
Since it is determined in step S10 that a fault code exists, all fault code information and FFD information are stored in the regular area of the volatile memory 40a. This normal area of the volatile memory 40a is designated as a readable area by the fault diagnostic tool 42 when the fault diagnostic tool 42 is connected.

Therefore, for example, when the fault diagnosis tool 42 is connected at an authorized dealer, all fault code information and FFD information can be read. After all the fault code information and FFD information are stored in the normal area of the volatile memory 40a in step S12, the process proceeds to step S13.

<<Step S13>>
If it is determined in step S11 that no fault code exists, or if all fault code information and FFD information are stored in the regular area of the volatile memory 40a, the ignition switch is turned off in step S13. It is determined whether or not If it is determined that the ignition switch has not been turned off, the process exits and waits until the next activation timing. On the other hand, if it is determined that the ignition switch has been turned off, the process proceeds to step S14.

<<Step S14>>
Since it is determined in step S13 that the ignition switch has been turned off, in step S14, all the fault code information and FFD information are transferred and stored in the regular area of the nonvolatile memory 41a.

When the power is shut down after the ignition switch is turned off, the fault code information and FFD information stored in the volatile memory 40a are erased. Therefore, in step S14, all the fault code information and FFD information stored in the normal area of the volatile memory 40a are transferred to the normal area of the nonvolatile memory 41a using the time until the power is shut down. transferred and stored.

This allows all fault code information and FFD information to be available later. When the ignition switch is turned off, the in-vehicle network system stops operating, so the process ends and waits until the next in-vehicle network system starts up.

<<Step S15>>
Returning to step 10, if it is determined that an unauthorized operation has been performed, the count value (En) of the MAC error counter is incremented (+1) in step S15. In this step S15, the number of MAC abnormalities is counted in order to confirm that an unauthorized operation has been intentionally performed. When the count value (En) by the MAC abnormality counter is incremented, the process proceeds to step S16.

<<Step S16>>
In step S16, it is determined whether or not the count value (En) of the MAC anomaly counter exceeds a predetermined anomaly determination threshold (Esh). That is, in step S16, it is determined whether or not an unauthorized operation has been performed.

If the count value (En) of the MAC anomaly counter does not exceed the anomaly determination threshold (Esh), it is not determined that an unauthorized operation is still being performed, and exits to end and waits until the next activation timing. On the other hand, when the count value (En) of the MAC abnormality counter exceeds the abnormality determination threshold value (Esh), it is determined that an unauthorized operation has been performed, and the process proceeds to step S17. In this embodiment, the abnormality confirmation threshold (Esh) is set to a value between "3 and 5", but this value is arbitrary.

<<Step S17>>
Since it is determined in step S16 that an unauthorized operation has been performed, in step S17, this abnormality information is transmitted to the cloud server by telematics communication. This cloud server is a telematics center operated by a vehicle manufacturer or the like, and the administrator or the like there can grasp that a cyberattack has been received from this transmission result. This allows various countermeasures to be taken. After transmitting the abnormality information to the cloud server by telematics communication, the process proceeds to step S18.

<<Step S18>>
Since it is determined by the processing of steps 16 and S17 that a MAC anomaly has occurred, defense against this MAC anomaly is executed in step S18.

Since it is determined in step S16 that a MAC abnormality has occurred, all the fault code information and FFD information are saved in the secret area of the volatile memory 40a. Unlike the regular area of the volatile memory 40a, the hidden area of the volatile memory 40a is specified as an area that cannot be read by the trouble diagnosis tool 42 when the trouble diagnosis tool 42 is connected.

Therefore, for example, when a malicious attacker connects the fault diagnosis tool 42, all the fault code information and FFD information are saved in the secret area, so all the fault code information and FFD information are read. I can't. After all the fault code information and FFD information are stored in the secret area of the volatile memory 40a in step S18, the process proceeds to step S19.

<<Step S19>>
After storing all the fault code information and FFD information in the secret area of the volatile memory 40a in step S18, it is determined in step S19 whether the ignition switch is turned off. If it is determined that the ignition switch has not been turned off, the process exits and waits until the next activation timing. On the other hand, if it is determined that the ignition switch has been turned off, the process proceeds to step S20.

<<Step S20>>
Since it is determined in step S19 that the ignition switch has been turned off, in step S20, all the fault code information and FFD information are moved and stored in the secret area of the nonvolatile memory 41a.

When the power is shut down after the ignition switch is turned off, the fault code information and FFD information stored in the volatile memory 40a are erased. Therefore, in step S20, all the fault code information and FFD information stored in the secret area of the volatile memory 40a are stored in the secret area of the nonvolatile memory 41a using the time until the power is shut down. transferred and stored.

After moving all the fault code information and FFD information to the secret area of the nonvolatile memory 41a, the process proceeds to step S21.

<<Step S21>>
In step S21, the time until the power is shut down is used to set the MAC abnormality flag in preparation for the next operation of the in-vehicle network system. This MAC anomaly flag is set to confirm that an MAC anomaly has occurred when the vehicle-mounted network system is next started up. Here, the setting of the MAC abnormality flag may be executed between step S16 and step S17.

With this MAC abnormality flag, it is possible to determine whether all the fault code information and FFD information stored in the nonvolatile memory 41a should be transferred to the normal area or the secret area of the volatile memory 40a. When the power supply is shut down, the in-vehicle network system stops operating, so it exits to the end and waits until the next in-vehicle network system is started up.

The above is the control flow until the ignition switch is turned off. Next, the control flow after the ignition switch is turned on will be described for each control step with reference to FIG. In the following, the control flow is in a state where the accessory switch is turned on and the in-vehicle network system has started up.

<<Step S30>>
In step S30, it is determined whether or not the transfer flag is set. The transfer flag is set in step S35, which will be described later, and is set when the fault code information and the FFD information are transferred from the nonvolatile memory 41a to the volatile memory 40a.

Therefore, if the transfer flag is set, the process ends and waits until the next activation timing in order to perform normal operation. On the other hand, if the transfer flag is not set, the process proceeds to step 31 to transfer the fault code information and FFD information from the nonvolatile memory 41a to the volatile memory 40a.

<<Step S31>>
In step S31, it is determined whether the ignition switch is ON. If it is determined in step S31 that the ignition switch is not ON, the process exits and waits until the next activation timing. On the other hand, if it is determined that the ignition switch has been turned on, the process proceeds to step S32.

<<Step S32>>
When it is determined that the ignition switch is ON in step S31, it is determined in step S32 whether or not the MAC abnormality flag is set. The MAC abnormality flag is set in step S21 shown in FIG. Then, when it is determined that the MAC abnormality flag is not set, the process proceeds to step S33. On the other hand, if it is determined that the MAC abnormality flag is set, the process proceeds to step S34.

<<Step S33>>
Since it is determined in step S32 that the MAC abnormality flag is not set, in step S33, all the fault code information and FFD information are transferred from the normal area of the nonvolatile memory 41a to the normal area of the volatile memory 40a. and save. As described above, this normal area of volatile memory 40a is designated as an area readable by fault diagnostic tool 42 when fault diagnostic tool 42 is connected.

Therefore, when the fault diagnosis tool 42 is connected at an authorized dealer, all fault code information and FFD information can be read. After all the fault code information and FFD information are stored in the regular area of the volatile memory 40a in step S33, the process proceeds to step S35.

<<Step S34>>
Since it is determined in step S32 that the MAC abnormality flag is set, in step S34, all the fault code information and FFD information are transferred from the secret area of the nonvolatile memory 41a to the secret area of the volatile memory 40a. Transfer and save. As described above, unlike the normal area of the volatile memory 40a, the hidden area of the volatile memory 40a is specified as an area that cannot be read by the fault diagnostic tool 42 when the fault diagnostic tool 42 is connected. ing.

Therefore, if a malicious attacker connects the fault diagnosis tool 42, all the fault code information and the FFD information are stored in the secret area, so all the fault code information and the FFD information can be read. Can not.

After all the fault code information and FFD information are stored in the secret area of the volatile memory 40a in step S34, the process proceeds to step S35.

<<Step S35>>
In step S35, since the fault code information and FFD information have been transferred from the nonvolatile memory 41a to the volatile memory 40a in steps S33 and S34, a transfer flag is set.

This transfer flag is used for determination in step S30, and distinguishes between the case of continuing the normal operation and the case of transferring the fault code information and the FFD information from the nonvolatile memory 41a to the volatile memory 40a. .

In step S35, when the transfer flag is set, the process exits and waits until the next activation timing.

Here, in step S34, the failure code information and the FFD information are transferred from the secret area of the nonvolatile memory 41a to the secret area of the volatile memory 40a. It can also be transferred and stored in the regular area of the volatile memory 40a. This allows it to be read by the fault diagnosis tool 42 .

With the configuration as described above, identification of the software component can be prevented. Also, it is possible to prevent a malicious attacker from being given information that suggests an attack pattern. Furthermore, preventing the identification of software components can reduce the risk of large-scale attacks on many vehicles. Furthermore, when an unauthorized operation is performed, the telematics center administrator or the like can recognize that the cyberattack has occurred, so that various countermeasures can be taken.

As described above, the present invention provides an in-vehicle network system comprising at least a transmitting side electronic control device and a receiving side electronic control device that receives a message from the transmitting side electronic control device via a CAN bus. When the side electronic control unit detects that the received message has been altered into an illegal message by illegal operation on the CAN bus, it does not transfer all fault code information stored in the receiving side electronic control unit to the CAN bus. It has a failure information secrecy control section that executes control.

According to this, when an illegal message is detected, all the fault code information is not transferred to the CAN bus, so even if a fault diagnosis tool is connected, the fault code information cannot be read, preventing identification of the software component. As a result, the security of the in-vehicle network system can be improved.

It should be noted that the present invention is not limited to the above-described embodiments, and includes various modifications. The above embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the described configurations. Moreover, it is possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. Other configurations can be added, deleted, or replaced with respect to the configuration of each embodiment.

32a... Own ECU 34... CAN bus 35a... MCU 36a... CAN transceiver 39a... CAN controller 40a... Volatile memory 41a... Non-volatile memory 32b... Other ECU 35b... MCU 36b... CAN transceiver , 39b... CAN controller, 40b... Volatile memory, 41b... Non-volatile memory, 42... Trouble diagnosis tool.

Claims (7)

An in-vehicle network system comprising at least a transmitting electronic control device and a receiving electronic control device that receives a message from the transmitting electronic control device via a CAN bus,
When the receiving side electronic control unit detects that the received message has been altered into an illegal message by an illegal operation on the CAN bus, all fault code information stored in the receiving side electronic control unit is provided with a failure information secrecy control section for executing control not to transmit to the CAN bus. The in-vehicle network system according to claim 1,
The electronic control device on the receiving side includes a volatile memory and a non-volatile memory, and in a state in which power is supplied to the electronic control device on the transmitting side and the electronic control device on the receiving side, the failure information secrecy control unit ,
if the received message is determined to be a legitimate message, storing all the fault code information in a legitimate area of the volatile memory that can be read by a fault diagnostic tool;
When the received message is determined to be the message that has been tampered with by an unauthorized operation on the CAN bus, all the fault code information is stored in the volatile memory that cannot be read by the fault diagnosis tool. An in-vehicle network system characterized by storing in a secret area of . An in-vehicle network system according to claim 2,
The failure information concealment control unit
An in-vehicle network system characterized in that, when the received message is judged to be the message altered into an unauthorized message by unauthorized operation on the CAN bus, the judgment result is reported to an external telematics center. An in-vehicle network system according to claim 2,
The failure information concealment control unit
An in-vehicle network system characterized in that, in addition to the trouble code information, freeze frame data, which are current operating parameter values of the vehicle, are also stored. An in-vehicle network system according to claim 2,
The failure information concealment control unit
When the power supply to the transmitting side electronic control device and the receiving side electronic control device is stopped, all the fault code information saved in the secret area of the volatile memory is stored in the nonvolatile memory. an in-vehicle network system, which transfers and saves the data in the secret area of . An in-vehicle network system according to claim 5,
When power is supplied again to the transmission side electronic control device and the reception side electronic control device after the power supply to the transmission side electronic control device and the reception side electronic control device is stopped, the failure information Anonymity control unit
An in-vehicle network system, wherein all the fault code information saved in the secret area of the nonvolatile memory is transferred to the secret area of the volatile memory and saved. An in-vehicle network system according to claim 2,
If necessary, the failure information concealment control unit
An in-vehicle network system, wherein the fault code information stored in the secret area of the volatile memory is stored in the normal area of the volatile memory.

Images