DE102019001978A1 - Method for monitoring communication on a communication bus, electronic device for connection to a communication bus and vehicle - Google Patents

Abstract

The invention relates to a monitoring method for a communication bus (104). This means that unauthorized bus access is detected. The method includes providing a monitoring module (1517) at a station connected to the communication bus (104). In the method, the messages are identified by an identifier, it being determined for each station (140-163) which messages with which identifier may be sent by it. A uniqueness rule is that it is forbidden for another station (152, 153) to send a user data message with an identifier that is already reserved for this station (151). This rule is used in the monitoring, in such a way that it is monitored whether a user data message with an identifier is sent on the communication bus (104) from another station (152, 153) which is reserved for its own station (151) . If so, unauthorized bus access was detected. One or more of the following countermeasures are then initiated: rendering the smuggled message unusable by overwriting the message with the dominant level, by overwriting the message with a specific bit pattern, by changing a specific part of the message, such as the CRC field of the message , or by setting an information entry in an additional field of the messages sent; warning another electronic station (140-163) by sending implausible data content in one or more subsequent messages, or by sending a warning in one or more dedicated warning messages .

Description

The invention relates to the technical field of monitoring communication on a communication bus with regard to unauthorized bus access. This method can be used in particular in communication buses that are used in vehicles. Networked control devices can also be found in other areas of technology, e.g. in automation technology, process technology, etc. The invention also relates to an electronic device for connection to a communication bus.

A large number of control units are installed in modern vehicles. A number of control units are used for the drive train alone, e.g. Engine control unit, transmission control unit, selector lever control unit, airbag control unit and others. There are also other control units that are installed in the area of the vehicle body and provide certain convenience functions. Examples include door or window regulator control devices, air conditioning control devices, seat adjustment control devices, etc. Then there are also control devices that belong to the infotainment area, such as camera control devices for monitoring the surroundings, navigation devices, communication modules and entertainment devices with TV, radio, video and music functions.

Typically, the control devices of the different categories are each networked with a separate bus designed for the device category. Several different bus systems can therefore be used in the vehicle. The various bus systems can be connected to one another via gateways in order to enable data exchange. The CAN bus (Controller Area Network) is typically used in the area of powertrain control units, also in the area of convenience control units. Other bus systems are also used in the infotainment area, such as bus systems based on Ethernet technology, e.g. AVB (Audio Video Bridging), which is based on the IEEE 802.1 standard family. Bus systems in which data is transmitted via fiber optics can also be used. Examples are the MOST bus (Media Oriented System Transport) or the D2B bus (Domestic Digital Bus).

Bus systems in the automotive sector are increasingly becoming the focus of hacker attacks and attempts to deliberately manipulate message content. Such hacker attacks on the bus system typically take place via a connection to the physical transmission medium, i.e. the bus line, or via access to a so-called OBD socket (On Board Diagnostic Interface). Cyber security is also coming more and more into focus because more and more complex driver assistance systems are being used in vehicles, including automated driving. Manipulation must be ruled out here.

The protection of bus systems in motor vehicles is becoming increasingly important. Automated functions and / or vehicles in particular require effective protection against attacks. Unprotected or inadequately protected systems can be manipulated and pose a potential danger to vehicle occupants and the environment.

In the following, procedures and methods are described to make suspicious messages unusable, to mark them accordingly, as well as procedures for how affected control units can be informed about a detected attack, and the reaction of affected control units.

In addition to the detection and identification of smuggled messages, the control units involved must be informed of an incident. This can be done by marking and / or destroying such messages and by sending a new message (warning message). These receiver control units must react accordingly and, if necessary, switch to a safe state in order to reliably avoid further risks for the occupants and the environment. A sensible balance between security and availability can be achieved by overwriting different data areas as required.

A decentralized recognition system is the basis for identifying smuggled messages. In the ideal case, a monitoring module can be implemented in each control unit that sounds an alarm if messages with a Can identifier occur that are assigned to its own control unit. If the monitoring module receives messages with a Can identifier that are only used by its own control unit, this is an indication of an attack. This means that another control unit sends messages that are reserved for the control unit with the monitoring module. It can be a manipulated production control unit or additionally installed hardware. Another aspect is the error handling, eg the detection of incorrectly programmed control units.

There is therefore a need to further secure communication on the communication buses in the vehicle and elsewhere.

The CAN bus is particularly widespread in the automotive sector and is often used for networking safety-related electronics in vehicles. Therefore, there is a special need here for securing communication.

From the DE 10 2015 205 670 A1 an attack detection method for a bus system of a motor vehicle and a corresponding device is known. The aim is to detect and ward off attacks from outside on the bus system. For this purpose, a module is installed in a gateway of the bus system, which uses a general approach to check whether the messages transmitted on the bus were transmitted in accordance with the communication rules. This includes various communication rules: According to one aspect, the module checks certain properties of a specified message cycle. This includes, for example, the time between two consecutive messages and if it detects that the time interval between two consecutive messages does not match the specified cycle duration, it issues a warning message. According to another aspect, the module checks whether only identical messages are transmitted in succession. There are, for example, adapted verification aspects for different message types.

From the US 2015/172306 A1 An attack monitoring method is also known in which the cycle times are monitored for cyclically occurring messages. An attack is recognized if there are deviations from the averaged cycle time. In order to be able to monitor messages that do not occur cyclically, they are protected by inserting a security code. The monitoring module is positioned centrally in a gateway of the vehicle communication network.

From the EP 3 148 154 B1 a monitoring module is known in a CAN bus station with which it is checked whether the identifier of a received CAN message matches an identifier reserved for the bus station. This checks whether the uniqueness rule applicable to the CAN bus for CAN message identifiers is violated. If the uniqueness rule has been violated, an external attack on the bus system is concluded and the received CAN message that violates the uniqueness rule is declared invalid while it is being received. This is done by sending an error flag in the End of Frame field of the received CAN message.

The invention aims to provide an effective monitoring method for a communication bus that can reliably detect unauthorized bus accesses and prevents the manipulated messages from causing damage.

This object is achieved by a method for monitoring communication on a communication bus according to claim 1 and an electronic device according to claims 13 and 14 and a vehicle according to claim 15.

The dependent claims contain advantageous developments and improvements of the invention according to the following description of these measures.

The solution consists in a method for monitoring communication on a communication bus through which a number of electronic stations are networked. A special feature is that the message format is designed in such a way that the messages are identified by an identifier, whereby it is specified for each station which messages with which identifier can be sent by it. A uniqueness rule is adhered to, which prohibits another station from sending a user data message with an identifier that is already reserved for this station. In the method, a monitoring module is provided in one or more or all of the electronic stations, which monitors whether a user data message with an identifier is sent on the communication bus from another station that is already reserved for its own station. In this case, one or more countermeasures are initiated. The countermeasures consist in rendering the smuggled message unusable by overwriting the message with the dominant level, by overwriting the message with a specific bit pattern, by changing a specific one Part of the message, such as the CRC field of the message, or by setting an information entry in an additional field of the messages sent; and the
Warn another control unit by sending implausible data content in one or more subsequent messages, or by sending a warning in one or more dedicated warning messages.

The process is as simple as it is effective. Compared to the known state of the art, there are further possibilities as to how the suspicious message can be made unusable. Even if the received message cannot be made unusable in this way, the other control units will still be warned.

Since the other control units are also warned, they can ignore the previously received manipulated message. However, the warning must be given immediately.

To implement the method, it is advantageous if the monitoring module for monitoring accesses a transmission table in which all of the identifiers reserved for the station are recorded and compares the identifier of a received message with the entries in the transmission table. The creation of the table is already necessary for the CAN bus for the acceptance filtering in the respective station and can be implemented accordingly. The comparison can be carried out easily in a microcomputer. If the processor is overloaded here, a special circuit can alternatively be implemented, e.g. by an FPGA chip or an ASIC.

If the message identifier of the received message matches an entry in the transmission table, the monitoring module then detects unauthorized bus access and the countermeasures can be initiated.

In one variant, the step of specifically changing a specific message part is carried out by changing the entry in an error protection data field, in particular a CRC field of the message. This has the advantage that the message is then automatically discarded during the prescribed error protection check of the received message because it is recognized as being incorrect. This message cannot cause any damage in the respective control unit.

A particularly advantageous variant also consists in that a station which receives a message that has been rendered unusable from another station equipped with a monitoring module or a dedicated warning message, carries out a step of transferring the station to a safe state. This is an important measure to prevent an accident from happening if messages are tampered with during operation. Such bus systems are often used in vehicles where manipulation during operation can lead to accidents with fatal consequences. On the other hand, such bus systems are also used in airplanes, elevator controls or other machine controls, in which manipulation must also be prevented. This measure can also be carried out if the station is connected to a different sub-bus than the station with the monitoring module. To this end, a gateway can be provided which, in this example, forwards the message from the sub-bus to which the station with the monitoring module is connected to the sub-bus to which the actually affected station is connected.

The method can advantageously be used in a communication bus that is designed for the exchange of messages between electronic components of a vehicle. Bus systems are used there in particular, in which such identifiers are used in conjunction with the uniqueness rule described.

In another variant, which is particularly interesting for vehicles, a further countermeasure for a device responsible for outputting information is e.g. an infotainment system that receives a message that has been rendered unusable or a dedicated warning message, a step of warning the vehicle driver is carried out by outputting an optical, acoustic or haptic signal.

The design can also be such that the station equipped with a monitoring module sends a dedicated warning message to the infotainment system device responsible for outputting information, which then carries out the step of warning the vehicle driver by outputting the optical, acoustic or haptic signal.

In this context, it is advantageous if, as a further countermeasure, a device in the vehicle responsible for communication with the outside world is carried out a step of sending a manipulation message via radio to a central computer of the vehicle manufacturer or an authority or to a smartphone of the vehicle owner. This informs the vehicle manufacturer about the manipulation and can react to it. If necessary he can close the security gap by issuing a new software version for one or more control units. The measure that the authorities are informed about the manipulation can also be important. So it is possible that the manipulation is reported to the law enforcement authorities. The place and time of the occurrence of the manipulation are preferably also communicated. Even if immediate law enforcement cannot be successfully carried out, authorities can still issue warnings to the public. The device responsible for communication with the outside world is typically an on-board communication module in a vehicle that is designed for communication in a cellular network such as LTE (Long Term Evolution) or 5G and also for vehicle-to-vehicle communication V2V according to a communication standard such as WLAN p, corresponding to IEEE 802.11 p.

The configuration can also be such that the station equipped with a monitoring module sends a dedicated warning message to the device responsible for communication with the outside world, which then carries out the step of sending a manipulation message to the central computer via radio.

In another variant, the device responsible for communication with the outside world also carries out a step of sending a dedicated warning message to a device in the infotainment system responsible for outputting information, which then outputs the signal to warn the vehicle driver.

This monitoring method can be used particularly advantageously in the communication bus according to a variant of the family of CAN bus standards, corresponding to the Controller Area Network. This is particularly widespread in the motor vehicle sector and meets the requirements. There the messages are content-addressed, i.e. There the CAN bus message identifier describes the content of the message and also defines the urgency of the message. During the arbitration phase, the CAN bus message identifier is used to determine which station has access to the transmission medium. Access conflicts are resolved without delay via the wired AND circuit.

For an electronic device for connection to a communication bus, it is advantageous if the device has a monitoring module which is designed for monitoring according to the steps according to the monitoring method described.

For an electronic device of a different type for connection to a communication bus, it is advantageous if the device has a security module which is designed to transfer the electronic device to the safe state according to the monitoring method described.

For a vehicle, it is advantageous that the vehicle is equipped with one or both variants of the electronic devices mentioned.

The messages typically contain a user data field. This can contain a control command. This is particularly advantageous if the monitoring method is used with the so-called LIN bus, corresponding to the local interconnect network bus. There, the identifiers of messages are also used to identify certain control commands.

In addition, payload data can be included in any form, e.g. Sensor data, setting parameters, audio data, video data, etc.

An embodiment of the invention is shown in the drawings and is explained in more detail below with reference to the figures.

• 1 das Prinzip der Vernetzung von elektronischen Komponenten mittels CAN-Bus;
• 2 das Format des Standard Frame-Übertragungsrahmens beim CAN-Bus;
• 3 das Format des Remote Frame-Übertragungsrahmens beim CAN-Bus;
• 4 das Prinzip von Fahrzeug-zu-Fahrzeug-Kommunikation V2V und Fahrzeug-zu-Allem-Kommunikation V2X mittels Mobilfunkunterstützung;
• 5 ein Blockdiagramm für ein Fahrzeug-Kommunikationsnetzwerk mit Steuergeräten und anderen Stationen verschiedener Kategorie;
• 6 ein Blockschaltbild einer CAN-Bus-Schnittstelle, die mit einem Überwachungsmodul gemäß der Erfindung ausgestattet ist;
• 7 ein Flussdiagramm für ein Programm, das als Überwachungsmodul auf der CAN-Busschnittstelle installiert ist,
• 8 ein Diagramm, das die durch einen Angreifer eingeschleusten Botschaften während der Überwachungsphase illustriert; und
• 9 den Ablauf des erweiterten Überwachungsverfahrens in Form eines Zustandsdiagramms.

Show it:

• 1 the principle of networking electronic components using a CAN bus;
• 2 the format of the standard frame transmission frame on the CAN bus;
• 3 the format of the remote frame transmission frame on the CAN bus;
• 4th the principle of vehicle-to-vehicle communication V2V and vehicle-to-all communication V2X using mobile phone support;
• 5 a block diagram for a vehicle communication network with control units and other stations of various categories;
• 6th a block diagram of a CAN bus interface, which is equipped with a monitoring module according to the invention;
• 7th a flow chart for a program that is installed as a monitoring module on the CAN bus interface,
• 8th a diagram illustrating the messages introduced by an attacker during the monitoring phase; and
• 9 the sequence of the extended monitoring procedure in the form of a state diagram.

The present description illustrates the principles of the disclosure of the invention. It is therefore understood that those skilled in the art will be able to design various arrangements which, although not explicitly described here, embody principles of the disclosure according to the invention and are also intended to be protected in their scope.

The CAN bus was standardized back in 1994. The corresponding ISO standard has the number ISO 11898 . There is a standard for the high-speed range up to 1 Mbit / s, that is ISO 11898-2 standard . Then there is a standard for the low-speed range up to 125 kBit / s, that is it ISO 11898-3 standard . The increasing volume of data results in ever higher bus loads on the CAN buses. This led to a further development of the CAN bus. The extended CAN bus is known under the term CAN FD bus. FD stands for Flexible Data Rate. With this CAN bus variant, the data rate is switched. The rate remains low for the arbitration phase, as with the classic CAN bus. A higher data rate is used for the transmission of the user data. If the user data of a CAN FD message is transmitted faster, the duration of the bus occupancy is shortened and the bus load is reduced. If the transmission time remains within the same range as with classic CAN messages, larger amounts of data could be transported with a CAN FD message. This is how it was implemented with CAN FD. Instead of the 8-byte user data field, a 64-byte user data field is used with CAN FD. The data rate increases for the transmission of the user data field with a conversion, for example from 500 kbit / s to 2 Mbit / s.

The classic CAN bus also has a special CAN remote frame format. The CAN remote frame is sent by a station in order to request certain data from another station.

In the following description of the exemplary embodiment, the bus stations are referred to as control devices, as is customary in the motor vehicle sector. However, it is also possible that a bus station is not designed as a control device. Certain sensors or actuators (e.g. actuators) that are connected to the bus are named as examples. The CAN bus is not only used in vehicles, including aircraft, but also in other areas. As already mentioned, this concerns the area of process and machine controls. Here the CAN bus is also used as a field bus.

1 shows the principle of networking electronic components using a CAN bus. A CAN network is a system network made up of CAN nodes (electronic components (control units, sensors, actuators) with CAN interface) which exchange data with one another via their respective CAN interfaces and a transmission medium (CAN bus) that connects all CAN interfaces . There are three CAN nodes 10 shown. The bus structure of the CAN bus is linear. There is therefore a bus line 15th to which all three CAN nodes 10 are connected. As a bus line 15th In the most common applications, a twisted, unshielded two-wire line (Unshielded Twisted Pair - UTP) is used, via which symmetrical signal transmission takes place. With symmetrical signal transmission, the signals are transmitted as voltage differences over two lines. The line pair consists of a non-inverted CANH and an inverted signal line CANL. The receivers reconstruct the original data signal from the difference between the signals present on these two conductors. This has the advantage that there is common mode interference on both conductors of the bus line 15th occur, delete them by forming the difference and thus do not affect the transmission.

To avoid signal reflections, the bus line is 15th at both ends of the line with a terminating resistor 13 the size of the wave impedance of the bus line ( 120 Ohm).

A CAN interface consists of two parts: the communication software and the communication hardware. While the communication software includes higher communication services, the basic communication functions are typically implemented in hardware: A distinction is made here between two hardware components: The CAN controller 14th ensures the uniform handling of the CAN communication protocol and thereby relieves the host 16 on which the aforementioned communication software runs. The CAN transceiver 12 ensures the coupling of the CAN controller 14th to the CAN bus 15th . It forms the signals for data transmission during the transmission process and does the signal processing when it is received.

2 shows the message format of a CAN standard frame. More precisely, illustrated 2 a CAN transmission frame format according to the CAN communication standard.

There are many different individual bits in the transmission frame according to ISO 11898-1 that fulfill control purposes. The various fields and control bits of the transmission frame are listed in the following table with their names in English. The length of the individual fields is also specified. The detailed designation is no longer repeated when these bits are mentioned below. Control bit Detailed description length SOF Start of frame 1 bit Identifier Identifier 9 bits RTR Remote transmission request 1 bit IDE Identifier extension 1 bit R. Reserved bit 1 bit DLC Data length code 4 bit Data field Data field 0-8 bytes CRC CRC sequence DEL CRC delimiter 1 bit ACK Acknowledge 1 bit DEL ACK delimiter 1 bit EOF End of frame code 4 bit

A CAN frame contains a start-of-frame (SOF) field, an arbitration field, a control field, a data field, a cyclic redundancy check (CRC) field, an ACK field, an end-of-frame (EOF) - and an Intermission Sequence (ITM) field.

According to an exemplary embodiment of the invention, the SOF field is a field which indicates the beginning of a CAN frame, ie the beginning of a message. The arbitration field identifies a message and assigns a priority to the message. According to the length of an identification field assigned in the arbitration field, the CAN frame is divided into a standard format and an extended format (the standard format is shown). In the standard format, the arbitration field has a length of 11 bits. For the extended format, the length of the identification field in the arbitration field is 29 Bits.

The identifier defines the priority of the data frame and, together with the acceptance filtering, ensures the transmitter-receiver relationships in the CAN network defined in the communication matrix. The communication matrix defines which messages it processes for each control unit. So if a message is received whose message identifier is not listed there, this message is sorted out by the acceptance filtering and not forwarded to the application.

The transmitting station uses the RTR bit to inform the receivers of the frame type (data frame or remote frame). A dominant RTR bit indicates a data frame, while a recessive bit indicates the remote frame. In addition, the arbitration field may contain an identification extension field (IDE) with a length of 1 bit to identify whether a frame is in the standard format or the extended format. If the value of the IDE field is 0, this indicates the default format. If the value is 1, it means the extended format.

The number of user data bytes contained in the message is displayed to the recipients in the DLC field. The user data bytes are transported in the data field. A maximum of eight useful data bytes can be transmitted with one data frame. The user data bytes are protected against transmission errors with the help of a checksum transmitted in the CRC field using the cyclic redundancy check.

Based on the result of the CRC check, the receivers in the ACK slot acknowledge receipt either positively or negatively. An ACK bit at the end of the message is transmitted by the CAN controller that exactly received the message. The node that sent the message checks whether the ACK bit is present on the CAN bus or not. If ACK is not found, this is an indication that a node was unable to receive the message correctly and the sending station can try to transmit again.

The transmission of a data frame with seven recessive bits is ended, which corresponds to the End Of Frame Code EOF.

3 shows the message format of a CAN remote frame. With the remote frame, a control unit can request desired user data if it is not sent cyclically anyway. This type of frame is rarely used for applications in automobiles, since the data is not transmitted on demand, but essentially cyclically.

Except for the missing data field, the structure of the remote frame corresponds to that of the data frame. The distinction between data and remote frame is made using the RTR bit. In the case of a data frame, the RTR bit is sent dominantly. A remote frame is identified by a recessive RTR bit.

In principle, corresponding remote frames can be defined for all existing data frames in the CAN network. You only have to ensure that the identifiers of the remote frames correspond to the identifiers of the associated data frames. As soon as a CAN node receives a remote frame whose identifier is identical to an identifier in its own communication matrix, it replies with the corresponding standard frame.

4th shows the system architecture for vehicle communication using mobile radio. The reference number 10 means a vehicle. The vehicle shown is designed as a passenger car. This is not intended to be limiting; it can be any type of vehicle. Examples of other vehicle types are: buses, motorcycles, commercial vehicles, in particular trucks, agricultural machines, construction machinery, rail vehicles, etc. The use of the invention would generally be possible in land vehicles, rail vehicles, water vehicles and aircraft. The vehicle 10 is with an on-board communication module 110 Equipped with a corresponding antenna unit so that it can participate in the various types of vehicle communication V2V and V2X. 1 shows that the vehicle 10 with the cellular base station 210 of a mobile network provider can communicate.

Such a base station 210 can be an eNodeB base station from an LTE cellular network provider (Long Term Evolution). The base station 210 and the corresponding equipment is part of a cellular communications network comprising a plurality of cellular cells, each cell from a base station 210 is served.

The base station 210 is positioned near a main road on which the vehicles 10 drive. In LTE terminology, a mobile terminal corresponds to a user equipment UE that enables a user to access network services, connecting to the UTRAN or the Evolved UTRAN via the radio interface. Typically, such user equipment corresponds to a smartphone. Such mobile terminals are used by the passengers in the vehicles 10 used. In addition, the vehicles are 10 each with an on-board communication module 110 fitted. This on-board communication module 110 corresponds to an LTE communication module with which the vehicle 10 can receive mobile data (downlink) and send such data in the uplink direction (uplink). This on-board communication module 110 can also be equipped with a WLAN p-module in order to be able to participate in an ad hoc V2X communication mode. V2V and V2X communication is also supported by the new 5th generation of mobile radio systems. There the corresponding radio interface is referred to as the PC5 interface. With regard to the LTE mobile radio communication system, LTE's Evolved UMTS Terrestrial Radio Access Network E-UTRAN consists of several eNodeBs that provide the E-UTRA user level (PDCP / RLC / MAC / PHY) and the control level (RRC) . The eNodeBs are connected to one another using the so-called X2 interface. The eNodeBs are also connected to the EPC (Evolved Packet Core) 200 via the so-called S1 interface.

From this general architecture shows 4th that the base station 210 via the S1 interface with the EPC 200 connected and the EPC 200 with the Internet 300 connected is. A backend server 320 to which the vehicles 10 Being able to send and receive messages is also with the Internet 300 connected. The backend server is located in the area of cooperative and autonomous driving 320 typically in a traffic control center. This can be assigned to an authority, including law enforcement agencies and the police, or to a vehicle manufacturer or a technical monitoring association, etc. Finally, there is also a road infrastructure station 310 shown. This can be done, for example, by a roadside unit, often referred to in technical jargon as the Road Side Unit RSU 310 will be illustrated. To simplify the implementation, it is assumed that all components have been assigned an Internet address, typically in the form of an IPv6 address, so that the packets that transport messages between the components can be routed accordingly. The various interfaces mentioned are standardized. In this regard, reference is made to the corresponding LTE specifications that are published.

5 shows the typical structure of a communication network in a modern motor vehicle. With the reference number 151 is called an engine control unit. The reference number 152 corresponds to an ESP control unit and the reference number 153 refers to a transmission control unit. Other control devices, such as an additional driving dynamics control device (for vehicles with electrically adjustable dampers), airbag control devices, etc., can be present in the motor vehicle. The networking of such control devices, which are all assigned to the drive train category, is typically done with the CAN bus system (Controller Area Network) 104 , which is standardized as an ISO norm, mostly as ISO 11898-1 . For different sensors 161 to 163 In the motor vehicle, which are no longer to be connected to individual control units, it is also provided that they are connected to the bus system 104 connected and whose sensor data are transmitted to the individual control units via the bus. Examples of sensors in motor vehicles are wheel speed sensors, steering angle sensors, acceleration sensors, yaw rate sensors, tire pressure sensors, distance sensors, knock sensors, air quality sensors, etc.

The modern motor vehicle can, however, also have other components, such as video cameras, for example as a reversing camera or as a driver monitoring camera. There are then also further electronic devices in the motor vehicle. These are arranged more in the area of the passenger compartment and are often also operated by the driver. Examples are a user interface device with which the driver can make settings, but can also operate classic components. These include the indicator control, windscreen wiper control, light control, audio settings for the radio, other settings for the car phone, navigation system, etc. (not shown). With the reference number 130 denotes a computing device. A touch-sensitive display device (LCD touchscreen) is connected to it 135 . A navigation system has the reference number 120 , which is also installed in the cockpit area. The route which is displayed on a map is shown on the display device 135 displayed in the cockpit. Other components, such as a hands-free device, may be present, but are not shown in detail. The reference number 110 still refers to an on-board unit. This on-board unit 110 corresponds to a communication module via which the vehicle can receive and send mobile data. An antenna module is connected to it AT THE . Typically, this is a cellular communication module, e.g. B. according to the LTE standard or 5G standard. With the reference number 105 is another camera 105 referred to, which is designed as a front camera for observation of the surroundings. Additional cameras can be provided for observation in other directions, sides and stern. A camera for use as an interior surveillance camera can also be present. The devices mentioned are assigned to the infotainment area. They are therefore via a bus system designed for the special needs of this device category 102 networked. In the example shown, it is assumed that the bus system 102 is designed as another bus system specially designed for the infotainment area. In this regard, the bus systems AVB (Audio Video Bridging), the MOST bus (Media Oriented System Transport) or the D2B bus (Domestic Digital Bus) are referred to as examples. The already mentioned CAN FD bus could also be considered, since data can be transported there at a higher data rate, which is advantageous for the networked control units in the infotainment area.

For the purpose that vehicle-relevant sensor data via the communication interface 110 to another vehicle or to an external central computer 320 to be transferred to a database is the gateway 140 intended. This is with both different bus systems 102 and 104 connected. The gateway 140 is designed to handle the data that it receives via the CAN bus 104 receives in such a way that they are in the transmission format of the infotainment bus 102 implemented so that they can be distributed in the packages specified there. The on-board unit is used for forwarding this data externally, ie to another motor vehicle or to the central computer 110 with the Communication interface equipped to receive these data packets and convert them in turn into the transmission format of the corresponding mobile radio standard. Implementation is also required when the bus 102 implemented as a CAN FD bus.

The 6th now shows the implementation of the monitoring module and security module in the form of software modules. With the reference number 1510 is the CAN interface of the engine control unit 151 designated. This consists of the hardware components CAN controller 1513 and CAN transceiver (not shown) and from the software components application software 1511 , a monitoring module 1517 and a security module 1518 . There is an interface between these two software components 1514 . The CAN messages that come in and go out via the CAN bus are on the corresponding line 1516 on. The 6th shows a possible variant of an architecture. The implementation can also be done with other variants.

How the monitoring module works 1518 is now using the flow chart in the 6th and the 7th explained.

The monitoring module 1517 is always active when the CAN interface is in receive mode. A control unit often sends its data cyclically on the bus. For this purpose, a corresponding timer is set up in the control unit for each cycle. Different user data can be sent with different cycles. The application software 1511 takes over the setup of the various timers. They can be software-supported timers or hardware-supported timers (not shown). In the area of the control units of the drive train, microcontrollers are usually used which are equipped with a programmable timer / counter unit, so that the timers are often hardware-supported here. When a timer expires, an interrupt is triggered, which means that the control unit changes from receiving mode to sending mode. Each time after the transmission mode has been carried out, the control unit switches back to receiving mode. This can be signaled by setting a flag in the control unit. Setting this flag will then start the monitoring module 1517 trigger. In addition, there are also a number of other types of transmission in control units. The send modes (ifActiv, ifAcitvWithRepetition, OnChange, OnChangeWithRepetition) are mentioned as examples, which only send cyclically in normal / idle state. If a certain, defined event occurs, e.g. a change in a sensor value, the data is often sent outside the normal cycle with a faster cycle time.

The start of the monitoring program is in 7th with the reference number 181 designated. In step 182 Similar to the acceptance filtering, the program checks each received message to determine whether this message is identified with a message identifier that is itself in the station's own transmission table 1515 was recorded. In the station's own transmission table 1515 all message identifiers are listed that are used when sending user data. This broadcast table 1515 can be seen as part of the station's own communication matrix.

If a message identifier was received that is not in the send table 1515 is listed, the program branches to the beginning. If a message identifier was received, it is in the send table 1515 is listed, it could be a message that was smuggled into the bus by an attacker. However, it could also be a remote frame that was sent by another control unit. Therefore it is still in step 183 checks whether it is a remote frame. As explained above, this can be recognized by the RTR bit. If it is a remote frame, the monitoring module in step 185 completed. If it is not a remote frame, then the message can be dangerous because it then comes with user data. Then it is also certain for the monitoring module that it is an irregular message. Because of the uniqueness principle mentioned at the beginning, which applies to the CAN bus, no other control device may use the same message identifier when sending its messages. So then in the next step 184 the countermeasures initiated. Immediate countermeasures can be initiated with the aim of rendering the smuggled message unusable while it is being transmitted.

Overwrite with dominant bus level

1. a. Ein derartiges Bitmuster kann vorzugsweise aus einer bestimmten Folge von Bits mit dominantem Buspegel bzw. nicht-dominantem Buspegel bestehen.
2. b. Bei entsprechender Gestaltung des Bitmusters ist dieses auch zur Informationsübertragung geeignet. Diese Information kann in das entsprechende Bitmuster kodiert werden.
3. c. Die Art des Bitmusters (d.h. die Länge der dominanten/nicht-dominanten Sequenzen) kann so gewählt werden, dass die Empfänger-Steuergeräte mit ausreichend hoher Wahrscheinlichkeit sowohl einen Angriff erkennen können als auch die im Bitmuster enthaltenen Informationen dekodieren können.
4. d. Das Bitmuster kann sich über den kompletten Datenbereich erstrecken, bzw. einen oder mehrere Teilbereiche umfassen.
5. e. Wird nur ein bestimmter Bereich im Datenfeld benutzt, um mit einem Bitmuster eine kompromittierte Botschaft zu kennzeichnen, kann ein weiterer Bereich im Datenfeld verwendet werden, mit dem das betroffene Steuergerät Informationen zum Empfängersteuergerät, das den Angriff erkannt hat, überträgt.
   • - Dieses Bitmuster kann eine Empfängerbestätigung der in a genannten Mitteilung darstellen.
   • - Dieses Bitmuster kann zusätzliche Informationen zur Reaktion des Empfängersteuergerätes enthalten.
6. f. Vorzugsweise überschreibt das Empfängersteuergerät, das den Angriff erkannt hat, wie beschrieben das Datenfeld noch während die kompromittierte Botschaft versendet wird.

This can be done by overwriting the bus level applied to the bus with the dominant bus level. The change can relate to the data field of the message or another field. Changing or overwriting the message field for the error protection data is also very effective. The CRC field is provided for this in the CAN bus message format. In the receiver, the received messages are checked for errors with the CRC check code. If an error is detected, the Message discarded. If no error is detected, the recipient acknowledges receipt of the message positively. To do this, it applies a dominant bus level to the bus while the ACK field is being transmitted. In the event of an error, it applies the recessive bus level accordingly. If there is not a single positive confirmation, i.e. the recessive ACK slot is not overwritten by any recipient, the sender detects an ACK error and immediately aborts the current message transmission by activating an error flag. In this way, smuggled data is deliberately changed and thus made unusable. With the targeted modification of certain message parts or their CRC protection, it is also possible to control the reaction of the affected control units to a certain extent. Overwriting can be done with a constant dominant level. A specific bit pattern can also be generated by specifically overwriting individual bits with the dominant level.

1. a. Such a bit pattern can preferably consist of a specific sequence of bits with a dominant bus level or a non-dominant bus level.
2. b. If the bit pattern is designed accordingly, it is also suitable for transmitting information. This information can be encoded in the corresponding bit pattern.
3. c. The type of bit pattern (ie the length of the dominant / non-dominant sequences) can be selected so that the receiver control units can both detect an attack and decode the information contained in the bit pattern with a sufficiently high probability.
4. d. The bit pattern can extend over the entire data area or include one or more sub-areas.
5. e. If only a certain area in the data field is used to identify a compromised message with a bit pattern, another area can be used in the data field with which the affected control unit transmits information to the recipient control unit that recognized the attack.
   • - This bit pattern can represent a recipient confirmation of the message mentioned in a.
   • - This bit pattern can contain additional information on the reaction of the receiver control unit.
6. f. The receiver control unit that recognized the attack preferably overwrites the data field as described while the compromised message is being sent.

If the CRC field is overwritten with an invalid CRC code, this can also be done in such a way that information is encoded in the "invalid CRC code". This information can e.g. indicate which signal has been manipulated or how many messages of this type have already been manipulated. In that case the information represents a manipulation counter.

• Warnung mittels Botschaftssignal

Various other countermeasures can be considered, which can be used individually or in combination:

• Warning by means of a message signal

Another way of warning control units after an attack is to insert an additional signal in the data part of regular messages. In the simplest embodiment, an existing / additional bit of the data field can be reserved for this, with which an attack is signaled in regular messages. After an attack, the control unit whose monitoring module has detected the attack sends one or more messages whose signal bit is set to a specific, defined value. In another embodiment, the signal consists of a specific bit pattern that is specified for this purpose.

Warning by means of implausible data content

Affected control units can also be warned of an attack by implausible data content. The control unit that recognized the attack sends one or more messages with implausible data after the attack. The data field or certain signals in the data field are set to implausible values after a recognized attack. As an example, it is mentioned that an implausible physical variable such as speed, acceleration, speed, throttle valve position, oil pressure, fuel consumption, etc. is transmitted. A plausibility check is carried out in the control units that receive the message. If it is found that the received data concern implausible values, the received message is discarded. Implausible can be defined in such a way that the signals are outside a certain permissible range of values.

Warning by sending a warning message

Control units affected by an attack can also be informed of an attack by additional warning messages. These warning messages are only used if an attack is detected. Separate Can-Bus message identifiers can be assigned for this, which are unique for each station or are individually assigned to each message used in the station. In this way, the affected control units can recognize which message was attacked and initiate a corresponding reaction.

Response of affected control units

In addition to the detection of smuggled messages, the response of the affected control units is of particular importance. In the event of an attack, a security module implemented in the control unit transfers the affected control unit to a so-called safe state. This is provided for each control unit and is programmed during software development. There are predefined rules as to how the transition to the safe state should take place. In this regard, reference is made to the ISO standard ISO 26262 entitled “Functional Safety”.

In addition, if an attack notification is received, standard measures that have already been implemented, such as the corresponding reaction in the event of failure of the CAN bus or certain degradation concepts can be used.

8th now shows the principle of the monitoring procedure. The same reference numerals denote the same components as previously explained. The attacker is in 8th with the reference number 157 marked. In the example he has connected to the CAN bus with an appropriate tool 104 activated. This is certainly possible in a workshop without any problems, despite the fact that the CAN bus is often laid in an inaccessible place in the vehicle. However, there are usually certain points on the vehicle where the CAN bus is accessible. In the lower part of the 8th shows a cycle with which the engine control unit 151 a message ECM sends on the bus. The monitoring module is at the respective transmission phase 1517 not active. In the marked phases MP the bus traffic is monitored. In the second phase MP occur further ECM 'messages that the attacker 157 sends. Since these use the same message identifier that is used for the control unit 151 is reserved, they are taken from the monitoring module 1517 recognized as irregular as described above. The engine control unit 151 then initiates countermeasures as described.

The 9 shows another state diagram with which the monitoring process and the initiation of countermeasures is described. The same reference numbers denote the same components as in the other figures. The in 9 The state machine shown describes the functionality of the new system from bus monitoring to reaching the safe state of an affected control unit 152 as well as the notification of the communication with the driver, the central computer 320 , other road users 10 and infrastructure 310 responsible control units 110 . Different variants of the notification are shown. These can be carried out individually or in any combination.

First of all, it is assumed that the engine control unit 151 with the monitoring module 1517 carries out bus monitoring. The control unit is accordingly in the state Z1 . Used by the monitoring module 1517 If an attack is detected by one of the checking measures described above, the engine control unit changes 151 in the state Z2 . The state transition change is denoted by the reference number ①. In condition Z2 countermeasures are carried out. The control unit concerned is first notified. In the example shown, the control unit concerned corresponds to the ESP control unit 152 . The message placed on the bus by an attacker is therefore a message for the engine control unit 151 is reserved. The engine control unit 151 will try as a first countermeasure to invalidate the embassy. This happens with the status transition ② in that the incoming message is sent to the bus by applying the dominant bus level 102 gets destroyed. Both the data field and the CRC field can be overwritten in this way. A specific bit pattern can also be transmitted in this way, which is clearly interpreted as a warning of a detected attack. During the state transition ③, a new message is generated with the same message identifier in which implausible data is entered in the data field. When the status transition ④, a new message is generated that was specifically specified as a warning message. A separate message identifier has been reserved for this warning message. The ESP control unit 152 changes to the state due to one of the messages delivered during the state transitions ②, ③, ④ Z3 in which the notifications of an affected Control unit are processed after detection of an attack. During the state transition ⑤ a new message is generated which contains a message identifier that is sent to the computing device 130 is directed. The computing device 130 determines that it is a warning message about an attack and goes into the state Z5 above, in which it generates a warning message on the display unit 135 is displayed for the driver. This can be done by visual display (e.g. warning symbol or text), acoustic or haptic warnings. During the state transition ⑥ a new message is generated which contains a message identifier that is sent to the communication module 110 is directed. The gateway 140 must convert this message into the format of the bus system 104 . The communication module 110 then recognizes a warning about an attack that has taken place and goes into the state Z6 about. In that condition Z6 a message is generated which is sent to the central computer 320 is addressed. This is the central computer 320 communicated that an attack occurred. The message type as well as the place and time of the attack become the central computer 320 transfer.

In condition Z3 can also be the ESP control unit 152 initiate further measures. Then there is a message to the computing device at the state transition ⑦ 130 Send with the same content as was done with the state transition ⑤. Finally, the communication module is notified when the status transition ⑧ occurs 110 as with the state transition ⑥. With the state transition ⑨ there is a change in the state of the ESP control unit 152 instead of. The control unit changes to the safe state Z4 . Even in the state Z5 the computing device 130 can use this form of notification of the communication module 110 at state transition ⑩ still take place in another variant.

The disclosure is not restricted to the exemplary embodiments described here. There is room for various adaptations and modifications which those skilled in the art, based on their expert knowledge as well as belonging to the disclosure, would consider.

The monitoring method described can also be used with other bus systems than the CAN bus. The LIN bus (Local Interconnect Bus) is particularly mentioned as an example. The LIN bus, however, is a master / slave bus in which an identifier is also provided in the message format, but which can also identify a specific control command.

All examples mentioned herein as well as conditional formulations are to be understood without restriction to such specifically cited examples. For example, it will be appreciated by those skilled in the art that the block diagram presented herein is a conceptual view of exemplary circuitry. In a similar way, it can be seen that a depicted flowchart, state transition diagram, pseudocode and the like represent different variants for the representation of processes that can essentially be stored in computer-readable media and thus executed by a computer or processor.

It should be understood that the proposed method and associated devices can be implemented in various forms of hardware, software, firmware, special purpose processors, or a combination thereof. Specialty processors can include application-specific integrated circuits (ASICs), reduced instruction set computers (RISC), and / or field programmable gate arrays (FPGAs). The proposed method and the device are preferably implemented as a combination of hardware and software. The software is preferably installed as an application program on a program storage device. Typically, it is a computer platform-based machine that includes hardware such as one or more central processing units (CPU), random access memory (RAM), and one or more input / output (I / O) interfaces. An operating system is also typically installed on the computer platform. The various processes and functions described here can be part of the application program or a part that is executed by the operating system.

List of reference symbols

10

CAN node

12

CAN transceiver

13

Terminating resistor

14th

CAN controller

15th

Bus line

16

Host

20th

vehicle

100

Automotive electronics

102

Infotainment bus

104

CAN bus

110

On-board communication module

120

navigation system

130

Computing device

135

Display unit

140

Gateway

151

Engine control unit

152

ESP control unit

153

Transmission control unit

157

attacker

161

1. Sensor

162

2nd sensor

163

3. Sensor

181

Program start

182

Comparison of the message ID with the send table

183

Check for remote frame

184

Countermeasures

185

End of program

200

Evolved Packet Core

210

Base station

300

Internet

310

Road Side Unit

320

Central computer

1510

Architecture CAN bus interface

1511

Application software

1512

1. Interface

1513

CAN controller

1514

2. Interface

1515

Transmission table

1516

3. Interface

1517

Monitoring module

1518

Security module

AT THE

Antenna module

ECM

a message from the engine control unit

ECM '

a smuggled message from an attacker

MP

Monitoring phase

Z1 - Z6

different states

①-⑩

different state transitions

QUOTES INCLUDED IN THE DESCRIPTION

This list of the documents listed by the applicant was generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Patent literature cited

• DE 102015205670 A1 [0011]
• US 2015172306 A1 [0012]
• EP 3148154 B1 [0013]

Non-patent literature cited

• ISO 11898 [0039]
• Standard ISO 11898-2 [0039]
• Standard ISO 11898-3 [0039]
• ISO 11898-1 [0061]

Claims (15)

Method for monitoring communication on a communication bus (104), a number of electronic stations (140-163) being networked through the communication bus (104), the messages transmitted via the communication bus (104) being identified with an identifier, for Each station (140-163) is specified which messages with which identifier can be sent by it, whereby a uniqueness rule is observed that forbids another station (140-163) to send a user data message with an identifier that already is reserved for this station (140-163), with a monitoring module (1517) being provided in one or more or all of the electronic stations (140-163) which monitors whether a user data message from a other station (140-163) is sent with an identifier that is reserved for its own station (140-163), if from the monitoring module (1517) determines that the uniqueness rule has been violated, one or more of the following countermeasures are initiated: Making the smuggled message unusable by overwriting the message with the dominant level, by overwriting the message with a certain bit pattern, by deliberately changing a certain part of the message, such as the CRC field of the message, or by setting an information entry in an additional field of the messages sent; Warning another electronic station (140-163) by sending implausible data content in one or more subsequent messages or by sending a warning in one or more dedicated warning messages. Procedure according to Claim 1 wherein the monitoring module (1517) accesses a transmission table (1515) for monitoring, in which all of the identifiers reserved for the station (140-163) are recorded and compares the identifier of a received message with the entries in the transmission table (1515) . Procedure according to Claim 1 or 2 , wherein if the identifier of the received user data message (ECM) matches an entry in the transmission table (1515), the monitoring module (1517) detects an unauthorized bus access and one or more of the countermeasures are initiated. Method according to one of the preceding claims, wherein the step of specifically changing a specific message part relates to changing the entry in an error protection data field, in particular a CRC field of the message. Method according to one of the preceding claims, wherein from a station (140-163) which another station (140-163) equipped with a monitoring module (1517) receives an unusable message or a dedicated warning message, a step of transferring the station (140 - 163) is executed in a safe state (Z4). Method according to one of the preceding claims, wherein as a further countermeasure a device (130) responsible for the output of information, in particular a device of an infotainment system that receives a message that has been rendered unusable or a dedicated warning message, a step of warning the vehicle driver with an optical, performs an acoustic or haptic signal. Method according to one of the preceding claims, wherein the station (1518) equipped with a monitoring module (1517) sends a dedicated warning message to the device (130) responsible for outputting information, in particular the device of the infotainment system, which then carries out the step of warning the Vehicle driver by outputting the optical, acoustic or haptic signal .. Method according to one of the preceding claims, wherein as a further countermeasure a device (110) responsible for communication with the outside world carries out a step of sending a manipulation report by radio to a central computer (320) of the car manufacturer or an authority or to a smartphone of the vehicle owner. Method according to one of the preceding claims, wherein the station (140-163) equipped with a monitoring module (1517) sends a dedicated warning message to the device (110) responsible for communication with the outside world, which then includes the step of sending a manipulation report by radio to the central computer (320). Procedure according to Claim 9 wherein the device (110) responsible for communication with the outside world additionally carries out a step of sending a dedicated warning message to a device (130) of the infotainment system that is responsible for outputting information. Method according to one of the preceding claims, wherein the communication bus (104) is designed according to a variant of the family of CAN bus standards, corresponding to the Controller Area Network. Procedure according to Claim 11 , whereby the identifier corresponds to a CAN bus message identifier. Electronic device for connection to a communication bus (104), characterized in that the device has a monitoring module (1517) which is designed for monitoring according to the steps according to one of the preceding claims. Electronic device for connection to a communication bus (104), characterized in that the device has a security module (1518) which is used to transfer the control device (152) to the safe state according to the steps according to Claim 5 is designed. Vehicle, characterized in that the vehicle (10) with one or both electronic devices according to Claim 13 or 14th Is provided.

Images