EP3928485A1 - Appareil de véhicule et procédé de connexion sécurisée de données - Google Patents

Appareil de véhicule et procédé de connexion sécurisée de données

Info

Publication number
EP3928485A1
EP3928485A1 EP20719572.8A EP20719572A EP3928485A1 EP 3928485 A1 EP3928485 A1 EP 3928485A1 EP 20719572 A EP20719572 A EP 20719572A EP 3928485 A1 EP3928485 A1 EP 3928485A1
Authority
EP
European Patent Office
Prior art keywords
vehicle
data
external
connection
communication device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP20719572.8A
Other languages
German (de)
English (en)
Inventor
Andres GONZALEZ GUILARTE
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens Mobility GmbH
Original Assignee
Siemens Mobility GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Mobility GmbH filed Critical Siemens Mobility GmbH
Publication of EP3928485A1 publication Critical patent/EP3928485A1/fr
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/40Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/44Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0254Stateful filtering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/088Access security using filters or firewalls

Definitions

  • a vehicle device for the secure data processing of at least one vehicle with at least one device external to the vehicle, with at least one interface device for connection to an in-vehicle wired data network, with at least one communication device for radio-based connection with the device external to the vehicle and with little At least one data diode device connected to the interface device and the communication device, which data diode device is designed for the unidirectional data connection from the interface device to the communication device.
  • the invention achieves the object by means of a method for the secure data connection of at least one vehicle with at least one device external to the vehicle, in the case of which data from a vehicle-internal wired data network can be transmitted wirelessly and unidirectionally to the equipment outside the vehicle.
  • the solution according to the invention offers the possibility of vehicles being networked in a secure manner without endangering safety-critical internal systems. Thus, the risk of occupants and other road users is held th.
  • the solution according to the invention is therefore particularly suitable for future applications in the mobility sector.
  • the invention can establish a secure connection in autonomous vehicles that are intended for levels 4 and 5 (GoA - Grade of Automation).
  • the solution can also be used for driver assistance systems according to level 2 (GoA 2) and semi-automated driving according to level 3 (GoA 3).
  • the solution according to the invention can be used, for example, for the secure direct connection of vehicles, for solutions for digital twins and juridical recorders in the event of an accident, for external monitoring of vehicle sensor data for external analysis, for external recording of vehicle CCTV systems, Regular checking of data completeness of the on-board systems and for much more.
  • the interface device establishes a connection to the vehicle-internal data network during operation, the data of which is to be passed at least partially to the vehicle-external device.
  • the communication device according to the invention of the vehicle device can establish a radio-based connection with the device external to the vehicle in order to transmit the said data from the vehicle-internal data network.
  • the data diode device according to the invention ensures that data is only transferred unidirectionally from the vehicle-internal data network can be transmitted in the direction of the off-vehicle device, but not in the other direction. Since a data flow from the communication device, which can be connected to the device external to the vehicle, to the interface device is excluded, the invention can ensure a high level of security for the vehicle. External attacks can thus be blocked.
  • the vehicle device can have at least one switchable or switchable data connection from the communication device to the interface device.
  • This has the advantage that, in addition to the unidirectional data connection, there is also an additional data connection in the opposite direction, which can be used as required.
  • software updates can be transmitted to the vehicle's data network via the switchable data connection.
  • the data connection can have at least one further data diode device which is designed for a unidirectional data connection from the communication device to the interface device.
  • This has the advantage that an undesired flow of data in the opposite direction can also be excluded here.
  • the two parts of the vehicle device are still galvanically separated from one another.
  • the vehicle device can have at least one first computing device which is designed to switch the data connection as a function of at least one predetermined rule.
  • This rule ensures that data from the communication device to the interface device is only allowed in a permitted manner and that security in the vehicle-internal data network is guaranteed.
  • the at least one rule can be at least one predetermined point in time, a predetermined size or comprise a specific identity. For example, a user's fingerprint can be checked in order to verify his or her authorization.
  • a predetermined data size can be used, for example, to ensure that only permitted data enter the vehicle-internal data network.
  • the data connection from the communication device to the interface device can only be released if the communication between the communication device and the external device is interrupted. In this way, an external attack can be excluded during the established data connection.
  • the vehicle-internal data network can be configured as a multi-vehicle bus, electrical middle distance bus, CAN bus or Ethernet.
  • a multi-vehicle bus electrical middle distance bus
  • CAN bus electrical middle distance bus
  • Ethernet Ethernet
  • other data networks used internally in the vehicle can also be used.
  • the communication device can have at least one memory unit. This has the advantage that data from the device external to the vehicle can be temporarily stored in the communication device before they are transmitted to the interface device. This makes it possible, for example, to interrupt the data connection to the device external to the vehicle while the switchable data connection is closed. This means that a malicious attack from outside can be excluded during transmission via the switchable data connection.
  • the vehicle device can have at least one first and at least one second computing device, the first computing device being arranged or designed as part of the interface device and the second computing device as part of the communication device.
  • Each of the computing devices can check specified safety rules and thus increase the safety of the vehicle.
  • the communication device can have at least one mobile radio unit operating according to the 5G standard.
  • the new 5G mobile radio standard will make mobile vehicles even more networked in the future.
  • the invention also relates to a vehicle with at least one vehicle device according to one of the aforementionedParksfor men.
  • a data connection from a communication device connected to the vehicle-external device to an interface device connected to the vehicle-internal data network can be activated if at least one predetermined rule is met.
  • the transmission can be carried out unidirectionally.
  • the predetermined rule can be checked by a computing device which is arranged separately from a communication device connected to the device external to the vehicle. This ensures that the rule check cannot be changed by an external criminal attack. This increases the safety of the vehicle.
  • the data can only be transmitted from the vehicle-external device to the vehicle-internal data network if there is no active connection to the vehicle-external device.
  • FIG. 1 is a schematic representation of an exemplary embodiment of a vehicle according to the invention with a vehicle device according to the invention
  • FIG. 2 shows a schematic representation of part of the exemplary embodiment of the vehicle device according to the invention from FIG. 1;
  • Fig. 3 shows a schematic representation of an exemplary embodiment of the method according to the invention
  • FIG. 5 shows a schematic representation of the vehicle device according to the invention from FIG. 1;
  • FIG. 11 is a schematic representation of a further embodiment of a vehicle according to the invention.
  • a vehicle 1 according to the invention has a vehicle device 2 according to the invention so that a secure data connection with a device 3 external to the vehicle is established.
  • the vehicle 1 is shown here as a car. But it can Of course, it can also be any other vehicle, such as a truck, a motorcycle, a tram, a subway or other trains.
  • the external device 3 to which the data are to be transmitted can, for example, be a central control device (SCADA), a control center or the like. Via data stream 4, data from vehicle 1 is transmitted by vehicle device 2 to external device 3.
  • SCADA central control device
  • the vehicle device 2 has an interface device 5, a communication device 6 and a first data diode device 7.
  • the vehicle device 2 also includes an additional connection device 8, which will be explained somewhat later with reference to FIG. 2.
  • the interface device 5 is connected to a vehicle-internal, usually wired data network 9, which can be, for example, a CAN bus of the vehicle or also a multi-vehicle bus, electrical middle distance bus or Ethernet.
  • a vehicle-internal, usually wired data network 9 which can be, for example, a CAN bus of the vehicle or also a multi-vehicle bus, electrical middle distance bus or Ethernet.
  • the communication device 6 is designed for radio-based connection with the vehicle-external device 3 and, during operation, transmits data via data stream 4 to the external device 3.
  • the communication device 6 can include modules for communication, not shown, for example, the external device 3 via 5G , WLAN, LTE US, LTE E, UMTS or GSM.
  • the vehicle device 2 can be subdivided into a vehicle-internal part 10 and a vehicle-external part 11.
  • the vehicle-internal part 10 and the vehicle-external part 11 are connected to one another via the data diode device 7.
  • This data diode device 7 also connects the interface device 5 arranged in the vehicle-internal part 10 with the communication device 6 arranged in the vehicle-external part 11.
  • the data diode device 7 also comprises two parts, a first part 12 and a second part 13, which are galvanically separated from one another.
  • Each part 12, 13 has, for example, socket elements 14 into which known connectors can be inserted in order to establish a connection to the interface device 5 or to the communication device 6.
  • the socket elements 14 are connected to one another via a listening module 15 in which the data are only transmitted unidirectionally.
  • the monitoring module 15 the data is monitored by means of electromagnetic induction and the monitored data is passed on.
  • a data diode is implemented, as is known, for example, from "Monitoring and safety-critical warning networks by means of one-way gateways", Ri carda Weber, Martin Wimmer, Signal + Draht 9/2018.
  • the interface device 5 furthermore comprises a first computing device 16 and a first storage device 17.
  • the communication device 6 comprises a second computing device 18 and a second storage device 19.
  • data from the internal data network 9 of the vehicle 1 can be transmitted to the external device 3 in a secure manner.
  • the data diode device 7 ensures that, despite the existing data connection to the external device 3, no external attacks on the vehicle-internal data network 9 or on the vehicle-internal part 10 can be carried out, because only a unidirectional data stream 4 is physically possible.
  • any type of data such as position or diagnostic data can be sent from the vehicle 1 to the external device 3 without opening the vehicle's internal data network 9 to the outside.
  • the vehicle device 2 can optionally have binding device 8, which is described below with reference to FIG.
  • the connection device 8 represents a switchable data connection from the communication device 6 in the direction of the interface device 5.
  • this switchable data connection is formed with a further data diode device 20.
  • the further data diode device 20 also realizes a unidirectional data connection, which, however, is designed opposite to the first data diode device 7. In this way, data can flow from the vehicle-external part 11 into the vehicle-internal part 10 according to the data stream 21 shown.
  • This data stream 21 is only enabled and enabled when required.
  • this control of the data stream 21 is carried out by the first computing device 16 arranged in the vehicle-internal part 10. The first computing device 16 only enables the data stream 21 if predetermined rules are met that ensure security.
  • the connection device 8 also has a power supply 22, a first communication module 23 in the vehicle-external part 11, a second communication module 24 in the vehicle-internal part 10 and a further storage device 25.
  • the first communication module 23 is designed in the same way as the communication device 6 and the second communication module 24 is designed like the interface device 5.
  • data packets 26 which represent a software update, for example, are provided by a creator such as the vehicle manufacturer 27, for example. These data packets 26 are stored in a cloud 28, for example. The vehicle 1 can establish access to the data packets 26 in the cloud 28.
  • Information about the provided data packets 26 is then output, for example to the owner of vehicle 1.
  • This information is made available, for example, in a step 29 by email, mobile app or also via a vehicle information system.
  • the owner of the vehicle must transmit the data packets 26 to the vehicle
  • the release can be carried out, for example, using PKI, fingerprints, face recognition or one of their other known verification methods.
  • download conditions can be checked before the download of the data packets 26 from the cloud 28 to the vehicle 1 is started.
  • These download conditions can be, for example, that the vehicle 1 is parked, the vehicle 1 is connected to a charging station (only for e-cars) or the vehicle is connected to an approved, trustworthy network, e.g. B. is connected via WLAN.
  • the data packets 26 are then transferred to the part external to the vehicle
  • step 31 Another release takes place in step 31. With this release, the necessary rules are queried, such as validation of the vehicle manufacturer, disconnection of communication device 6, parking of vehicle 1, charging of vehicle 1 (only for e-cars), and possibly further authorization by the owner. If all the rules are met, the data stream 21 is produced by the connection device 8, so that the data packets 26 are transmitted from the vehicle-external part 11 to the vehicle-internal part 10 via the further data dial device 20. This data transfer takes place in step 32. After the data transfer has been completed the connection is interrupted again by the connection device 8 and the data transmission is completed.
  • Fig. 4 shows schematically the division of a printed circuit board (PCB - Printed Circuit Board) of the Anlagenge devices 2.
  • the areas of the control panel shown include the interface device 5, the data diode device 7, the first computing device 16, the communication device 6 and a power supply 33 and optional System modules 34.
  • FIG. 5 shows the areas from FIG. 4 in detail.
  • FIG. 6 shows the schematic structure of the vehicle device 2, which in this exemplary embodiment has two printed circuit boards (PCB).
  • the upper printed circuit board 37 is designed as a main switchboard corresponds to the illustration in FIGS. 4 and 5.
  • the lower printed circuit board 38 which connects to the upper printed circuit via pins
  • Boards 37 is only optional and can e.g. include a passenger internet gateway.
  • FIG. 7 shows a side view from the front or from the rear of the vehicle device 2 according to the invention.
  • FIG. 8 shows a detail of Fig. 7. This shows an overlap pende front panel to increase stability.
  • Fig. 9 shows a further detail of Fig. 7, in which an adjustable loading mounting rail 40 is shown.
  • FIG. 10 shows a top view of the exemplary embodiment of the vehicle device 2 according to the invention from FIG. 7.
  • the vehicle device 2 has a housing 35 with a plurality of cooling fins 36. The number of cooling fins 36 can be adjusted as required.
  • the housing 35 can for example be made of aluminum and, depending on the use, also be waterproof or water-protected (IP 20 or IP 50).
  • 11 shows a further embodiment of the vehicle device 2 according to the invention, in which the connecting device 8 is designed to be more integrated.
  • connection device 8 with the further data diode device 20 is arranged parallel to the first data diode device 7 between the interface device 5 and the communication device 6.
  • the function of the embodiment in FIG. 11, however, is the same as that of the embodiment shown in FIGS. 1 and 2 and described above. The same reference symbols are therefore used.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)

Abstract

L'invention concerne un appareil de véhicule (2) destiné à la connexion sécurisée de données d'au moins un véhicule (1) avec au moins un dispositif (3) externe au véhicule. L'invention vise à augmenter la sécurité du véhicule (1). À cet effet, l'appareil de véhicule (2) selon l'invention comporte au moins un dispositif interface pour la connexion à un réseau de données (9) filaire embarqué, au moins un dispositif de communication pour la connexion radio avec le dispositif (3) externe au véhicule et au moins un dispositif à diode de données (7) connecté avec le dispositif interface (5) avec le dispositif de communication (6), qui est conçu pour effectuer une connexion de données unidirectionnelle du dispositif interface (5) avec le dispositif de communication (6). L'invention concerne en outre un procédé de connexion sécurisée de données.
EP20719572.8A 2019-04-12 2020-03-30 Appareil de véhicule et procédé de connexion sécurisée de données Pending EP3928485A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102019205304.1A DE102019205304A1 (de) 2019-04-12 2019-04-12 Fahrzeuggerät und Verfahren zur sicheren Datenverbindung
PCT/EP2020/058891 WO2020207836A1 (fr) 2019-04-12 2020-03-30 Appareil de véhicule et procédé de connexion sécurisée de données

Publications (1)

Publication Number Publication Date
EP3928485A1 true EP3928485A1 (fr) 2021-12-29

Family

ID=70292936

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20719572.8A Pending EP3928485A1 (fr) 2019-04-12 2020-03-30 Appareil de véhicule et procédé de connexion sécurisée de données

Country Status (3)

Country Link
EP (1) EP3928485A1 (fr)
DE (1) DE102019205304A1 (fr)
WO (1) WO2020207836A1 (fr)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10530811B2 (en) * 2016-08-11 2020-01-07 Vm-Robot, Inc. Routing systems and methods
DE102017203898A1 (de) * 2017-03-09 2018-09-13 Siemens Aktiengesellschaft Gateway-Vorrichtung, Kommunikationsverfahren und Kommunikationssystem für ein Fahrzeug, insbesondere ein Schienenfahrzeug

Also Published As

Publication number Publication date
DE102019205304A1 (de) 2020-10-15
WO2020207836A1 (fr) 2020-10-15

Similar Documents

Publication Publication Date Title
DE10326287A1 (de) Fahrzeug-Kommunikationssystem, welches eine anormale Steuereinheit initialisiert
DE4126449C2 (de) Kontroll- bzw. Steuerungsvorrichtung für Fahrzeuge
DE102019107768A1 (de) Systeme und Verfahren zum automatischen Bestimmen einer Mitte eines autonomen Lenksystems
EP3741094B1 (fr) Systeme de commande pour vehicule automobile, procede de fonctionnement du systeme de commande et vehicule automobile comportant un tel systeme de commande
WO2016058681A1 (fr) Procédé pour établir et faire fonctionner un réseau de véhicule sans-fil
WO2017020999A1 (fr) Procédé de fonctionnement d'un véhicule automobile et système de fonctionnement d'un véhicule automobile
DE102019212958B3 (de) Verfahren und Vorrichtung zur Erzeugung von kryptographischen Schlüsseln nach einem Schlüsselableitungsmodell sowie Fahrzeug
DE102013200535A1 (de) Verfahren und Vorrichtung zum Betrieb eines Kommunikationsnetzwerks insbesondere eines Kraftfahrzeugs
DE102011007588A1 (de) Verfahren und Vorrichtung zur Steuerungs-Kommunikation zwischen gekoppelten Zugteilen
EP3496975B1 (fr) Véhicule automobile ayant un réseau de données divisé en plusiers domaines séparés et procédé d'exploitation du réseau de données
DE102017205993A1 (de) System und Verfahren zur selektiven Freischaltung von Fahrzeugfunktionen
DE102018129015A1 (de) Systeme und verfahren zur fahrzeugdiagnosetesterkoordination
DE102013001412A1 (de) Verfahren zur Steuerung einer Kommunikation zwischen einer Diagnosestelle eines Fahrzeugs und einem Fahrzeugnetz sowie entsprechende Steuerung für ein Fahrzeug
DE102011002713A1 (de) Verfahren und Vorrichtung zum Bereitstellen von kyptographischen Credentials für Steuergeräte eines Fahrzeugs
DE102016212230A1 (de) Verfahren zur sicheren Authentifizierung von Steuervorrichtungen in einem Kraftfahrzeug
WO2021122362A1 (fr) Communication entre réseaux d'un véhicule automobile
DE102020208536A1 (de) Gateway-vorrichtung, abnormitätsüberwachungsverfahren und speichermedium
DE10360120B3 (de) Rolling-Code basiertes Verfahren
DE102020121540A1 (de) Bestimmungseinrichtung, Bestimmungssystem, Speichermedium, das ein Programm speichert, und Bestimmungsverfahren
WO2020207836A1 (fr) Appareil de véhicule et procédé de connexion sécurisée de données
EP2962162B1 (fr) Procédé pour la mise en place et/ou la mise à jour d'une programmation d'un appareil de commande d'un moyen de transport
DE102013200528A1 (de) Verfahren und Vorrichtung zum Betrieb eines Kommunikationsnetzwerks insbesondere eines Kraftfahrzeugs
DE102015016928A1 (de) Verfahren zum Betrieb eines Fahrzeugs
DE102018102677A1 (de) Verfahren zur Freigabe einer Funktion eines Systems und zugehöriges System
DE102013022498A1 (de) Verfahren und Vorrichtung zum Betrieb eines Kommunikationsnetzwerks insbesondere eines Kraftfahrzeugs

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20210924

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20240209