IT201700013903A1 - METHOD AND SYSTEM TO CONTRAST A COMPUTER ATTACK TO A VEHICULAR DATA NETWORK - Google Patents

Description

"METHOD AND SYSTEM TO FIGHT A COMPUTER ATTACK TO A VEHICLE DATA NETWORK"

Field of application of the invention

The present invention refers to the field of vehicle data networks and in particular to a method that allows to minimize or prevent the effectiveness of a computer attack on the vehicle data network.

State of the art

In the remainder of this description, "network" means a data network through which various devices are interconnected.

The systems on board the vehicle exchange data with each other, generally via a serial bus.

The most widely used serial bus is the CAN (Control Area Network). Networks of a different nature can be used.

The data is usually inserted into messages.

Within the CAN, a message contains various information, including an ID identifier and a variable number of signals.

The ID is composed, among others, of the Parameter Group Number (PGN), which identifies the message itself, and the source address SA, the Anglo-Saxon acronym "Source Address", which identifies the transmitting device.

The signals, on the other hand, are identified by a respective and unique Suspect Parameter Number (SPN), as regulated by the SAE committee.

The transmission of messages is of the asynchronous type, although there is a nominal transmission frequency which, however, is strongly influenced by the traffic on the bus.

Some messages carry physical data, such as temperatures, pressures, consumption. Other messages carry command instructions. For example, the processing unit that oversees the control of the gearbox can request a target number of revolutions or a torque value from the processing unit (ECU) that controls a vehicle engine. Or there may be a request to the ECU to shut down the heat engine.

Some command instructions have a high relevance in terms of safety. For example, a command to increase the copy delivered while the vehicle is approaching an intersection could cause accidents.

Command messages generally contain a "Message Checksum" and a "Message Counter".

The Message Checksum is a control code, for example of 3 bits, inserted in the same message and calculated by the transmitting device using an algorithm known per se, based on some or all of the portions of the message to which the Message Checksum refers. The receiving device, once received this command message, recalculates the Message Checksum and compares it with the one already present in the same message and in case of discrepancy, rejects the entire message containing the command instructions.

The Checksum can also reach an extension of 128 bits, using a CAN variant, called CAN-FD (Flexible Data) in order to increase safety.

The Message Counter is a counter, for example of 3 bits, implemented by each transmitting device which is incremented each time a message is sent. It can be non-carry-over. The Message Counter is also inserted, as well as the Checksum, within a message to be sent. When a receiving device receives a message, it verifies that the Message Counter received each time falls within a dynamic window of values. Otherwise, reject the entire message.

The receiving device, to validate a command message, ensures that the Message Checksum and the Message Counter are correct.

In addition, the receiving device can only receive command instructions from some specific authorized transmitter devices and therefore, it extracts the relevant SA from the ID and, if so, the receiving device extracts the command instruction contained therein and executes it.

Otherwise, the receiving device rejects the received message.

Today's vehicles are often equipped with wireless connections. The most common is Bluetooth to connect the infotainment on board with the smartphone of a passenger in the same vehicle.

The infotainment that generally integrates the hands-free system and often also the satellite navigation system is connected, like other on-board devices, to the vehicle data network.

Alternatively, the vehicle may have been tampered with by connecting a malicious device directly to the vehicle network.

An attacker could enter "on-the-air" in the vehicle data network, through the access offered by the infotainment, and simulating being one of the authorized transmitters would take possession of the relevant ID, and send command messages.

Before starting the attack, the hacker would just listen to the messages circulating in the vehicle network to associate an ID with a Message Counter. At that point the hacker is able to send messages containing formally correct command instructions.

Furthermore, the hacker would take care to transmit his messages at a much higher frequency than the nominal one. In this way, its instruction would override that of the usurped transmitting device.

For example, the command could be given to make the engine deliver the maximum power available, regardless of the position of the accelerator pedal.

In these circumstances, the ECU would receive messages from a correct ID, among those authorized, and having a Message Counter in the aforementioned window.

In the remainder of this description, reference is made to a "malicious" transmitting device that clones the ID of a "usurped" device in order to change the behavior of the vehicle itself.

Summary of the invention

The purpose of the present invention is to present a method which allows to counteract a computer attack on a vehicular data network.

The basic idea of the present invention is to cause the transmitting device to generate a further control message to be sent according to a first time interval, in which a count of the command messages sent by said transmitting device is contained in the control message, for example starting from a reset event, in which the receiving device keeps its own count of the messages received from said transmitting device and verifies the correspondence between its own count and the count contained in the control message and, if they differ, then the receiving device rejects any message received from said transmitting device until a subsequent reset event.

According to a preferred variant of the invention, when the receiving device receives a first and a subsequent second control message and the count contained in the second message is less than the count contained in the first message, then the receiving device rejects any message received from said transmitting device until a subsequent reset event.

The object of the present invention is a method and to counter a computer attack on a vehicular data network according to claim 1.

The present invention also relates to a transmitting and receiving device comprising processing means configured to carry out the above method.

The present invention also relates to a vehicle equipped with a vehicle data network, propulsion means and processing units including said receiving and transmitting devices.

The claims describe preferred variants of the present invention, forming an integral part of the present description.

Brief description of the figures

Further objects and advantages of the present invention will become clear from the following detailed description of an example of embodiment of the same (and its variants) and from the attached drawings given purely by way of non-limiting explanation, in which figure 1 schematically shows a network of data in which the method object of the present invention is implemented. The same reference numbers and letters in the figures identify the same elements or components.

In the context of this description, the term "second" component does not imply the presence of a "first" component. These terms are in fact used only for clarity and should not be understood in a limiting way.

Detailed description of examples of realization

Fig. 1 shows a data network, for example a serial network of the CAN bus type.

Several devices CU_1, CU_2, CU_3, ENT_BT and ECU are connected to this network.

Some of them are able both to generate and transmit messages and to receive and decode received messages, while others would be able to compile and transmit only.

In the subsequent transmission, the expression "generate a message" means that the message is not only generated, but also queued to be sent as soon as the transmitting device has access to the transmission channel. Similarly, the receipt of a message implies that it must be analyzed independently of the layers involved in the decoding, see ISO-OSI model. Obviously, if a layer discards a message, it is not decoded and analyzed at the higher levels as is known to the person skilled in the art.

For example, the transmitting device relating to the accelerator pedal, sends information about the position of the accelerator pedal, may not be able to receive and decode messages.

The messages are published on the vehicular network and it is then up to the individual devices to discard or decode the messages received.

Figure 1 shows an entertainment and information device (infotainment). In the vast majority of cases it is equipped with Bluetooth which allows wireless interaction of a smartphone with the device itself. The Bluetooth channel represents the most common means in which a hacker attack on a vehicle is carried out.

Alternatively, it must be assumed that the attacker has directly connected a malicious device HK, possibly remotely controlled, to the vehicle network.

Only for an easy understanding of the present invention, it is assumed that the malicious device HK or ENT_BT clone the device ID CU_1 by overwriting the command instructions sent by said device.

For example, assuming that the CU_1 device represents a sensor associated with the accelerator pedal, and that the driver wants a torque of 20% of the nominal torque of the engine. The HK or ENT_BT malicious device sends high frequency messages containing command instructions indicating 100% of the nominal torque as the torque to be delivered. Evidently, the driver of the vehicle would lose control of the vehicle itself, especially in the case of a vehicle with an automatic transmission.

The malicious device, by sending high-frequency messages, tricks the processing unit that controls the engine ECU.

Furthermore, since each message contains correct Message Counter and Message Checksum, the messages sent by the CU_1 device would be exceeded by those sent by the malicious device and would therefore be ignored or in any case their effect would be negligible.

According to the present invention, the transmitting device generates a control message to be sent preferably according to a multiple time frequency with respect to the sending of messages containing command instructions. This implies that the frequency at which command messages are sent is greater than the frequency at which control messages are sent.

The control message contains a count of messages sent since a reset event. At the same time, the receiving device maintains its own independent count of the command messages received by the transmitting device - and obviously by all the devices enabled to send control messages - and checks the correspondence between its own count and the count contained in the message. and if they differ, then the receiving device rejects any message received from said transmitting device, whether malicious or usurped, until a subsequent reset event.

According to a preferred variant of the present invention, a reset event can advantageously coincide with a request to switch off the engine which leads to the switching off of the devices connected to the vehicular network. The ignition off command belongs to a subset of command messages subject to so-called debouncing. This technique, known to those skilled in the art, provides that the same message must be repeated with coherent content for a predetermined time interval.

Therefore, if the malicious transmitting device sends the engine shutdown command, it must repeat it for a certain predetermined number of times.

Thus, if within this repetition sequence, the command message of the usurped transmitting device reaches its destination indicating to keep the engine running, then the repetition indicating engine shutdown must start over with the result that the fraudulent command it never runs.

It is preferred that the Message Counter be neglected in the sense that the related field can be not present or present and ignored at least for

- The command messages that determine the reset event, in order to allow the so-called debouncing, accepting the message of the usurped device even if outside the sliding window of the Message Counter;

- The control messages in order to be able to receive in any case the message sent by the usurped device and recognize a discrepancy which leads to the rejection of any further command message from that specific ID.

According to a further preferred aspect of the invention, it may happen that the malicious device transmits at such a high frequency as to monopolize the entire band of the vehicular data network. In this case, the usurped transmitting device would hardly be able to transmit its command and / or control message.

To also obviate this hypothesis of circumventing the solution described here, the receiving device is configured to perform an autonomous evaluation on its own count of command messages received in a predetermined time interval, typically equal to the nominal interval between two control messages. If an increase in the count in said predetermined time interval exceeds a predetermined threshold then the receiving device rejects any further message received from said transmitting device until a subsequent reset event.

Therefore, any attempt to circumvent the strategy object of the present invention is identified and suppressed.

Advantageously, the generation of a control message dedicated to counting the messages sent between two consecutive reset events does not change the formatting of the "ordinary" messages that meet the various standards and protocols (SAE). In addition, the bit space available for this count is enormously higher - it can be 32bit - compared to the few bits generally dedicated to the Message Counter.

To avoid false positives, when the network is of the CAN type or in any case asynchronous, the receiving device preferably implements a "sliding" window of tolerance on the number of messages counted in order to avoid blocking the device due to the possible loss of some command messages.

This sliding window can be of the order of a few units.

Furthermore, for the same reason, according to a preferred variant of the invention, the receiving device performs a resynchronization of its own count with that carried out by the transmitting device with a wide time interval, for example of the order of one hour. Preferably, when the receiving device receives a first and a subsequent second control message and a count contained in the second message is lower than the count contained in the first message, then the receiving device rejects any message received from said transmitting device until a subsequent reset.

In this way, advantageously, even if the malicious device were able to implement the sending of control messages, while implementing the aforementioned sliding window, it is possible to immediately identify the malicious action before the count between the usurped device, for example CU_1 , and the count of the receiving device ECU exceeds the width of the sliding window. According to the previous example, the engine would be brought to a minimum (idle) with definitely reduced risks compared to 100% torque delivery.

Preferably, when the reset message coincides with the “ignition off” engine shutdown command, the count of messages received is zeroed.

Some processing units that control vehicle dynamics may have a so-called “post-run” phase, activated starting from the shutdown command. This phase lasts from a few seconds to a few tens of seconds. During this phase it is used to transfer some data accumulated during the previous cycle to the permanent memory (EEPROM) and possibly to perform other operations, for example the safety of the ATS (After Treatment System). The control unit switches off only at the end of this post-run phase. In this case, if a "postrun" function is provided, the counts can also be saved in the permanent memory of the processing units, but when the receiving unit has rejected an ID, it saves the lower value between the last two in the permanent memory. control messages received.

Advantageously, the counting carried out by the malicious transmitting device, which generally transmits at a higher frequency than the usurped device, is rejected.

According to a preferred variant of the invention, the control message can have the same formatting as an ordinary message, including for example the Message Checksum and the Message Counter.

This means that the modifications proposed by the present invention are fully delegated to the application level rather than to the network level, which instead remains completely unchanged, respecting any existing standards.

According to a further preferred variant of the invention which is combined with the previous ones, the counting of messages containing command instructions sent by a predetermined transmitting device can be encrypted according to a unique encryption code, vehicle by vehicle, attributed to the network, during the assembly of the same vehicle.

A practical example of implementation of the invention is now proposed. It is assumed that the CU_1 device sends a message containing a command instruction every 10 ms. A malicious device HK acquires a message from CU_1, extracts the ID and the Counter and uses the same ID as CU_1, updates the Counter and compiles a message containing a false command instruction including the Checksum calculated according to the same algorithm used in that network.

The malicious device compiles and sends further messages at a rate higher than that of CU_1, for example every 2 ms.

For example, when 200 ms has elapsed, CU_1 sends a control message with its own message count containing command instructions.

The receiving device detects that that count is not consistent, as this device has received many more messages from HK which works at a higher frequency than that of CU_1 and from that moment it rejects any message coming from CU_1 and therefore also from HK.

Conversely, if HK sends its control message before CU_1, the receiving device still does not detect the malicious intervention, but as soon as CU_1 sends its control message, also in this case the control device detects a discrepancy and rejects any further message coming from CU_1 and therefore from HK.

The present invention can be advantageously carried out by means of a computer program which comprises coding means for carrying out one or more steps of the method, when this program is executed on a computer. Therefore, it is intended that the scope of protection extends to said computer program and further to computer readable means comprising a recorded message, said computer readable means comprising program coding means for carrying out one or more steps of the method. , when said program is run on a computer.

Implementation variants of the described non-limiting example are possible, without however departing from the scope of protection of the present invention, including all the embodiments described by the claims.

From the above description, the person skilled in the art is able to realize the object of the invention without introducing further construction details. The elements and features illustrated in the various preferred embodiments, including the drawings, can be combined with each other without however departing from the scope of the present application as defined by the claims. What is described in the chapter relating to the state of the art is needed only for a better understanding of the invention and does not represent a declaration of existence of what is described. Furthermore, if not specifically excluded in the detailed description, what is described in the state of the art chapter is to be considered as an integral part of the detailed description.

Claims (12)

CLAIMS 1. Method and for countering a computer attack on a vehicular data network comprising at least a receiving device (ECU) and a transmitting device (CU_1, CU_2, ENT_BT ...) interconnected through said vehicular data network, the transmitting device being able to send a succession of command messages to said receiving device according to a first predetermined frequency, the method comprising - a first step (I) of generation, by said transmitting device (CU_1, CU_2, ENT_BT ...), of a control message, different from said command message, containing a first count of the command messages previously sent by it same ed - a second step (II) of carrying out a second count, by said receiving device, of the command messages received by said transmitting device and, when said receiving device receives said control message, - a third step (III) of comparison between said first and said second count by said receiving device and in case said first and second count differ, - a fourth step (IV) of rejecting, by said receiving device, any subsequent message received by said transmitting device. A method according to claim 1, further comprising a fifth step (V) of resetting said first and second counts and of resetting a reception of a command message from said transmitting device when a reset event occurs. Method according to one of claims 1 or 2, wherein said succession of command messages is sent according to a first frequency and wherein said control message is sent according to a second sending frequency lower than said first frequency. The method according to claim 3, wherein said second frequency is lower by at least one order of magnitude than said first frequency. Method according to one of the preceding claims, in which said comparison (III) is operated up to a predetermined tolerance window. Method according to any one of the preceding claims, wherein, when said receiving device receives a first and a subsequent second control message, the method comprises a sixth step (VI) of comparing a count contained in the second message with a count contained in the first message and if the latter is less than the count contained in the first message, then execution of said fourth step (IV). Method according to any one of the preceding claims, wherein said second count is suitably encrypted according to an encryption scheme shared between said transmitting device and said receiving device. Method according to any one of the preceding claims, further comprising a seventh step (VII) of comparing said first count with a predetermined threshold value and if said first count exceeds said predetermined threshold value, then performing said fourth step (IV) . 9. Computer program comprising program coding means suitable for carrying out all the steps ((((I, II, III, IV), V), VI), VII) of any one of claims 1 to 8, when this program is run on a computer. 10. Computer readable means comprising a recorded program, said computer readable means comprising program coding means adapted to perform all steps (((I, II, III, IV), V), VI), VII) of any one of claims 1 to 8, when said program is run on a computer. 11. Transmitting device (CU_1, CU_2, ENT_BT) comprising first interface means for being connected to a vehicular data network and processing means configured to send a succession of command messages on said data network according to a first predetermined frequency, and further configured to (I) generate a control message containing a first count of the command messages previously sent by it, according to a third frequency lower than said first frequency. 12. Receiving device (ECU) comprising second interface means for being connected to a vehicular data network and processing means configured to receive a succession of command messages through said data network and further configured to (II) perform a first message count commands received from at least one predetermined transmitting device (CU_1, CU_2, ENT_BT) and configured to receive a control message, from said at least one predetermined transmitting device (CU_1, CU_2, ENT_BT), containing a second count and to (III) compare said first and second count and in case said first and second count differ, said processing means are configured to (IV) reject any subsequent message received from said at least one predetermined transmitting device (CU_1, CU_2, ENT_BT).