JP2020092326A - Fraudulent signal processor - Google Patents

Abstract

To determine a fraudulent signal entered in an on-vehicle communication network.SOLUTION: A fraudulent signal processor 100 includes: multiple ECUs 2, mounted on a vehicle, and connected to each other via an on-vehicle communication network; a signal detection unit 52 for detecting an input signal input via the on-vehicle communication network; a fraudulent signal detection unit 53 for determining that the input signal detected by the signal detection unit 52 is a fraudulent signal if the input signal detected by the signal detection unit 52 is a signal for commanding some of the ECUs 2 out of the multiple ECUs 2 to stop communication; and a fraudulent signal reporting unit 54 for reporting an abnormality when the input signal detected by the signal detection unit 52 is determined to be a fraudulent signal by the fraudulent signal determination unit 53.SELECTED DRAWING: Figure 2

Description

The present invention relates to an illegal signal processing device that processes an illegal signal input to an in-vehicle communication network.

2. Description of the Related Art Conventionally, there is known a device that permits updating of a vehicle control program by an external device according to the state of the vehicle. For example, in the device described in Patent Document 1, when the lock of the electric parking brake device of the vehicle is completed, the update of the program of the control device that controls the operation of the electric parking brake device is permitted.

Patent Document 1: JP 2013-174974 A

By the way, if an illegal signal is input to the vehicle-mounted communication network, appropriate control by the control device may be hindered. Therefore, it is necessary to deal with the input of the illegal signal. However, the device described in Patent Document 1 only permits the update of the vehicle control program when the electric parking brake device is activated, and in the device described in Patent Document 1, an unauthorized signal is input to the vehicle-mounted communication network. It is difficult to deal with the case.

An illegal signal processing device according to one aspect of the present invention is a signal that detects a plurality of control devices mounted on a vehicle and communicably connected to each other via a communication network, and an input signal input via the communication network. If the input signal detected by the detection unit and the signal detection unit is a signal for instructing a part of the control devices to stop communication, the input signal detected by the signal detection unit is incorrect. An unauthorized signal determining unit that determines that the signal is an incorrect signal, the unauthorized signal determining unit, when the input signal detected by the signal detection unit is determined to be an unauthorized signal, an unauthorized signal notification unit that notifies the abnormality, Equipped with.

According to the present invention, even when an unauthorized signal is input to the vehicle-mounted communication network, it is possible to easily cope with it.

The figure which shows schematically the illegal signal processing apparatus which concerns on embodiment of this invention. The block diagram which shows the principal part structure of the fraudulent signal processing apparatus which concerns on embodiment of this invention. The block diagram which shows the modification of FIG. 5 is a flowchart showing an example of processing executed by the unauthorized signal processing device according to the embodiment of the present invention. 4 is a flowchart showing an example of processing executed by the signal invalidating unit in FIG. 2 or 3.

Embodiments of the present invention will be described below with reference to FIGS. FIG. 1 is a diagram schematically showing an unauthorized signal processing device 100 according to an embodiment of the present invention.

A plurality of ECUs (electronic control units) 2 are mounted on a vehicle 1 to which the illegal signal processing device 100 is applied. The plurality of ECUs 2 do not directly affect the operation of the vehicle such as the engine control ECU, the transmission control ECU, the steering control ECU, or the like, or the air conditioner or the navigation. An ECU having a different function, such as an ECU for controlling the device, is included. The plurality of ECUs 2 are communicably connected to each other via an in-vehicle communication network such as a CAN (Controller Area Network).

Each ECU 2 is configured to include a CPU that performs arithmetic processing, a volatile memory (RAM), a rewritable nonvolatile memory (flash memory, EEPROM, etc.), and a computer having other peripheral circuits. Each ECU 2 executes various controls based on output values from various sensors according to programs stored in the nonvolatile memory in advance.

Further, the ECU 2 can be connected to a TCU (telematics control unit) 3 that performs wireless communication with the outside via a vehicle-mounted communication network, and a diagnostic device 6 that reads a fault code stored in the ECU 2 and performs a fault diagnosis of the vehicle 1. DLC (data link connector) 4 is connected. A gateway 5 is provided between the ECU 2 and the TCU 3 and the DLC 4 to relay communication between the vehicle-mounted communication network and the outside of the vehicle or communication between a plurality of vehicle-mounted communication networks.

The diagnostic device 6 can update the program stored in the ECU 2 in addition to the failure diagnosis. The vehicle manufacturer distributes the update program through a store or the like as necessary for updating the program or improving the quality. At a store or the like, the program stored in the ECU 2 of the vehicle 1 is connected to the DLC 4 arranged near the foot of the passenger seat of the vehicle 1 of the user who came to the store by connecting the legitimate diagnostic machine 6 that downloaded the update program. To update.

Usually, such a program update is performed in a state where the vehicle 1 is safely stopped so that an unintended operation does not occur during the program update. Further, prior to updating the program, the diagnostic device 6 transmits a communication stop command for prohibiting the output of the control signal to all the ECUs 2. As a result, the ECU 2 receiving the communication stop command stops outputting the control signal, and the program of each ECU 2 is updated in a state where the input of any control signal to the vehicle-mounted communication network is stopped.

On the other hand, using such a communication stop command, a malicious third party may attempt communication (unauthorized access) with each ECU 2 while the vehicle 1 is traveling. That is, after transmitting a communication stop command to some of the ECUs 2 to stop the output of the control signal, the ECU 2 that has stopped the output of the control signal is spoofed and transmits an incorrect signal to each ECU 2 via the in-vehicle communication network. Sometimes.

For example, when the unauthorized external device 60a is attached to the DLC 4 of the parked vehicle 1 or the unauthorized external device 60b is inserted into the in-vehicle communication network, when power is supplied to the in-vehicle communication network such as when the vehicle 1 is running. It may attempt unauthorized access. Further, there is a possibility that an unauthorized external device 60c may attempt unauthorized access during communication via the TCU 3.

Therefore, the unauthorized signal processing device 100 according to the embodiment of the present invention is configured as follows so as to detect and deal with a signal input to the vehicle-mounted communication network by such unauthorized access.

FIG. 2 is a block diagram showing a main configuration of the unauthorized signal processing device 100. As shown in FIGS. 1 and 2, the illegal signal processing device 100 includes an ECU 2 mounted on the vehicle 1, a TCU 3, a DLC 4, and a gateway 5 provided between the ECU 2 and the TCU 3 and the DLC 4. It is configured as an in-vehicle communication network.

As shown in FIG. 2, the gateway 5 is configured to include a computer having an arithmetic unit 50 such as a CPU, a storage unit 51 such as a ROM, a RAM, a hard disk, and other peripheral circuits. The operation unit 50 has a functional configuration including a signal detection unit 52, an unauthorized signal determination unit 53, an unauthorized signal notification unit 54, and a signal invalidation unit 55.

The signal detector 52 detects all signals input to the vehicle-mounted communication network. In a signal transmitted/received in an in-vehicle communication network, for example, a digital signal (data frame) of CAN communication, in addition to a data field indicating the transmitted/received data itself, an ID indicating a data destination, a source, a data content, etc. included. Therefore, by referring to the ID included in each signal, it is possible to determine the transmission destination and the transmission source of the signal, and it is possible to determine whether or not the data is an instruction to stop the communication.

Unauthorized external devices 60a to 60c that do not have an ID as a legitimate sender disguise the legitimate ECU 2 using the ID of the legitimate ECU 2 and input an improper control signal to the in-vehicle communication network (spoofing). In this case, the unauthorized external devices 60a to 60c transmit the communication stop command to the specific ECU 2 in advance to stop the output of the control signal, and use the ID of the ECU 2 that has stopped the output of the control signal to perform in-vehicle communication. Input an illegal control signal to the network.

On the other hand, when the legitimate diagnostic device 6 updates the program stored in the ECU 2, all the data need not be designated, because all the data signals necessary for updating the program are transmitted in a short time. The communication stop command is transmitted to the ECU 2. By stopping the output of the data signal by the ECU 2 and occupying the in-vehicle communication network, the data signal necessary for updating the program can be efficiently transmitted.

If the signal detected by the signal detection unit 52 is a signal that instructs some of the ECUs 2 to stop communication, the unauthorized signal determination unit 53 outputs the signal detected by the signal detection unit 52. It is determined that the signal is invalid. That is, when the signal detected by the signal detection unit 52 instructs the communication stop and only some of the ECUs 2 are designated as the transmission destination, it is determined that the signal is an invalid signal.

The determination result by the unauthorized signal determination unit 53 is stored in the storage unit 51. The storage unit 51 also stores the ID of the ECU 2 that is the transmission destination of the communication stop command that is determined to be an unauthorized signal by the unauthorized signal determination unit 53.

The incorrect signal notifying unit 54 gives notification when the incorrect signal determining unit 53 determines that the signal detected by the signal detecting unit 52 is an incorrect signal. For example, a warning message such as “abnormal communication has occurred. Please inspect” is displayed on the instrument panel of the vehicle 1. Instead of the notification to the user or in addition to the notification to the user, the notification may be given to the vehicle maker, the dealer, and the like.

By informing the user of the vehicle 1 of the abnormality through the warning display and urging the user to visit the store or the like, the unauthorized external devices 60a to 60c can be detected and dealt with early. For example, it is possible to check whether the unauthorized external device 60a is not attached to the DLC 4 of the vehicle 1 or whether the unauthorized external device 60b is inserted in the wiring of the vehicle-mounted communication network, and take necessary measures. Alternatively, the communication record of the TCU 3 can be inspected for an unauthorized external signal from the external device 60c, and an appropriate countermeasure can be taken.

The signal invalidation unit 55 inputs to the communication network from the ECU 2 instructed to stop communication in the signal after the signal detected by the signal detection unit 52 is determined to be an invalid signal by the incorrect signal determination unit 53. Block the signal that is That is, such a signal is considered to be an unauthorized signal input by the unauthorized external devices 60a to 60c using the ID of the ECU 2 that has stopped the output of the control signal upon receiving the communication stop command, and therefore the gateway 5 The relay of the signal from the transmission source to the transmission destination is prohibited (blocked).

As shown in FIG. 2, in the unauthorized signal processing apparatus 100, the gateway 5 that monitors the signals of the entire vehicle-mounted communication network includes a signal detection unit 52, an unauthorized signal determination unit 53, an unauthorized signal notification unit 54, and a signal invalidation unit 55. .. Therefore, it is not necessary for each ECU 2 to individually detect and block an unauthorized external signal. As a result, the entire illegal signal processing device 100 can have a simple configuration.

It should be noted that the unauthorized signal processing device 100 may be configured as in the modification shown in FIG. That is, each ECU 2 has a signal detection unit 52, an unauthorized signal determination unit 53, and an unauthorized signal notification unit 54 as a functional configuration of a computing unit such as a CPU, and the gateway 5 functions as the functional unit of the computing unit 50. As a configuration, the signal invalidating unit 55 may be included.

In this case, the signal detection unit 52 of each ECU 2 detects only the signal transmitted to the ECU 2. Further, when the signal detected by the signal detection unit 52 is a communication stop command that specifies only some of the ECUs 2 as the transmission destination, the unauthorized signal determination unit 53 of each ECU 2 determines that the signal is an unauthorized signal. judge.

Further, the unauthorized signal notification unit 54 of each ECU 2 notifies the user and the like when the unauthorized signal determination unit 53 determines that an unauthorized signal is received, and also notifies the gateway 5. That is, the notification signal including the ID of the ECU 2 that has received the communication stop command is transmitted to the gateway 5. The content of the notification signal transmitted from the unauthorized signal notification unit 54 of each ECU 2 is stored in the storage unit 51 of the gateway 5.

When the signal invalidating unit 55 of the gateway 5 receives the notification signal from each ECU 2, the signal invalidating unit 55 cuts off the signal whose transmission source is the ID of the ECU 2 that receives the communication stop command. In this case, the gateway 5 can have a simple structure.

FIG. 4 is a flowchart showing an example of processing executed by the unauthorized signal processing device 100 according to a program stored in advance. The process shown in this flowchart is started, for example, when the vehicle 1 is started and power is supplied to the vehicle-mounted communication network, and is repeated in a predetermined cycle.

First, in step S1, it is determined whether or not a signal is detected by the processing in the signal detection unit 52. Step S1 is repeated until it is affirmed. When the result in step S1 is affirmative, the process proceeds to step S2, and it is determined whether or not the signal detected in step S1 is a communication stop command by the processing in the incorrect signal determination unit 53. If the result in step S2 is affirmative, the process proceeds to step S3. If the result is negative, the process ends.

In step S3, it is determined whether the transmission destination of the signal detected in step S1 is a part of the ECUs 2. When the result in step S3 is affirmative, the process proceeds to step S4, in which the signal detected in step S1 is determined to be an incorrect signal. If the result in step S3 is negative, the process ends. Next, in step S5, various notifications are performed by the processing in the unauthorized signal notification unit 54.

That is, the illegal signal processing apparatus 100 determines (detects) an illegal signal input to the vehicle-mounted communication network with a simple configuration in order to determine whether the signal is an illegal signal based on the IDs included in various signals. can do.

FIG. 5 is a flowchart showing an example of processing executed by the signal invalidating unit 55 of FIG. 2 or 3 according to a program stored in advance. Similar to the process of FIG. 4, the process shown in this flowchart is started, for example, when the vehicle 1 is started and power is supplied to the in-vehicle communication network, and is repeated at a predetermined cycle.

First, in step S10, it is determined whether or not a signal has been detected by the processing of the signal invalidating unit 55. Step S10 is repeated until it is affirmed. When the result in step S10 is affirmative, the process proceeds to step S2, in which it is determined whether the signal detected in step S10 is a spoofing signal. That is, it is determined whether or not the signal is the signal stored in the storage unit 51 and having the ID of the ECU 2 that has received the communication stop command as the transmission source.

When the result in step S11 is affirmative, the process proceeds to step S12, and the signal detected in step S10 is cut off. On the other hand, when the result in step S11 is negative, the process proceeds to step S13, and the signal detected in step S10 is relayed. Thereby, the relay of the spoofing signal by the gateway 5 can be prohibited.

The main operation of the unauthorized signal processing device 100 according to the present embodiment will be described more specifically. It is assumed that an unauthorized external device (for example, the unauthorized external device 60b in FIG. 1) is mounted on the vehicle 1 during parking. When the user starts the vehicle 1, power is supplied to the vehicle-mounted communication network, and the unauthorized external device 60b outputs a signal for instructing a specific ECU 2 to stop communication.

When the gateway 5 (FIGS. 1 and 2) detects a signal for instructing a part of the ECUs 2 to stop communication, it displays a warning message informing the abnormality on the instrument panel of the vehicle 1 (step S1 to FIG. 4). S6). After that, the gateway 5 detects the impersonation signal and shuts it off (steps S10 to S12 in FIG. 5).

This makes it possible to determine (detect) that an unauthorized signal has been input to the vehicle-mounted communication network. Further, when the user of the vehicle 1 who has seen the warning message has the vehicle 1 inspected by a professional engineer at a shop or the like, it can be found early even if an unauthorized external device 60b is attached to a complicated in-vehicle communication network. Can be dealt with. Further, since the spoofing signal is blocked by the gateway 5, it is possible to prevent an unauthorized attack from the external device 60b to each ECU 2.

According to this embodiment, the following operational effects can be achieved.
(1) The unauthorized signal processing device 100 is mounted on the vehicle 1 and includes a plurality of ECUs 2 communicably connected to each other via an in-vehicle communication network, and a signal detection unit that detects a signal input via the in-vehicle communication network. 52 and the signal detected by the signal detection unit 52 is a signal for instructing a part of the plurality of ECUs 2 to stop communication, the signal detected by the signal detection unit 52 is an invalid signal. An unauthorized signal determination unit 53 that determines that there is a signal, and an unauthorized signal notification unit 54 that reports an abnormality when the signal detected by the signal detection unit 52 is determined to be an unauthorized signal by the unauthorized signal determination unit 53. Prepare (FIGS. 1 to 3).

That is, since it is determined whether or not the signal is an unauthorized signal based on the destination and contents of various signals, it is possible to determine (detect) an unauthorized signal input to the vehicle-mounted communication network.

(2) In the unauthorized signal processing device 100, another signal indicating that the signal is determined to be an unauthorized signal by the unauthorized signal determination unit 53 and is input from the ECU 2 instructed to stop the communication is input to the in-vehicle communication network. Then, it further includes a signal invalidation unit 55 that invalidates the signal (FIGS. 2 and 3). Accordingly, it is possible to prevent the spoofing signal input to the vehicle-mounted communication network from being transmitted to each ECU 2.

(3) The unauthorized signal processing device 100 further includes a storage unit 51 that stores the ID of the ECU 2 that is the transmission destination of the signal determined to be an unauthorized signal by the unauthorized signal determination unit 53 (FIGS. 2 and 3). .. The signal invalidation unit 55 invalidates a signal whose transmission source is the destination of the signal stored in the storage unit 51. By referring to the ID stored in the storage unit 51, spoofing communication can be easily detected.

(4) The unauthorized signal processing device 100 further includes the gateway 5 that relays the signals transmitted and received among the plurality of ECUs 2 and that configures the signal invalidating unit 55 (FIGS. 1 to 3 ). When the gateway 5 receives another signal, which is input from the ECU 2 instructed to stop the communication in the signal determined to be an unauthorized signal by the unauthorized signal determination unit 53, to the vehicle-mounted communication network, Prohibit signal relay. Since the gateway 5 that monitors the signal of the entire vehicle-mounted communication network blocks the spoofing signal, the entire illegal signal processing device 100 can be configured simply.

(5) The plurality of ECUs 2 can connect the diagnostic device 6 and unauthorized external devices 60a to 60c via the vehicle-mounted communication network (FIG. 1). The diagnostic device 6 and the unauthorized external devices 60a to 60c input signals via the in-vehicle communication network. It is possible to connect the diagnostic device 6 to diagnose the failure of the ECU 2, update necessary programs, and the like, detect unauthorized access by unauthorized external devices 60a to 60c, and prevent an attack on the ECU 2.

The above embodiment can be modified into various forms. Hereinafter, modified examples will be described. In the above-described embodiment, the signal detection unit 52, the unauthorized signal determination unit 53, and the unauthorized signal notification unit 54 are provided in the gateway 5 (FIG. 2) or each ECU 2 (FIG. 3), but the signal input to the communication network is used. The configurations of the signal detection unit for detecting a signal, the unauthorized signal determination unit for determining an unauthorized signal, and the unauthorized signal notification unit for reporting are not limited to this. For example, the signal detection unit 52, the unauthorized signal determination unit 53, and the unauthorized signal notification unit 54 may be provided in a dedicated device that monitors the signals of the entire in-vehicle communication network.

The above description is merely an example, and the present invention is not limited to the above-described embodiments and modifications unless the characteristics of the present invention are impaired. It is also possible to arbitrarily combine one or more of the above-described embodiment and modifications, and it is also possible to combine modifications.

1 vehicle, 2 ECU, 3 TCU, 4 DLC, 5 gateway, 6 diagnostic machine, 50
Arithmetic unit, 51 storage unit, 52 signal detection unit, 53 illegal signal determination unit, 54 illegal signal notification unit, 55 signal invalidation unit, 60a to 60c illegal external device, 100 illegal signal processing device

Claims (5)

A plurality of control devices mounted on the vehicle and connected to each other via a communication network so that they can communicate with each other;
A signal detection unit for detecting an input signal input via the communication network,
When the input signal detected by the signal detection unit is a signal for instructing a part of the plurality of control devices to stop communication, the input signal detected by the signal detection unit is An unauthorized signal determination unit that determines that the signal is an unauthorized signal,
An illegal signal processing section, comprising: an illegal signal notifying section for notifying an abnormality when the illegal signal judging section judges that the input signal detected by the signal detecting section is an illegal signal. apparatus. In the illegal signal processing device according to claim 1,
The input signal determined to be an unauthorized signal by the unauthorized signal determination unit is used as a first input signal, and indicates that the input signal is input from the part of the control devices instructed to stop communication in the first input signal. The illegal signal processing device further comprising a signal invalidating unit that invalidates the second input signal when the second input signal is input to the communication network. In the illegal signal processing device according to claim 2,
Further comprising a storage unit that stores information on the destination of the first input signal,
The illegal signal processing device, wherein the signal invalidating unit invalidates the input signal, which has the transmission destination of the first input signal stored in the storage unit as a transmission source, as the second input signal. In the illegal signal processing device according to claim 2 or 3,
While relaying a signal transmitted and received between the plurality of control devices, further comprising a relay device that constitutes the signal nullification unit,
The illegal signal processing device, wherein the relay device inhibits relay of the second input signal when the second input signal is input to the communication network. The illegal signal processing device according to any one of claims 1 to 4,
The plurality of control devices can be connected to an external device via the communication network,
The illegal signal processing device, wherein the external device inputs the input signal via the communication network.

Images