JP2023137768A - Remote diagnosis management apparatus and remote diagnosis management method - Google Patents

Abstract

To provide a remote diagnostic management apparatus capable of reducing security risks.SOLUTION: In a remote diagnosis management apparatus that is connected to a vehicle 20 via wireless communication and includes a controller for managing remote diagnosis that diagnoses a state of the vehicle 20 from a remote position away from the vehicle, the controller 11 comprises: a diagnosis content specifying unit 13 for specifying a diagnosis content of the remote diagnosis; a certificate management unit 14 for granting access authority to the vehicle 20 for performing the remote diagnosis based on the diagnosis content and issuing a certificate indicating that the access authority has been granted; and a communication unit 12 for transmitting the certificate to a remote terminal 30.SELECTED DRAWING: Figure 1

Description

The present invention relates to a remote diagnosis management device and a remote diagnosis management method.

2. Description of the Related Art Conventionally, a vehicle diagnostic system that remotely accesses a vehicle system and diagnoses the vehicle system has been known (for example, Patent Document 1). In the vehicle diagnostic system described in Patent Document 1, a host device is physically connected to the vehicle via an OBD port of the vehicle, the host device is communicatively coupled to a vehicle control unit of the vehicle, and the host device performs a specific Information used for functional diagnosis is acquired from the vehicle, and the acquired information includes the vehicle identification number and the device identification number of the host device and is transmitted to the server system.

JP2019-209964A

Since the vehicle diagnostic system described above is based on the premise of physical connection via the OBD port, the number of workers who can access the vehicle is limited, so the security risk is not so high. However, when diagnosing a vehicle remotely using a wireless connection rather than a wired connection via the OBD port, there is a problem in that security risks increase if any user or worker can access the vehicle.

The problem to be solved by the present invention is to provide a remote diagnosis management device and a remote diagnosis management method that can reduce security risks.

The present invention specifies the diagnostic content of remote diagnosis, and based on the specified diagnostic content, grants access authority to the vehicle for remotely performing remote diagnosis away from the vehicle, and indicates that the access authority has been granted. The above problem is solved by issuing a certificate and transmitting the issued certificate to a remote terminal.

According to the present invention, security risks can be reduced.

FIG. 1 is a block diagram of a remote diagnosis system according to this embodiment. FIG. 2 is a block diagram of a conventional diagnostic system. FIG. 3 is a flowchart of the control flow executed by the server, vehicle, and remote terminal. FIG. 4 is a block diagram of the vehicle.

An embodiment of a remote diagnosis management device and a remote diagnosis management method according to the present invention will be described based on the drawings. FIG. 1 is a block diagram showing an example of the configuration of a remote diagnosis system according to this embodiment. A remote diagnosis system is a system that connects to a vehicle via wireless communication using a wireless communication unit mounted on the vehicle, accesses the vehicle from a remote location, and diagnoses the condition of the vehicle. In the following description, diagnosing the state of the vehicle from a remote location away from the vehicle will be referred to as "remote diagnosis."

In remote diagnosis, a remote worker transmits a diagnostic command to a vehicle, and an in-vehicle wireless communication unit that receives the diagnostic command requests an in-vehicle ECU (Electronic Control Unit) to self-diagnose whether an abnormality has occurred. Then, the in-vehicle ECU returns the diagnosis result, and the wireless communication unit transfers the diagnosis result to the server. This allows the remote worker to obtain diagnosis results without the vehicle having to be put into storage. If an abnormality has occurred or is likely to occur in the vehicle, the server notifies the user of the vehicle of the diagnosis result and urges the user to enter the vehicle for a detailed inspection, thereby preventing the occurrence of a major abnormality.

By the way, in a system configuration that allows remote diagnosis through wireless communication, the in-vehicle wireless communication unit is designed to be able to send a request, such as rewriting a program, to the ECU. These requests are assumed to be made under the control of a mechanic while the vehicle is stopped for maintenance, etc., and are not expected to be made by a remote worker while the vehicle is in motion. Therefore, simply connecting an in-vehicle wireless communication unit to a remote worker via wireless communication poses a high security risk.

Conventionally, as a system for reducing security risks, a method has been known in which a communication network within a vehicle is separated into a communication path for remote diagnosis and an in-vehicle network. FIG. 2 is a block diagram of a conventional diagnostic system. The diagnostic system shown in FIG. 2 includes an external remote server 100, a vehicle 200, and a diagnostic terminal 300. Vehicle 200 includes a wireless communication unit 201, an ECU 202, a gateway 203, and an OBD (On Board Diagnostics) terminal. The gateway 203 is separated into a communication path A for transmitting and receiving diagnostic results, and an in-vehicle network B that allows connection between a terminal outside the vehicle and the ECU 202 via an OBD terminal 204. In the communication path A, the gateway 203 only permits data transfer for low-risk services such as trouble code (DTC) and ECU 202 log reading, and discards service requests that are not permitted. Furthermore, the communication path A has a network configuration that does not transmit or receive highly confidential information, such as key information for unlocking functions that are locked by default in the ECU 202, for example.

Furthermore, the wireless communication unit 201 does not have a function of receiving an arbitrary diagnosis request from the external remote server 100, and only transmits the diagnosis result by push transmission. Then, the operator transmits a diagnosis request to the vehicle 200 with the diagnosis terminal 300 connected to the OBD terminal 204 by wire. The gateway 203 receives a diagnosis request input from the OBD terminal 204 and performs diagnosis according to the request.

In such a system, unless physical access such as connecting the diagnostic terminal 300 to the OBD terminal 204 is established, the diagnostic request will not be accepted by the vehicle 200, and the external remote server 100 will not be able to store diagnostic results, etc. , the system of FIG. 2 was a system with a low security risk because it push-transmitted only information with a low security risk.

However, the system shown in FIG. 2 cannot satisfy the following use cases or demands, for example.
(a) In response to a request for help from a user of a vehicle stopped on the road, a remote diagnosis is performed to identify parts to bring, such as replacement parts, before the worker actually heads to the vehicle.
(b) A worker who is diagnosing a vehicle makes a request to a remote senior mechanic, and the senior mechanic accesses the vehicle and performs the remote diagnosis.

A system that assumes physical access such as connection to the OBD 204 terminal as shown in FIG. 2 cannot satisfy the requirements (a) and (b) above. Therefore, in this embodiment, a remote diagnosis system is provided that can reduce security risks while responding to the needs for service expansion so as to satisfy the above requests (a) and (b).

As shown in FIG. 1, the server 10 includes a controller 11, a server communication unit 15, and a database 16. The server 10 transmits and receives signals to and from the vehicle 20 and a remote terminal 30 operated by a remote worker, and performs worker certification, authentication processing, and registration of diagnosis contents in order to perform remote diagnosis. The controller 11 connects to the vehicle 20 by wireless communication using the server communication unit 15, and manages remote diagnosis in which a remote worker diagnoses the state of the vehicle 20. The controller 11 includes a computer with a processor (hardware and software). This computer has a ROM that stores programs, a CPU, etc. for executing the programs. The controller 11 includes a communication section 12, a diagnosis content specifying section 13, and a certificate management section 14 as functional blocks. In this embodiment, the functions of the controller 11 are divided into three blocks, and the functions of each functional block will be explained. However, the functions of the controller 11 are divided into two or less or four or more functional blocks. Good too. Further, the three functional blocks that the controller has are an example of the functions of the controller 11, and the controller 11 may have functions other than the three functional blocks.

The communication unit 12 transmits and receives signals to and from the vehicle 20 and the remote terminal 30 via the server communication unit 15, and acquires information necessary for remote diagnosis management. The diagnosis content specifying unit 13 specifies the diagnosis content of remote diagnosis. When the user of the vehicle 20 detects a malfunction in the vehicle, the user performs an operation to request remote diagnosis on the HMI 23 of the vehicle 20, accesses the server 10, and sends a remote diagnosis request signal to the server. Send to. The user can request remote diagnosis after specifying the details of the request. The user can specify the part where the problem has occurred, such as the navigation system or air conditioning system. The specification of the request content may be a diagnosis period, a diagnosis location, or the like. The diagnosable period may be specified by date and time, such as limited to one day or within one week from today. The diagnosis location may be specified as home, current location, repair shop near home or current location, or the like. When the communication unit 12 receives a request signal for remote diagnosis from the vehicle 20, the diagnosis content specifying unit 13 specifies the request content for remote diagnosis from the information included in the request signal, and associates it with the ID of the vehicle 20 in the database 16. Then, register the request details. Note that the request signal may be transmitted by operating a communication terminal owned by the user or the warehousing worker.

Note that the request contents are not limited to those specified by the user, and may be set on the server side. For example, if the schedule and diagnosis items for remote diagnosis are determined in advance, such as periodic diagnosis, the database 16 stores data related to the remote diagnosis schedule, diagnosis items, diagnosis location, etc. for each vehicle 20. do. Then, the diagnosis content specifying unit 13 refers to the data in the database 16 and specifies the content of the remote diagnosis. At this time, the diagnosis content specifying unit 13 may notify the user of the diagnosis content of the remote diagnosis and obtain the user's consent before performing the remote diagnosis.

The diagnosis content specifying unit 13 also specifies a vehicle to be subjected to remote diagnosis (target vehicle) based on remote control. The remote operation is performed by the user of the vehicle 20 or the warehousing worker at the warehousing destination of the vehicle 20 . When a user or a warehousing worker performs an operation to request remote diagnosis on the HMI 23 or communication terminal of the vehicle 20, the diagnosis content specifying unit 13 specifies the target vehicle from the vehicle ID included in the request signal. Bye. Similarly to the request details, the diagnosis content specifying unit 13 may refer to data recorded in the database 16 to specify the target vehicle if the remote diagnosis schedule and the like are determined in advance.

The certificate management unit 14 grants access authority to the vehicle 20 for a remote worker to perform remote diagnosis. The certificate management unit 14 determines a remote worker to whom remote diagnosis is to be requested, according to the diagnosis content specified by the diagnosis content identification unit 13. Remote workers who can perform remote diagnosis are registered in the database 16 in advance. In other words, the remote worker has the authority to perform remote diagnosis. Then, the certificate management unit 14 determines a remote worker according to the content of the request. For example, if the requested item for remote diagnosis is a navigation system, the certificate management unit 14 determines a worker who specializes in diagnosing navigation systems as the remote worker. Further, the certificate management unit 14 sends a request for remote diagnosis to the determined remote worker. Authentication processing is then performed between the server 10 and the remote terminal 30 operated by the remote worker, and if the authentication is successful, access authority to the target vehicle is granted.

The certificate management unit 14 also issues a certificate indicating that access authority has been granted. The certificate includes information on the content of the request, information on the access authority holder, and/or information on the target vehicle. The information on the access authority holder includes information on the remote terminal used when granting the access authority, personal information on the remote worker who requested remote diagnosis, and the like. The information on the target vehicle is the vehicle ID. The certificate management unit 14 transmits the issued certificate to the remote terminal 30. The certificate management unit 14 may also send a notification to the vehicle 20 that the certificate has been issued.

When a remote worker performs remote diagnosis, the certificate is sent from the remote terminal 30 to the vehicle 20. Then, if the vehicle 20 performs signature verification based on the certificate and is successfully authenticated, remote diagnosis is permitted. As a result, when performing remote diagnosis, access to the vehicle 20 from terminals other than the remote terminal 30 that received the certificate is prohibited.

Further, when issuing a certificate, the certificate management unit 14 may set the expiration date of the certificate according to the diagnosable period determined from the contents of the request. This prohibits access to the vehicle 20 based on the expired certificate.

Further, the certificate management unit 14 may issue a certificate after determining the operations permitted for remote diagnosis according to the content of the request for remote diagnosis. For example, if the request item for remote diagnosis is limited to a navigation system, the certificate management unit 14 issues a certificate after permitting only operations related to the navigation system. For example, when a diagnosis command unrelated to the navigation system is input to the vehicle 20 during remote diagnosis, the input command is rejected.

When the remote diagnosis is completed, the vehicle 20 or the remote terminal 30 having the certificate sends a signal to the server 10 that the remote diagnosis has been completed. When the certificate management unit 14 determines that the remote diagnosis has been completed by receiving a signal indicating that the remote diagnosis has been completed, the certificate management unit 14 invalidates the issued certificate. Additionally, the server 10 transmits a signal indicating that the certificate has been invalidated to the master ECU 21 of the vehicle 20. Thereby, it is possible to prevent the certificate from being misused after the remote diagnosis is completed.

The server communication unit 15 is a unit that connects between the server 10 and the vehicle 20 and between the server 10 and the remote terminal 30 to perform wireless communication. The database 16 stores vehicle IDs, information regarding remote diagnosis request details, remote worker information, certificate information, and the like.

The vehicle 20 includes a master ECU 21, a vehicle communication unit 22, an HMI 23, and a sensor 24. In addition to the master ECU 21, the vehicle 20 includes a drive source such as an engine and/or a motor, a battery, and the like. The master ECU 21 functions as a gateway in the in-vehicle communication network including communication between each ECU, and has the function of managing remote diagnostic control in addition to the control function of the entire vehicle. Further, the master ECU 21 communicates with the server 10 and the remote terminal 30 via the vehicle communication unit 22.

The vehicle communication unit 22 is a unit that connects between the server 10 and the vehicle 20 and between the vehicle 20 and the remote terminal 30 to perform wireless communication. The HMI (Human Machine Interface) 23 is an in-vehicle device operated by a user, such as a touch panel in-vehicle display (a navigation system screen, a liquid crystal meter, etc.), and accepts input from the user. The HMI 23 also notifies the user of authentication, diagnosis results, etc. necessary for remote diagnosis. The sensor 24 is a sensor for detecting the state of the vehicle, and is a vehicle speed sensor or the like.

Next, the control flow of the remote diagnosis management system will be explained with reference to FIG. FIG. 3 shows the control flow executed by server 10, vehicle 20, and remote terminal 30. In addition, in FIG. 3, the "vehicle user" indicates the user of the vehicle or the warehousing worker at the warehousing location (maintenance shop) of the vehicle 20. “Remote worker” indicates a worker who operates the remote terminal 30.

In step S1, the vehicle user detects a malfunction in the vehicle 20. In step S2, the vehicle user operates the HMI 23 to perform a remote diagnosis permission operation in order to resolve the problem.

In step S3, master ECU 21 of vehicle 20 performs owner authentication. Owner authentication is performed in the following manner. For example, the master ECU 21 displays a confirmation screen for permitting remote diagnosis on the screen of the HMI 23, and determines that consent for remote diagnosis has been obtained from the vehicle user when an operation to permit the remote diagnosis is performed. . Note that when the owner is authenticated by operating the HMI 23, the reliability of the owner authentication can be increased by using the PIN and password set by the vehicle user.

As another example of owner authentication, when the master ECU 21 detects that a plurality of intelligent keys of the vehicle 20 are present in the vehicle interior, the master ECU 21 may determine that consent for remote diagnosis has been obtained. By bringing a spare intelligent key owned by the owner of the vehicle 20 into the vehicle, the master ECU 21 detects a difference from normal driving when only one key is present in the vehicle. Furthermore, regarding the condition for owner authentication that requires multiple intelligent keys to be brought into the vehicle, if there is only one intelligent key, it is not possible to distinguish between, for example, a service where you leave the key and have the vehicle parked, and remote diagnosis. It's for a reason. For example, if you use a service where you leave your key with someone to park your car, and the person you left the key with misuses the operation to allow remote diagnosis, you may be advised not to bring multiple intelligent keys into the car. By making it a condition for owner authentication, such abuse can be eliminated.

As another example of owner authentication, a terminal owned by a vehicle user and the vehicle 20 are paired, and authentication information is stored in the owned terminal. Then, the vehicle user operates an application on the owned terminal to permit remote diagnosis, and reads the authentication information using the NFC reader installed in the vehicle 20. Then, if the authentication information read by the NFC reader is successfully authenticated, the master ECU 21 determines that the conditions for owner authentication are satisfied. Note that the master ECU 21 may allow the vehicle 20 to accept remote diagnosis permission operation only for a certain period of time after the authentication using the NFC reader is successful.

Note that the above method of owner authentication is merely an example, and other methods may be used, or a plurality of the above methods may be combined to increase the reliability of owner authentication.

After the owner authentication is completed, in step S4, the master ECU 21 of the vehicle 20 and the controller 11 of the server 10 specify the diagnosis content of the remote diagnosis. The vehicle user operates the HMI 23 or the owned terminal to input operation information to be permitted for remote diagnosis, and the master ECU 21 specifies the diagnosis content from the input operation information and includes the specified diagnosis content and vehicle ID. Send the signal to the server 10. The controller 11 of the server 10 associates the identified diagnostic details with the vehicle ID and registers them in the database 16. Diagnosis contents to be registered include diagnosis items, diagnostic period, etc. Note that the input of the diagnostic details by the in-vehicle user may be in a format that allows the user to select, for example, whether to allow rewriting of the program or resetting the ECU. Further, when the content of the remote diagnosis is registered in the database 16, the controller 11 notifies the vehicle 20 that the content of the diagnosis has been registered.

The master ECU 21 of the vehicle 20 confirms in advance that "remote operation is permitted" and then determines whether the current state of the vehicle 20 is in a state where remote diagnosis is possible ("diagnosis possible state"). Determination is made (step S5). A state in which remote diagnosis is possible is, for example, when the vehicle 20 is stopped and the engine hood latch is open. That is, the master ECU 21 determines whether the physical condition that the vehicle 20 is not running but is waiting for remote diagnosis is satisfied, and uses this physical condition as a condition for starting the remote diagnosis.

If it is determined in step S6 that the current state of the vehicle 20 is one in which remote diagnosis is possible, master ECU 21 notifies server 10 that it is "waiting for remote diagnosis operation."

Furthermore, when the vehicle 20 notifies the server 10 that it is "waiting for remote diagnosis operation," the master ECU 21 adds the vehicle's location information obtained by GPS etc. and authorizes the server 10 to perform remote diagnosis. You can also limit the location to areas around your current location. By pre-limiting the locations where remote diagnosis is permitted to areas around the current location, in the event that a certificate issued in the past is misused, the vehicle's current location will have changed by the time the past certificate is used. You can deny access based on Upon receiving this notification, the server 10 can send a request for remote diagnosis to an appropriate worker from among the pre-registered access authority holders for remote diagnosis.

In step S7, the controller 11 of the server 10 determines the remote worker to whom the remote diagnosis is requested, according to the diagnosis content of the remote diagnosis, and requests the remote worker's operating terminal to perform the remote diagnosis. Send a request signal to that effect. By including a one-time password in the request signal, the reliability of the certificate issuance process performed in subsequent steps is increased.

In step S8, the remote worker who has received the request from the server 10 operates the remote terminal 30 to log in to the server 10 and requests issuance of a certificate for remote diagnosis. For certificate issuance, authentication is strengthened by requiring the remote worker to enter a one-time password that was only given to the remote worker at the time of requesting remote diagnosis. By using a one-time password, even if the login password is leaked, it is possible to prevent certificates from being issued using only the login password.

In step S9, the controller 11 of the server 10 creates a certificate if the login operation by the remote worker is successfully authenticated and a certificate issuance request is received. The certificate records the certificate's expiration date, operation information permitted for remote diagnosis, and the like. Further, in step S10, the controller 11 issues a certificate as a token to the remote worker. In other words, the issuance of the certificate indicates that the server 10 has granted access authority to the remote worker. Note that the controller 11 may issue the certificate on the condition that it has received a notification of "waiting for remote diagnosis operation." The notification "Waiting for remote diagnosis operation" indicates that the vehicle 20 is in a state where it can accept remote diagnosis. Therefore, the controller 11 determines whether the vehicle 20 is in a state capable of accepting remote diagnosis based on the presence or absence of the notification of "waiting for remote diagnosis operation". Then, when it is determined that the vehicle 20 is in a state where remote diagnosis can be accepted, the controller 11 issues a certificate. The communication unit 12 also transmits the certificate issued by the certificate management unit 14 to the remote terminal 30. Note that the fact that the certificate has been issued is notified to the HMI 23 of the vehicle 20 and/or the terminal owned by the vehicle user. By this notification, if the remote diagnosis request is not intended by the vehicle user, the vehicle can be released from the "waiting for remote diagnosis operation" state or a command can be sent to the server 10 to stop remote diagnosis for the vehicle 20 in question. Risk mitigation measures can be taken to

In step S11, the remote worker transmits the issued certificate (token) to the vehicle 20. In step S12, the master ECU 21 of the vehicle 20 performs signature verification on the transmitted certificate using the public key of the server 10 that it has. The public key is written into the program of the master ECU 21 when the vehicle 20 is manufactured. Then, the master ECU 21 authenticates that the certificate has been issued normally and starts remote diagnosis (remote diagnosis start authentication). Furthermore, the master ECU 21 unlocks the communication function for remote diagnosis and unlocks the permitted operation authority recorded in the certificate. The communication function for remote diagnosis is a function for receiving a command for remote diagnosis in the vehicle 20 and transmitting the diagnosis result to the outside. Furthermore, the permitted operation authority is to enable the master ECU 21 to rewrite programs and send external commands such as diagnostic commands to the ECU that is the target of remote diagnosis. Since these communication functions and operation authority are locked by default, the master ECU 21 unlocks the locked state.

In step S13, the master ECU 21 notifies the remote worker of the certificate authentication result. In step S14, the remote worker confirms the notification from the master ECU 21 and starts remote diagnosis. In step S15, the remote worker transmits a diagnostic command for remote diagnosis to the vehicle 20. In step S16, the ECU 21 of the vehicle 20 performs diagnosis according to the diagnosis command and transmits the diagnosis result. Note that the transmission and reception of diagnostic commands and the transmission and reception of diagnosis results in remote diagnosis may be performed via the server 10.

As described above, in this embodiment, security risks are mainly reduced by performing various authentication processes such as owner authentication, authentication when remote workers log in, and authentication on the vehicle 20 side using certificates. However, security risks can be further reduced by implementing security measures for the network environment within the vehicle 20 and the in-vehicle components. However, there are the following restrictions in implementing security measures in the vehicle 20.

(A) A vehicle is equipped with several dozen ECUs that are subject to diagnosis, and changing all of these ECUs to components that implement security measures for remote diagnosis requires a large scale of development and takes time to implement. It will pass.
(B) Some general ECUs are equipped with low-power processors such as 16-bit microcomputers, but such processors require enhanced authentication algorithms, certificate management (operation authority management, expiration dates), etc. The resources necessary for processing (management) cannot be secured, and the scope of application of ECUs that can be subject to remote diagnosis is limited.
(C) In order to perform remote diagnosis, direct end-to-end communication between the ECU to be diagnosed and the system outside the vehicle means that if there is a vulnerability in the communication software of the ECU, the system outside the vehicle can directly communicate with the ECU inside the vehicle. A communication path is created through which commands can be sent.

In this embodiment, the system of the vehicle 20 is configured under an architecture as shown in FIG. 4 in order to avoid the constraints (A) to (C) above. FIG. 4 is a conceptual diagram illustrating the architecture of vehicle 20 suitable for remote diagnosis.

The master ECU 21 has a remote diagnosis permission determination section 21a, a communication data processing section 21b, and a diagnosis communication processing section 21c as functional blocks. The remote diagnosis permission determination unit 21a has a function of transmitting the determination result of remote diagnosis Lock/Unlock to the diagnosis communication processing unit 21c, and also performs necessary operations such as owner authentication and certificate authentication to start remote diagnosis. It has an authentication processing function.

The master ECU 21 verifies the area (Zone.1) that performs communication processing with the server 10 and/or the remote terminal 30 via the vehicle communication unit 22 and the certificate data for remote diagnosis, and sends the diagnosis to multiple ECUs in the vehicle. It has an area (Zone.2) for performing in-vehicle communication processing for transmitting and receiving commands. Zone. 1 and Zone. During Zone 2, communication processing inside the vehicle is performed from outside the vehicle by separating hardware or software such as Hypervisor. Prevent direct attacks on 2.

The remote diagnosis permission determination unit 21a and the diagnosis communication processing unit 21c are located in Zone. The communication data processing unit 21b is provided in Zone. 1 is provided. Zone of master ECU21. The communication data processing unit 21b provided in 1 performs communication between the remote diagnosis server 10 and the remote terminal 30 using TLS (a protocol for encrypting and transmitting/receiving data over a TCP/IP network such as the Internet). This prevents eavesdropping and tampering of communication data between the vehicle communication unit 22 and the server 10 and the remote terminal 30.

The remote diagnosis permission determination unit 21a locks functions necessary for remote diagnosis, such as communication functions used in remote diagnosis and operation authority permitted for remote diagnosis, by default.

The remote diagnosis permission determination unit 21a performs owner authentication based on the operation command of the HMI 23, and determines whether the current state of the vehicle 20 is a state that allows remote diagnosis based on the detection result of the sensor 24. Then, if the owner authentication is successfully performed and it is determined that the current state of the vehicle 20 is a state in which remote diagnosis is possible, the remote diagnosis permission determination unit 21a permits remote diagnosis. When remote diagnosis is permitted, the state is "waiting for remote diagnosis operation", and the remote diagnosis permission determination unit 21 unlocks the communication function used for remote diagnosis in order to communicate with the server 10. Make it.

For example, the following conditions may be satisfied to enter the "wait for remote diagnosis operation" state.
(1) A permission operation for remote diagnosis has been executed by the HMI 23 of the vehicle 20, and a cancellation operation has not been performed.
(2) A timeout has not occurred from the operation in (1).
(3) The vehicle 20 must be stopped.
(4) The vehicle 20 is in a maintained state (engine hood is open, etc.).

In addition, after the owner authentication based on the operation command of the HMI 23, the remote diagnosis permission determination unit 21a determines whether or not the above conditions are met within a certain period of time, and if the conditions are met, the remote diagnosis permission determination unit 21a enters the "waiting for remote diagnosis operation" state. You can also use it as Further, the above conditions may include that signature verification based on a certificate has been successfully performed.

Then, if the signature verification based on the certificate is successfully performed, the remote diagnosis permission determination unit 21a determines the locked state of other functions necessary for remote diagnosis, such as the operation authority permitted for remote diagnosis. to unlock. When the functions necessary for remote diagnosis are unlocked, the diagnostic communication processing unit 21c identifies the target ECU for remote diagnosis among the ECUs connected to the master ECU 21. The diagnostic communication processing section 21c receives diagnostic commands from the communication data processing section 21b. That is, only when the functions necessary for remote diagnosis are unlocked, Zone. The communication data processing unit 21b of Zone.1 and the communication data processing unit 21b of Zone. Communication with the diagnostic communication processing unit 21c of No. 2 becomes effective.

The diagnostic communication processing unit 21c then transmits the diagnostic command only to the target ECU. The target ECU receives a diagnostic command from the diagnostic communication processing section 21c and operates. Since the master ECU 21 executes the certificate signature processing and owner authentication necessary for security measures for remote diagnosis, it is possible to avoid changing the software and hardware of the ECU to be diagnosed.

As described above, in the remote diagnosis management device and remote diagnosis management method according to the present embodiment, the controller 11 specifies the diagnosis content of the remote diagnosis, and performs the remote diagnosis remotely from the vehicle 20 based on the specified diagnosis content. The system grants access authority to the vehicle to perform the operations, issues a certificate indicating that the access authority has been granted, and sends the issued certificate to the remote terminal of the remote worker. This makes it possible to reduce security risks in remote diagnosis.

Further, in this embodiment, the diagnosis content specifying unit 13 specifies a target vehicle to be subjected to remote diagnosis based on remote control, and issues a certificate indicating that access authority to the target vehicle has been granted. Thereby, the certificate can be validated only for accessing the vehicle 20 that is the target of remote diagnosis, so security risks in remote diagnosis can be reduced.

Further, in this embodiment, when performing remote diagnosis, access to the vehicle 20 from terminals other than the remote terminal that received the certificate is prohibited. This makes it possible to reduce security risks in remote diagnosis.

Further, in this embodiment, the certificate management unit 14 issues a certificate after determining the validity period of the certificate. This makes it possible to check the expiration date of a certificate during certificate signature verification, thereby reducing security risks in remote diagnosis.

Further, in this embodiment, the certificate management unit 14 invalidates the certificate when the remote diagnosis is completed. Further, information indicating that the certificate has been invalidated is transmitted to the master ECU 21 of the vehicle 20. This prevents certificate reuse and reduces security risks in remote diagnosis.

Further, in the present embodiment, the certificate management unit 14 issues a certificate when it is determined that the vehicle 20 is in a state where remote diagnosis can be executed. As a result, the physical condition that the vehicle 20 is not running but is waiting for remote diagnosis becomes the certificate issuance condition, so that remote diagnosis can be performed with the vehicle in a state suitable for diagnosis. In particular, if the system is based on a conventional wired connection via an OBD terminal, the repair worker can ensure that the vehicle is in a safe state, such as by locking the wheels or otherwise preventing the vehicle from running. On the other hand, the remote diagnosis system using wireless communication in this embodiment can confirm that the vehicle is in a state suitable for diagnosis.

Further, in this embodiment, the certificate management unit 14 issues a certificate after determining operations that are permitted for remote diagnosis. Thereby, if remote diagnosis is performed using an operation other than the permitted operation, remote diagnosis can be rejected.

In the present embodiment, the server 10 receives a request signal for requesting remote diagnosis from an authenticated vehicle that has undergone owner authentication or a terminal connected to the authenticated vehicle, and receives request information included in the request signal. The diagnosis content is specified based on the diagnosis content, and a certificate is issued based on the specified diagnosis content. This makes it possible to issue a certificate that is valid only for the content of the remote diagnosis request after obtaining the consent of the vehicle user, thereby reducing security risks in remote diagnosis.

In this embodiment, when the server 10 or the vehicle 20 performs owner authentication, remote worker login authentication, and certificate authentication, if the authentication process fails multiple times, the operation for authentication is unlocked. You may also perform processing such as extending the time until the next operation reception. Furthermore, the vehicle 20 may transmit history information of authentication failures to the server 10 as evidence of authentication failures.

Note that the communication section 12 corresponds to a "transmission section" and a "reception section" of the present invention.

Note that the embodiments described above are described to facilitate understanding of the present invention, and are not described to limit the present invention. Therefore, each element disclosed in the above embodiments is intended to include all design changes and equivalents that fall within the technical scope of the present invention.

10...Server 11...Controller 12...Communication unit 13...Diagnosis content identification unit 14...Certificate management unit 15...Server communication unit 16...Database 20...Vehicle 21...Diagnostic communication processing unit 21...Remote diagnosis permission determination unit 22...Vehicle communication Unit 24...Sensor 30...Remote terminal

Claims (9)

A remote diagnosis management device that connects to a vehicle via wireless communication and includes a controller that manages remote diagnosis that diagnoses the condition of the vehicle remotely from the vehicle.
The controller includes:
a diagnosis content specifying unit that specifies the diagnosis content of the remote diagnosis;
a certificate management unit that grants access authority to the vehicle for performing the remote diagnosis based on the diagnosis content, and issues a certificate indicating that the access authority has been granted;
and a transmitter for transmitting the certificate to a remote terminal. The remote diagnosis management device according to claim 1,
The diagnosis content specifying unit specifies a target vehicle to be subjected to the remote diagnosis based on remote operation,
The certificate management unit is a remote diagnosis management device that issues the certificate indicating that access authority to the target vehicle has been granted. The remote diagnosis management device according to claim 1 or 2,
When performing the remote diagnosis, the remote diagnosis management device prohibits access to the vehicle from terminals other than the remote terminal that received the certificate. The remote diagnosis management device according to any one of claims 1 to 3,
The certificate management unit is a remote diagnostic management device that issues the certificate after determining the validity period of the certificate. The remote diagnosis management device according to any one of claims 1 to 4,
The certificate management unit is a remote diagnosis management device that invalidates the certificate when the remote diagnosis is completed. The remote diagnosis management device according to any one of claims 1 to 5,
The certificate management unit is a remote diagnosis management device that issues the certificate when it is determined that the vehicle is in a state where the remote diagnosis can be executed. The remote diagnostic management device according to any one of claims 1 to 6,
The certificate management unit is a remote diagnosis management device that defines operations permitted for the remote diagnosis and issues the certificate. The remote diagnostic management device according to any one of claims 1 to 7,
comprising a receiving unit that receives a request signal for requesting the remote diagnosis from an authenticated vehicle in which owner authentication has been performed or a terminal connected to the authenticated vehicle;
The diagnosis content specifying unit specifies the diagnosis content based on request information included in the request signal,
The certificate management unit is a remote diagnosis management device that issues the certificate based on the diagnosis content. A remote diagnosis management method for managing remote diagnosis executed by a processor, connecting to a vehicle via wireless communication and remotely diagnosing the state of the vehicle from a distance from the vehicle, the method comprising:
Identify the diagnosis content of remote diagnosis,
Based on the diagnosis content, granting access authority to the vehicle for performing the remote diagnosis;
Issue a certificate indicating that the access authority has been granted,
A remote diagnostic management method for transmitting the certificate to a remote terminal.