WO2019160726A1 - Systems and methods to prevent autonomous vehicle misuse - Google Patents

Systems and methods to prevent autonomous vehicle misuse

Info

Publication number
WO2019160726A1
Authority
WO
WIPO (PCT)
Prior art keywords
lss
controller
illuminator
override
autonomous vehicle
Prior art date
Application number
PCT/US2019/016938
Other languages
French (fr)
Inventor
Gordon David MCINTOSH
Original Assignee
Mcintosh Gordon David
Priority date
Filing date
Publication date
Application filed by Mcintosh Gordon David
Publication of WO2019160726A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/80 Arrangements enabling lawful interception [LI]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes
    • H04W 4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

Definitions

  • AV Autonomous Vehicle
  • FMCSA Federal Motor Carrier Safety Administration
  • FMCSRs Federal Motor Carrier Safety Regulations
  • connection protocol must provide cryptographic mechanisms to:
  • Level 2 and above autonomous vehicles should use the best available technology designed to provide law enforcement's identification and authentication, message integrity, message confidentiality, non-repudiation of origin and non-repudiation of receipt.
  • the software and hardware should be subject to review by third party experts; it is suggested as a minimum that they undergo a Common Criteria evaluation as well as FIPS 140-2 Level 4 certification.
  • the present invention provides a system, method and apparatus to prevent autonomous vehicle misuse.
  • the exemplary aspects of the present invention detail an effective and secure methodology to implement the external management and/or shutdown of autonomous vehicles by authorized personnel through the use of intelligent sensors that can override functionality as necessary.
  • Figure 1 is a block diagram showing a typical Autonomous Vehicle with AV Controller and Sensor System in which the present invention may be implemented;
  • Figure 2 is a block diagram showing details of a typical Autonomous Vehicle Controller and Support Systems in which the present invention may be implemented;
  • Figure 3 depicts a handheld Lawful Stop and Search (LSS) illuminator
  • Figure 4 depicts a car mounted Lawful Stop and Search (LSS)
  • Figure 5 depicts a helicopter mounted Lawful Stop and Search (LSS) illuminator
  • Figure 6 is a diagram depicting a Fixed LSS Fence, an electronic fence using Lawful Stop and Search (LSS) illuminators;
  • Figure 7 is a diagram depicting the two way communications where the LSS Illuminator, acting as a client, communicates with a LSS AV Override System Controller, acting as the server, i.e., actively listening for an illuminator;
  • Figure 8 is a block diagram of an example LSS illuminator electronics
  • Figure 9 is a block diagram of an example LSS Manual Controller electronics
  • Figure 10 is a block diagram of an example LSS AV Override System Controller electronics
  • Figure 11 is a block diagram showing details of a LSS Override System Controller interfaces to a typical Autonomous Vehicle Controller;
  • Figure 12 is a diagram depicting a driver-less AV with wired LSS Manual Controller.
  • Figure 13 is a diagram depicting a driver-less AV with wireless LSS Manual Controller
  • Figure 1 is a block diagram depicting a typical Autonomous Vehicle (AV) with AV Controller and Sensor System 100 in which the present invention may be implemented.
  • Depicted in Figure 1 is an autonomous vehicle with AV Controller 130 and the various sensors currently being designed for autonomous vehicles; the direction of forward travel is indicated by the arrow.
  • omnidirectional sensor may represent a GPS/GNSS, LIDAR, V2X, LSS, RF, or a combination of these (or other technology types) i.e., an AV could support multiple omnidirectional technologies each having dedicated sensors, or sensors integrated with multiple technologies.
  • a LSS (Lawful Stop and Search) sensor, either dedicated or integrated with other sensor technology may be implemented as a single mode or as a multi-mode sensor as design demands.
  • Figure 2 is a block diagram depicting a typical Autonomous Vehicle (AV) Controller and Support Systems 200 in which the present invention may be implemented.
  • AV Controller and Support systems may vary according to the manufacturer, design requirements, requirements mandated by local and federal regulatory bodies, as well as intended usage.
  • the autonomous vehicle controller processor subsystem 201 providing the main processing resources and external interface, the User Interface 203 that provides possible manual interfaces to the controller. Additionally shown are the following systems, the Brake Controller & Brake System 205, Radio Controller & Radio
  • the External Control Interfaces 221 and 223 provide both normal control interfaces 223 and emergency control interfaces 221 to the AV Controller.
  • the normal control interface 223 interfaces directly with the AV Controller Processor Subsystem 210 and allows an external controller to override the normal autonomous operations.
  • the emergency control interface 221 bypasses the AV Controller Processor Subsystem 210 and interfaces directly to the Brake Controller & Brake System 205, Steering Controller & Steering System 209 and Drive Motor Controller & Drive Motor System 213.
  • Figures 3, 4, 5 and 6 are depictions of a LSS handheld illuminator, a LSS Car Mounted illuminator, a LSS Helicopter Mounted illuminator, and a fixed LSS Fence, in accordance with a preferred embodiment of the present invention.
  • LSS Car Mounted illuminator and the LSS Helicopter Mounted illuminator will require external mounts that have azimuth and elevation control for pointing; however, this is beyond the scope of the present invention.
  • law enforcement personnel will operate the LSS illuminators as part of an intervention process when an AV must be stopped for inspection or where other means have failed or deemed unusable or unsafe.
  • the LSS illuminator is used to signal the AV that authorized personnel are overriding AV control.
  • a LSS illuminator may be a single mode, or multi-mode device; multi-mode may allow different modes to be selectable or all modes may be used simultaneously.
  • each Illuminator depicted may be integrated into other systems already required; e.g. the LSS handheld illuminator could be integrated into a flashlight, the LSS Car Mounted illuminator could be integrated into the vehicle's emergency lighting.
  • Typical modes would be visible laser, infrared laser, ultrasonic, Radio Frequency (RF) and/or other applicable technologies; multi-mode devices would utilize two or more of these (or two or more frequencies), either selectably or simultaneously.
  • RF Radio Frequency
  • Figure 6 is a concept drawing of a restricted area consisting of Restricted Roadway 312C and Pedestrian Walkways 310C and 314C. These areas are protected by an electronic fence consisting of LSS Illuminators 302C, 304C, 306C, and 308C, each transmitting a "Fence" command with the GPS coordinates of the restricted area. These coordinates could be the corners of the fenced area or the center and radius, as design dictates. Commands are transmitted periodically at a high repetition rate during periods of usage, and may be turned off otherwise. The installation could be used to exclude AVs from restricted areas, such as large celebrations and/or large public gatherings.
  • communications may be visible laser, infrared laser, ultrasonic, Radio Frequency (RF) and/or other applicable technologies.
  • LSS user identification and authentication is necessary to guard against unauthorized interference with the AV.
  • message integrity is required to ensure the message is received correctly so it may be interpreted properly.
  • message confidentiality is required to prevent spoofing of LSS messages or other hacking techniques.
  • Non-repudiation of origin is required to ensure the AV's owner/dispatcher has sufficient records to know who stopped the AV and why, and non-repudiation of receipt is required so the origin (ownership) of the AV can be verified.
  • LSS illuminator 400 with Transmitter (TX) 401 and Receiver (RX) 402, and LSS AV Sensor 420 with Receiver (RX) 421 and Transmitter (TX) 422.
  • LSS AV Sensor 420 acts as a server, listening for a LSS illuminator 400 communication to be initiated via Receiver 421; its Transmitter 422 is inactive.
  • When LSS illuminator 400 is activated it initiates a Transport Layer Security version 1.2 (TLSv1.2) handshake with mutual authentication; if the LSS AV Sensor 420 Receiver 421 is in its beam 410 as shown, the LSS AV Sensor 420 responds via Transmitter 422 and completes the handshake.
  • TLSv1.2 Transport Layer Security version 1.2
  • the LSS illuminator 400 issues a TLSv1.2 shutdown command to terminate the link; this ends the TLS session.
  • protocols other than TLSv1.2 may be used to achieve the necessary link security; however, those of ordinary skill in the art will also recognize that non-repudiation of origin and non-repudiation of receipt are required, whether provided as an extension to TLS or as part of the application layer.
  • the command "Fence" is issued at fixed locations to require that the AV recognize a restricted area it may not enter; this command transmits the GPS coordinates of its location so the AV may reroute.
  • the command "Acknowledge" requires that the AV respond to a sensor query to verify the health of the LSS System.
  • the command "Identify" requires the vehicle return AV
  • the command "Manifest" requires that the AV respond with the current vehicle manifest data.
  • the command "PullOverPark" is intended for normal situations where vehicle inspection e.g., load
  • "ResumeOperation" is intended to allow the AV to continue its operation after an interruption; however, no internal AV control may be applied until enabled by receipt of this command. Additionally, some commands could require sub-commands for added functionality; the "PullOverPark" command could include sub-commands to indicate why the AV was pulled over, e.g., "MobileScale", "LoadInspection", "EquipmentViolation", or others as required. Those of ordinary skill in the art will appreciate that design requirements, regulatory requirements, field experience, etc., may require that commands be added, modified, and/or removed.
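The security requirements listed above (identification and authentication of the officer, message integrity, non-repudiation of origin and of receipt) and the command set just described are illustrated by the following added Go example. It is not code from the patent or its inventor. It models only the application layer that would run inside the mutually authenticated TLSv1.2 session: the illuminator signs each numbered command with an Ed25519 key, the in-vehicle override system accepts a command only from an enrolled key, rejects replays by sequence number, flips its internal-control state only after every check has passed, and answers with a receipt signed by the vehicle key that dispatch can archive. The JSON field layout, the sequence-number scheme, the Ed25519 keys (standing in for the TLS client certificate the patent relies on), the identifiers "AV-0001" and "officer-42", and the status strings are all assumptions of this example; confidentiality is left to TLS and is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// LSSCommand is the application-layer message carried inside the mutually authenticated TLS
// session. The field layout is this example's assumption; the patent names the commands only.
type LSSCommand struct {
	Command    string // "Acknowledge", "Identify", "Manifest", "PullOverPark", "EmergencyStop", "ResumeOperation"
	SubCommand string // e.g. "MobileScale" for PullOverPark
	Sequence   uint64 // strictly increasing per illuminator, so the AV can reject replays
	OfficerID  string // identifier bound to the enrolled signing key
}
type SignedCommand struct{ Payload, Signature []byte }                 // illuminator signature: non-repudiation of origin
type Receipt struct{ VehicleID string; Sequence uint64; Status string } // vehicle-signed reply: non-repudiation of receipt

// newKey generates an Ed25519 key pair for the constructed illuminator and vehicle identities.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // an entropy failure is not recoverable here
	}
	return pub, priv
}

// Illuminator models the law-enforcement device (handheld illuminator or manual controller).
// Pub is the key the AV enrolls; in the patent's design it arrives in the TLS client certificate.
type Illuminator struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	seq  uint64
}

func NewIlluminator() *Illuminator {
	pub, priv := newKey()
	return &Illuminator{Pub: pub, priv: priv}
}

// Sign assigns the next sequence number and signs the serialized command.
func (il *Illuminator) Sign(cmd LSSCommand) SignedCommand {
	il.seq++
	cmd.Sequence = il.seq
	payload, _ := json.Marshal(cmd) // cannot fail for this plain struct
	return SignedCommand{Payload: payload, Signature: ed25519.Sign(il.priv, payload)}
}

// OverrideSystem models the in-vehicle LSS AV Override System Controller.
type OverrideSystem struct {
	VehicleID       string
	Pub             ed25519.PublicKey            // lets the illuminator or dispatch verify receipts
	InternalControl bool                         // cleared by a stop command; only ResumeOperation sets it again
	trusted         map[string]ed25519.PublicKey // officer ID -> enrolled key (constructed trust store)
	priv            ed25519.PrivateKey
	lastSeq         uint64
}

func NewOverrideSystem(vehicleID string) *OverrideSystem {
	pub, priv := newKey()
	return &OverrideSystem{VehicleID: vehicleID, Pub: pub, InternalControl: true, trusted: map[string]ed25519.PublicKey{}, priv: priv}
}

func (ov *OverrideSystem) Enroll(id string, pub ed25519.PublicKey) { ov.trusted[id] = pub }

// Handle authenticates and replay-checks one command, acts on it only after every check has
// passed, and returns the receipt together with the vehicle's signature over its JSON form.
func (ov *OverrideSystem) Handle(sc SignedCommand) (Receipt, []byte, error) {
	var cmd LSSCommand
	if err := json.Unmarshal(sc.Payload, &cmd); err != nil {
		return Receipt{}, nil, err
	}
	pub, enrolled := ov.trusted[cmd.OfficerID]
	switch {
	case !enrolled || !ed25519.Verify(pub, sc.Payload, sc.Signature):
		return Receipt{}, nil, fmt.Errorf("officer %q not enrolled or signature invalid", cmd.OfficerID)
	case cmd.Sequence <= ov.lastSeq:
		return Receipt{}, nil, errors.New("replayed or out-of-order command")
	}
	var status string
	switch cmd.Command {
	case "Acknowledge", "Identify", "Manifest":
		status = "ok:" + cmd.Command // the identity or manifest data would accompany the receipt
	case "PullOverPark", "EmergencyStop":
		ov.InternalControl = false
		status = "stopped:" + cmd.SubCommand
	case "ResumeOperation":
		ov.InternalControl = true
		status = "resumed"
	default:
		return Receipt{}, nil, fmt.Errorf("unsupported command %q", cmd.Command)
	}
	ov.lastSeq = cmd.Sequence
	rcpt := Receipt{VehicleID: ov.VehicleID, Sequence: cmd.Sequence, Status: status}
	body, _ := json.Marshal(rcpt)
	return rcpt, ed25519.Sign(ov.priv, body), nil
}

// VerifyReceipt is what the illuminator or dispatch runs before archiving the receipt.
func VerifyReceipt(vehiclePub ed25519.PublicKey, rcpt Receipt, sig []byte) bool {
	body, _ := json.Marshal(rcpt)
	return ed25519.Verify(vehiclePub, body, sig)
}
```

A caller drives it by enrolling the officer's public key with Enroll, signing a command with Sign, passing it to Handle and checking the returned receipt with VerifyReceipt. Two design points matter for the patent's goals: a replayed or forged command is rejected before any state changes, so a captured "ResumeOperation" cannot be reused to re-enable the vehicle, and the vehicle's signature over the receipt is what gives dispatch a record that this particular vehicle acknowledged this particular numbered command.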
  • Figure 8 is a block diagram illustrating components of a LSS illuminator 500 used by authorized personnel to mitigate and/or prevent autonomous vehicle misuse, depicted in accordance with a preferred embodiment of the present invention.
  • the LSS illuminator described herein communicates directly with the LSS Sensor described in the paragraph below.
  • the LSS illuminator comprises processing, transmit chain, receive chain, user interface and dispatch interface subsystems; other components may be used in the transmit and/or receive chain, or other subsystems.
  • the transmit chain is comprised of Oscillator 501 which generates the carrier frequency, the Modulator 503 which modulates the carrier, Amplifier 505 which amplifies the signal, the Transmitter 507 which emits the modulated beam 530 intended for the LSS Sensor.
  • the receive chain is comprised of the Receiver 515 which receives the modulated beam 532 from the LSS Sensor, Signal Conditioner and Amplifier 513 which
  • the processing chain is comprised of Processor 509, and the RAM/NVRAM 517.
  • the Processor 509 performs all processing tasks including generating transmit signals, interpreting receive signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 517 where program and data are stored, interfaces to USB Interface 521 which provides means to load necessary system data, reads User Input 519, drives Status Indicators 523, and drives the Dispatch Interface 525 which ensures all device (LSS Illuminator) usage is externally monitored to preserve usage records.
  • GPS Receiver 527 and GPS Antenna 529 can be integrated. It is recommended high-accuracy GPS be implemented.
  • Figure 9 is a diagram illustrating components of an LSS Manual Controller 600 intended to communicate with the AV and used to manage the autonomous vehicle, depicted in accordance with a preferred embodiment of the present invention.
  • the LSS Manual Controller described herein communicates directly with the LSS AV Override System via an attached cable or by wireless link; the details of cable or wireless link are not illustrated.
  • the LSS Manual Controller comprises processing, transmit chain, receive chain and user interface subsystems.
  • the transmit chain is comprised of Oscillator 601 which generates the carrier frequency, the Modulator 603 which modulates the carrier, Amplifier 605 which amplifies the signal, the Transmitter 607 which emits the modulated signal 630 to the LSS AV Override System, either via wired or wireless means.
  • the receive chain is comprised of the Receiver 615 which receives the modulated signal 632 from the LSS AV Override
  • the processing chain is comprised of Processor 609, and the RAM/NVRAM 617.
  • the Processor 609 performs all processing tasks including generating transmit signals, interpreting receive signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 617 where program and data are stored, interfaces to USB Interface 621 which provides means to load necessary system data, reads User Input 619, and drives Status Indicators 623.
  • When LSS Manual Controller 600 is activated it initiates a TLSv1.2 handshake with mutual authentication;
  • the LSS Manual Controller 600 transmits command(s) and waits on a response from the LSS AV Override System.
  • once the command(s) are acknowledged, the LSS Manual Controller 600 issues a TLSv1.2 shutdown command to terminate the link; this ends the TLS session.
  • protocols other than TLSv1.2 may be used to achieve the necessary link security.
  • the command “ContactTerminal” is intended to notify the vehicle's owner/operator that additional assistance is required.
  • the command “ResumeOperation” is intended to allow the AV continue its operation after interruption; however, no internal AV control may be applied until enabled by receipt of this command.
  • the LSS AV Override System described herein communicates directly with the LSS illuminator described in the paragraph above and communicates with the LSS Manual Controller described below.
  • the components may be integrated into existing AV sensors such as LIDAR, radar, GNSS, or ultrasonic, etc.; furthermore, significant anti-tampering characteristics of the LSS AV Override System may be gained through the use of integrated sensors, e.g., if an integrated LSS/LIDAR sensor were tampered with, the LIDAR system would also be degraded and the system would fail. Additionally, some components, such as receiver and/or transmitter, may be integrated into the vehicle's running, braking, or emergency lighting. Those of ordinary skill in the art will appreciate that the hardware depicted in Figure 10 may vary, e.g., other components may be used in the transmit and/or receive chain, or other subsystems.
  • the transmit chain is comprised of Oscillator 701 which generates the carrier frequency, the Modulator 703 which modulates the carrier, Amplifier 705 which amplifies the signal, the Transmitter 707 which emits the modulated beam 730 intended for the LSS Illuminator.
  • the receive chain is comprised of the Receiver 715 which receives the modulated beam 732 from the LSS Illuminator, Signal Conditioner and Amplifier 713 which synchronizes to the incoming signal and amplifies to the proper level, and Demodulator 711 which recovers the information content from the modulated carrier wave and sends for processing.
  • the processing chain is comprised of Processor 709, and the RAM/NVRAM 717.
  • the Processor 709 performs all processing tasks including generating transmit signals, interpreting receive signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 717 where program and data are stored, interfaces to USB Interface 721 which provides means to load necessary system data, reads User Input 719, drives Status Indicators 723, and drives the Dispatch Interface 725 which ensures all device (LSS Illuminator) usage is externally monitored to preserve usage records, interfaces to the External Control Interface 727 which allows the AV to be controlled by an external device, and interfaces to the AV Computer Interface 729 which sends override commands to the AV control system computer, or to a separate control implemented to bypass the AV's controller and operate directly on the motor feed and braking
  • a high-accuracy GPS Receiver 720 and GPS Antenna 724 provide accurate LSS location data that is independent of the AV control system. LSS location data is used in conjunction with "Fence" commands received from LSS electronic fence installations. As the vehicle approaches a restricted area marked with the LSS fence, the AV controller may be notified to avoid the restricted area. In the case the LSS AV Override System detects actual AV intrusion into a LSS electronic fenced area, the vehicle is reliably stopped by bypassing the AV's controller via the
  • LSS AV Override System location data can also be sent to the AV control system to increase its reliability.
  • the Native AV Controller can transmit the route map to the LSS AV Override System via the AV Computer Interface 729, where the route is continuously checked by the LSS Override System. Small route deviations can be transmitted back to the AV controller for correction, resulting in higher route reliability, whereas large route deviations will result in activation of the Emergency Override Interface and a subsequent AV stop.
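The two location checks described above, the "Fence" command of Figure 6 (a restricted area given either as corner coordinates or as a center and radius) and the continuous route comparison with small deviations reported and large deviations triggering the emergency override, are demonstrated by the following added Go example. It is not code from the patent or its inventor. The override system is modelled as a pure decision function over a GPS fix, the AV's route and the fences received so far; the thresholds (500 m fence-approach warning, 5 m and 50 m deviation limits), the priority order among the checks, the equirectangular distance approximation and all coordinates are assumptions of this example, since the patent gives none.

```go
package main

import "math"

type LatLon struct{ Lat, Lon float64 } // GPS fix in decimal degrees

// Fence is a restricted area as carried by a "Fence" command, in either form the
// patent mentions: the corners of the area, or its centre and radius.
type Fence struct {
	Corners []LatLon // polygon form; leave empty to use the circular form
	Center  LatLon
	RadiusM float64
}

type Action string // the override system's decision for one position fix

const (
	Continue      Action = "continue"       // on route, no fence nearby
	CorrectRoute  Action = "correct-route"  // small deviation: report to the AV controller
	NotifyReroute Action = "notify-reroute" // fence ahead: ask the AV controller to reroute
	EmergencyStop Action = "emergency-stop" // inside a fence or far off route: bypass the controller and stop

	// The thresholds are this example's assumptions; the patent states none.
	earthRadiusM = 6371000.0
	approachM    = 500.0 // notify when a fence boundary is within this distance
	smallDevM    = 5.0   // deviations above this are reported for correction
	largeDevM    = 50.0  // deviations above this trip the emergency override
)

// local projects p into metres east (x) and north (y) of ref: an equirectangular
// approximation that is accurate to well under a metre over the few kilometres involved.
func local(ref, p LatLon) (x, y float64) {
	rad := math.Pi / 180
	return (p.Lon - ref.Lon) * rad * earthRadiusM * math.Cos(ref.Lat*rad), (p.Lat - ref.Lat) * rad * earthRadiusM
}

// DistanceMeters is the straight-line distance between two nearby fixes.
func DistanceMeters(a, b LatLon) float64 { return math.Hypot(local(a, b)) }

// DistanceToPathMeters is the distance from pos to the nearest segment of path.
func DistanceToPathMeters(path []LatLon, pos LatLon) float64 {
	best := math.Inf(1)
	for i := 0; i+1 < len(path); i++ {
		ax, ay := local(pos, path[i]) // pos is the origin of this frame
		bx, by := local(pos, path[i+1])
		dx, dy := bx-ax, by-ay
		t := 0.0
		if l2 := dx*dx + dy*dy; l2 > 0 {
			t = math.Max(0, math.Min(1, -(ax*dx+ay*dy)/l2)) // projection of the origin onto the segment
		}
		best = math.Min(best, math.Hypot(ax+t*dx, ay+t*dy))
	}
	return best
}

// Contains reports whether p lies inside the fence; the polygon form uses ray casting in
// degrees, which is adequate for the small, mid-latitude areas an LSS fence covers.
func (f Fence) Contains(p LatLon) bool {
	if len(f.Corners) == 0 {
		return DistanceMeters(f.Center, p) <= f.RadiusM
	}
	inside := false
	for i, j := 0, len(f.Corners)-1; i < len(f.Corners); j, i = i, i+1 {
		ci, cj := f.Corners[i], f.Corners[j]
		if (ci.Lat > p.Lat) != (cj.Lat > p.Lat) && p.Lon < (cj.Lon-ci.Lon)*(p.Lat-ci.Lat)/(cj.Lat-ci.Lat)+ci.Lon {
			inside = !inside
		}
	}
	return inside
}

// BoundaryDistanceMeters is the distance from p to the fence boundary (0 when inside).
func (f Fence) BoundaryDistanceMeters(p LatLon) float64 {
	switch {
	case f.Contains(p):
		return 0
	case len(f.Corners) == 0:
		return DistanceMeters(f.Center, p) - f.RadiusM
	}
	return DistanceToPathMeters(append(append([]LatLon{}, f.Corners...), f.Corners[0]), p)
}

// Assess turns one position fix into a decision: intrusion into a fence or a large route
// deviation stops the vehicle; a fence ahead or a small deviation is reported to the AV
// controller. The priority order is this example's choice.
func Assess(pos LatLon, route []LatLon, fences []Fence) Action {
	for _, f := range fences {
		if f.Contains(pos) {
			return EmergencyStop
		}
	}
	dev := DistanceToPathMeters(route, pos)
	if dev > largeDevM {
		return EmergencyStop
	}
	for _, f := range fences {
		if f.BoundaryDistanceMeters(pos) <= approachM {
			return NotifyReroute
		}
	}
	if dev > smallDevM {
		return CorrectRoute
	}
	return Continue
}
```

Called once per GPS fix with the route received over the AV Computer Interface and the fences collected from LSS fence installations, Assess yields Continue on route, CorrectRoute a few metres off it, NotifyReroute when a fence boundary comes within the approach distance, and EmergencyStop either inside a fence or far off route. Because the decision depends only on the override system's own high-accuracy GPS fix, the outcome does not change if the AV controller's navigation is wrong or has been interfered with, which is the independence the patent asks for.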
  • Figure 7, a diagram illustrating components of a LSS illuminator 400, and Figure 9, a diagram illustrating components of an LSS Manual Controller 600, show significant similarities, such that the handheld LSS Illuminator and a LSS Manual Controller may be integrated into a single package.
  • Figure 11 is a block diagram of a LSS Override System Controller and Autonomous Vehicle Controller 800 showing the relationship and connections between the LSS Override System Controller 801, the AV Controller and Support System 803, and the External Control Interfaces 805 and 807.
  • the LSS Override System Controller 801 is purposefully shown above the AV Controller and Support System 803 because it can override the AV Controller and Support System 803 which must respond to the direction of LSS Override System Controller 801.
  • the LSS Override System Controller 801 is fully explained in the
  • LSS Sensor 902 may be an independent sensor, or may be integrated into the AV navigation sensors such as LIDAR, RADAR, camera or other; however, integrated sensors offer increased anti-tampering security, and are therefore preferred.
  • Control Port 904 is depicted with attached Control Cable 912 and LSS Manual Controller 910; Control Port 904 is attached internally to the External Control Interface 527 shown in Figure 8.
  • LSS Control Cable 912 and LSS Manual Controller 910 are attached to provide local management of the AV 900 after the AV has stopped.
  • LSS Sensor 904A may be an independent sensor, or may be integrated into the AV navigation sensors such as LIDAR, RADAR, camera or other;
  • the LSS Manual Controller 920A communicates to the LSS Sensor 902A via wireless signal and provides local management of the AV 900A after stopped. Upon establishment of LSS Manual Controller 910A control, all internal control functions are overridden, including remote AV control via other pathways. Control Port 904A is unused in this example.
  • the AV can be moved locally as necessary using the LSS Manual Controller. In terminal, this can aid in vehicle maintenance, vehicle fueling for non-electric vehicles such as diesel or hydrogen fuels, charging for electric vehicles, and load and unload tasks; in transit, this can aid in mobile or Port of Entry weight inspections and/or load inspection. Additionally, the AV Controller can be used in terminal for final inspection to verify route information, and to verify all required documentation is present, available, and correct.
  • Although a driver-less AV was used in these examples, those of ordinary skill in the art will appreciate that the AV could be with driver present, with driver facilities but no driver, or driver-less, i.e., no driver facilities, as this will probably be the development sequence for fully autonomous driver-less vehicles.

Abstract

Methods and systems for implementing autonomous vehicle security features. The present invention details an effective and secure methodology to implement the external management and control of autonomous vehicles by authorized personnel, usually law enforcement, through the use of intelligent sensors that can override an autonomous vehicle controller's functionality as necessary.

Description

Systems and Methods to Prevent Autonomous Vehicle Misuse
CROSS-REFERENCE TO RELATED APPLICATIONS
The present application claims priority to U.S. Provisional Application No. 62/710,221, filed February 14, 2018, U.S. Provisional Application No. 62/762,453, filed May 07, 2018, the disclosures of which are incorporated by reference herein in their entirety.
Technical Field
The present invention relates generally to an improved data processing system and in particular to a method and apparatus for implementing security features using Autonomous Vehicle (AV) sensors. Still more particularly, the present invention provides for dedicated or integrated sensors that allow override of vehicle functions by authorized personnel, specifically allowing the shutdown and/or management of an AV by external means.
BACKGROUND OF THE INVENTION
The field of autonomous vehicle control is currently emerging as a promising technology that can reduce costs, reduce accidents and loss of life, reduce insurance premiums, increase productivity for workers in transit and potentially eliminate drunk driving and the associated losses; however, recent misuse of vehicles by terrorists demands that the technology be proactive to develop a comprehensive threat model, as well as mitigation and prevention methodologies rather than reacting to the consequences.
Autonomous vehicles are categorized by the Society of Automotive Engineers (SAE) in specification J3016, Autonomy Levels, as follows:
• Level 0: Automated system issues warnings and may momentarily intervene but has no sustained vehicle control.
• Level 1: Driver and automated system share control over the vehicle. An example would be Adaptive Cruise Control (ACC), where the driver controls steering and the automated system controls speed. Using Parking Assistance, steering is automated while speed is manual. The driver must be ready to retake full control at any time.
• Level 2: The automated system takes full control of the vehicle: accelerating, braking, and steering. The driver must monitor the driving and be prepared to immediately intervene at any time if the automated system fails to respond properly.
• Level 3: The driver can safely turn their attention away from the driving tasks, e.g. the driver can text or watch a movie. The vehicle will handle situations that call for an immediate response, like emergency braking. The driver must still be prepared to intervene within some limited time when called upon by the vehicle to do so (specified by the manufacturer).
• Level 4: As Level 3, but no driver attention is ever required for safety, i.e. the driver may safely go to sleep or leave the driver's seat. Self-driving is supported only in limited areas or under special circumstances, like traffic jams. Outside of these areas or circumstances, the vehicle must be able to safely abort the trip, i.e. park the car, if the driver does not retake control.
• Level 5: No human intervention is required, e.g., robotic taxi.
Because this technology is so new, there are currently few autonomous vehicles commercially available for sale worldwide; however, the very nature of an autonomous vehicle provides a large measure of anonymity and therefore the possibility of subsequent misuse. Additionally, a majority of the AVs under development are electric AVs that are much easier to drive and therefore will provide a larger potential for misuse. Misuse can be intentional, as in the case of a terrorist's use of an autonomous truck to deliver explosive devices or mow down pedestrians in crowded venues; however, misuse can also be accidental, as in the case of sensor failure, environmental conditions that interfere with sensor operations, driver medical issues, failure of mechanisms to secure vehicle loads, or third party misuse such as skitching or hooky bobbing, as well as any other of a multitude of real-world problems yet to be discovered.
It is clear that at AV Level 2 and above, where all control has been relinquished to the AV, there is the need for additional external control applied by authorized personnel, usually law enforcement, for mitigating and/or preventing misuse. At Level 2, after a driver has relinquished control, the driver could possibly have an incapacitating medical event that prevents proper control of the vehicle, and if no external stimulus can provide access to the vehicle, the driver may not receive medical treatment promptly. As the level of autonomy increases, there are many additional factors that demand the development of a comprehensive policy and threat model, as well as mitigation and prevention methodologies. The policies and methodologies must meet all regulatory requirements for all jurisdictions where the AV is operated, as the industry is subject to many additional rules and regulations such as those required by the USG Federal Motor Carrier Safety Administration (FMCSA), e.g., Federal Motor Carrier Safety Regulations (FMCSRs).
The trucking industry is heavily regulated and in the normal course of business, Level 1 Class 8 vehicles are frequently required to stop for various inspections; in transit, intrastate weigh stations, border weigh stations, agricultural, etc. Additionally, law enforcement is frequently required to pull these vehicles over (lawfully stop) to issue violations for overweight loads, safety violations, or to alert the driver there are issues with vehicle or load. Level 5 vehicles do not magically make these disappear, law enforcement will have the same (and possibly more) reasons to stop the vehicle.
A partial list of requirements for lawful stop and search of Level 2 and above AVs is as follows:
1. The connection protocol must provide cryptographic mechanisms to:
   1. identify and authenticate the entity performing Lawful Stop as authorized law enforcement personnel;
   2. ensure command messages and replies are confidential and free of errors;
   3. give messages both non-repudiation of origin and non-repudiation of receipt.
2. In non-emergency situations:
   1. Indicate that law enforcement's command has been received and action is in progress.
   2. If the message is "Stop", the AV must safely pull off the right of way and stop, and:
      1. communicate with dispatch:
         1. notify the owner/operator that the vehicle is being stopped;
         2. send law enforcement's credentials for the records:
            1. identification,
            2. method of authentication,
            3. jurisdiction,
            4. location and time;
      2. communicate with law enforcement to provide any necessary information;
      3. possibly relinquish control of the vehicle to law enforcement;
      4. unlock the cargo compartment upon request for inspection;
      5. lock the cargo compartment;
      6. safely retake control of the vehicle;
      7. safely resume operation.
   3. If the message is "EmergencyStop", the AV must apply all means to stop immediately.
   4. Obey all "Fence" commands immediately by requesting a reroute map and immediately rerouting around the restricted area.
Currently, the lawful stop of a vehicle depends on visual verification of law enforcement, i.e., the police vehicle, police uniform and the badge; unfortunately, unmarked police cars and a rising mistrust of law enforcement make these inadequate, even if a computer could perform these verifications. The opportunity to improve these outdated metrics and move to secure methodologies requires that Level 2 and above autonomous vehicles use the best available technology, designed to provide law enforcement's identification and authentication, message integrity, message confidentiality, non-repudiation of origin and non-repudiation of receipt.
The current marketing blitz being waged by more than 20 AV manufacturers doesn't discuss AV Control System security, the use of recognized international standards for software development, or the testing methodologies of the AV control system. They certainly don't disclose the dangers posed to the public by AVs used responsibly, or under normal misuse cases, much less the use of these vehicles by terrorists. Without secure control systems, i.e., systems developed with secure development practices and tested, evaluated and approved by third-party experts, AVs are easily usable by terrorists as delivery programs for weapons. Therefore, all Level 2 and above AVs must implement lawful stop and search that is independent of the vehicle's controller. Because all computer systems are much more vulnerable to exploitation when an attacker has physical control of the device, the lawful controller must be implemented in a tamper-proof enclosure, as should the vehicle controller, sensor system, and all sensor wiring. It is recommended that the FIPS 140-2 Level 4 specification be used for guidance.
Additionally, the software and hardware should be subject to review by third party experts; it is suggested as a minimum that they undergo a Common Criteria evaluation as well as FIPS 140-2 Level 4 certification.
Most importantly, lawful stop and search must take into account that any Level 2 and above AV can be effectively used as a terrorist's weapon acting at a great distance. When contemplating the use of Class 8 AVs as a weapon, the true gravity of the situation appears clear: an 80,000 lb weapon is frightening and cannot be ignored.
It is readily apparent that many threats and extensive regulations are present, but unsolved for this emerging technology; therefore, it would be advantageous to have an improved method and apparatus to prevent autonomous vehicle misuse.
SUMMARY OF THE INVENTION
The present invention provides a system, method and apparatus to prevent autonomous vehicle misuse. The exemplary aspects of the present invention detail an effective and secure methodology to implement the external management and/or shutdown of autonomous vehicles by authorized personnel through the use of intelligent sensors that can override functionality as necessary.
BRIEF DESCRIPTION OF THE DRAWINGS
The novel features believed characteristic of the invention are set forth in the appended claims; however, the invention itself, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:
Figure 1 is a block diagram showing a typical Autonomous Vehicle with AV Controller and Sensor System in which the present invention may be implemented;
Figure 2 is a block diagram showing details of a typical Autonomous Vehicle Controller and Support Systems in which the present invention may be implemented;
Figure 3 depicts a handheld Lawful Stop and Search (LSS) illuminator;
Figure 4 depicts a car mounted Lawful Stop and Search (LSS) illuminator;
Figure 5 depicts a helicopter mounted Lawful Stop and Search (LSS) illuminator;
Figure 6 is a diagram depicting a Fixed LSS Fence, an electronic fence using Lawful Stop and Search (LSS) illuminators;
Figure 7 is a diagram depicting the two way communications where the LSS Illuminator, acting as a client, communicates with a LSS AV Override System Controller, acting as the server, i.e., actively listening for an illuminator;
Figure 8 is a block diagram of an example LSS illuminator electronics;
Figure 9 is a block diagram of an example LSS Manual Controller electronics;
Figure 10 is a block diagram of an example LSS AV Override System Controller electronics;
Figure 11 is a block diagram showing details of a LSS Override System Controller interfaces to a typical Autonomous Vehicle Controller;
Figure 12 is a diagram depicting a driver-less AV with wired LSS Manual Controller; and
Figure 13 is a diagram depicting a driver-less AV with wireless LSS Manual Controller.
DETAILED DESCRIPTION OF THE INVENTION
With reference now to the figures, and in particular with reference to FIGURE 1, a block diagram depicting a typical Autonomous Vehicle (AV) with AV Controller and Sensor System 100 in which the present invention may be implemented. Those of ordinary skill in the art will appreciate that the AV Controller and the sensor systems may vary according to the manufacturer, design requirements, requirements mandated by local and federal regulatory bodies, as well as intended usage. Depicted in Figure 1 is an autonomous vehicle with AV Controller 130 and the various sensors currently being designed for autonomous vehicles; the direction of forward travel is indicated by the arrow. The diagram shows long range radar sensor coverage 101, medium radar coverage 104, 105, and 106, camera coverage 102, short range radar coverage 103, ultrasonic sensor coverage 110, 111, 112, 113, 114, and 115, and omnidirectional sensor coverage 120 generated by the omnidirectional sensor 132. The omnidirectional sensor may represent a GPS/GNSS, LIDAR, V2X, LSS, RF, or a combination of these (or other technology types), i.e., an AV could support multiple omnidirectional technologies, each having dedicated sensors, or sensors integrated with multiple technologies. A LSS (Lawful Stop and Search) sensor, either dedicated or integrated with other sensor technology, may be implemented as a single mode or as a multi-mode sensor as design demands.
With reference now to Figure 2, a block diagram depicting a typical Autonomous Vehicle (AV) Controller and Support Systems 200 in which the present invention may be implemented. Those of ordinary skill in the art will appreciate that the AV Controller and Support systems may vary according to the manufacturer, design requirements, requirements mandated by local and federal regulatory bodies, as well as intended usage. Depicted in Figure 2 is the autonomous vehicle controller processor subsystem 201, providing the main processing resources and external interface, and the User Interface 203, which provides possible manual interfaces to the controller. Additionally shown are the following systems: the Brake Controller & Brake System 205, Radio Controller & Radio System 207, Steering Controller & Steering System 209, Sensor Controllers 211, Drive Motor Controller & Drive Motor System 213, GPS Controller & GPS System 215, Lighting Controller & Lighting System 217, and Other Systems Controller & Systems 219. The External Control Interfaces 221 and 223 provide both normal control interfaces 223 and emergency control interfaces 221 to the AV Controller. The normal control interface 223 interfaces directly with the AV Controller Processor Subsystem 210 and allows an external controller to override the normal autonomous operations. The emergency control interface 221 bypasses the AV Controller Processor Subsystem 210 and interfaces directly to the Brake Controller & Brake System 205, Steering Controller & Steering System 209 and Drive Motor Controller & Drive Motor System 213.
With reference now to Figures 3, 4, 5 and 6, depictions of a LSS handheld illuminator, a LSS Car Mounted illuminator, a LSS Helicopter Mounted illuminator, and a fixed LSS Fence, in accordance with a preferred embodiment of the present invention. Those of ordinary skill in the art will appreciate that the LSS Car Mounted illuminator and the LSS Helicopter Mounted illuminator will require external mounts that have azimuth and elevation control for pointing; however, this is beyond the scope of the present invention. Typically, law enforcement personnel will operate the LSS illuminators as part of an intervention process when an AV must be stopped for inspection or where other means have failed or deemed unusable or unsafe. The LSS illuminator is used to signal the AV that authorized personnel are overriding AV control. A LSS illuminator may be a single mode, or multi-mode device; multi-mode may allow different modes to be selectable or all modes may be used simultaneously.
Additionally, each Illuminator depicted may be integrated into other systems already required; e.g. the LSS handheld illuminator could be integrated into a flashlight, the LSS Car Mounted illuminator could be integrated into the vehicle's emergency lighting. Those of ordinary skill in the art will appreciate that these modes may vary according to the manufacturer, design requirements, requirements mandated by local and federal regulatory bodies, as well as intended usage and range. Typical modes would be visible laser, infrared laser, ultrasonic, Radio Frequency (RF) and/or other applicable technologies; multi-mode devices would utilize two or more of these (or two or more frequencies), either selectably or simultaneously.
With reference now to Figure 6, a concept drawing of a restricted area consisting of Restricted Roadway 312C and Pedestrian Walkways 310C and 314C. These areas are protected by an electronic fence consisting of LSS Illuminators 302C, 304C, 306C, and 308C, each transmitting a "Fence" command with the GPS coordinates of the restricted area. These coordinates could be the corners of the fenced area or the center and radius, as design dictates. Commands are transmitted periodically at a high repetition rate during periods of usage, and may be turned off otherwise. The installation could be used to exclude AVs from restricted areas, such as large celebrations and/or large public gatherings.
With reference now to Figure 7, a depiction of the communications path between a LSS illuminator 400 and a LSS AV Sensor 420 showing the two way nature of the communication in accordance with a preferred embodiment of the present invention. In this depiction, the communications may be visible laser, infrared laser, ultrasonic, Radio Frequency (RF) and/or other applicable technologies. Those of ordinary skill in the art will appreciate that one way communication cannot provide the required level of security to prevent LSS misuse, e.g., malicious or criminal hacking and/or pranking, load hijacking, competitor interference, etc.; therefore, a two way encrypted communication channel with mutual authentication is established to meet the applicable standards to guarantee LSS user identification and authentication, message integrity, message confidentiality, non-repudiation of origin and non-repudiation of receipt. LSS user identification and authentication is necessary to prevent unauthorized interference with the AV, message integrity is required to ensure the message is received correctly so it may be interpreted properly, and message confidentiality is required to prevent spoofing of LSS messages or other hacking techniques. Non-repudiation of origin is required to ensure the AV's owner/dispatcher has sufficient records to know who stopped the AV and why, and non-repudiation of receipt is required so the origin (ownership) of the AV can be verified.
Depicted in Figure 7 are LSS illuminator 400 with Transmitter (TX) 401 and Receiver (RX) 402, and LSS AV Sensor 420 with Receiver (RX) 421 and Transmitter (TX) 422. LSS AV Sensor 420 acts as a server, listening for a LSS illuminator 400 communication to be initiated via Receiver 421; its Transmitter 422 is inactive. When LSS illuminator 400 is activated it initiates a Transport Layer Security version 1.2 (TLSv1.2) handshake with mutual authentication; if the LSS AV Sensor 420 Receiver 421 is in its beam 410 as shown, the LSS AV Sensor 420 responds via Transmitter 422 and completes the handshake. Immediately after the handshake is completed, the LSS illuminator 400 transmits command(s) and waits on a response from the LSS AV Sensor 402. When the command(s) are acknowledged, the LSS illuminator 400 issues a TLSv1.2 shutdown command to terminate the link; this ends the TLS session.
Those of ordinary skill in the art will appreciate that protocols other than TLSv1.2 may be used to achieve the necessary link security; however, they will also recognize that non-repudiation of origin and non-repudiation of receipt are required, whether provided as an extension to TLS or as part of the application layer.
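The illuminator-to-sensor session just described, together with the protocol requirements listed earlier under "A partial list of requirements", as an added example that is not part of the patent or of any product: a Go program in which the LSS AV Sensor is a TLS 1.2 server that requires a client certificate, the illuminator is the client, one command is sent and acknowledged, and the illuminator then closes the session. The in-memory certificate authority, the names lss-ca.example, officer-4711.lss-ca.example and av-sensor-420.lss-ca.example, the ACK/REJECT reply format and the function names are assumptions of the example. As the text notes, TLS by itself does not provide non-repudiation; the example only records the identity each side verified from its peer's certificate, which is the starting point for any signed application-layer record.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// check panics on error; it is used only while building the constructed example PKI.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a P-256 certificate; with parent == nil it is a self-signed CA. The whole PKI is
// constructed in memory for this example; a fielded system would use a CA trusted by both sides.
func newCert(cn string, serial int64, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	issuer, signer := parent, parentKey
	if parent == nil { // CA: self-signed and allowed to sign leaves
		tmpl.IsCA, tmpl.KeyUsage, issuer, signer = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl, key
	} else { // leaf: bound to one role (client or server) and to its name
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{eku}, []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// LSSExchange runs one illuminator (TLS client) to sensor (TLS server) session over an in-memory pipe:
// mutually authenticated TLS 1.2 handshake, one command, one reply, then the illuminator's close_notify.
// It returns the reply and the name each side took from its peer's certificate. With withCert == false
// the illuminator presents no certificate, and the sensor must refuse it before any command is read.
func LSSExchange(command string, withCert bool) (reply, officer, vehicle string, err error) {
	ca, caKey := newCert("lss-ca.example", 1, 0, nil, nil)
	illum, illumKey := newCert("officer-4711.lss-ca.example", 2, x509.ExtKeyUsageClientAuth, ca, caKey)
	sensor, sensorKey := newCert("av-sensor-420.lss-ca.example", 3, x509.ExtKeyUsageServerAuth, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{sensor.Raw}, PrivateKey: sensorKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "av-sensor-420.lss-ca.example", MinVersion: tls.VersionTLS12}
	if withCert {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{illum.Raw}, PrivateKey: illumKey}}
	}
	cEnd, sEnd := net.Pipe()
	done := make(chan error, 1)
	go func() { // sensor side: passive server; every message is one TLS record, so a single Read gets it
		defer sEnd.Close()
		conn, buf := tls.Server(sEnd, serverCfg), make([]byte, 256)
		n, err := 0, conn.Handshake()
		if err == nil { // only a CA-certified illuminator gets here; its name goes into the stop record
			officer = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
			n, err = conn.Read(buf)
		}
		if err == nil {
			cmd, verdict := strings.TrimSpace(string(buf[:n])), "REJECT"
			switch cmd { // command set from the description of Figure 7; anything else is refused
			case "EmergencyStop", "Stop", "Fence", "Acknowledge", "Identify", "Manifest", "PullOverPark", "ResumeOperation":
				verdict = "ACK"
			}
			_, err = fmt.Fprintf(conn, "%s %s\n", verdict, cmd)
		}
		done <- err
	}()
	conn, buf := tls.Client(cEnd, clientCfg), make([]byte, 256) // illuminator side: active client
	n, err := 0, conn.Handshake()
	if err == nil {
		vehicle = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
		_, err = fmt.Fprintf(conn, "%s\n", command)
	}
	if err == nil {
		n, err = conn.Read(buf)
	}
	conn.Close() // TLS shutdown: close_notify to the sensor, then the pipe is closed
	if serr := <-done; err == nil {
		err = serr
	}
	return strings.TrimSpace(string(buf[:n])), officer, vehicle, err
}

func main() {
	fmt.Println(LSSExchange("Stop", true))  // ACK Stop officer-4711.lss-ca.example av-sensor-420.lss-ca.example <nil>
	fmt.Println(LSSExchange("Stop", false)) // no illuminator certificate: the handshake fails and no command is read
}
```

The second call in main, with no illuminator certificate, fails inside the handshake; the sensor never reads a command from a peer it has not authenticated, which is the property that makes a one-way or unauthenticated illuminator useless against it. An unknown command from an authenticated illuminator is still answered, with REJECT, so that the illuminator's record shows what was sent.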
Typical necessary commands (or their equivalent) that are envisioned are the emergency commands, "EmergencyStop", "Stop", and "Fence", and the normal commands, "Acknowledge", "Identify", "Manifest", "PullOverPark", and "ResumeOperation"; once the AV is at a full stop, further actions can be initiated via other communication paths. The command "EmergencyStop" is issued only when imminent danger necessitates that the AV apply all means to halt motion; this may necessitate a separate control path be implemented, one that bypasses the AV's controller and operates directly on the motor feed and braking mechanisms. The command "Stop" is issued in situations that require an immediate AV halt; however, normal safety rules remain in place, except that the AV does not need to clear traffic lanes. The command "Fence" is issued in fixed locations that require the AV to recognize a restricted area that the AV may not enter; this command transmits the GPS coordinates of its location so the AV may reroute. The command "Acknowledge" requires the AV to respond to a sensor query to verify the health of the LSS System. The command "Identify" requires the vehicle to return AV identification data. The command "Manifest" requires the AV to respond with the current vehicle manifest data. The command "PullOverPark" is intended for normal situations where vehicle inspection, e.g., load inspection, vehicle weight, etc., or another lawful stop of the AV is required and the AV needs to clear traffic lanes. The command "ResumeOperation" is intended to allow the AV to continue its operation after interruption; however, no internal AV control may be applied until enabled by receipt of this command. Additionally, some commands could require sub-commands for added functionality; the "PullOverPark" command could include sub-commands to indicate why the AV was pulled over, e.g., "MobileScale", "LoadInspection", "EquipmentViolation", or others as required. Those of ordinary skill in the art will appreciate that design requirements, regulatory requirements, field experience, etc., may require commands be added, modified, and/or removed.
With reference now to Figure 8, a block diagram illustrating components of a LSS illuminator 500 used by authorized personnel to mitigate and/or prevent autonomous vehicle misuse is depicted in accordance with a preferred embodiment of the present invention. The LSS illuminator described herein communicates directly with the LSS Sensor described in the paragraph below. In this illustrative example, the components are organized into the following subsystems: processing, transmit chain, receive chain, user interface and dispatch interface. Those of ordinary skill in the art will appreciate that the hardware depicted in Figure 8 may vary; e.g., other components may be used in the transmit and/or receive chain, or other subsystems.
The transmit chain is comprised of Oscillator 501, which generates the carrier frequency, the Modulator 503, which modulates the carrier, Amplifier 505, which amplifies the signal, and the Transmitter 507, which emits the modulated beam 530 intended for the LSS Sensor. The receive chain is comprised of the Receiver 515, which receives the modulated beam 532 from the LSS Sensor, Signal Conditioner and Amplifier 513, which synchronizes to the incoming signal and amplifies it to the proper level, and Demodulator 511, which recovers the information content from the modulated carrier wave and sends it for processing. The processing chain is comprised of Processor 509 and the RAM/NVRAM 517. The Processor 509 performs all processing tasks, including generating transmit signals, interpreting received signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 517, where program and data are stored, interfaces to USB Interface 521, which provides the means to load necessary system data, reads User Input 519, drives Status Indicators 523, and drives the Dispatch Interface 525, which ensures all device (LSS Illuminator) usage is externally monitored to preserve usage records.
Optionally, for electronic fence applications, a GPS Receiver 527 and GPS Antenna 529 can be integrated. It is recommended that high-accuracy GPS be implemented.
With reference now to Figure 9, a diagram illustrating components of an LSS Manual Controller 600 intended to communicate with the AV and used to manage the autonomous vehicle is depicted in accordance with a preferred embodiment of the present invention. The LSS Manual Controller described herein communicates directly with the LSS AV Override System via an attached cable or by wireless link; the details of the cable or wireless link are not illustrated. In this illustrative example, the components are organized into the following subsystems: processing, transmit chain, receive chain, and user interface. Those of ordinary skill in the art will appreciate that the hardware depicted in Figure 9 may vary; e.g., other components may be used in the transmit and/or receive chain, or other subsystems.
The transmit chain is comprised of Oscillator 601, which generates the carrier frequency, the Modulator 603, which modulates the carrier, Amplifier 605, which amplifies the signal, and the Transmitter 607, which emits the modulated signal 630 to the LSS AV Override System, either via wired or wireless means. The receive chain is comprised of the Receiver 615, which receives the modulated signal 632 from the LSS AV Override System, again either via wired or wireless means, Signal Conditioner and Amplifier 613, which synchronizes to the incoming signal and amplifies it to the proper level, and Demodulator 611, which recovers the information content from the modulated carrier wave and sends it for processing. The processing chain is comprised of Processor 609 and the RAM/NVRAM 617. The Processor 609 performs all processing tasks, including generating transmit signals, interpreting received signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 617, where program and data are stored, interfaces to USB Interface 621, which provides the means to load necessary system data, reads User Input 619, and drives Status Indicators 623. When LSS Manual Controller 600 is activated it initiates a TLSv1.2 handshake with mutual authentication; immediately after the handshake is completed, the LSS Manual Controller 600 transmits command(s) and waits on a response from the LSS AV Override System. When the command(s) are acknowledged, the LSS Manual Controller 600 issues a TLSv1.2 shutdown command to terminate the link; this ends the TLS session. Those of ordinary skill in the art will appreciate that protocols other than TLSv1.2 may be used to achieve the necessary link security.
Typical necessary commands (or their equivalent) that are envisioned are the proportional commands, "PullForward", "Backup", "TurnLeft", and "TurnRight", and the fixed commands, "Stop", "DownloadVehicleIdentification", "UnlockLoadCompartment", "ContactTerminal", and "ResumeOperation"; proportional commands carry rate information and are used to move the vehicle locally at low rates of speed. The command "Stop" is issued in situations that require an immediate AV halt. The command "DownloadVehicleIdentification" is intended for situations where vehicle inspection requires the vehicle to produce documentation such as: identification (the motor carrier's name or trade name and the motor carrier's Department of Transportation (DOT) registration number), manifest, proof of insurance, maintenance records, accident records, licenses, permits, planned route and actual route, etc.; this information is downloaded to the controller's USB drive for review and storage. The command "UnlockLoadCompartment" is used to perform vehicle load inspections. The command "ContactTerminal" is intended to notify the vehicle's owner/operator that additional assistance is required. The command "ResumeOperation" is intended to allow the AV to continue its operation after interruption; however, no internal AV control may be applied until enabled by receipt of this command. Those of ordinary skill in the art will appreciate that design requirements, regulatory requirements, field experience, etc., may require commands be added, modified, and/or removed.
With reference now to Figure 10, a diagram illustrating components of a LSS AV Override System Controller 700 mounted on the AV and used to mitigate and/or prevent autonomous vehicle misuse and for vehicle management is depicted in accordance with a preferred embodiment of the present invention. The LSS AV Override System described herein communicates directly with the LSS illuminator described in the paragraph above and communicates with the LSS Manual Controller described below. In this illustrative example, the components are organized into the following subsystems: processing, transmit chain, receive chain, user interface and dispatch interface; the subsystems may be appropriately separated into physically different enclosures, with the transmit and receive chains located in one package mounted on top of the AV and the remainder in a more accessible location. Additionally, the components may be integrated into existing AV sensors such as LIDAR, radar, GNSS, or ultrasonic, etc.; furthermore, significant anti-tampering characteristics of the LSS AV Override System may be gained through the use of integrated sensors, e.g., if an integrated LSS/LIDAR sensor were tampered with, the LIDAR system would also be downgraded and the system would fail. Additionally, some components, such as the receiver and/or transmitter, may be integrated into the vehicle's running, braking, or emergency lighting. Those of ordinary skill in the art will appreciate that the hardware depicted in Figure 10 may vary, e.g., other components may be used in the transmit and/or receive chain, or other subsystems.
The transmit chain is comprised of Oscillator 701, which generates the carrier frequency, the Modulator 703, which modulates the carrier, Amplifier 705, which amplifies the signal, and the Transmitter 707, which emits the modulated beam 730 intended for the LSS Illuminator. The receive chain is comprised of the Receiver 715, which receives the modulated beam 732 from the LSS Illuminator, Signal Conditioner and Amplifier 713, which synchronizes to the incoming signal and amplifies it to the proper level, and Demodulator 711, which recovers the information content from the modulated carrier wave and sends it for processing. The processing chain is comprised of Processor 709 and the RAM/NVRAM 717. The Processor 709 performs all processing tasks, including generating transmit signals, interpreting received signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 717, where program and data are stored, interfaces to USB Interface 721, which provides the means to load necessary system data, reads User Input 719, drives Status Indicators 723, drives the Dispatch Interface 725, which ensures all device (LSS Illuminator) usage is externally monitored to preserve usage records, interfaces to the External Control Interface 727, which allows the AV to be controlled by an external device, and interfaces to the AV Computer Interface 729, which sends override commands to the AV control system computer, or to a separate control implemented to bypass the AV's controller and operate directly on the motor feed and braking mechanisms via the Emergency Override Interface 728. A high-accuracy GPS Receiver 720 and GPS Antenna 724 provide accurate LSS location data that is independent of the AV control system. LSS location data is used in conjunction with "Fence" commands received from LSS electronic fence installations. As the vehicle approaches a restricted area marked with the LSS fence, the AV controller may be notified to avoid the restricted area. In the case that the LSS AV Override System detects actual AV intrusion into a LSS electronic fenced area, the vehicle is reliably stopped by bypassing the AV's controller via the Emergency Override Interface 728, operating directly on the motor feed and braking mechanisms. Once the AV has been stopped using the Emergency Override Interface 728, it can only be restarted by law enforcement. LSS AV Override System location data can also be sent to the AV control system to increase its reliability. To reduce misuse and increase route reliability, the Native AV Controller can transmit the route map to the LSS AV Override System via the AV Computer Interface 729, where the route is continuously checked by the LSS Override System. Small route deviations can be transmitted back to the AV controller for correction, resulting in higher route reliability, whereas large route deviations will result in activation of the Emergency Override Interface and a subsequent AV stop. Those of ordinary skill in the art will appreciate that the LSS AV Override System and all interfaces to the AV must have sufficient physical and logical protection to prevent misuse and/or tampering; therefore, manufacturers should consider FIPS 140-2 Level 4 certification or its equivalent.
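The fence and route checks described for Figure 10 (with the "Fence" command of Figure 6), as an added example that is not part of the patent: a Go program that measures a position fix against a restricted area given either as corners or as centre and radius, and against the route map shared by the AV controller, and classifies the result as a small deviation to correct, an approaching fence to reroute around, or an intrusion or large deviation that triggers the Emergency Override Interface. The distance thresholds (5 m, 50 m, 100 m), the equirectangular projection, the Earth radius and the sample coordinates are assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
)

const earthRadiusM = 6371000.0 // mean Earth radius; an assumed constant for the projection below
type Point struct{ Lat, Lon float64 } // WGS-84 position in decimal degrees

// Fence is one restricted area as a "Fence" command could carry it (description of Figure 6):
// either the corners of the area, in order, or its centre and a radius in metres.
type Fence struct {
	Corners []Point
	Center  Point
	RadiusM float64
}

// localXY projects p onto a flat plane of metres centred on origin (equirectangular approximation,
// adequate over the few kilometres that a fence or a route check spans).
func localXY(origin, p Point) (x, y float64) {
	const rad = math.Pi / 180
	return (p.Lon - origin.Lon) * rad * earthRadiusM * math.Cos(origin.Lat*rad), (p.Lat - origin.Lat) * rad * earthRadiusM
}

// segmentDistanceM is the distance in metres from p to the segment a-b.
func segmentDistanceM(p, a, b Point) float64 {
	ax, ay := localXY(p, a)
	bx, by := localXY(p, b)
	dx, dy, t := bx-ax, by-ay, 0.0
	if l2 := dx*dx + dy*dy; l2 > 0 {
		t = math.Max(0, math.Min(1, -(ax*dx+ay*dy)/l2)) // p (the origin) projected onto a-b, clamped to it
	}
	return math.Hypot(ax+t*dx, ay+t*dy)
}

// DistanceM is the distance from p to the fence boundary: negative inside, positive outside.
func (f Fence) DistanceM(p Point) float64 {
	if len(f.Corners) < 3 {
		return math.Hypot(localXY(f.Center, p)) - f.RadiusM
	}
	inside, edge := false, math.Inf(1)
	for i, j := 0, len(f.Corners)-1; i < len(f.Corners); j, i = i, i+1 {
		a, b := f.Corners[i], f.Corners[j]
		edge = math.Min(edge, segmentDistanceM(p, a, b))
		// ray casting: toggle for every edge that straddles p's latitude and crosses east of p
		if (a.Lat > p.Lat) != (b.Lat > p.Lat) && p.Lon < a.Lon+(p.Lat-a.Lat)*(b.Lon-a.Lon)/(b.Lat-a.Lat) {
			inside = !inside
		}
	}
	if inside {
		return -edge
	}
	return edge
}

// Thresholds assumed for the example; the text fixes none of them.
const (
	smallDeviationM = 5.0   // up to this is sensor noise
	largeDeviationM = 50.0  // beyond this the planned route is being abandoned
	fenceApproachM  = 100.0 // closer than this to a fence, the AV controller is told to reroute
)

// Decision is the override system's verdict for one position fix and the measurements behind it.
type Decision struct {
	Action          string  // "on-route", "correct-route", "notify-avoid-fence" or "emergency-stop"
	RouteDeviationM float64 // distance to the nearest point of the planned route (+Inf with no route)
	FenceDistanceM  float64 // distance to the nearest fence, negative inside it (+Inf with no fences)
}

// Assess applies the logic described for Figure 10: intrusion into a fence or a large route deviation stops
// the vehicle through the Emergency Override Interface; an approaching fence or a small deviation is only
// reported to the AV controller. Without a shared route every fix counts as a large deviation.
func Assess(pos Point, route []Point, fences []Fence) Decision {
	d := Decision{Action: "on-route", RouteDeviationM: math.Inf(1), FenceDistanceM: math.Inf(1)}
	for i := 1; i < len(route); i++ {
		d.RouteDeviationM = math.Min(d.RouteDeviationM, segmentDistanceM(pos, route[i-1], route[i]))
	}
	for _, f := range fences {
		d.FenceDistanceM = math.Min(d.FenceDistanceM, f.DistanceM(pos))
	}
	switch {
	case d.FenceDistanceM <= 0 || d.RouteDeviationM > largeDeviationM:
		d.Action = "emergency-stop" // bypass the AV controller; act on motor feed and brakes directly
	case d.FenceDistanceM < fenceApproachM:
		d.Action = "notify-avoid-fence"
	case d.RouteDeviationM > smallDeviationM:
		d.Action = "correct-route"
	}
	return d
}

func main() {
	route := []Point{{0, 0}, {0, 0.01}} // constructed sample: 1.1 km east along the equator
	fences := []Fence{{Corners: []Point{{0.0005, 0.004}, {0.0005, 0.006}, {0.002, 0.006}, {0.002, 0.004}}},
		{Center: Point{0.01, 0.005}, RadiusM: 200}} // constructed: a rectangle just north of the route, a circle farther north
	for _, pos := range []Point{{0, 0.002}, {0.0001, 0.002}, {0, 0.005}, {0.001, 0.005}, {0.0105, 0.005}} {
		fmt.Printf("%+v -> %+v\n", pos, Assess(pos, route, fences))
	}
}
```

The order of the cases in Assess is deliberate: an intrusion or a large deviation is decided before the approach check, so a vehicle that is already inside a fence is stopped even though it is also "near" one. A fence stored as centre and radius and one stored as corners are handled by the same DistanceM method, so the decision logic does not depend on which form the "Fence" command used.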
With reference now to Figure 7, a diagram illustrating components of a LSS illuminator 400, and Figure 9, a diagram illustrating components of an LSS Manual Controller 600: the two show significant similarities, such that the handheld LSS Illuminator and a LSS Manual Controller may be integrated into a single package.
With reference now to Figure 11, a block diagram of a LSS Override System Controller and Autonomous Vehicle Controller 800 showing the relationship and connections between the LSS Override System Controller 801, the AV Controller and Support System 803, and the External Control Interfaces 805 and 807. The LSS Override System Controller 801 is purposefully shown above the AV Controller and Support System 803 because it can override the AV Controller and Support System 803 which must respond to the direction of LSS Override System Controller 801.
The LSS Override System Controller 801 is fully explained in the description of Figure 10 above; the AV Controller and Support System 803 and the External Control Interfaces 805 and 807 are fully explained in the description of Figure 2.
With reference now to Figure 12, a concept drawing of a driver-less AV 900 having LSS Sensor 902 and Control Port 904 is depicted in accordance with a preferred embodiment of the present invention. LSS Sensor 902 may be an independent sensor, or may be integrated into the AV navigation sensors such as LIDAR, RADAR, camera or other; however, integrated sensors offer increased anti-tampering security and are therefore preferred. Control Port 904 is depicted with attached Control Cable 912 and LSS Manual Controller 910; Control Port 904 is attached internally to the External Control Interface 527 shown in Figure 8. LSS Control Cable 912 and LSS Manual Controller 910 are attached to provide local management of the AV 900 after the AV has stopped. Upon connection of LSS Manual Controller 910, all internal control functions are overridden, including remote AV control via other pathways.
With reference now to Figure 13, a concept drawing of a driver-less AV 900A having LSS Sensor 902A and Control Port 904A is depicted in accordance with an alternate embodiment of the present invention. LSS Sensor 904A may be an independent sensor, or may be integrated into the AV navigation sensors such as LIDAR, RADAR, camera or other; however, integrated sensors offer increased anti-tampering security and are therefore preferred. The LSS Manual Controller 920A communicates with the LSS Sensor 902A via wireless signal and provides local management of the AV 900A after it has stopped. Upon establishment of LSS Manual Controller 910A control, all internal control functions are overridden, including remote AV control via other pathways. Control Port 904A is unused in this example.
With reference now to Figure 12 and Figure 13, whether wired or wireless, the AV can be moved locally as necessary using the LSS Manual Controller. In the terminal this can aid in vehicle maintenance, vehicle fueling for non-electric vehicles such as those using diesel or hydrogen fuels, charging for electric vehicles, and load and unload tasks; in transit this can aid in mobile or Port of Entry weight inspections and/or load inspection. Additionally, the AV Controller can be used in the terminal for final inspection to verify route information, and to verify that all required documentation is present, available, and correct. Although a driver-less AV was used in these examples, those of ordinary skill in the art will appreciate that the AV could be with driver present, with driver facilities but no driver, or driver-less, i.e., with no driver facilities, as this will probably be the development sequence for fully autonomous driver-less vehicles.
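The control rules stated across the descriptions of Figures 7, 9, 10, 12 and 13, as an added example that is not part of the patent: a Go state machine for the LSS AV Override System Controller that enforces what the text requires, namely that no internal AV control is applied after a stop until "ResumeOperation" is received from law enforcement, that an emergency stop is lifted only by law enforcement, that proportional manual commands move the vehicle only at low rates, and that an attached LSS Manual Controller overrides every other control path. The state names, the rate limit of 0.25, the requirement that the vehicle be stopped before a manual controller attaches, and the log format are assumptions of the example.

```go
package main

import "fmt"

// Source is who issued a command to the LSS AV Override System Controller.
type Source int

const (
	AVController        Source = iota // the vehicle's own controller (internal control)
	LSSIlluminator                    // law enforcement, over the authenticated illuminator link
	LSSManualController               // law enforcement, over the wired or wireless manual controller
)

// State is the vehicle's condition as the override controller sees it.
type State string

const (
	Autonomous       State = "autonomous"        // the AV controller drives
	Stopped          State = "stopped"           // halted by "Stop" or "PullOverPark"; AV controller locked out
	EmergencyStopped State = "emergency-stopped" // halted through the Emergency Override Interface
	ManualControl    State = "manual-control"    // an LSS Manual Controller is attached and in charge
)

// maxManualRate bounds the proportional commands. The text says only "low rates of speed", so the
// unit (fraction of full drive authority) and the limit are assumed here.
const maxManualRate = 0.25

var proportional = map[string]bool{"PullForward": true, "Backup": true, "TurnLeft": true, "TurnRight": true}

// Override enforces the rules stated in the description: after any lawful stop no internal control is
// applied until "ResumeOperation" arrives from law enforcement, an emergency stop is lifted only by law
// enforcement, and an attached manual controller overrides every other control path.
type Override struct {
	State State
	Log   []string // every accepted LSS command, kept so that a stop can be reconstructed afterwards
}

// Attach connects an LSS Manual Controller; the text allows this only once the vehicle has stopped.
func (o *Override) Attach() error {
	if o.State != Stopped && o.State != EmergencyStopped {
		return fmt.Errorf("manual controller cannot be attached in state %q", o.State)
	}
	o.State = ManualControl
	return nil
}

// Apply processes one command from src; rate matters only for the proportional commands.
func (o *Override) Apply(src Source, cmd string, rate float64) error {
	if o.State == "" {
		o.State = Autonomous
	}
	switch src {
	case AVController: // internal control passes through only while nothing has overridden it
		if o.State != Autonomous {
			return fmt.Errorf("internal control is disabled in state %q until ResumeOperation", o.State)
		}
		return nil
	case LSSIlluminator:
		switch cmd {
		case "EmergencyStop": // acts on motor feed and brakes directly, bypassing the AV controller
			o.State = EmergencyStopped
		case "Stop", "PullOverPark":
			if o.State == Autonomous {
				o.State = Stopped
			}
		case "Fence", "Acknowledge", "Identify", "Manifest": // answered with data; control is unchanged
		case "ResumeOperation":
			o.State = Autonomous
		default:
			return fmt.Errorf("unknown illuminator command %q", cmd)
		}
	case LSSManualController:
		if o.State != ManualControl {
			return fmt.Errorf("manual controller is not attached (state %q)", o.State)
		}
		switch {
		case proportional[cmd] && (rate < -maxManualRate || rate > maxManualRate):
			return fmt.Errorf("%s rate %.2f exceeds the local-movement limit %.2f", cmd, rate, maxManualRate)
		case proportional[cmd], cmd == "Stop", cmd == "DownloadVehicleIdentification",
			cmd == "UnlockLoadCompartment", cmd == "ContactTerminal": // executed; control stays manual
		case cmd == "ResumeOperation":
			o.State = Autonomous
		default:
			return fmt.Errorf("unknown manual controller command %q", cmd)
		}
	default:
		return fmt.Errorf("unknown command source %d", src)
	}
	o.Log = append(o.Log, fmt.Sprintf("%d %s %.2f", src, cmd, rate))
	return nil
}

func main() {
	var o Override
	fmt.Println(o.Apply(AVController, "drive", 0))                   // accepted: autonomous operation
	fmt.Println(o.Apply(LSSIlluminator, "PullOverPark", 0), o.State) // accepted: vehicle stopped
	fmt.Println(o.Apply(AVController, "drive", 0))                   // refused: internal control disabled
	fmt.Println(o.Attach(), o.Apply(LSSManualController, "PullForward", 0.9)) // attached; rate refused
	fmt.Println(o.Apply(LSSManualController, "ResumeOperation", 0), o.State)  // accepted: autonomous again
}
```

Internal commands are never logged and never change state: the override controller only gates them, so the AV controller keeps its own authority while nothing has stopped the vehicle, and loses it the moment a lawful stop is in force. Every accepted LSS command, by contrast, lands in the log with its source, which is the trail a dispatcher would need to reconstruct who stopped the vehicle and what they did with it.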
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Definitions:
(Definitions table not reproduced: the two figure images were not extracted.)

Claims

What is claimed is:
1. A Lawful Stop and Search (LSS) Override Controller for an autonomous vehicle, the controller comprising:
a sensor system that detects at least one of ultrasonic waves and electromagnetic waves;
a receiver coupled to the sensor system to receive a modulated signal from a LSS Illuminator acting as a network client or a LSS Manual Controller acting as a network client;
a processor acting as a network server to respond to the modulated signal via a transmitter to establish a communications link with the LSS Illuminator or the LSS Manual Controller using a protocol that identifies a user of the LSS Illuminator or the LSS Manual Controller and authenticates authority of the user to directly control the autonomous vehicle via the LSS Illuminator or the LSS Manual Controller.
2. The LSS Override Controller of claim 1, wherein the communications link protocol between the LSS Override Controller and the LSS Illuminator or the LSS Manual Controller includes at least one of the following characteristics: message confidentiality, message integrity, end-point authentication, reliability, and perfect forward secrecy.
3. The LSS Override Controller of claim 1, wherein the processor receives from the LSS Illuminator or the LSS Manual Controller a digital certificate issued by a certificate authority to provide said identification and authentication, and wherein the processor supplies the LSS Illuminator or the LSS Manual Controller with a digital certificate issued by a certificate authority to identify and authenticate ownership of the autonomous vehicle.
4. The LSS Override Controller of claim 1, wherein the processor employs the protocol to send digitally signed messages to the LSS Illuminator or the LSS Manual Controller to provide non-repudiation of message receipt.
5. The LSS Override Controller of claim 1, wherein contingent upon said identification and authentication, the processor automatically acknowledges and complies with at least one of the following commands: "EmergencyStop", "Stop", "Fence", "Acknowledge", "Identify", "Manifest", "PullOverPark", and "ResumeOperation".
6. The LSS Override Controller of claim 1, wherein contingent upon receipt of one of the following commands: "EmergencyStop", "Stop", and "PullOverPark", the LSS Override Controller will respond to only a first set of commands from a LSS Illuminator or a second set of commands from a LSS Manual Controller, wherein the first set of commands includes: "Acknowledge", "Identify", "Manifest", and "ResumeOperation"; and wherein the second set of commands includes: "PullForward", "Backup", "TurnLeft", "TurnRight", "Stop", "DownloadVehicleIdentification", "UnlockLoadCompartment", "ContactTerminal", and "ResumeOperation".
7. The LSS Override Controller of claim 6, wherein contingent upon receipt of the "ResumeOperation" command the processor will return vehicle control to a default control system for the autonomous vehicle.
8. A lawful stop and search (LSS) Illuminator that comprises:
a processor acting as a network client, the processor coupled to a transmitter to provide a directed beam of acoustic or electromagnetic energy to a LSS Override Controller of an autonomous vehicle, the directed beam including a modulated signal to establish a communications link with the LSS Override Controller acting as a server, the communications link using a protocol that identifies and authenticates authority of a user of the LSS Illuminator to direct the LSS Override Controller to take control of the autonomous vehicle from a default control system for the autonomous vehicle.
9. The LSS Illuminator of claim 8, further comprising:
a receiver coupled to the processor, the receiver operating to detect, from the vehicle, responses that complete the communications link,
the processor issuing one or more commands via the communications link, the one or more commands being from a command set that includes at least: "EmergencyStop", "Stop", "Fence", "Acknowledge", "Identify", "Manifest", "PullOverPark".
10. The LSS Illuminator of claim 9, wherein the communications link protocol between LSS Illuminator and LSS Override Controller includes at least one of the following characteristics: message confidentiality, message integrity, end-point authentication, reliability, and perfect forward secrecy.
11. The LSS Illuminator of claim 8, wherein the protocol employs a digital certificate issued by a certificate authority to provide said authentication.
12. The LSS Illuminator of claim 8, wherein the processor employs the protocol to send digitally signed messages to the LSS Override Controller to provide non-repudiation of origin of the commands from the user of the LSS Illuminator directing operation of the autonomous vehicle.
13. The LSS Illuminator of claim 8, further comprising an external casing that renders the LSS Illuminator operable as a handheld device.
14. The LSS Illuminator of claim 8, wherein the transmitter is steerably mounted to a law enforcement vehicle.
15. The LSS Illuminator of claim 8, further comprising:
a receiver to detect, from the vehicle, responses that complete the communications link,
the processor issuing a "Fence" command via the communications link, the "Fence" command including coordinates that define at least one edge of a restricted area.
16. A lawful stop and search (LSS) Manual Controller that comprises:
a processor acting as a network client, the processor coupled to a transmitter to provide a modulated signal to a LSS Override Controller of an autonomous vehicle, the modulated signal employing a protocol to establish a communications link with the LSS Override Controller acting as a network server, the processor using the protocol to identify and authenticate authority of a user of the LSS Manual Controller to direct the LSS Override Controller to take control of the autonomous vehicle from a default control system for the autonomous vehicle.
17. The LSS Manual Controller of claim 16, further comprising:
a receiver coupled to the processor, the receiver operating to detect, from the LSS Override Controller, responses that complete the communications link, the processor issuing one or more commands via the communications link, the one or more commands being from a command set that includes at least: "PullForward", "Backup", "TurnLeft", "TurnRight", "Stop", "DownloadVehicleIdentification", "UnlockLoadCompartment", "ContactTerminal", and "ResumeOperation".
18. The LSS Manual Controller of claim 17, wherein the communications link protocol between LSS Controller and LSS Override Controller includes at least one of the following characteristics: message confidentiality, message integrity, end-point authentication, reliability, and perfect forward secrecy.
19. The LSS Manual Controller of claim 16, wherein the protocol employs a digital certificate issued by a certificate authority to provide said authentication.
20. The LSS Manual Controller of claim 16, wherein the processor employs the protocol to send digitally signed messages to the LSS Override Controller to provide non-repudiation of origin of the commands from the user of the LSS Manual Controller directing operation of the autonomous vehicle.
21. The LSS Manual Controller of claim 16, wherein the modulated signal between LSS Manual Controller and LSS Override Controller is conveyed by at least one of: direct wired connection, ultrasonic waves, and electromagnetic waves.
22. The LSS Manual Controller of claim 16, further comprising an external casing that renders the LSS Manual Controller operable as a handheld device.
23. A lawful stop and search (LSS) enforcement method that comprises:
illuminating a LSS Override Sensor on an autonomous vehicle with a directed beam of acoustic or electromagnetic energy that includes a modulated signal;
using responses from the LSS Override Controller to establish a communications link employing a protocol that authenticates authority of the LSS Override Controller to direct operation of the autonomous vehicle; and
issuing at least one command for the LSS Override Controller to obey automatically to direct the operation of the autonomous vehicle.
24. The LSS enforcement method of claim 23, wherein the at least one command is selected from a command set that includes at least "EmergencyStop", "Stop", and "ResumeOperation".
25. The LSS enforcement method of claim 23, wherein the protocol includes at least one of the following characteristics: message confidentiality, message integrity, end-point authentication, reliability, and perfect forward secrecy, and wherein the protocol identifies and authenticates authority of a user of an LSS Illuminator to direct the LSS Override Controller to take control of the autonomous vehicle from a default control system of the autonomous vehicle.
26. The LSS enforcement method of claim 23, wherein said illuminating includes steering an ultrasonic or electromagnetic beam from a handheld device or from a transmitter steerably mounted to a law enforcement vehicle.
27. The LSS enforcement method of claim 23, wherein said illuminating includes positioning a transmitter near an edge of a restricted area to exclude the autonomous vehicle, and wherein said at least one command is a "Fence" command that specifies coordinates to define said edge.
28. A lawful stop and search (LSS) compliance method that comprises:
detecting a modulated signal from an LSS Manual Controller to a LSS Override Controller;
responding to the modulated signal using a protocol that authenticates authority of the user of the LSS Manual Controller to direct the LSS Override Controller to take control of the autonomous vehicle from a default control system of the autonomous vehicle; and
if said authority is authenticated, establishing a communications link to receive commands from the LSS Manual Controller.
29. The LSS compliance method of claim 28, wherein if said authority is authenticated, the method further comprises acknowledging and automatically complying with at least one of the following commands: "Stop", "Acknowledge", "Identify", "Manifest", "ResumeOperation", "PullForward", "Backup", "TurnLeft", "TurnRight", "DownloadVehicleIdentification", "UnlockLoadCompartment", and "ContactTerminal".
30. The LSS compliance method of claim 28, wherein the communications link protocol includes at least one of the following characteristics: message confidentiality, message integrity, end-point authentication, reliability, and perfect forward secrecy, and
wherein the protocol supplies the LSS Manual Controller with a digital certificate to authenticate ownership of the vehicle, and further employs a digital certificate from the LSS Manual Controller to authenticate authority of the controller to direct operation of the vehicle.
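The command gating that claims 5 through 7 and 29 describe, written out as an added example (not code from the patent): the LSS Override Controller accepts only the per-device command sets, enters the stopped state on a stop command, and hands control back to the default control system on "ResumeOperation". The class and variable names are assumptions, the session key is assumed to have been agreed after the certificate exchange of claims 3 and 30, and an HMAC tag stands in for the digitally signed messages of claims 4, 12 and 20 so the example runs on the standard library alone.

```python
import hashlib
import hmac
from enum import Enum


class Role(Enum):
    """Client device type, fixed by the certificate presented at link setup (claims 3, 30)."""
    ILLUMINATOR = "illuminator"
    MANUAL_CONTROLLER = "manual_controller"


# Claim 5: commands honoured from an LSS Illuminator while the default control system drives.
ILLUMINATOR_NORMAL = {"EmergencyStop", "Stop", "Fence", "Acknowledge",
                      "Identify", "Manifest", "PullOverPark", "ResumeOperation"}
# Assumption drawn from the Figure 13 description: before the AV is stopped the
# Manual Controller may only stop it; local management begins once stopped.
MANUAL_NORMAL = {"Stop"}
# Claim 6: after one of these, only the per-device sets below are accepted.
STOP_COMMANDS = {"EmergencyStop", "Stop", "PullOverPark"}
ILLUMINATOR_STOPPED = {"Acknowledge", "Identify", "Manifest", "ResumeOperation"}
MANUAL_STOPPED = {"PullForward", "Backup", "TurnLeft", "TurnRight", "Stop",
                  "DownloadVehicleIdentification", "UnlockLoadCompartment",
                  "ContactTerminal", "ResumeOperation"}


class LssOverrideController:
    """Server-side command gate; one instance per authenticated link (assumed name)."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key  # assumed: agreed after mutual certificate auth
        self.stopped = False            # False: default control system is in charge
        self.log = []                   # accepted (role, command) pairs for audit

    def tag(self, role: Role, command: str) -> str:
        """Integrity tag the client attaches; HMAC stands in for the claimed signature."""
        data = f"{role.value}:{command}".encode()
        return hmac.new(self.session_key, data, hashlib.sha256).hexdigest()

    def handle(self, role: Role, command: str, tag: str) -> bool:
        """Return True only if the frame is authentic and allowed in the current state."""
        # Message integrity (claims 2, 10, 18): drop altered or forged frames first.
        if not hmac.compare_digest(self.tag(role, command), tag):
            return False
        if self.stopped:
            allowed = ILLUMINATOR_STOPPED if role is Role.ILLUMINATOR else MANUAL_STOPPED
        else:
            allowed = ILLUMINATOR_NORMAL if role is Role.ILLUMINATOR else MANUAL_NORMAL
        if command not in allowed:
            return False
        self.log.append((role.value, command))
        if command in STOP_COMMANDS:
            self.stopped = True         # claim 6: enter the stopped state
        elif command == "ResumeOperation":
            self.stopped = False        # claim 7: hand control back to the default system
        return True
```

A rejected frame is silently dropped here; a deployment would also record rejections, since repeated failures against the gate are the signal a tampering attempt leaves behind.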
PCT/US2019/016938 2018-02-14 2019-02-07 Systems and methods to prevent autonomous vehicle misuse WO2019160726A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201862710221P 2018-02-14 2018-02-14
US62/710,221 2018-02-14
US201862762453P 2018-05-07 2018-05-07
US62/762,453 2018-05-07

Publications (1)

Publication Number Publication Date
WO2019160726A1 true WO2019160726A1 (en) 2019-08-22

Family

ID=67619028

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2019/016938 WO2019160726A1 (en) 2018-02-14 2019-02-07 Systems and methods to prevent autonomous vehicle misuse

Country Status (1)

Country Link
WO (1) WO2019160726A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4878050A (en) * 1987-03-06 1989-10-31 Kelley William L Motor vehicle remote control system
US20070045018A1 (en) * 2005-08-25 2007-03-01 Carter Scott J Systems and methods for controlling powered vehicles near a restricted region
US20080086241A1 (en) * 2006-10-06 2008-04-10 Irobot Corporation Autonomous Behaviors for a Remove Vehicle
US20080091309A1 (en) * 1998-01-15 2008-04-17 Walker Richard C Electrically controlled automated devices to operate, slow, guide, stop and secure, equipment and machinery for the purpose of controlling their unsafe, unattended, unauthorized, unlawful hazardous and/or legal use, with remote control and accountability worldwide
US20130212659A1 (en) * 2012-02-13 2013-08-15 Intertrust Technologies Corporation Trusted connected vehicle systems and methods
US20170305423A1 (en) * 2016-04-20 2017-10-26 GM Global Technology Operations LLC Remote interrogation and override for automated driving system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19754382; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19754382; Country of ref document: EP; Kind code of ref document: A1)