WO2016091439A1 - A security device for a vehicle's electronic system - Google Patents

Publication number
WO2016091439A1
WO2016091439A1 PCT/EP2015/074273 EP2015074273W WO2016091439A1 WO 2016091439 A1 WO2016091439 A1 WO 2016091439A1 EP 2015074273 W EP2015074273 W EP 2015074273W WO 2016091439 A1 WO2016091439 A1 WO 2016091439A1
Authority
WO
WIPO (PCT)
Prior art keywords
security device
bus
vehicle
obd
ignition key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2015/074273
Other languages
French (fr)
Inventor
Robin Robert SMIT
Martin John COYNE
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Digitpol Ltd
Original Assignee
Digitpol Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Digitpol Ltd

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00: Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/01: Fittings or systems for preventing or indicating unauthorised use or theft of vehicles operating on vehicle systems or fittings, e.g. on doors, seats or windscreens
    • B60R25/04: Fittings or systems for preventing or indicating unauthorised use or theft of vehicles operating on vehicle systems or fittings, e.g. on doors, seats or windscreens operating on the propulsion system, e.g. engine or drive motor
    • H: ELECTRICITY
    • H01: ELECTRIC ELEMENTS
    • H01R: ELECTRICALLY-CONDUCTIVE CONNECTIONS; STRUCTURAL ASSOCIATIONS OF A PLURALITY OF MUTUALLY-INSULATED ELECTRICAL CONNECTING ELEMENTS; COUPLING DEVICES; CURRENT COLLECTORS
    • H01R13/00: Details of coupling devices of the kinds covered by groups H01R12/70 or H01R24/00 - H01R33/00

Definitions

  • This invention relates to a security device for a vehicle's electronic system. More specifically, the present invention relates to a security device that is operable to prevent theft of the vehicle perpetrated through exploitation of the vulnerabilities of the On-Board Diagnostics (OBD) plug.
  • OBD: On-Board Diagnostics
  • the connection to the OBD plug can be used to communicate with one or more engine control units (ECUs) or modules via the Control Area Network (CAN) Bus. This connection can be used to turn off the immobiliser module, thereby allowing the car to be started with practically any key, or can be used to allow access to the key programming module thereby allowing programming of a new key for the vehicle.
  • ECUs: engine control units
  • CAN: Control Area Network
  • a security device for a vehicle's electronic system, the vehicle's electronic system comprising a Control Area Network (CAN) Bus connected to a plurality of engine control units (ECUs) and an On-Board Diagnostics (OBD) plug, the ECUs being accessible from the OBD plug through the CAN Bus, characterised in that the security device comprises an input port for connection to the OBD plug and an output port for connection to the CAN Bus so that communications to and from the CAN Bus and the OBD plug are routed through the security device, the security device comprising means to detect whether a valid ignition key has been presented in the vehicle and means to permit write communications to pass from the OBD plug to one or more of the ECUs via the CAN Bus on detection of a valid ignition key and prevent write communications from passing from the OBD plug to the ECUs via the CAN Bus in the absence of a valid ignition key.
  • the security device will prevent any write commands from being passed from the OBD port to the ECUs over the CAN Bus if a valid ignition key is not present. In this way, if an unscrupulous individual should gain access to the interior of the car and the OBD port, they will not be able to send write commands to the ECUs as there will not be a valid ignition key present. Therefore, these individuals will not be able to turn off the immobiliser or program a new key using this method. This will obviate a significant portion of all car thefts each year. However, it will still be possible for car dealers and others with access to a valid ignition key to send write commands to one or more of the ECUs if they need to. Furthermore, the present invention is seen as a particularly simple device to manufacture and install. The solution only requires one piece of equipment, located intermediate the OBD port and the CAN Bus, and it will be possible to retrofit the device into an existing vehicle with relatively little difficulty.
  • a security device in which the means to detect whether a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from an immobilizer ECU indicative that a valid ignition key has been presented in the vehicle.
  • a security device in which the means to detect a communication on the CAN Bus from an immobilizer ECU indicative that a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from the immobilizer ECU to operate a fuel pump.
  • a security device in which the means to detect a communication on the CAN Bus from an immobilizer ECU indicative that a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from the immobilizer ECU to operate a start engine.
  • This requirement is also highly specific and requires that the immobilizer security protocols have been fully satisfied before it will send a communication to the start engine. Accordingly, the device is seen as particularly secure as it benefits from the full security mechanisms of the immobilizer module.
  • the immobilizer ECU may be connected to both the fuel pump and the start engine and the means to detect a communication on the CAN Bus from an immobilizer ECU indicative that a valid ignition key has been presented in the vehicle comprises means to detect one or more communications on the CAN Bus from the immobilizer ECU to operate the start engine and the fuel pump.
  • a security device in which the security device is connected intermediate the CAN Bus and the OBD plug adjacent a CAN Gateway of the CAN Bus. This is seen as particularly effective as it will be difficult to circumvent the security device in this location.
  • a security device in which the security device comprises an accessible memory and in which there is provided a data table stored in accessible memory with a list of acceptable commands, and the security device is operable to block any commands not listed in the data table.
  • a security device in which the security device comprises a catch-can filter and the security device comprises means to direct unverified data or commands received through the OBD plug to the catch-can filter.
  • Any commands or data will be transmitted onwards onto the catch-can filter. This may be via the CAN Bus or indeed may be separate from the CAN Bus. However, it will not be possible from the OBD plug to detect whether or not the command or data has been transmitted onwards to the ECU. There will be no indication that the command or data has been blocked or re-routed.
  • a security device in which the catch-can filter is connected to the CAN bus. In this way, the command will be passed onto the CAN bus but will be readdressed to the catch-can filter rather than the original intended target ECU for the command.
  • a security device in which the security device is provided with means to permit read communications to pass to and from the OBD plug and one or more of the ECUs via the CAN Bus on detection of a valid ignition key and prevent read communications to pass to and from the OBD plug and the ECUs via the CAN Bus in the absence of a valid ignition key.
  • This is seen as a useful alternative embodiment of the present invention.
  • a security device in which the security device is provided with a wireless communications module for communications with a remote entity.
  • the security device may be provided with a SIM card and may be capable of communications over the GSM network.
  • a security device in which the security device is powered by the vehicle's electronic system.
  • a vehicle's electronic system comprising a security device connected in-line intermediate a CAN Bus and an OBD plug of the vehicle's electronic system.
  • Figure 1 is a diagrammatic representation of a security system incorporating the security device according to the invention
  • Figure 2 is a diagrammatic representation of a security device according to the invention
  • Figure 3 is a diagrammatic representation of an alternative embodiment of a security system incorporating the security device according to the invention.
  • a vehicle's electronic system comprising an On-Board Diagnostics (OBD) port 3, a Control Area Network (CAN) Bus 5 and a plurality of Engine Control Units (ECU) modules 7, 8, only two of which are shown.
  • ECU module 7 is in fact an immobiliser module.
  • There is further shown an ignition coil 9, a transponder key amplifier 11 and a pair of fuel injector components 13, 15.
  • the vehicle's electronic system comprises a security device 17 located intermediate the OBD port 3 and the CAN Bus 5. All communications between the CAN Bus 5 and the OBD port 3 pass through the security device 17.
  • the security device 17 is operable to selectively block write commands from the OBD port 3 directed towards the CAN Bus 5.
  • the CAN Bus 5 is the system of communication between the vehicle's central processing unit (not shown) and the peripheral computer components such as central locking, air bag control and a plurality of ECUs.
  • the CAN Bus 5 would allow any data to be sent via the OBD port 3; however, in this implementation, the security device 17 will prevent write commands from being passed onwards from the OBD port 3 to the CAN Bus 5 unless there is a valid key (not shown) inserted in the vehicle's ignition.
  • a signal will be sent from the transponder key amplifier 11 to the immobiliser module 7 that a valid key has been inserted into the ignition.
  • the immobiliser module 7 will in turn send an instruction over the CAN Bus 5 to the fuel injector components 13, 15.
  • the security device 17 is however monitoring the communications over the CAN Bus and detects the instruction from the immobiliser module 7 to the fuel injector components 13, 15. This instruction is indicative that there is a valid key in the ignition and under those circumstances, the security device 17 will allow write commands to be transmitted from the OBD port 3 to the ECU module(s) 8 via the CAN Bus 5.
  • This is graphically represented by a switch 19 on the transmission line from the security device to the CAN Bus. If the switch 19 is open, the communications from the OBD port 3 will be prevented from reaching the CAN Bus 5 but if the switch 19 is closed, the communications from the OBD port 3 will be allowed to pass onwards to the CAN Bus 5.
  • a catch-can filter (not shown) connected to one of the CAN Bus 5 or the security device.
  • the security device 17 is operable to redirect communications from the OBD to the catch-can filter in the event that there is no valid key present in the ignition.
  • the commands are not allowed to reach their intended target ECU but instead are redirected to a catch-can filter where the commands will have no further consequence on the operation of the vehicle's electronic system. This will prevent detection of the security device 17 as there will be no evidence of the security device's existence other than the command did not work.
  • the security device 17 comprises an input port 21 and an output port 23.
  • the input port 21 is arranged to be coupled to the OBD port 3 and the output port 23 is arranged to be coupled to the CAN Bus 5.
  • the security device further comprises a processor 25, an accessible memory 27 including a data table 29, a wireless communications module 31, a detection circuit 33 and a write blocker 35. In use, the input port 21 is connected to the OBD port and the output port 23 is connected to the CAN Bus.
  • the detection circuit 33 monitors communications on the CAN Bus 5 to detect whether a valid key has been presented.
  • the detection circuit will detect the presence of the valid key and will send a notification to the write blocker 35 to allow write communications from the OBD port (i.e. the input 21) to pass through to the CAN Bus (i.e. from the output 23). If a valid key is not detected, the detection circuit will not send the appropriate signal to the write blocker 35 and the write blocker 35 will prevent commands from being passed to the ECUs 8.
  • a data table 29 in the accessible memory 27 and the data table 29 has a list of all permissible write commands. If a data table is provided, when a write command is received at the input 21, the write command is checked against the list of write commands and if the write command matches one of the valid write commands in the data table, the write command is allowed to proceed from the output 23 to an ECU 8. If however the write command does not match a valid write command in the data table, the write command will be terminated and not allowed to proceed to an ECU 8.
  • the wireless communication module 31 is provided to allow for remote access to the security device from a remote location.
  • the wireless communications module 31 may comprise a SIM card to permit communications over a GSM network as would be understood in the art. Such a system would allow for the security device to be updated with software updates from a remote location.
  • FIG. 3 there is shown an alternative embodiment of a security system, indicated generally by the reference numeral 41, incorporating the security device 17 according to the invention,
  • the security device 17 further comprises a catch-can filter 43.
  • In use, if invalid communications are sent via the OBD interface 3 along the CAN bus 5, the communications are intercepted by the security device 17. The invalid communications are redirected to the catch-can filter 43 where they may be stored for subsequent analysis.
  • the switch 19 has been omitted however it may be provided in addition to the catch-can filter 43.
  • There is further shown a start engine 45.
  • an OBD(2) interface is provided and the invention has been described in terms of an OBD(2) interface.
  • the invention has been described in terms of a CAN Bus.
  • the security device of the present invention may also be provided with various components and features to allow the information transmitted during an attempted attack to be captured and used as evidence subsequently.
  • the imaging process of the security device will be changed to suit the justice aspect of collection and analysis of data to satisfy a global standard.
  • the data collection process is built to the same standard used in Computer Forensics, which satisfies a global standard for Law Enforcement and commercial investigation of data.
  • the main focus is on the steps taken to image (copy) and store data that is used as evidence.
  • hashing tools will be utilised.
  • a hashing process analyses the copy and assigns it a unique number. If the hash numbers on the original and the copy match, the copy is a perfect replica of the original.
  • the security device will store its log in a hashed and verified format.
  • the security device also needs to implement a hashing process on the final read-out, meaning the saved file to the target disk or target location is proven to be identical to the original read-out.
  • a hashing process is the focus of any presented digital evidence.
  • the security device will collect the evidence file and the complete HEX image of the CAN BUS at the time of attack. This will preferably be saved in an encrypted format with a timestamp.
  • the security device is also configured to include an audit trail that will be accessible by a super administrator user only. This audit trail must be an encrypted file on the security device.
  • the Audit trail will include the following: (i) the time the "key" switched on, registered in computer time; (ii) the number of CAN IDs sent (if any un-verified data was sent); (iii) the Vehicle Identification Number (VIN) number the end-user tried to program; and (iv) the Kilometre or Mileage (KM) the end-user tried to program.
  • the audit trail will upload to the investigation team either using the mobile communications module upon a prompt to do so or through a direct connection once the vehicle enters a dealership, or, if the vehicle owner takes the vehicle for examination to explore when and how errors occurred.
  • the wireless communications module 31 illustrated in Figure 2 is useful to allow remote authorised communications with the security device by authorised personnel, it is not essential to the operation of the device and it is possible to provide a security device without the wireless communications module.
  • various parts of the present invention are performed in hardware and other parts of the invention may be performed either in hardware and/or software.
  • the method steps and various components of the present invention will be performed largely in software and therefore the present invention extends also to computer programs, on or in a carrier, comprising program instructions for causing a computer or a processor to carry out steps of the method or provide functional components for carrying out those steps.
  • the computer program may be in source code format, object code format or a format intermediate source code and object code.
  • the computer program may be stored on or in a carrier, in other words a computer program product, including any computer readable medium, including but not limited to a floppy disc, a CD, a DVD, a memory stick, a tape, a RAM, a ROM, a PROM, an EPROM or a hardware circuit.
  • a transmissible carrier such as a carrier signal when transmitted either wirelessly and/or through wire and/or cable could carry the computer program in which cases the wire and/or cable constitute the carrier.
  • the present invention may be performed on two, three or more devices with certain parts of the invention being performed by one device and other parts of the invention being performed by another device.
  • the devices may be connected together over a communications network.
  • the present invention and claims are intended to also cover those instances where the system is operated across two or more devices or pieces of apparatus located in one or more locations in the vehicle.
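
The hashed log and read-out check described in the list above (the audit-trail fields, and the requirement that the saved copy be proven identical to the original read-out) can be illustrated as follows. This is an added example, not code from the patent: SHA-256, the JSON encoding, the chaining of record digests and the sample records are assumptions, and the encryption the text also calls for is not shown.

```python
import hashlib
import json

GENESIS = "0" * 64   # digest that precedes the first record in the chain

# Constructed records using the four audit-trail fields named in the text.
SAMPLE_AUDIT = [
    {"key_on": 1700000000, "can_ids_sent": 0,
     "vin_attempted": None, "km_attempted": None},
    {"key_on": 1700003600, "can_ids_sent": 14,
     "vin_attempted": "TESTVIN0000000001", "km_attempted": 42000},
]


def canonical(obj):
    """Stable byte encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(records):
    """Store each record with a digest covering it and the previous digest."""
    entries, prev = [], GENESIS
    for record in records:
        prev = hashlib.sha256(prev.encode() + canonical(record)).hexdigest()
        entries.append({"record": record, "digest": prev})
    return entries


def read_out(entries):
    """Serialise the sealed log and hash the read-out as a whole."""
    blob = canonical(entries)
    return blob, hashlib.sha256(blob).hexdigest()


def verify_copy(blob, readout_hash):
    """Check a saved copy against the hash taken at read-out.

    Returns (ok, index): index is the first record whose stored digest no
    longer matches its content, or None when no single record can be named
    (copy intact, truncated, unparseable, or re-sealed after editing).
    """
    if hashlib.sha256(blob).hexdigest() == readout_hash:
        return True, None
    try:
        prev = GENESIS
        for i, entry in enumerate(json.loads(blob)):
            prev = hashlib.sha256(
                prev.encode() + canonical(entry["record"])).hexdigest()
            if prev != entry["digest"]:
                return False, i
    except (ValueError, KeyError, TypeError):
        pass
    return False, None


def demo():
    """Verify an intact copy, a copy with one altered field, a truncated copy."""
    blob, digest = read_out(seal(SAMPLE_AUDIT))
    forged = json.loads(blob)
    forged[1]["record"]["km_attempted"] = 12000   # alter the mileage in the copy
    return (verify_copy(blob, digest),
            verify_copy(canonical(forged), digest),
            verify_copy(blob[:-5], digest))
```

The whole-file hash is what proves the copy identical; the per-record chain only helps an examiner locate which entry changed.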

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Lock And Its Accessories (AREA)

Abstract

This invention relates to a security device (17) for a vehicle's electronic system. The vehicle's electronic system comprises a Control Area Network (CAN) Bus (5) connected to a plurality of engine control units (ECUs) (7, 8) and an On-Board Diagnostics (OBD) plug (3). The ECUs (7, 8) are accessible from the OBD plug (3) through the CAN Bus. The security device comprises an input port (21) for connection to the OBD plug, and an output port (23) for connection to the CAN Bus. Communications to and from the CAN Bus and the OBD plug are routed through the security device (17). The security device comprises means to detect whether a valid ignition key has been presented in the vehicle and means to permit write communications to pass from the OBD plug to the ECUs via the CAN Bus on detection of a valid ignition key and prevent write communications from passing from the OBD plug to the ECUs via the CAN Bus in the absence of a valid ignition key.

Description

Title of Invention:
"A security device for a vehicle's electronic system"
Technical Field:
This invention relates to a security device for a vehicle's electronic system. More specifically, the present invention relates to a security device that is operable to prevent theft of the vehicle perpetrated through exploitation of the vulnerabilities of the On-Board Diagnostics (OBD) plug.
Background Art:
A recent study has shown that although the number of car thefts in the EU has fallen by 12% over the last five years, the total value of cars stolen has increased by 51% over the same period. The increase in value is due predominantly to the fact that the cars are now being stolen at a much younger age than was heretofore the case. Of the cars stolen in the EU, 72% are now estimated to be only between 1 and 5 years old. This represents a massive problem for insurers. These figures are taken from official European police figures provided by the Dutch national institute against vehicle crime.
It has also been estimated that 82% of all cars stolen in the EU are stolen by unscrupulous individuals exploiting the vulnerabilities of the On-Board Diagnostics (OBD) plug. Once access to the OBD plug has been gained, the connection to the OBD plug can be used to communicate with one or more engine control units (ECUs) or modules via the Control Area Network (CAN) Bus. This connection can be used to turn off the immobiliser module, thereby allowing the car to be started with practically any key, or can be used to allow access to the key programming module thereby allowing programming of a new key for the vehicle.
Worryingly, the tools necessary for carrying out such nefarious activities are readily available to buy over the internet and as they are typically described as "locksmith" tools, they are often perfectly legal for members of the public to own in most jurisdictions. Furthermore, these tools are typically very compact, small enough to fit into an individual's pocket. This represents a significant problem for the authorities as these crimes are becoming increasingly easier to perpetrate and increasingly harder to prevent.
A number of solutions have been proposed to address the problem of attacks via the OBD plug. One solution is that proposed in GB2510099 in the name of Shaw. This patent application proposes to provide a cover for the OBD plug with tamper resistant fasteners to prevent quick and easy access to the OBD. Although such a device may slow down a thief, this solution can be readily circumvented once the thief has the appropriate equipment. Other solutions to the problem of attacks via the OBD plug are proposed in DE202014104646 in the name of Matzke and WO2014181094 in the name of Chambers et al. Both of these disclosures propose providing a theft protection device that connects to the OBD plug and presents an alternative external interface. The theft protection devices have one or more switches for interrupting throughpassage of signals to the OBD plug. Although such devices may also help to slow down a thief, the devices are readily detectable and therefore may be circumvented by the determined thief.
It is an object of the present invention to provide a security device for a vehicle's electronic system that overcomes at least some of the above-identified problems. It is a further object of the present invention to provide a security device that protects vehicles from theft through an OBD plug attack.
Summary of Invention:
According to the invention there is provided a security device for a vehicle's electronic system, the vehicle's electronic system comprising a Control Area Network (CAN) Bus connected to a plurality of engine control units (ECUs) and an On-Board Diagnostics (OBD) plug, the ECUs being accessible from the OBD plug through the CAN Bus, characterised in that the security device comprises an input port for connection to the OBD plug and an output port for connection to the CAN Bus so that communications to and from the CAN Bus and the OBD plug are routed through the security device, the security device comprising means to detect whether a valid ignition key has been presented in the vehicle and means to permit write communications to pass from the OBD plug to one or more of the ECUs via the CAN Bus on detection of a valid ignition key and prevent write communications from passing from the OBD plug to the ECUs via the CAN Bus in the absence of a valid ignition key.
By having such a security device, the security device will prevent any write commands from being passed from the OBD port to the ECUs over the CAN Bus if a valid ignition key is not present. In this way, if an unscrupulous individual should gain access to the interior of the car and the OBD port, they will not be able to send write commands to the ECUs as there will not be a valid ignition key present. Therefore, these individuals will not be able to turn off the immobiliser or program a new key using this method. This will obviate a significant portion of all car thefts each year. However, it will still be possible for car dealers and others with access to a valid ignition key to send write commands to one or more of the ECUs if they need to. Furthermore, the present invention is seen as a particularly simple device to manufacture and install. The solution only requires one piece of equipment, located intermediate the OBD port and the CAN Bus, and it will be possible to retrofit the device into an existing vehicle with relatively little difficulty.
In one embodiment of the invention there is provided a security device in which the means to detect whether a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from an immobilizer ECU indicative that a valid ignition key has been presented in the vehicle. This is seen as a simple way to determine whether or not a valid ignition key has been presented and will require the immobilizer to be activated in order to operate. This embraces the inherent security of the immobilizer in the vehicle resulting in a robust, secure device.
In one embodiment of the invention there is provided a security device in which the means to detect a communication on the CAN Bus from an immobilizer ECU indicative that a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from the immobilizer ECU to operate a fuel pump. As this requirement is highly specific and requires that the immobilizer security protocols have been fully satisfied before it will send a communication to the fuel pump, the device is seen as particularly secure as it benefits from the full security mechanisms of the immobilizer module.
In one embodiment of the invention there is provided a security device in which the means to detect a communication on the CAN Bus from an immobilizer ECU indicative that a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from the immobilizer ECU to operate a start engine. This requirement is also highly specific and requires that the immobilizer security protocols have been fully satisfied before it will send a communication to the start engine. Accordingly, the device is seen as particularly secure as it benefits from the full security mechanisms of the immobilizer module.
It is envisaged that the immobilizer ECU may be connected to both the fuel pump and the start engine and the means to detect a communication on the CAN Bus from an immobilizer ECU indicative that a valid ignition key has been presented in the vehicle comprises means to detect one or more communications on the CAN Bus from the immobilizer ECU to operate the start engine and the fuel pump.
In one embodiment of the invention there is provided a security device in which the security device is connected intermediate the CAN Bus and the OBD plug adjacent a CAN Gateway of the CAN Bus. This is seen as particularly effective as it will be difficult to circumvent the security device in this location.
In one embodiment of the invention there is provided a security device in which the security device comprises an accessible memory and in which there is provided a data table stored in accessible memory with a list of acceptable commands, and the security device is operable to block any commands not listed in the data table. This is seen as a particularly useful embodiment of the present invention as this will allow for certain commands to be blocked or redirected while other commands may be allowed to pass through. This will help prevent detection of the security device by an unscrupulous third party with access to the OBD port.
In one embodiment of the invention there is provided a security device in which the security device comprises a catch-can filter and the security device comprises means to direct unverified data or commands received through the OBD plug to the catch-can filter. This is seen as a particularly useful embodiment of the present invention as such a device will counteract counter-surveillance measures attempting to detect the presence of a security device. Any commands or data will be transmitted onwards onto the catch-can filter. This may be via the CAN Bus or indeed may be separate from the CAN Bus. However, it will not be possible from the OBD plug to detect whether or not the command or data has been transmitted onwards to the ECU. There will be no indication that the command or data has been blocked or re-routed.
In one embodiment of the invention there is provided a security device in which the catch-can filter is connected to the CAN bus. In this way, the command will be passed onto the CAN bus but will be readdressed to the catch-can filter rather than the original intended target ECU for the command.
In one embodiment of the invention there is provided a security device in which the security device is provided with means to permit read communications to pass to and from the OBD plug and one or more of the ECUs via the CAN Bus on detection of a valid ignition key and prevent read communications to pass to and from the OBD plug and the ECUs via the CAN Bus in the absence of a valid ignition key. This is seen as a useful alternative embodiment of the present invention. By preventing read communications, it will be possible to detect that there is a security device present; however, this method will also prevent any potential weaknesses that could be exposed by allowing read communications to be transmitted and received by the CAN Bus.
In one embodiment of the invention there is provided a security device in which the security device is provided with a wireless communications module for communications with a remote entity. This is seen as useful as it will be possible for the security device to be updated remotely. For example, the security device may be provided with a SIM card and may be capable of communications over the GSM network.
In one embodiment of the invention there is provided a security device in which the security device is powered by the vehicle's electronic system.
In one embodiment of the invention there is provided a vehicle's electronic system comprising a security device connected in-line intermediate a CAN Bus and an OBD plug of the vehicle's electronic system.
Brief Description of the Drawings:
The invention will now be more clearly understood from the following description of some embodiments thereof given by way of example only with reference to the accompanying drawings, in which:-
Figure 1 is a diagrammatic representation of a security system incorporating the security device according to the invention;
Figure 2 is a diagrammatic representation of a security device according to the invention; and
Figure 3 is a diagrammatic representation of an alternative embodiment of a security system incorporating the security device according to the invention.
Detailed Description of the Drawings:
Referring to Figure 1, there is shown a vehicle's electronic system, indicated generally by the reference numeral 1, comprising an On-Board Diagnostics (OBD) port 3, a Control Area Network (CAN) Bus 5 and a plurality of Engine Control Units (ECU) modules 7, 8, only two of which are shown. ECU module 7 is in fact an immobiliser module. There is further shown an ignition coil 9, a transponder key amplifier 11 and a pair of fuel injector components 13, 15. The vehicle's electronic system comprises a security device 17 located intermediate the OBD port 3 and the CAN Bus 5. All communications between the CAN Bus 5 and the OBD port 3 pass through the security device 17.
In use, the security device 17 is operable to selectively block write commands from the OBD port 3 directed towards the CAN Bus 5. As will be understood, the CAN Bus 5 is the system of communication between the vehicle's central processing unit (not shown) and the peripheral computer components such as central locking, air bag control and a plurality of ECUs. Heretofore, the CAN Bus 5 would allow any data to be sent via the OBD port 3; however, in this implementation, the security device 17 will prevent write commands from being passed onwards from the OBD port 3 to the CAN Bus 5 unless there is a valid key (not shown) inserted in the vehicle's ignition.
If a valid key is present in the vehicle's ignition, a signal will be sent from the transponder key amplifier 11 to the immobiliser module 7 that a valid key has been inserted into the ignition. The immobiliser module 7 will in turn send an instruction over the CAN Bus 5 to the fuel injector components 13, 15. The security device 17 is however monitoring the communications over the CAN Bus and detects the instruction from the immobiliser module 7 to the fuel injector components 13, 15. This instruction is indicative that there is a valid key in the ignition and under those circumstances, the security device 17 will allow write commands to be transmitted from the OBD port 3 to the ECU module(s) 8 via the CAN Bus 5. This is graphically represented by a switch 19 on the transmission line from the security device to the CAN Bus. If the switch 19 is open, the communications from the OBD port 3 will be prevented from reaching the CAN Bus 5 but if the switch 19 is closed, the communications from the OBD port 3 will be allowed to pass onwards to the CAN Bus 5.
In an alternative embodiment, there is provided a catch-can filter (not shown) connected to one of the CAN Bus 5 or the security device. In that embodiment, the security device 17 is operable to redirect communications from the OBD to the catch-can filter in the event that there is no valid key present in the ignition. In other words, the commands are not allowed to reach their intended target ECU but instead are redirected to a catch-can filter where the commands will have no further consequence on the operation of the vehicle's electronic system. This will prevent detection of the security device 17 as there will be no evidence of the security device's existence other than that the command did not work.
Referring to Figure 2, there is shown a diagrammatic representation of the security device 17. The security device 17 comprises an input port 21 and an output port 23. The input port 21 is arranged to be coupled to the OBD port 3 and the output port 23 is arranged to be coupled to the CAN Bus 5. The security device further comprises a processor 25, an accessible memory 27 including a data table 29, a wireless communications module 31, a detection circuit 33 and a write blocker 35.
In use, the input port 21 is connected to the OBD port and the output port 23 is connected to the CAN Bus. The detection circuit 33 monitors communications on the CAN Bus 5 to detect whether a valid key has been presented. If a valid key has been presented, for example inserted into the vehicle's ignition, the detection circuit will detect the presence of the valid key and will send a notification to the write blocker 35 to allow write communications from the OBD port (i.e. the input 21) to pass through to the CAN Bus (i.e. from the output 23). If a valid key is not detected, the detection circuit will not send the appropriate signal to the write blocker 35 and the write blocker 35 will prevent commands from being passed to the ECUs 8.
In one embodiment of the invention, there is provided a data table 29 in the accessible memory 27 and the data table 29 has a list of all permissible write commands. If a data table is provided, when a write command is received at the input 21, the write command is checked against the list of write commands and if the write command matches one of the valid write commands in the data table, the write command is allowed to proceed from the output 23 to an ECU 8. If however the write command does not match a valid write command in the data table, the write command will be terminated and not allowed to proceed to an ECU 8.
The wireless communication module 31 is provided to allow for remote access to the security device from a remote location. The wireless communications module 31 may comprise a SIM card to permit communications over a GSM network as would be understood in the art. Such a system would allow for the security device to be updated with software updates from a remote location.
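The gating described above (key detection from bus traffic, the data table of permitted writes, and the catch-can redirect) can be modelled as follows. This is an added example, not code from the patent; the immobiliser frame ID and payload, the freshness window, the single-frame ISO-TP parsing and the read/write split by diagnostic service ID are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed values for illustration: real IDs and payloads are vehicle specific.
IMMO_RELEASE_ID = 0x3D0                   # hypothetical immobiliser -> injector frame
IMMO_RELEASE_DATA = bytes([0xA5, 0x01])   # hypothetical "valid key" payload
KEY_FRESH_SECONDS = 2.0                   # assumption: release repeats while key is in

# Diagnostic services treated as reads: OBD modes 01/03/09, UDS 0x19 and 0x22.
READ_SIDS = {0x01, 0x03, 0x09, 0x19, 0x22}


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


def service_id(frame: Frame) -> Optional[int]:
    """Service ID of an ISO-TP single frame, or None for anything else."""
    if not frame.data or frame.data[0] >> 4 != 0:
        return None                        # empty, or a multi-frame segment
    length = frame.data[0] & 0x0F
    if length == 0 or length > len(frame.data) - 1:
        return None                        # malformed length field
    return frame.data[1]


@dataclass
class SecurityDevice:
    # Data table 29 as (can_id, request prefix) pairs; None models "no table fitted".
    allowed_writes: Optional[frozenset] = None
    catch_can: list = field(default_factory=list)   # catch-can filter 43
    last_release: float = float("-inf")

    def observe_bus(self, frame: Frame, now: float) -> None:
        """Detection circuit 33: note the immobiliser release seen on the CAN side."""
        if frame.can_id == IMMO_RELEASE_ID and frame.data[:2] == IMMO_RELEASE_DATA:
            self.last_release = now

    def key_valid(self, now: float) -> bool:
        return now - self.last_release <= KEY_FRESH_SECONDS

    def listed(self, frame: Frame) -> bool:
        if self.allowed_writes is None:
            return True
        if service_id(frame) is None:
            return False                   # only single-frame requests can match
        return any(frame.can_id == cid and frame.data[1:1 + len(prefix)] == prefix
                   for cid, prefix in self.allowed_writes)

    def from_obd(self, frame: Frame, now: float) -> Optional[Frame]:
        """Write blocker 35: the frame to forward to the CAN bus, or None."""
        if service_id(frame) in READ_SIDS:
            return frame                   # reads pass with or without a key
        if self.key_valid(now) and self.listed(frame):
            return frame
        # Unrecognised frames land here too, so the gate fails closed. Nothing is
        # sent back to the OBD side; the frame is only kept for later analysis.
        self.catch_can.append((now, frame))
        return None


if __name__ == "__main__":
    dev = SecurityDevice(allowed_writes=frozenset({(0x7E0, bytes([0x2E, 0x01, 0x23]))}))
    write = Frame(0x7E0, bytes([0x05, 0x2E, 0x01, 0x23, 0x41, 0x42]))
    print(dev.from_obd(write, 0.0))        # None: no key seen yet
    dev.observe_bus(Frame(IMMO_RELEASE_ID, IMMO_RELEASE_DATA), 10.0)
    print(dev.from_obd(write, 10.5))       # forwarded to the CAN bus
```

The freshness window matters because a latched "key seen" flag would leave the write path open after the key is removed; the patent does not say how the permission is withdrawn.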
Referring to Figure 3, there is shown an alternative embodiment of a security system, indicated generally by the reference numeral 41, incorporating the security device 17 according to the invention. The security device 17 further comprises a catch-can filter 43. In use, if invalid communications are sent via the OBD interface 3 along the CAN bus 5, the communications are intercepted by the security device 17. The invalid communications are redirected to the catch-can filter 43 where they may be stored for subsequent analysis. In the embodiment shown, the switch 19 has been omitted; however, it may be provided in addition to the catch-can filter 43. There is further shown a start engine 45.
Various modifications can be made to the present invention without departing from the scope of the appended claims. For example, in the embodiment shown, an OBD(2) interface is provided and the invention has been described in terms of an OBD(2) interface. Furthermore, the invention has been described in terms of a CAN Bus. However, it is envisaged that the present invention is also relevant to other interfaces and other communication buses than those outlined above and is not so limited unless specified in the claims.
It is envisaged that the security device of the present invention may also be provided with various components and features to allow the information transmitted during an attempted attack to be captured and used as evidence subsequently. For example, it is envisaged that the imaging process of the security device will be changed to suit the justice aspect of collection and analysis of data to satisfy a global standard. The data collection process is built to the same standard used in Computer Forensics, which satisfies a global standard for Law Enforcement and commercial investigation of data. The main focus is on the steps taken to image (copy) and store data that is used as evidence. For example, it is envisaged that hashing tools will be utilised.
In the event of imaging (copying) a file or a number of files, it is necessary to compare the original hard disks to a copy or an image of the original. A hashing process analyses the copy and assigns it a unique number. If the hash numbers on the original and the copy match, the copy is a perfect replica of the original. The security device will store its log in a hashed and verified format. The security device also needs to implement a hashing process on the final read-out, meaning the saved file to the target disk or target location is proven to be identical to the original read-out. In a court of Law, a hashing process is the focus of any presented digital evidence.
It is envisaged that mechanisms will be put in place to facilitate a complete memory dump. Once an attack has taken place, the security device will collect the evidence file and the complete HEX image of the CAN BUS at the time of attack. This will preferably be saved in an encrypted format with a timestamp. The security device is also configured to include an audit trail that will be accessible by a super administrator user only. This audit trail must be an encrypted file on the security device. The Audit trail will include the following: (i) the time the "key" switched on, registered in computer time; (ii) the number of CAN IDs sent (if any un-verified data was sent); (iii) the Vehicle Identification Number (VIN) number the end-user tried to program; and (iv) the Kilometre or Mileage (KM) the end-user tried to program. The audit trail will upload to the investigation team either using the mobile communications module upon a prompt to do so or through a direct connection once the vehicle enters a dealership, or, if the vehicle owner takes the vehicle for examination to explore when and how errors occurred.
It is envisaged that although the wireless communications module 31 illustrated in Figure 2 is useful to allow remote authorised communications with the security device by authorised personnel, it is not essential to the operation of the device and it is possible to provide a security device without the wireless communications module.
It will be understood that various parts of the present invention are performed in hardware and other parts of the invention may be performed either in hardware and/or software.
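The hashed log and verified read-out described above, carrying the four audit-trail fields plus the bus image, can be sketched as follows. This is an added example, not code from the patent: the field names, the JSON layout and the sample values are constructed, encryption is left out, and chaining each digest to the previous entry goes beyond the per-file hash the text describes so that a dropped or reordered entry also fails verification.

```python
import hashlib
import hmac
import json

GENESIS = "00" * 32   # chain start value (constructed)


def _link(prev_hex: str, body: bytes) -> str:
    """SHA-256 over the previous digest plus this entry, binding order and count."""
    return hashlib.sha256(bytes.fromhex(prev_hex) + body).hexdigest()


class AuditLog:
    """Device-side log; `head` is the digest the device reports with a read-out."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def append(self, key_on_time, unverified_can_ids, vin_attempted,
               km_attempted, bus_image: bytes) -> None:
        body = json.dumps({
            "key_on_time": key_on_time,                # (i) computer time
            "unverified_can_ids": unverified_can_ids,  # (ii) count of CAN IDs sent
            "vin_attempted": vin_attempted,            # (iii)
            "km_attempted": km_attempted,              # (iv)
            "bus_image_hex": bus_image.hex(),          # HEX image at time of attack
        }, sort_keys=True).encode()
        self.head = _link(self.head, body)
        self.entries.append({"body": body.decode(), "sha256": self.head})

    def read_out(self) -> bytes:
        """Serialise the log as it would be written to the target location."""
        return json.dumps(self.entries).encode()


def verify_read_out(image: bytes, device_head: str) -> bool:
    """Recompute every digest over the copy and compare with the device's head."""
    try:
        head = GENESIS
        for entry in json.loads(image):
            head = _link(head, entry["body"].encode())
            if not hmac.compare_digest(head, entry["sha256"]):
                return False               # an entry was altered after hashing
    except (ValueError, KeyError, TypeError, AttributeError):
        return False                       # not a well-formed read-out
    # A missing trailing entry leaves every stored digest valid but changes the head.
    return hmac.compare_digest(head, device_head)


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample values, not data from any vehicle.
    log.append(1418256000, 3, "TESTVIN0000000001", 120000,
               bytes.fromhex("07e0052e01234142"))
    image = log.read_out()
    print(verify_read_out(image, log.head))                                   # True
    print(verify_read_out(image.replace(b"120000", b"020000"), log.head))     # False
```

A matching digest shows the copy equals what the device recorded; it does not by itself stop someone who can rewrite both the log and the digest, which is where the encryption and restricted access the text calls for come in.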
It will be understood that the method steps and various components of the present invention will be performed largely in software and therefore the present invention extends also to computer programs, on or in a carrier, comprising program instructions for causing a computer or a processor to carry out steps of the method or provide functional components for carrying out those steps. The computer program may be in source code format, object code format or a format intermediate source code and object code. The computer program may be stored on or in a carrier, in other words a computer program product, including any computer readable medium, including but not limited to a floppy disc, a CD, a DVD, a memory stick, a tape, a RAM, a ROM, a PROM, an EPROM or a hardware circuit. In certain circumstances, a transmissible carrier such as a carrier signal when transmitted either wirelessly and/or through wire and/or cable could carry the computer program in which cases the wire and/or cable constitute the carrier.
It will be further understood that the present invention may be performed on two, three or more devices with certain parts of the invention being performed by one device and other parts of the invention being performed by another device. The devices may be connected together over a communications network. The present invention and claims are intended to also cover those instances where the system is operated across two or more devices or pieces of apparatus located in one or more locations in the vehicle.
In this specification the terms "include, includes, included and including" and the terms "comprise, comprises, comprised and comprising" are all deemed totally interchangeable and should be afforded the widest possible interpretation.
The invention is in no way limited to the embodiment hereinbefore described but may be varied in both construction and detail within the scope of the appended claims.

Claims

(1) A security device (17) for a vehicle's electronic system (1, 41), the vehicle's electronic system comprising a Control Area Network (CAN) Bus (5) connected to a plurality of engine control units (ECUs) (7, 8) and an On-Board Diagnostics (OBD) plug (3), the ECUs being accessible from the OBD plug through the CAN Bus, characterised in that the security device (17) comprises an input port (21) for connection to the OBD plug (3) and an output port (23) for connection to the CAN Bus (5) so that communications to and from the CAN Bus and the OBD plug are routed through the security device (17), the security device comprising means to detect whether a valid ignition key has been presented in the vehicle and means to permit write communications to pass from the OBD plug (3) to one or more of the ECUs (7, 8) via the CAN Bus (5) on detection of a valid ignition key and prevent write communications from passing from the OBD plug to the ECUs via the CAN Bus in the absence of a valid ignition key.
(2) A security device (17) as claimed in claim 1 in which the means to detect whether a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from an immobilizer ECU (7) indicative that a valid ignition key has been presented in the vehicle.
(3) A security device (17) as claimed in claim 2 in which the means to detect a communication on the CAN Bus from an immobilizer ECU (7) indicative that a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from the immobilizer ECU to operate a fuel pump (13, 15).
(4) A security device (17) as claimed in claim 2 or 3 in which the means to detect a communication on the CAN Bus from an immobilizer ECU (7) indicative that a valid ignition key has been presented in the vehicle comprises means to detect a communication on the CAN Bus from the immobilizer ECU to operate a start engine (45).
(5) A security device (17) as claimed in any preceding claim in which the security device is connected intermediate the CAN Bus and the OBD plug adjacent a CAN Gateway of the CAN Bus.
(6) A security device (17) as claimed in any preceding claim in which the security device comprises an accessible memory (27) and in which there is provided a data table (29) stored in accessible memory with a list of acceptable commands, and the security device is operable to block any commands not listed in the data table.
(7) A security device (17) as claimed in any preceding claim in which the security device comprises a catch-can filter (43) and the security device comprises means to direct unverified data or commands received through the OBD plug to the catch-can filter.
(8) A security device (17) as claimed in claim 7 in which the catch-can filter (43) is connected to the CAN bus.
(9) A security device (17) as claimed in any preceding claim in which the security device is provided with means to permit read communications to pass to and from the OBD plug and one or more of the ECUs via the CAN Bus on detection of a valid ignition key and prevent read communications to pass to and from the OBD plug and the ECUs via the CAN Bus in the absence of a valid ignition key.
(10) A security device (17) as claimed in any preceding claim in which the security device is provided with a wireless communications module (31) for communications with a remote entity.
(11) A security device (17) as claimed in any preceding claim in which the security device is powered by the vehicle's electronic system.
(12) A vehicle's electronic system (1, 41) comprising a security device (17) as claimed in any preceding claim connected in-line intermediate a CAN Bus (5) and an OBD plug (3) of the vehicle's electronic system.
PCT/EP2015/074273 2014-12-11 2015-10-20 A security device for a vehicle's electronic system Ceased WO2016091439A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1422063.6 2014-12-11
GB1422063.6A GB2525462B (en) 2014-12-11 2014-12-11 A security device for a vehicle's electronic system

Publications (1)

Publication Number Publication Date
WO2016091439A1 (en) 2016-06-16

Family

ID=54261393

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/074273 Ceased WO2016091439A1 (en) 2014-12-11 2015-10-20 A security device for a vehicle's electronic system

Country Status (2)

Country Link
GB (1) GB2525462B (en)
WO (1) WO2016091439A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108334058A (en) * 2018-02-13 2018-07-27 安徽江淮汽车集团股份有限公司 A kind of diagnostic system and method based on car body controller
US10124750B2 (en) * 2016-04-26 2018-11-13 Honeywell International Inc. Vehicle security module system
CN109996235A (en) * 2017-12-29 2019-07-09 宝沃汽车(中国)有限公司 Car networking terminal, for the method and apparatus of car networking terminal
US10484425B2 (en) 2017-09-28 2019-11-19 The Mitre Corporation Controller area network frame override
CN111142504A (en) * 2019-12-30 2020-05-12 深圳移航通信技术有限公司 Bus detection device and method
CN112262555A (en) * 2018-06-21 2021-01-22 标致雪铁龙汽车股份有限公司 Communication network segment for a land motor vehicle and associated land motor vehicle
CN113853555A (en) * 2019-05-27 2021-12-28 宁波吉利汽车研究开发有限公司 Identification of safety devices in a vehicle
CN115150187A (en) * 2022-07-28 2022-10-04 中汽创智科技有限公司 Vehicle-mounted bus message security detection method and device, vehicle-mounted terminal and storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102015226214A1 (en) * 2015-12-21 2017-06-22 Robert Bosch Gmbh Device for controlling external control commands
CN105449477A (en) * 2015-12-30 2016-03-30 广西玉柴机器股份有限公司 Connector for burning ECU (Electronic Control Unit) of gas engine
ITUA20162862A1 (en) * 2016-04-06 2016-07-06 Paser Srl ELECTRONIC ELECTRIC SHIELDING DEVICE FOR VEHICLES EQUIPPED WITH OBD2 DOOR
US9868418B2 (en) * 2016-05-12 2018-01-16 Ford Global Technologies, Llc Vehicle network communication protection
CN107682334B (en) * 2017-09-30 2019-12-31 郑州信大捷安信息技术股份有限公司 OBD interface data safety protection system and data safety protection method
CN108099826A (en) * 2018-01-16 2018-06-01 山东省科学院自动化研究所 A kind of synthesis body control system of integrated OBD gateways

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001026338A2 (en) * 1999-10-06 2001-04-12 Sensoria Corporation Apparatus for remote access of vehicle components
EP1975897A2 (en) * 2007-03-28 2008-10-01 Denso Corporation Vehicle control device and data rewriting system
DE202014104646U1 (en) * 2014-09-29 2014-10-24 Sören Matzke Vehicle theft protection device
WO2014181094A1 (en) * 2013-05-09 2014-11-13 Gregory Chambers Vehicle security arrangement

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2510099A (en) * 2012-11-16 2014-07-30 Matthew Shaw Protection device for a data communication port

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10124750B2 (en) * 2016-04-26 2018-11-13 Honeywell International Inc. Vehicle security module system
US10484425B2 (en) 2017-09-28 2019-11-19 The Mitre Corporation Controller area network frame override
CN109996235A (en) * 2017-12-29 2019-07-09 宝沃汽车(中国)有限公司 Car networking terminal, for the method and apparatus of car networking terminal
CN108334058A (en) * 2018-02-13 2018-07-27 安徽江淮汽车集团股份有限公司 A kind of diagnostic system and method based on car body controller
CN112262555A (en) * 2018-06-21 2021-01-22 标致雪铁龙汽车股份有限公司 Communication network segment for a land motor vehicle and associated land motor vehicle
CN113853555A (en) * 2019-05-27 2021-12-28 宁波吉利汽车研究开发有限公司 Identification of safety devices in a vehicle
CN113853555B (en) * 2019-05-27 2024-05-31 宁波吉利汽车研究开发有限公司 Identification of safety equipment in vehicles
CN111142504A (en) * 2019-12-30 2020-05-12 深圳移航通信技术有限公司 Bus detection device and method
CN115150187A (en) * 2022-07-28 2022-10-04 中汽创智科技有限公司 Vehicle-mounted bus message security detection method and device, vehicle-mounted terminal and storage medium
CN115150187B (en) * 2022-07-28 2024-04-26 中汽创智科技有限公司 Vehicle-mounted bus message security detection method and device, vehicle-mounted terminal and storage medium

Also Published As

Publication number Publication date
GB2525462B (en) 2017-01-25
GB2525462A (en) 2015-10-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15794481

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 02.10.2017)

122 Ep: pct application non-entry in european phase

Ref document number: 15794481

Country of ref document: EP

Kind code of ref document: A1