Method for detecting an attack on a control device of a vehicle

11528284 · 2022-12-13

Abstract

A method for detecting an attack, in particular a cyber-attack, on a control device of a vehicle, with the step of: checking communication data that is transmitted via at least one communication channel of the vehicle that is connected to the control device, wherein the checking of the communication data that is transmitted via the at least one communication channel of the vehicle that is connected to the control device includes the examination of whether the communication data transmitted via the at least one communication channel of the vehicle fulfils data requirements that are defined by one or a plurality of changeable rules.

Claims

1. A method for detecting a cyber-attack on a control device of a vehicle, comprising: transmitting communication data over a communication channel from a first device in the vehicle to a second device in the vehicle; generating, by the second device in the vehicle, a check response by applying at least one changeable rule to the communication data; transmitting the check response over the communication channel from the second device in the vehicle to the first device in the vehicle; analyzing, by the first device in the vehicle, the check response and in response to the analysis: determining, by the first device in the vehicle, that the communication data was properly received by the second device in the vehicle when the check response matches a predetermined check response generated by applying the at least one changeable rule to the communication data, and determining, by the first device in the vehicle, that the communication data was erroneously received by the second device in the vehicle when the check response does not match the predetermined check response generated by applying the at least one changeable rule to the communication data.

2. The method as claimed in claim 1, further comprising: classifying the communication data transmitted via the at least one communication channel of the vehicle as non-hazardous or harmless if the communication data fulfils data requirements defined by the at least one changeable rule; and classifying the communication data transmitted via the at least one communication channel of the vehicle as malicious or harmful if the communication data does not fulfil the data requirements.

3. The method as claimed in claim 1, further comprising: allowing the reception of the communication data transmitted via the at least one communication channel of the vehicle by the control device or a control unit of the control device if the communication data transmitted via the at least one communication channel of the vehicle fulfils data requirements defined by the at least one changeable rule; preventing the reception of the communication data transmitted via the at least one communication channel of the vehicle by the control device or a control unit of the control device if the communication data transmitted via the at least one communication channel of the vehicle does not fulfil the data requirements; and temporarily interrupting or permanently preventing the communication with a data source whose communication data, transmitted via the at least one communication channel of the vehicle, does not fulfil the data requirements.

4. The method as claimed in claim 1, further comprising: changing the at least one changeable rule that defines the data requirements; supplementing the at least one changeable rule that defines the data requirements with one or a plurality of further rules; cancelling or deleting the one or the plurality of the rules defining the data requirements; and exchanging the one or the plurality of the rules defining the data requirements.

5. The method as claimed in claim 1, wherein the at least one changeable rule defining the data requirements is protected against modification by means of a hardware-based trust anchor.

6. The method as claimed in claim 1, wherein the communication data that is transmitted via the at least one communication channel of the vehicle that is connected to the control device and checked is data received via a communication interface of the vehicle and/or data that is internal to the vehicle that is stored in a memory internal to the vehicle or which is generated by the vehicle.

7. The method as claimed in claim 1, wherein the control device is operated as a client-control device of a network internal to the vehicle, wherein the checking of the communication data takes place jointly by the client control device and by a server control device of the network internal to the vehicle.

8. The method as claimed in claim 7, further comprising: transmitting an apparently erroneous check signal from the client control device to the server control device; checking by the server control device whether the check signal received by the server control device corresponds to the check signal transmitted by the client control device or has been changed; generating a check response to the received check signal by the server control device; and transmitting the generated check response from the server control device to the client control device, wherein the checking of communication data that has been transmitted via the at least one communication channel of the vehicle connected to the control device preferably comprises checking the check response generated by the server control device.

9. A communication system for a vehicle, including: a first device in the vehicle; and a second device in the vehicle, wherein the first device is configured to transmit communication data over a communication channel to the second device, wherein the second device is configured to: generate a check response by applying at least one changeable rule to the communication data, and transmit the check response over the communication channel to the first device; wherein the first device is configured to analyze the check response and in response to the analysis: determine that the communication data was properly received by the second device in the vehicle when the check response matches a predetermined check response generated by applying the at least one changeable rule to the communication data, and determine that the communication data was erroneously received by the second device in the vehicle when the check response does not match the predetermined check response generated by applying the at least one changeable rule to the communication data.

10. A vehicle comprising: a communication system for the vehicle, the communication system including: a first device in the vehicle; and a second device in the vehicle, wherein the first device is configured to transmit communication data over a communication channel to the second device, wherein the second device is configured to: generate a check response by applying at least one changeable rule to the communication data, and transmit the check response over the communication channel to the first device; wherein the first device is configured to analyze the check response and in response to the analysis: determine that the communication data was properly received by the second device in the vehicle when the check response matches a predetermined check response generated by applying the at least one changeable rule to the communication data, and determine that the communication data was erroneously received by the second device in the vehicle when the check response does not match the predetermined check response generated by applying the at least one changeable rule to the communication data.

11. The method as claimed in claim 2, further comprising: allowing the reception of the communication data transmitted via the at least one communication channel of the vehicle by the control device or a control unit of the control device if the communication data transmitted via the at least one communication channel of the vehicle fulfils the data requirements; preventing the reception of the communication data transmitted via the at least one communication channel of the vehicle by the control device or a control unit of the control device if the communication data transmitted via the at least one communication channel of the vehicle does not fulfil the data requirements; and temporarily interrupting or permanently preventing the communication with a data source whose communication data, transmitted via the at least one communication channel of the vehicle, does not fulfil the data requirements.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Preferred embodiments of the invention are explained and described in more detail below with reference to the accompanying drawings. In the drawing:

(2) FIG. 1 shows an exemplary embodiment of the communication system according to the invention in a schematic illustration;

(3) FIG. 2 shows a control device in a schematic illustration;

(4) FIG. 3 shows a further exemplary embodiment of the communication system according to the invention in a schematic illustration; and

(5) FIG. 4 shows a communication between a client control device and a server control device corresponding to one exemplary embodiment of the method according to the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

(6) FIG. 1 shows a communication system 100 for a vehicle with a control device 10 that comprises an attack detection system 14. The attack detection system 14 is configured to check communication data that is transmitted via the communication channels 12a, 12b of the vehicle that are connected to the control device 10.

(7) While checking the communication data, the question of whether the communication data fulfils data requirements that are defined by a plurality of rules is examined in real time. The attack detection system 14 is configured to classify communication data as non-hazardous or harmless if the communication data fulfils the data requirements. The attack detection system 14 is, on the other hand, configured to classify communication data as malicious or harmful if the communication data does not fulfil the data requirements.

(8) So that the rules can be adapted to protect the control device 10 against new attack methods and/or new harmful data, the rules that define the data requirements can be changed, supplemented, cancelled or deleted, and exchanged.

(9) To prevent an attacker from modifying the rules, and thereby changing the data requirements they define, the rules are protected against modification by means of a hardware-based trust anchor. The hardware-based trust anchor is implemented by the security module 16, which is connected for signal transfer to the attack detection system 14.

(10) In addition to the attack detection system 14 and the security module 16, the control device 10 also comprises a plurality of control units 18a, 18b that represent potential recipients of the communication data. The control device can, in principle, comprise a large number of control units that can be potential recipients of the communication data. If the communication data is classified as non-hazardous or harmless, it can, for example, be forwarded to the control units 18a, 18b for the implementation of a control process.

(11) FIG. 2 shows a control device 10 that is divided schematically into a software stack 24 and hardware 26.

(12) The control device 10 comprises a hardware-side communication interface 22 that is connected to a software-side communication module 20. The control device is connected via the communication interface 22 to a communication channel 12 via which harmful data can be loaded onto the control device 10. The communication data received via the communication interface 22 is made available to an attack detection system 14 by the communication module 20.

(13) The attack detection system 14 is configured to examine the communication data in real time as to whether the communication data fulfils data requirements that are defined by a plurality of rules. The attack detection system 14 is, moreover, configured to permit the reception of the communication data by a control unit 18 of the control device 10 if the communication data fulfils the data requirements, and to prevent the reception of the communication data by the control unit 18 of the control device 10 if the communication data does not fulfil the data requirements.

(14) The rules that define the data requirements are protected against modification by means of a hardware-based trust anchor. The control device 10 comprises for this purpose a hardware-side security module 16 that encrypts the rules.

(15) FIG. 3 shows a communication channel 12 formed as a CAN bus that is connected to a plurality of control devices 10′, 28, 30a-30c. The communication channel 12 is moreover connected to a telematic apparatus 32 and a communication interface 34. The communication interface 34 can, for example, serve for vehicle-to-vehicle communication, and be configured to exchange communication data wirelessly with other vehicles.

(16) The communication data that is transmitted via the communication channel 12 of the vehicle and that is to be checked can thus either be received via the communication interface 34 of the vehicle, or be data internal to the vehicle that is stored, for example, in a memory that is internal to the vehicle or is generated by the vehicle, wherein the data internal to the vehicle is transmitted within the vehicle via the communication channel 12.

(17) The control device 10′ is operated as a client control device of a network internal to the vehicle. The checking of the communication data takes place in this case jointly by the client control device 10′ and a server control device 28 of the network internal to the vehicle. The attack detection system is thus partially integrated into the client control device 10′ and partially into the server control device 28.

(18) In the present case the attack detection system is designed to temporarily interrupt or to permanently prevent communication with a data source, provided the data source can be identified, if the communication data transmitted from that data source via the communication channel 12 does not fulfil the data requirements. In this way, other devices that permanently or temporarily transmit harmful communication data are temporarily or permanently excluded from the communication.
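The following Python model, added here as an illustration and not code from the patent or its applicant, ties together paragraphs (7), (8), (10), (14) and (18): frames on a channel are tested against a changeable rule set, frames that fulfil every rule are forwarded to the control units, frames that violate a rule are dropped and their source is excluded from further communication, and a new rule set is adopted only after an integrity check. The HMAC key standing in for the security module 16, the frame layout, the CAN identifiers and the rule thresholds are all constructed for the example.

```python
"""Rule-based check of vehicle communication data (constructed example).

Models the attack detection system 14 of FIG. 1 / FIG. 2: each frame is tested
against changeable rules, harmless frames are forwarded to the control units,
malicious frames are dropped and their source is quarantined, and a rule set is
adopted only if its MAC verifies against a key that stands in for the
hardware-based trust anchor (security module 16).
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    source: str      # identified data source (ECU name, interface, ...)
    can_id: int      # constructed identifier, not from any real vehicle
    payload: bytes


# --- changeable rules: (name, predicate); predicate is True when the frame
# --- fulfils the data requirement the rule defines -------------------------
def rule_known_id(allowed):
    return ("known_id", lambda f: f.can_id in allowed)


def rule_length(expected):          # expected: {can_id: payload length}
    return ("length",
            lambda f: f.can_id not in expected or len(f.payload) == expected[f.can_id])


def rule_range(can_id, lo, hi):     # first payload byte within a plausible range
    return (f"range_{can_id:x}",
            lambda f: f.can_id != can_id or (bool(f.payload) and lo <= f.payload[0] <= hi))


# Constructed stand-in for key material held by the security module.
TRUST_ANCHOR_KEY = b"constructed-key-held-in-security-module"


def sign_ruleset(rule_names, key=TRUST_ANCHOR_KEY):
    """MAC over the canonical list of rule names; plays the role of the trust anchor."""
    msg = json.dumps(sorted(rule_names)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class AttackDetectionSystem:
    rules: list = field(default_factory=list)
    quarantined: set = field(default_factory=set)   # excluded data sources
    forwarded: list = field(default_factory=list)   # frames passed to control units

    def load_rules(self, rules, mac, key=TRUST_ANCHOR_KEY):
        """Change / supplement / exchange the rule set, but only if the MAC verifies."""
        names = [name for name, _ in rules]
        if not hmac.compare_digest(sign_ruleset(names, key), mac):
            raise ValueError("rule set rejected: integrity check failed")
        self.rules = list(rules)

    def classify(self, frame):
        """('harmless', []) if every rule holds, else ('malicious', [violated rule names])."""
        violated = [name for name, pred in self.rules if not pred(frame)]
        return ("harmless", violated) if not violated else ("malicious", violated)

    def check(self, frame):
        """Gate a frame: forward it, drop it, or refuse it because its source is excluded."""
        if frame.source in self.quarantined:
            return "blocked_source"
        verdict, _ = self.classify(frame)
        if verdict == "harmless":
            self.forwarded.append(frame)        # reception by the control units allowed
            return "forwarded"
        self.quarantined.add(frame.source)      # interrupt communication with this source
        return "dropped"


def demo():
    """Run a few constructed frames through the system and return the verdicts."""
    ads = AttackDetectionSystem()
    rules = [rule_known_id({0x100, 0x200}),
             rule_length({0x100: 2, 0x200: 8}),
             rule_range(0x100, 0, 120)]
    ads.load_rules(rules, sign_ruleset([n for n, _ in rules]))
    frames = [
        Frame("ecu_a", 0x100, bytes([60, 0])),        # in range        -> forwarded
        Frame("telematics", 0x100, bytes([250, 0])),  # out of range    -> dropped, source excluded
        Frame("telematics", 0x200, bytes(8)),         # valid frame, but source is excluded
        Frame("ecu_b", 0x7FF, b"\x00"),               # unknown id      -> dropped
    ]
    return [ads.check(f) for f in frames]
```

Swapping the rule set at runtime is just another `load_rules` call with a freshly signed list; a rule set whose MAC does not verify is rejected without touching the active rules, which is the property the trust anchor is there to provide.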

(19) FIG. 4 shows the transmission of an apparently erroneous check signal 36 from a client control device 10′ to a server control device 28. The apparently erroneous check signal 36 comprises a signal error 42 that can be exploited by an attacker 44.

(20) The attacker 44 transmits a signal extension 38 extending the apparently erroneous check signal. As a result of the signal extension 38, the check signal received by the server control device 28 now appears to be error-free. The server control device 28 is configured to generate a check response 40 for the received check signal 36 and to transmit it to the client control device 10′. In the present case the server control device is configured to generate a short signal pulse in the check response 40 at every zero crossing of the check signal 36.

(21) The client control device 10′ can thus recognize that the apparently erroneous check signal 36 has been modified by an attacker 44, since the check response 40 does not correspond to the expected check response. Because the received check response 40 differs from the expected check response, it can be deduced that a signal modification has been made by an attacker 44 and that the received communication data is malicious or harmful.

(22) Because an apparently erroneous check signal 36 was transmitted, the attacker 44 has been tempted to exploit the signal error 42 of the check signal 36. On the basis of the intentional transmission of this signal, what is known as a honeypot functionality has in this way been implemented, with which the attacker 44 has been tempted to carry out expected attacks.
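The exchange of FIG. 4, paragraphs (19) to (22), as an added simulation that is not part of the patent: the client sends a check signal whose last half-cycle is cut off (the apparent signal error 42), the server answers with one pulse per zero crossing of whatever it received (check response 40), and the client compares that response with the one it predetermined for the unmodified signal. A "repair" of the signal in transit (signal extension 38) adds a zero crossing and therefore a pulse, so the response no longer matches. The square-wave shape, sample values and the crossing convention are constructed for the example.

```python
"""Honeypot check signal between client and server control device (constructed example).

The client control device deliberately transmits a check signal with an apparent
error; the server control device replies with a pulse at every zero crossing of the
signal it received. Since the client knows the zero crossings of the unmodified
signal, any modification on the channel shows up as a mismatching check response.
"""


def zero_crossings(samples):
    """Indices at which the sign of the signal flips (a sample of 0 counts as non-negative)."""
    neg = [s < 0 for s in samples]
    return [i for i in range(1, len(samples)) if neg[i] != neg[i - 1]]


def make_check_signal(cycles=2, amplitude=10, truncate=True):
    """Square-wave probe. With truncate=True the final negative half-cycle is cut
    off, which looks like a signal error to an observer on the bus (signal error 42)."""
    wave = []
    for _ in range(cycles):
        wave += [amplitude] * 4 + [-amplitude] * 4
    return wave[:-4] if truncate else wave


class ServerControlDevice:
    def check_response(self, received):
        # One short pulse per zero crossing of the received check signal.
        return zero_crossings(received)


class ClientControlDevice:
    def __init__(self, signal):
        self.signal = signal
        self.expected = zero_crossings(signal)   # predetermined check response

    def analyze(self, response):
        return "ok" if response == self.expected else "tampered"


def signal_extension(signal, amplitude=10):
    """Models signal extension 38: the missing half-cycle is appended in transit,
    so the check signal arriving at the server looks error-free."""
    return signal + [-amplitude] * 4


def run_exchange(modification=None):
    """Full client -> channel -> server -> channel -> client round trip.

    modification is a function applied to the check signal on the channel
    (None models an untouched channel)."""
    sent = make_check_signal()
    client = ClientControlDevice(sent)
    server = ServerControlDevice()
    received = sent if modification is None else modification(sent)
    response = server.check_response(received)
    return client.analyze(response)


if __name__ == "__main__":
    print("untouched channel:", run_exchange())
    print("extended signal:  ", run_exchange(signal_extension))
```

Note what the client is actually comparing: not the signal itself, which it never sees again, but a compact summary (pulse positions) computed by the other side. This is why the check works even though the extended signal looks perfectly valid to the server; the server faithfully reports the extra zero crossing, and only the client knows it should not be there.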

LIST OF REFERENCE DESIGNATIONS

(23) 10 Control device

(24) 10′ Client control device

(25) 12, 12a, 12b Communication channels

(26) 14 Attack detection system

(27) 16 Security module

(28) 18, 18a, 18b Control units

(29) 20 Communication module

(30) 22 Communication interface

(31) 24 Software stack

(32) 26 Hardware

(33) 28 Server control device

(34) 30a-30c Other control devices

(35) 32 Telematic apparatus

(36) 34 Communication interface

(37) 36 Check signal

(38) 38 Signal extension

(39) 40 Check response

(40) 42 Signal error

(41) 44 Attacker

(42) 100 Communication system