Monitoring a network connection for eavesdropping

Abstract

A method for detecting unauthorized eavesdropping. A first subscriber determines a transit time for the transmission of data to a second subscriber, adds the random value to the transit time to obtain a waiting time, waits for the waiting time, creates a data packet containing a time stamp and transmits this data packet to the second subscriber. The second subscriber records the time it receives the data packet and compares it with the time stamp contained in the data packet, determines that the data packet has arrived either: before the time indicated in the time stamp, more than a predefined tolerance time after the time indicated in the time stamp, or before or more than a predefined tolerance time after a time at which it can be expected in the second subscriber as an indication that communication between the first subscriber and the second subscriber is being eavesdropped on.

Claims

1. A method for detecting unauthorized eavesdropping on a communication, comprising: determining, by a first subscriber device in a vehicle connected to a network in the vehicle, a transit time for the transmission of data via the network to a second subscriber device in the vehicle connected to the network; determining, by the first subscriber device, a random value and obtaining a waiting time as a summation of the random value and the transit time; waiting, by the first subscriber device, for the waiting time, and after waiting for the waiting time, creating at least one data packet containing a time stamp and transmitting this data packet to the second subscriber device; recording, by the second subscriber device, a time at which it receives the data packet and comparing this time with a time stamp contained in the data packet; determining, by the second subscriber device, that the data packet has arrived before a time indicated in the time stamp, that it has arrived more than a predefined tolerance time after the time indicated in the time stamp or that the data packet arrives before or more than a predefined tolerance time after a time at which it can be expected in the second subscriber device as an indication that the communication between the first subscriber device and the second subscriber device is being eavesdropped on without authorization; and controlling, by a vehicle controller, the vehicle based on the determination that the second subscriber device is being eavesdropped on without authorization.

2. The method as claimed in claim 1, wherein the transit time is determined as part of time synchronization between the first subscriber and the second subscriber.

3. The method as claimed in claim 1, wherein the second subscriber keeps a history of the results of the comparisons and assesses the determination that the result of a new comparison differs significantly from this history as an indication that the communication between the first subscriber and the second subscriber is being eavesdropped on without authorization and/or that the first subscriber has been replaced with another device without authorization.

4. The method as claimed in claim 1, wherein the second subscriber additionally also assesses the determination that the time stamp is before or more than a predefined tolerance time after the time at which the first subscriber can have transmitted the data packet as an indication that the communication between the first subscriber and the second subscriber is being eavesdropped on without authorization.

5. The method as claimed in claim 1, wherein an Ethernet network is selected as the network.

6. The method as claimed in claim 1, wherein the data packet is transmitted on the physical layer of an OSI model.

7. The method as claimed in claim 1, wherein, in response to the transit time being outside a range between a lower threshold value and an upper threshold value, it is determined that the network has been manipulated.

8. The method as claimed in claim 1, wherein the method branches back to waiting for the waiting time and then creating and transmitting the next data packet until a predefined temporal or event-based abort condition has been met, wherein, in response to the abort condition being met, the method branches back to determining the transit time or branches back to determining the random value.

9. The method as claimed in claim 8, wherein the transit time is determined as part of time synchronization between the first subscriber and the second subscriber.

10. The method as claimed in claim 1, wherein an on-board network of a vehicle is selected as the network.

11. The method as claimed claim 10, wherein, in response to the determination that the communication is being eavesdropped on without authorization and/or that the first subscriber has been replaced with another device without authorization, the functionality of a control unit, of a navigation system and/or of an entertainment system is blocked, an immobilizer of the vehicle is locked, and/or the vehicle is removed from the moving traffic by controlling a steering system, a drive system and/or a braking system of the vehicle.

12. The method as claimed in claim 10, wherein a temperature T.sub.1 in the vehicle and/or an ambient temperature T.sub.2 is/are measured using a temperature sensor, and wherein the tolerance time and/or an expected transmission or reception time of the data packet is/are tracked to a change in the temperature T.sub.1 and/or a change in the temperature T.sub.2.

13. The method as claimed claim 12, wherein, in response to the determination that the communication is being eavesdropped on without authorization and/or that the first subscriber has been replaced with another device without authorization, the functionality of a control unit, of a navigation system and/or of an entertainment system is blocked, an immobilizer of the vehicle is locked, and/or the vehicle is removed from the moving traffic by controlling a steering system, a drive system and/or a braking system of the vehicle.

14. A non-transitory computer readable medium containing machine-readable instructions which, when executed on a computer, on a control unit and/or on an embedded system, cause the computer, the control unit or the embedded system to carry out a method as claimed in claim 1.

15. A non-transitory machine-readable data storage medium or download product comprising a computer program as claimed in claim 14.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The subject matter of an aspect of the invention is explained in the following text based on figures, but without limiting the subject matter of the invention. In the drawings:

(2) FIG. 1: shows an exemplary embodiment of the method 100;

(3) FIG. 2: shows an attack scenario on the network 3 with a passive reader 6;

(4) FIG. 3: shows an attack scenario on the network 3 with replacement of the first subscriber 1 with another device 1′.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

(5) FIG. 1 shows an exemplary embodiment of the method 100. In optional step 101, an Ethernet network is selected as the network 3. In optional step 102, an on-board network of a vehicle 5 is selected as the network 3.

(6) In step 110, the first subscriber 1 of the network 3 determines a transit time 11 for the transmission of data to the second subscriber 2, which can take place, in particular, as part of time synchronization 105 between the first subscriber 1 and the second subscriber 2.

(7) In step 115, the first subscriber 1 also determines a random value 12 which is added to the transit time 11 in step 120 in order to form a waiting time 13. Waiting for the waiting time 13 is carried out in step 130.

(8) In step 140, a data packet 4 having a time stamp 41 is then generated and is transmitted to the second subscriber 2 in step 150. In step 160, the second subscriber 2 records the time 42 at which it received the data packet 4. In step 170, this time 42 is compared with the time stamp 41. If it is determined in step 181 that the data packet 4 has arrived before the time indicated in the time stamp 41, it is determined in step 182 that it has arrived more than a predefined tolerance time after the time indicated in the time stamp 41, it is determined in step 183 that it arrives before a time at which it can be expected in the second subscriber 2, it is determined in step 184 that it arrives more than a predefined tolerance time after a time at which it can be expected in the second subscriber, it is determined in step 185 that the time stamp 41 is before the time at which the first subscriber 1 can have transmitted the data packet 4, or it is determined in step 186 that the time stamp 41 is more than a predefined tolerance time after the time at which the first subscriber 1 can have transmitted the data packet 4,

(9) this is assessed in step 180 to the effect that the communication between the first subscriber 1 and the second subscriber 2 is being eavesdropped on without authorization.

(10) In this case, the earliest possible time at which the data packet 4 can be expected in the second subscriber 2 may result, for example, from the time at which the second subscriber 2 transmitted a request 20, not depicted in FIG. 1, to the first subscriber 1. A data packet 4 transmitted in response to such a request 20 must then realistically be delayed by at least the time which is at least required for the round trip through the network 3. If the data packet 4 arrives earlier, it can only be a prefabricated data packet 4′ which comes from a passive reader 6 not depicted in FIG. 1.

(11) The time of the request 20 from the second subscriber 2 may likewise also define the time at which the first subscriber 1 can have transmitted the data packet 4 at the earliest according to the time stamp 41: The first subscriber 1 realistically cannot have transmitted the response 4 before it can have received the request 20 at the earliest.

(12) Discrepancies between the time stamp 41 and the time at which the second subscriber 2 received the data packet 4 can also be detected when the data packet 4 is not a response to a previous request from the second subscriber 2. Such discrepancies may arise because a possible passive reader 6 cannot generate a falsified data packet 4′ from a passively read true data packet 4 from the first subscriber 1 or from a passively read request 20 from the second subscriber 2. A falsified data packet 4′ generated in such a manner would be ready too late in any case and would arrive even later at the second subscriber 2. Rather, the falsified data packet 4′ must be produced in advance and must be transmitted at a predicted or guessed transmission time.

(13) In optional step 171, a temperature T.sub.1 in the vehicle 5 and/or an ambient temperature T.sub.2 is/are measured using a temperature sensor. In optional step 172, the tolerance time and/or an expected transmission or reception time of the data packet 4 is/are tracked to a change in the temperature T.sub.1 and/or to a change in the temperature T.sub.2.

(14) In optional step 175, a history 21 of the results of the comparisons 170 can be kept. If it is then determined in step 187 that the result of a new comparison 170 differs significantly from the history 21, unauthorized eavesdropping on the communication can likewise be inferred in step 180.

(15) It is also possible to check whether the transit time 11 is actually in a plausible range between a lower threshold 11a and an upper threshold 11b. If this is not the case (truth value 0), it can be determined in step 188 that the network 3 has been manipulated.

(16) If, in contrast, the plausible range is complied with (truth value 1) and if, at the same time, the previous checks 181-187 were unremarkable (truth value 0 in each case), it can be checked whether a temporal or event-based abort condition 190 has been met. If this is not the case (truth value 0), it is possible to branch back, in step 200, possibly after waiting for a normal periodic cycle time, to waiting for the randomly determined waiting time 13, that is to say the existing waiting time 13 can continue to be used for the next cycle.

(17) In contrast, if the abort condition 190 has been met, the determination 110 of the transit time 11 can be updated in step 191 and/or the determination 115 of the random value 12 can be updated in step 192.

(18) In response to the determination 180 that the communication is being eavesdropped on without authorization and/or that the first subscriber 1 has been replaced with another device 1′ without authorization and/or in response to the determination 188 that the network 3 has actually been manipulated, it is possible to react in steps 210-230. In step 210, the functionality of a control unit 51, of a navigation system 52 and/or of an entertainment system 53 can therefore be blocked. In step 220, an immobilizer 54 of the vehicle 5 can be locked. In step 230, the vehicle 5 can be removed from the moving traffic by controlling a steering system 55, a drive system 56 and/or a braking system 57.

(19) FIG. 2 shows a possible attack scenario in which a passive reader 6 has been looped into a network 3 having a first subscriber 1 and a second subscriber 2. If the passive reader 6 were not present, data packets would be directly transmitted between the PHY la of the subscriber 1 and the PHY 2a of the subscriber 2. The passive reader 6 introduces two further PHYs 6a and 6b into the travel route for the data packets, which results in corresponding delays.

(20) In the situation shown in FIG. 2, the second subscriber 2 sends a request 20 to the first subscriber 1 and waits for a response to it. The delay caused by the two additional PHYs 6a and 6b of the passive reader 6 is overall so large that a falsified data packet 4′ with a time stamp 41′, which is generated only in response to the request 20 or even in response to the true data packet 4 from the first subscriber 1, would be ready too late to be close enough to the time in the second subscriber at which the true data packet 4 with the time stamp 41 would arrive there in the absence of the passive reader 6. Instead, the passive reader 6 must already create the falsified data packet 4′ and its time stamp 41′ before the second subscriber 2 transmits the request 20. The passive reader 6 must therefore guess the time at which the first subscriber 1 transmits the data packet 4. This is made more difficult by the randomly determined waiting time 13.

(21) FIG. 3 shows a further possible attack scenario in which the first subscriber 1 has been replaced with another device 1′ with PHY 1a′ in the network 3. The subscriber 1 would normally transmit a data packet 4 with a time stamp 41. The replacement device 1′ instead transmits a falsified data packet 4′ with a time stamp 41′. Since the PHY 1a′ inevitably differs from the PHY 1a of the original first subscriber 1, it causes a different delay between the creation of the time stamp 41′ and the creation of the data packet 4 than the original PHY would have caused between the creation of the time stamp 41 and the creation of the data packet 4. This results in a significantly different offset between the arrival of the data packet 4′ and the time stamp 41′ contained in the latter on the side of the second subscriber 2. The second subscriber 2 has created a history 21 of the offset before the first subscriber 1 is replaced with the other device 1′ and can therefore detect the replacement.

LIST OF REFERENCE SIGNS

(22) 1 First subscriber of the network 3

(23) 1′ Replacement device for the first subscriber 1

(24) 1a PHY interface of the first subscriber 1

(25) 1a′ PHY interface of the replacement device 1′

(26) 11 Transit time from the first subscriber 1 to the second subscriber 2

(27) 11a Lower threshold for the transit time 11

(28) 11b Upper threshold for the transit time 11

(29) 12 Random value

(30) 13 Waiting time formed from the transit time 11 and the random value 12

(31) 2 Second subscriber of the network 3

(32) 2a PHY interface of the second subscriber 1

(33) 20 Request transmitted by the second subscriber 2

(34) 21 History of the results of comparisons 170

(35) 3 Network

(36) 4 True data packet from the first subscriber 1

(37) 4′ Falsified data packet

(38) 41 Time stamp of the true data packet 4

(39) 41′ Time stamp of the falsified data packet 4′

(40) 5 Vehicle

(41) 51 Control unit of the vehicle 5

(42) 52 Navigation system of the vehicle 5

(43) 53 Entertainment system of the vehicle 5

(44) 54 Immobilizer of the vehicle 5

(45) 55 Steering system of the vehicle 5

(46) 56 Drive system of the vehicle 5

(47) 57 Braking system of the vehicle 5

(48) 6 Passive reader

(49) 6a First PHY of the passive reader 6

(50) 6b Second PHY of the passive reader 6

(51) 100 Method

(52) 101 Selection of an Ethernet network as the network 3

(53) 102 Selection of a vehicle on-board network as the network 3

(54) 105 Time synchronization between subscribers 1 and 2

(55) 110 Determination of the transit time 11

(56) 115 Determination of the random value 12

(57) 120 Formation of the waiting time 13

(58) 130 Waiting for the waiting time 13

(59) 140 Creation of the data packet 4 with a time stamp 41

(60) 150 Transmission of the data packet 4 to the second subscriber 2

(61) 160 Recording of the reception time 42 by the subscriber 2

(62) 170 Comparison of the reception time 42 with the time stamp 41

(63) 171 Determination of the temperature T.sub.1 and/or T.sub.2

(64) 172 Temperature-dependent tracking

(65) 175 Comparison with history 21

(66) 180 Determination that communication has been eavesdropped on/device has been replaced

(67) 181 Arrival of the packet 4 before the time stamp 41

(68) 182 Arrival of the packet 4 too late after the time stamp 41

(69) 183 Arrival of the packet 4 before the expected time

(70) 184 Arrival of the packet 4 too late after the expected time

(71) 185 Arrival of the packet 4 before possible transmission

(72) 186 Arrival of the packet 4 too late after possible transmission

(73) 187 Deviation from the history 21

(74) 188 Determination that the network 3 has been manipulated

(75) 190 Abort condition

(76) 191 Updating of the transit time 11

(77) 192 Updating of the random value 12

(78) 200 Further use of the waiting time 13 for the next cycle

(79) 210 Blocking of a system 51-54

(80) 220 Locking of the immobilizer 54

(81) 230 Removal of the vehicle 5 from moving traffic

(82) t Time

(83) T.sub.1 Temperature in the vehicle 5

(84) T.sub.2 Ambient temperature

Monitoring a network connection for eavesdropping

Assignee

Inventors

Cpc classification

Classification Explorer

H04L43/106

ELECTRICITY

Classification Explorer

H04L43/0858

ELECTRICITY

Classification Explorer

H04L63/1475

ELECTRICITY

Classification Explorer

H04L63/1466

ELECTRICITY

International classification

Classification Explorer

H04L9/40

ELECTRICITY

Classification Explorer

H04L43/0852

ELECTRICITY

Classification Explorer

H04L43/106

ELECTRICITY

Abstract

Claims

Description