SYSTEM AND A METHOD OF PREVENTING UNAUTHORIZED ACCESS TO A VEHICLE

Abstract

The present invention relates to a system and method for preventing unauthorized access to a vehicle when setting up a controlled radio interference in specified frequency ranges and is designed to prevent an attacker from obtaining unauthorized access to the vehicle access control system. The system for preventing unauthorized access to the vehicle contains a key fob, a radio receiver of the vehicle and a device for setting radio interference installed inside the vehicle. The key fob contains a radio transmitter and is made with the ability to transmit data to a radio receiver in encoded form. The device for setting up radio interference is made with the possibility of installing radio interference in the frequency range of the data transmission channel between the key fob and the radon receiver of the vehicle. The technical result increases the safety of the vehicle from unauthorized access and theft, due to the provision of additional radar interference.

Claims

1. A system for preventing unauthorized access to a vehicle, the system comprising: a key fob, a vehicle radio receiver; and a device for setting radio interference installed inside the vehicle, the key fob having a radio transmitter and being configured for transmitting data to the radio receiver in an encoded form, and the device for setting radio interference being configured for generating radio interference in a frequency range of a data transmission channel between the key fob and the radio receiver of the vehicle.

2. The system, according to claim 1 wherein the device for setting up radio interference is connected to the electrical information bus of the vehicle.

3. The system, according to claim 1, wherein the installation of radio interference is carried out at unlicensed frequencies, namely: 312-315 MHz, 433.075 434.750 MHz, 868.7-869.2 MHz.

4. A method for preventing unauthorized access to a vehicle, the method comprising: transmitting data from a key fob to a radio receiver of the vehicle in an encoded form at a given frequency range, setting up a radio interference in the frequency range of a data transmission channel between the key fob and the radio receiver of the vehicle.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0016] The proposed invention is explained by drawings:

[0017] FIG. 1—shows the keyless access system to the vehicle (unidirectional mode);

[0018] FIG. 2—shows a keyless access system to the vehicle (unidirectional mode with cryptography);

[0019] FIG. 3—shows the keyless access system to the vehicle (bidirectional compression);

[0020] FIG. 4—shows the sequence of bytes from the FOB key to the radio receiver of the vehicle in normal operation;

[0021] FIG. 5—shows the sequence of bytes from the FOB key to the radio receiver of the vehicle in configuration mode;

[0022] FIG. 6—shows the spectrum of a radio signal with amplitude modulation and a carrier frequency of 1 kHz;

[0023] FIG. 7—illustrates the temporal representation of a radio signal with amplitude modulation and a carrier frequency of 1 kHz;

[0024] FIG. 8—illustrates the spectrum of the radio signal from frequency-modulated radio signals (in 2FSK mode);

[0025] FIG. 9—illustrates the temporal representation of frequency-modulated radio signals (in 2FSK mode);

[0026] FIG. 10—displays the spectrum of the LFM signal with a deviation of 20 kHz, a tuning speed of 1 kHz;

[0027] FIG. 11—illustrates the temporal representation of the chirp at zero frequency;

[0028] FIG. 12—displays a variant of the implementation of the system using the method of setting controlled radio interference.

DETAILED DESCRIPTION OF THE NON-LIMITING EMBODIMENTS

[0029] FIG. 1 shows a variant of the keyless access system (unidirectional mode). When using this mode, the owner of the vehicle using the FOB key 101 sends a fixed and always the same sequence of bytes via radio channel 103 to the radio receiver of the vehicle 102. When it is detected by the vehicle's radio receiver, one or another operation is performed (opening the closed doors, opening the luggage compartment, etc.).

[0030] FIG. 2 shows a variant of the keyless access system to the vehicle (unidirectional mode with cryptography). This option has become widespread and is the most widespread in terms of the number of visits. As in FIG. 1, the main components involved in data exchange are: FOB key 101; vehicle radio 102; radio channel 103. For this method, one of the following encryption algorithms is used (AES, XTEA, AUT64, etc.). The sequence of bytes 105 transmitted from the FOB key 101 to the radio receiver of the vehicle 102 has a field in which the digitized value of the internal counter is transmitted (as an example, FIG. 2 shows two encrypted values of epstupt (241) and epsturi (242), where the counter value corresponds to 241 and 242). After transmitting a sequence of bytes, the counter increments its value. Further, all sequences with a lower counter value are not fixed and discarded. Encoding/decoding of the counter value is performed using the secret key 104.

[0031] FIG. 3 conditionally shows a variant of the keyless access system to the vehicle (bidirectional mode). This mode represents the most convenient way for vehicle owners to work with the access control system. To open the central lock, it is enough for him to be in the range of the radio receiver of the vehicle 102. The algorithm of operation is the transmission of an arbitrary sequence of bytes of challenge 106 from the vehicle 102 to the radio receiver of the key fob 101. Further, encoding is performed inside the key fob 101 according to the established algorithm, and the resulting sequence of response 107 is sent to the radio channel for fixing it with the radio receiver of the vehicle 102. Encoding/decoding is performed using the secret key 104.

[0032] The system described in FIG. 1 is considered to be the most vulnerable. A sequence of operations from listening to the radio broadcast, copying, and then repeating a sequence of bytes by an attacker makes it possible to obtain unauthorized access to the vehicle.

[0033] The methods shown in FIGS. 2 and 3 also have their vulnerabilities and, under certain scenarios, allow an attacker to gain unauthorized access.

[0034] For a keyless access system (unidirectional mode with cryptography) with a known secret key 104, an attacker can generate the necessary sequences to control the central lock of the vehicle. An attack option is also possible, which consists in pre-recording the correct sequences from the key fob without affecting the radio receiver of the vehicle 102 and repeating them with direct impact on the radio receiver of the vehicle 102.

[0035] For a keyless access system (bidirectional mode), attackers use an attack type like fishing. This type of attack involves the organization of a data transmission channel between the key fob 101 receiver/transmitter of the vehicle 102. The attacker installs additional radio transmitting devices (which are not visible to the owner) between the key fob and the vehicle. Thus, the necessary communication channel is restored, using which it is possible to organize data transmission at the necessary moment, thereby obtaining unauthorized access to the control of the central lock of the vehicle.

[0036] In modern vehicles, a keyless access system to the vehicle is widely used for access control systems. The principle is based on the transmission of information between the key fob of the vehicle owner and the radio receiver of the electronic control unit (ECU) via a radio channel.

[0037] From the description presented above, it is obvious that the existing systems of keyless access to the vehicle, with all approaches to the complexity of their organization, are somehow susceptible to unauthorized hacking.

[0038] The present invention relates to a system and method of access to a vehicle by setting up controlled radio interference to prevent unauthorized access to the vehicle, namely the inability to control the central lock.

[0039] The novelty of the invention lies in the installation of radio interference inside the vehicle. Thus, it is not possible to detect external signals (byte sequences) by the radon receiver of the vehicle.

[0040] This is achieved due to the presence of radio interference, which does not allow radio wave detectors to restore the digital signal in an accurate form. As a consequence, there is no access to the access control system, namely, the ability to control the central lock, when setting up a radio interference.

[0041] The vehicle access system contains a key fob, a vehicle radio receiver and a device for setting up radio interference.

[0042] The key fob is essentially a standard alarm (installed by the car manufacturer) and can be combined with a physical ignition key. With the help of a key fob, the alarm is disarmed, as well as the condition of the car is monitored. In a number of alarm designs, remote engine start, control of electrical equipment, a car in a parking lot, etc., is carried out using a key fob. The key fob contains a radio transmitter and is made with the ability to transmit data to a radio receiver to a vehicle in encoded form. In some versions, the key fob, in addition to the radio transmitter, also contains a radio receiver. In this case, the keyless access system to the vehicle is capable of operating in the bidirectional mode described above (see FIG. 3). The device for setting up radio interference is installed inside the vehicle and is made with the possibility of installing radio interference in the frequency range of the data transmission channel between the key fob and the radio receiver of the vehicle, manufacturers use various frequency ranges from 70 to 1600 MHz for data transmission. In the preferred version of the invention, unlicensed frequency ranges of frequencies are used for data transmission, namely: 312-315 MHz, 433,075-434,750 MHz and 868.7-869.2 MHz.

[0043] The options for implementing the system and a method for preventing unauthorized access to a vehicle are described below using the example of a unidirectional cryptography mode. This mode has the largest number of implementations for vehicle access control systems. However, all the principles described in this technical solution are applicable to other modes.

[0044] Based on the results of the tests, as well as information obtained from open sources, it was found that data transmission (testing with cars, restoring signals transmitted over the radio channel, etc.) is unidirectional. The key fob 101 in its composition has a radio transmitter or a radio transmitter from radios, and the ECU of the vehicle is a radio receiver. Considering the option of transmitting data at a non-dry frequency of 434.25 MHz with amplitude modulation. The data is transmitted in Manchester encoding at a speed of ˜1,667 kbit/s (i.e., a bit duration of 600 microseconds). Data is transmitted in encoded form (possible encoding algorithms XTEA. AUT64).

[0045] FIG. 4 shows one of the variants of the byte sequence from the key fob to the radio receiver of the vehicle in normal operation. The sequence has the following fields: [0046] Sync (201) synchronizing sequence field=15 bits; [0047] Start (202) transmitting information start field=24 bits; [0048] UID (203) key identifier field=32 bits; [0049] 10 cir (204) current command counter field=24 bits; [0050] btn′ (205) button code identifier field=8 bits (encoded); [0051] btn (206) button code identifier field=8 bits (not encoded).

[0052] By pressing the button on the key fob once, 3 identical sequences are transmitted (duplication).

[0053] FIG. 5 shows one of the variants of the byte sequence from the key-15 of the key fob to the radio receiver of the vehicle in configuration mode (long hold of any button). This mode is used to bind a new key to the vehicle. The sequence has the following fields [0054] Sync (201) synchronization sequence field −15 bits; [0055] UID (203) key identifier field=32 bits; [0056] btn (206) button code identifier field=8 bits (not encoded).

[0057] In configuration mode, the byte sequence is repeated each time and does not contain encoded information.

[0058] The setting of controlled radio interference will be effective regardless of the type of modulation used, the data transfer rate, the composition of the fields, the transmitted byte sequence.

[0059] Effective suppression of control commands from the key fob is possible using signal-like interference with a power of −5 dBm within a radius of 10 m (subject to line of sight). As a signal-like radio interference in the proposed method of operation, various options can be used. Below is a description using the LFM signal (linear frequency modulation) as radio interference.

[0060] FIGS. 6-9 show the signal spectra of various types of modulations that can be used to transmit byte sequences from the key fob to the vehicle.

[0061] For radio signals with amplitude modulation and a carrier frequency of 1 kHz with a bitrate of −0.5 kbps, its spectrum in the frequency domain is shown in FIG. 6, and in FIG. 7 in a variable representation.

[0062] For radio signals with frequency modulation (in 2FSK mode) and a bitrate of −20 kbps, the spectrum is shown in FIG. 8 (with the lower frequency detuned by 1 kHz to the left relative to the constant component), in a variable representation in FIG. 9.

[0063] The LFM signal is used as a universal radio interference signal. This signal has the following characteristics: [0064] The deviation of the exposed signal is 20 kHz; [0065] The tuning speed is 1 kHz; [0066] Ranges: 312-315 MHz, 433,075-434, 750 MHz and 868.7-869.2 MHz; [0067] The power characteristics −5 lBm; [0068] Radius—10 m (with a conditional line of sight)

[0069] FIG. 10 shows the spectrum of the LFM signal with the specified characteristics, and FIG. 11 shows the time representation of the LFM signal at zero frequency.

[0070] The main functional purpose of the device is the setting of radio interference in a given frequency range of the communication channel of the key fob and the vehicle. The device is installed inside the vehicle, and the level of the interference signal is selected so as to affect only the radar receiver of this vehicle. This 5-10 are done by adjusting the transmitter power of the device −5-10 dBm.

[0071] The activation of the jammer (activation deactivation of the “Security” mode) is performed via a different communication channel than the radio channel on which the interference of the standard alarm system (WiFi, GSM, Bluetooth, etc.) is installed.

[0072] It is possible to control the central lock of the vehicle access control system without deactivating the “Security” mode, through the device issuing the appropriate command on the electric information bus of the vehicle. Exposed radio interference.

[0073] The exposed radio interference is an additional circuit of protection against unauthorized access to the vehicle access system, and in particular to the control of the central lock.

[0074] The principle of operation is that the owner of the vehicle, in addition to using other means that provide protection against theft (alarm, immobilizer), activates the device 301 to install radio interference. The device exposes radio interference at the frequency of operation of the vehicle access system, the attacker, when trying to gain access to the central locks of the uncontrolled access system, is refused, because the sequences exposed by it are not detected by the vehicle receiver due to the radio interference. The owner can deactivate the interference by communicating with the device via other communication channels (GSM, BLE, WiFi, etc.) Additionally, other algorithms for activating/deactivating the “Protection” mode can be prescribed and implemented (depends on the use and connection option).

[0075] FIG. 12 shows the functional diagram of the connection and operation of the device 301 for installing radio interference. The 301 device contains the following modules:

[0076] The interface and control module 302 of the device 301 is designed to interface the device 301 with the electrical information bus of the vehicle. Provides data reading from it, as well as setting its own data. Interfaces, as well as the type of connection depend on the vehicle or the design of the device (direct connection to the CAN (LIN) electrical information bus of the vehicle; connection via the OBD2 connector)

[0077] The access module 303 of the device 301 are designed to organize a communication channel with the user's portable device (smartphone, tablet computer, laptop, etc.). Information transmission via one of the available communication channels 36), such as: WiFi, GSM, Bluetooth, etc. The communication channel 306 is intended for: parameterization and control of the device 301, reading of service information, log files, etc.

[0078] The radio transmitter module 304 is a transceiver device that is designed to operate in the specified frequency ranges (depending on the selected type of vehicle and the tasks to be solved).

[0079] Module 304 determines the frequency range at which data is transmitted between the key fob and the radio receiver. At the initial moment of time, before installing the device 301 in the vehicle, the frequency at which the system of uncontrolled access to the vehicle operates is determined (this parameter may differ for each vehicle). After setting this parameter, the radio transmitter module 304 will detect interference in the specified frequency range.

[0080] Module 304 is required to perform 2 main functions: [0081] Listening to the selected frequency range, including identification of the “open doors” command; [0082] Interference in the selected frequency range in the case of setting the vehicle in the “Guard” mode.

[0083] This device can be implemented: [0084] As a standalone device [0085] And as part of the system (as an integral part of the complex).

[0086] The module 305 is a device for the owner of the vehicle. Using this device the owner performs activation/deactivation and performs configuration using the device 301.