It is known in the art to interconnect a vehicle's internal device control units via field buses such as CAN, J1850, VAN, and others. These device control units are typically inaccessible from outside the vehicle. Protection from unauthorised access from outside is essential to ensure safe operation, since the device control units directly access safety-sensitive hardware such as the vehicle braking system.
Recent attention has been given to the idea of vehicles being connected via a mobile link to networks such as the Internet, to enable drivers and passengers to access traffic and navigation information for example, and to support emergency and breakdown calls from the vehicle. In the past, these applications have not needed to interact with the vehicle's internal network which interconnects the electronic control units. A typical protocol for these communication functions is the upcoming Global Automotive Telematic Standard (GATS).
A serious security problem arises as soon as Internet access, or other network access, is desired to enable operations relating to the vehicle's internal electronic device control units to be initiated by users or programs elsewhere in the network. For example, there may be requirements to allow an authorised breakdown service company or the vehicle manufacturer to be able to request specific operational data to diagnose problems and then to remotely initiate corrective operations. If remote access to the vehicle's internal buses is possible, then there is a risk of hackers interfering with the vehicle's internal communications, and changing system parameters or triggering operations which could lead to control unit faults. There is also a risk of hackers obtaining confidential information from the internal control units. There is currently no known solution to these problems which applies to vehicles.
Additionally, if software can be downloaded via the network links, there is a potential for such downloaded software to monopolize the available hardware resources or the vehicle's internal communication bus. This could impact the performance of critical operations.
Similar problems arise in non-vehicle environments, whenever there is a need to achieve both the protection of resources from unauthorised operations and the ability to invoke certain operations relating to the protected resources from elsewhere in a network.