The present invention relates to a method and an apparatus for operating a motor vehicle, which method or apparatus is suitable for increasing the security of the motor vehicle.
A problem exists in the theft of motor vehicles. In order to prevent such theft or at least make it more difficult, anti-theft systems are known and are also at least recommended or even prescribed by auto insurance companies for motor vehicles. If an electronic immobilizer, for example, has been set up in the motor vehicle, it prevents the engine from being started without the corresponding electronic key. Another possible way of preventing unauthorized starting of the motor vehicle is to implement departure codes in a corresponding control unit of the motor vehicle. These departure codes are known, at best, to only authorized persons, with the result that it is impossible for unauthorized third parties to change the motor vehicle to a driving mode. In addition, various anti-theft systems are known which indicate malicious opening of the motor vehicle by way of acoustic or visual alarm signals, for example.
Since motor vehicles are nowadays increasingly being equipped with communication interfaces, further points of attack arise for unauthorized intrusion or unauthorized use by third parties. Examples of accordingly suitable communication technologies are WLAN, Ethernet, NFC, Car-to-X and Bluetooth, which are nowadays implemented in the vehicle system of a motor vehicle. In this context, WLAN is an abbreviation for the English expression Wireless Local Area Network and denotes a local radio network, in particular according to a standard in the IEEE 802.11 family. Ethernet denotes a local wired network, which makes it possible to interchange data between devices connected to the local network to the largest possible extent, according to the IEEE 802.3 standard. The acronym NFC is an abbreviation for the English expression Near Field Communication and is an international transmission standard for contactlessly interchanging data by radio technology over short distances and is usually carried out according to either of the standards ISO 14443 and ISO 15693. The expression Car-to-X is a comprehensive designation for communication paths between a motor vehicle and an information source, which information source is abbreviated using the placeholder X. In this context, examples are Car-to-Car and Car-to-Infrastructure communications which describe the interchange of data between motor vehicles and between a motor vehicle and the traffic infrastructure. In this case, it is possible to use different communication technologies, for example a technology in the IEEE 802.11 family. Bluetooth is another technology which makes it possible to transfer data between devices over short distances by radio technology. In this context, the data are transmitted according to the industry standard IEEE 802.15.1. A vehicle may also communicate wirelessly with devices outside the vehicle via a mobile radio interface, for example according to one of the standards GSM, GSM2, GSM3 or GSM4 (LTE). A communication connection may also be effected using a plurality of said technologies and/or via the Internet.
These types of communication make it possible, inter alia, to intervene in the vehicle system without necessarily having to have physical access to the motor vehicle. Internet connections even make it possible for unauthorized third parties to intervene in a manner independent of the location. On account of these risks of attack, further protection of the motor vehicle is necessary in order to prevent intervention by unauthorized third parties or at least to make such intervention more difficult.
An object is to provide a method and an apparatus, which method or apparatus is suitable for increasing the security of the motor vehicle in order to therefore render intrusion and use by unauthorized persons, for example, more difficult.
According to a first aspect of the invention, a method for operating a motor vehicle includes a plurality of steps. In this case, provision is made for measurement signals which comprise information relating to a temporal current and/or voltage profile of an electronic control unit of the motor vehicle to be received. The method also comprises providing vehicle information which includes information relating to a desired state which is representative of a characteristic current and/or voltage profile of the electronic control unit. As part of the method, a discrepancy between the received measurement signals and the vehicle information provided is determined in the further course. If the discrepancy determined is greater than a predefined tolerance value as part of this method, a manipulated state of the electronic control unit is determined.
In this manner or using the steps according to the invention, it is possible, for example, to determine unauthorized intrusion in the vehicle system or unauthorized use of the motor vehicle. In this context, the electronic control unit forms at least one component of the vehicle system and is set up, for example, to open doors or windows of the motor vehicle. Alternatively or additionally, the electronic control unit is designed to start an engine of the motor vehicle or to control further electronics in the motor vehicle. It is possibly a component of the vehicle system or controls all electronic operations inside the motor vehicle as a type of electronic control center.
In this context, use is made of the knowledge that an electronic component has a characteristic temporal current and/or voltage behavior in an authorized mode. This characteristic temporal current and/or voltage behavior of the electronic component acts as a type of fingerprint which can be used to identify the electronic component and to determine normal operation of this electronic component.
As part of the method, a temporal current and/or voltage profile of the electronic control unit of the motor vehicle is accordingly monitored by comparing the measured current and/or voltage profile of the electronic control unit with a stored characteristic current and/or voltage profile for this electronic control unit.
The vehicle information which is provided and includes at least the desired state of the electronic control unit is stored, for example, in a data memory which is associated with the electronic control unit, for example, and is arranged inside the motor vehicle or is arranged outside the motor vehicle, for example in a backend, and is possibly provided by the vehicle manufacturer.
The vehicle system, including its electronic control units, constitutes a known electronic system which is established at the time the motor vehicle is manufactured, with the result that the characteristic current and/or voltage profiles of the electronic control units installed in the motor vehicle are known.
If an electronic control unit is manipulated, whether physically or using the available communication interfaces, this results in a change in the temporal current and/or voltage profile, in particular during a starting operation of the control unit, which can be determined by a comparison with the known characteristic current and/or voltage profile. The temporal current and/or voltage profile of the electronic control unit is therefore used as a type of security identification parameter, which makes it possible to further improve theft protection of motor vehicles which is possibly already present.
In this context, it is necessary to predefine a tolerance value for the measured current and/or voltage profile so that a manipulated state of the electronic control unit is reliably determined. This tolerance value is justified, inter alia, by possible fluctuations of the measurement signal or by the measurement tolerances of the measuring devices which are always present. If the measured temporal current and/or voltage profile of the electronic control unit differs from the characteristic current and/or voltage profile including the predefined tolerance value, a manipulated state of the electronic control unit is reliably determined. Depending on the measuring system, including the measurement signal acquisition by the measuring devices and subsequent evaluation, tolerance values of 0.1% or 5% to be complied with are feasible, for example. In this context, it is pointed out that the tolerance values to be complied with are generally dependent on the available measuring technology and the component to be measured in the vehicle system of the motor vehicle, with the result that, for an electronic control unit with a low current requirement for example, a possibly larger tolerance value than for an electronic control unit with a higher current requirement is advantageous during a current and/or voltage measurement.
It is then possible in the further course to prevent theft of the motor vehicle, for example by providing control signals. These control signals are consequently generated when a manipulated state has been determined. Control signals are understood as meaning control signals in addition to those which are needed to control the vehicle system during operation of the motor vehicle. Refinements with respect to the provision of control signals are described below.
According to one refinement of the first aspect, the received measurement signals include information relating to an actual energy consumption of the electronic control unit. The vehicle information provided also includes information relating to a desired energy consumption of the electronic control unit.
The electronic control units in a motor vehicle are generally connected to a management unit or electronic control center of the motor vehicle which controls the electronics of the motor vehicle as a type of superordinate decision-making entity. For example, this also includes controlling a current source or a current distributor inside the motor vehicle, as a result of which the electronic control units are supplied with current. If a function managed by the electronic control unit is required, the electronic control unit is activated. This makes it possible to log the actual energy consumption of the electronic control unit and to compare it with the known desired energy consumption. If the actual energy consumption deviates from the desired energy consumption including any tolerances, a manipulated state of the electronic control unit is diagnosed.
According to another refinement of the first aspect, the method comprises outputting an information signal if a manipulated state of the electronic control unit has been determined.
This refinement is an example of the above-described additional control signals which therefore signal unauthorized intrusion in the vehicle system of the motor vehicle by way of an acoustic and/or optical signal, for example. Such signals are implemented, for example, by activating a horn of the motor vehicle and/or a lighting system. In addition, it is also possible to indicate the manipulated state of the electronic control unit by transmitting an item of information to the manufacturer and/or the owner of the motor vehicle. This is then reported, for example, in the form of an emergency call with the message “possible theft”.
According to another refinement, the method comprises preventing a drive unit of the motor vehicle from being started if a manipulated state of the electronic control unit has been determined.
This prevents an unauthorized starting operation of the engine of the motor vehicle, for example by means of provided control signals, in order to thus counteract the theft of the motor vehicle. For example, a relay inside the vehicle system of the motor vehicle is opened, with the result that there is temporarily no connection between the engine and an energy supply of the motor vehicle.
According to another refinement of the first aspect, the method comprises outputting a deactivation signal for deactivating at least one departure code for the motor vehicle if a manipulated state of the electronic control unit has been determined.
This refinement prevents, for example, a starting operation of the engine of the motor vehicle, which is initiated by inputting departure codes. If a manipulated state has been determined, theft of the motor vehicle is prevented in this manner.
According to another refinement of the first aspect, the method comprises outputting a deactivation signal for deactivating an energy supply of the motor vehicle if a manipulated state of the electronic control unit has been determined.
In this context, the energy supply of the motor vehicle is deactivated in order to thus prevent unwanted opening of doors and/or windows, for example. This can be implemented, for example, by way of a relay inside the vehicle system, which relay, in a similar manner to that described above, is opened by the deactivation signal and therefore prevents a connection between the electronic control unit and the energy supply inside the motor vehicle.
According to another refinement of the first aspect, the method comprises outputting a deactivation signal for deactivating current paths inside the motor vehicle if a manipulated state of the electronic control unit has been determined.
This makes it possible to deliberately isolate and/or deactivate the manipulated electronic control unit, with the result that further electronic control units remain active. In addition, it is also possible to use the deactivation signal to deactivate individual electrical supply lines by means of a deliberate short circuit, with the result that operation of the electronic control unit is possible again only after maintenance, for example, and theft or unauthorized intrusion is therefore prevented.
According to another refinement of the first aspect, the method comprises outputting a switch-off signal for selectively switching off the electronic control unit of the motor vehicle if a manipulated state of the electronic control unit has been determined.
In addition, it is pointed out that the individual refinements can also be combined in any desired manner.
According to a second aspect of the invention, an apparatus for operating a motor vehicle is designed to carry out at least one of the methods described above.
According to one refinement of the second aspect, the apparatus for operating a motor vehicle comprises at least one current and/or voltage sensor which is coupled, by signaling, to an electronic control unit of the motor vehicle and whose measurement signal is representative of a temporal current and/or voltage profile of the electronic control unit. The apparatus also comprises a data memory which stores vehicle information which includes information relating to a characteristic current and/or voltage profile of the electronic control unit. The apparatus also includes a management unit which is coupled, by signaling, to the at least one current and/or voltage sensor and to the data memory and is designed to receive measurement signals from the at least one current and/or voltage sensor and the vehicle information stored in the data memory. The management unit determines a manipulated state of the vehicle system or of the electronic control unit of the motor vehicle on the basis of a discrepancy between the measurement signals and the vehicle information.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.