Over the last half century the automotive industry has, initially slowly and subsequently with great rapidity, been evolving from mechanical control systems that control a vehicle's functions to electronic “drive by wire” control systems that control those functions. In mechanical vehicular control systems, a driver of a vehicle controls the components that perform vehicle functions by operating mechanical systems that directly couple the driver to the components via mechanical linkages. In drive by wire vehicle control systems, a driver may be coupled directly, and very often indirectly, to the vehicle control components that control vehicle functions by electronic control systems and electronic wire and/or wireless communication channels, rather than by direct mechanical linkages. The driver controls the control components by generating electronic signals that are input to the communication channels and the electronic control systems.
Typically, a vehicular electronic control system includes a user interface for receiving driver actions intended to control a vehicle function, transducers that convert the actions to electronic control signals, and a plurality of sensors and/or actuators that generate signals relevant to the function. In other cases, electronic control systems and sensors are used in, or for, autonomous cars (e.g., driverless cars, self-driving cars, robotic cars and the like) as known in the art. An electronic control unit (ECU) of the control system receives user generated signals and the signals generated by the sensors and/or actuators, and responsive to the signals, operates to control a vehicle component involved in performing the function. The ECU of a given control system may also receive and process signals relevant to performance of the function generated by, and/or by components in, other vehicle control systems. The sensors, actuators, and/or other control systems communicate with each other and the ECU of the given control system via a shared in-vehicle communication network, to cooperate in carrying out the function of the given control system. Messages sent over an in-vehicle network as described herein may include signals and/or signal values.
By way of example, a vehicle throttle by wire control system that replaces a conventional cable between an accelerator pedal and an engine throttle may include an electronic accelerator pedal, an ECU also referred to as an engine control module (ECM), and an electronic throttle valve that controls airflow and/or fuel injection into the engine and thereby controls the power that the engine produces. The electronic accelerator pedal generates electronic signals responsive to the positions to which a driver depresses the pedal. The ECM receives, via an in-vehicle communication network, the accelerator pedal signals and in addition electronic signals that may be generated by other sensors, actuators, and electronic control systems in the vehicle that provide information relevant to the safe and efficient control of the engine. The ECM processes the driver input signals and the other relevant signals to generate electronic control signals that control the throttle. Among the other sensors, actuators, and electronic control systems that may provide relevant signals to the ECM over the in-vehicle network are air-flow sensors, throttle position sensors, fuel injection sensors, engine speed sensors, vehicle speed sensors, brake force and other traction control sensors included in a brake by wire system, and cruise control sensors. Typically, messages sent over an in-vehicle network as described herein include one or more signals or signal values. The terms message and signal as used herein may mean, or relate to, values sent by nodes on an in-vehicle network; accordingly, the terms message and signal may be used interchangeably herein.
In-vehicle communication networks of modern vehicles are typically required to support communications for a relatively large and increasing number of electronic control systems of varying degrees of criticality to the safe and efficient operation of the vehicles. A modern vehicle may, for example, be home to as many as seventy or more control system ECUs that communicate with each other and with sensors and actuators that monitor and control vehicle functions via the in-vehicle network. The ECUs may, by way of example, be used to control, in addition to the engine throttle described above, power steering, transmission, antilock braking (ABS), airbag operation, cruise control, power windows, doors, and mirror adjustment.
In addition, an in-vehicle network typically supports on board diagnostic (OBD) systems and communication ports, various vehicle status warning systems, collision avoidance systems, audio and visual information and entertainment (known in the art as infotainment) systems and processing of images acquired by on-board camera systems. The in-vehicle network in general also provides access to mobile communication networks, e.g., WiFi and Bluetooth communication networks or systems, tire pressure monitor system (TPMS), vehicle to vehicle and vehicle to infrastructure communication (V2X), keyless entry system, the Internet, and global positioning systems (GPS).
Various communication protocols have been developed to configure, manage, and control communications of vehicle components that are connected to, and communicate over, an in-vehicle communication network. Popular in-vehicle network communication protocols currently available are controller area network (CAN), an automotive network communications protocol known as FlexRay, Media Oriented Systems Transport (MOST), Ethernet, and local interconnect network (LIN). The protocols may define a hardware communication bus and how the ECUs, sensors and actuators, generically referred to as nodes, connected to the communication bus access and use the bus to transmit signals to each other.
The growing multiplicity of electronic control systems, sensors, actuators, ECUs and communication interfaces and ports that an in-vehicle communication network supports makes the in-vehicle communication network, and the vehicle components that communicate via it, increasingly vulnerable to attempts (e.g., by hackers) to damage, destroy, or interfere with the operation of an in-vehicle network, node or system (e.g., cyber-attacks as known in the art), which may dangerously compromise vehicle safety and performance. In addition, the growing complexity of electronic control systems in vehicles makes it harder than before to identify and/or detect faults or malfunctions of, or related to, components and networks included in a vehicle.
ECUs may be configured to receive or send data (e.g., “update data” that may include software updates) over an in-vehicle network. For example, a session initiator (for example, a diagnostic terminal) may transfer update data to a target node, device or component, e.g., an ECU (“target ECU”) that is targeted for receiving the transferred update data. Establishment and execution of an update data transfer session (which may be referred to herein as a “transfer session”) may include preparatory steps performed by the initiator and the target ECU, which steps may be characterized as being part of the following stages: a “session request stage” in which the initiator transmits a “session request” message to request a transfer session with the target ECU; a “security access stage” in which the initiator exchanges security messages with the target ECU to gain security access; and a “pre-transfer stage” in which the initiator transmits an “update start” message to the target ECU that notifies the target ECU that the initiator is ready to begin transferring update data, and which may include specifications regarding the upcoming update data transfer, for example the size of the update data. By way of example, control of the transfer session between the initiator and the target ECU may follow the ISO 14229 Unified Diagnostic Services (UDS) standard or the DoIP standard. A transfer session as referred to herein may relate to any transfer, exchange or communication of data that may be performed according to any communication, diagnostic or other protocol. A transfer session may include one or more messages.
Update data may include instructions that alter the function of the ECU. By way of example, update data may be a firmware update. Alternatively, or additionally, update data may include instructions, or data that results in instructions, for a given action to be executed by a control system comprising the ECU. As such, a malicious entity may take advantage of the software update process, for example by injecting messages into a data transfer session or by hijacking a data transfer session. For example, this may allow the attacker to render ECUs inoperable or to update the firmware or configuration of the target ECUs in the vehicle. For example, an attacker may wait for a transfer session to commence and, once such a session is detected, may attempt to use it for malicious purposes. The attacker may wait until the authentication stage (for example the “security access” stage) of the session is over, which will allow the attacker to interfere with the session even though the attacker is not able to perform a proper authentication. In another example, the attacker may initiate a malicious transfer session. By way of example, the update data may include a firmware update and/or instructions that reconfigure the engine unit to be less efficient, overcharge or undercharge batteries, disable or improperly activate brake units, unlock car doors, change persistent records such as the odometer or the vehicle identification number (VIN), or disable dashboard warning lights.
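The following is an added example, not part of the original text or of any product it describes, showing how a bus monitor can track the session request, security access and pre-transfer stages of a UDS transfer session and flag the two misuse patterns named above: a session that reaches the update start without completing security access, and messages injected into a session after security access has succeeded. It assumes ISO 14229 service identifiers (0x10 DiagnosticSessionControl, 0x27 SecurityAccess, 0x34 RequestDownload, 0x36 TransferData, 0x37 RequestTransferExit, positive responses at SID + 0x40, negative responses under 0x7F), that ISO-TP reassembly has already been done so each frame carries one complete service payload, and that the initiator and target ECU use the fixed CAN arbitration ids 0x7E0 and 0x7E8; the sample traffic is constructed, not captured from a vehicle.

```python
"""Stage-ordering monitor for ISO 14229 (UDS) update-data transfer sessions on CAN.

Assumptions (not from the page): ISO-TP reassembly is already done, so each
Frame holds one complete UDS service payload whose first byte is the SID; the
initiator and target ECU use one fixed CAN arbitration id each.
"""
from dataclasses import dataclass
from typing import List, Optional

# ISO 14229 service identifiers used by an update-data transfer session
SID_DIAGNOSTIC_SESSION_CONTROL = 0x10   # "session request" stage
SID_SECURITY_ACCESS = 0x27              # "security access" stage
SID_REQUEST_DOWNLOAD = 0x34             # "update start" (pre-transfer stage)
SID_TRANSFER_DATA = 0x36                # update data blocks
SID_REQUEST_TRANSFER_EXIT = 0x37        # end of the transfer
POSITIVE_RESPONSE_OFFSET = 0x40         # positive response SID = request SID + 0x40
NEGATIVE_RESPONSE_SID = 0x7F


@dataclass
class Frame:
    can_id: int
    data: bytes


@dataclass
class SessionState:
    stage: str = "idle"                   # idle -> requested -> secured -> transferring
    declared_size: Optional[int] = None   # memorySize announced in RequestDownload
    received: int = 0                     # update data bytes seen so far


def parse_memory_size(req: bytes) -> Optional[int]:
    """RequestDownload layout: SID, dataFormatIdentifier, addressAndLengthFormatIdentifier
    (low nibble = address length, high nibble = size length), memoryAddress, memorySize."""
    if len(req) < 3:
        return None
    addr_len, size_len = req[2] & 0x0F, req[2] >> 4
    size_bytes = req[3 + addr_len: 3 + addr_len + size_len]
    return int.from_bytes(size_bytes, "big") if len(size_bytes) == size_len else None


class TransferSessionMonitor:
    """Tracks one initiator/target pair and records an alert for every message
    that is out of stage order, from an unexpected node, or larger than declared."""

    def __init__(self, initiator_id: int = 0x7E0, target_id: int = 0x7E8):
        self.initiator_id, self.target_id = initiator_id, target_id
        self.state = SessionState()
        self.alerts: List[str] = []

    def observe(self, frame: Frame) -> None:
        if not frame.data:
            return
        if frame.can_id == self.initiator_id:
            self._on_request(frame.data)
        elif frame.can_id == self.target_id:
            self._on_response(frame.data)
        else:  # diagnostic traffic from a node that is neither initiator nor target
            self.alerts.append(f"UDS frame from unexpected node 0x{frame.can_id:X}")

    def _on_request(self, data: bytes) -> None:
        sid, st = data[0], self.state
        if sid == SID_REQUEST_DOWNLOAD:
            if st.stage != "secured":
                self.alerts.append("update start before security access completed")
            st.declared_size = parse_memory_size(data)
        elif sid == SID_TRANSFER_DATA:
            if st.stage != "transferring":
                self.alerts.append("TransferData outside an established transfer")
                return
            st.received += len(data) - 2   # minus SID and block sequence counter
            if st.declared_size is not None and st.received > st.declared_size:
                self.alerts.append(f"transfer exceeds declared size ({st.received} > {st.declared_size})")
        elif sid == SID_REQUEST_TRANSFER_EXIT:
            self.state = SessionState()    # session over; back to idle

    def _on_response(self, data: bytes) -> None:
        sid, st = data[0], self.state
        if sid == NEGATIVE_RESPONSE_SID and len(data) >= 2 and data[1] == SID_SECURITY_ACCESS:
            self.alerts.append("security access rejected by target ECU")
        elif sid == SID_DIAGNOSTIC_SESSION_CONTROL + POSITIVE_RESPONSE_OFFSET:
            st.stage = "requested"
        elif sid == SID_SECURITY_ACCESS + POSITIVE_RESPONSE_OFFSET:
            # sub-function odd = seed returned, even = key accepted
            if len(data) >= 2 and data[1] % 2 == 0 and st.stage == "requested":
                st.stage = "secured"
        elif sid == SID_REQUEST_DOWNLOAD + POSITIVE_RESPONSE_OFFSET and st.stage == "secured":
            st.stage = "transferring"


def run(frames: List[Frame]) -> List[str]:
    mon = TransferSessionMonitor()
    for f in frames:
        mon.observe(f)
    return mon.alerts


# Constructed sample traffic (not captured from a real vehicle).
LEGIT = [
    Frame(0x7E0, bytes([0x10, 0x02])),                                  # session request
    Frame(0x7E8, bytes([0x50, 0x02, 0x00, 0x32, 0x01, 0xF4])),
    Frame(0x7E0, bytes([0x27, 0x01])),                                  # request seed
    Frame(0x7E8, bytes([0x67, 0x01, 0xAA, 0xBB, 0xCC, 0xDD])),
    Frame(0x7E0, bytes([0x27, 0x02, 0x11, 0x22, 0x33, 0x44])),          # send key
    Frame(0x7E8, bytes([0x67, 0x02])),                                  # key accepted
    Frame(0x7E0, bytes([0x34, 0x00, 0x44, 0, 0, 0x80, 0, 0, 0, 0, 8])),  # update start, 8 bytes
    Frame(0x7E8, bytes([0x74, 0x20, 0x0F, 0xF2])),
    Frame(0x7E0, bytes([0x36, 0x01]) + bytes(8)),                       # 8 bytes of update data
    Frame(0x7E0, bytes([0x37])),
]
SKIPPED_AUTH = LEGIT[:2] + [LEGIT[6]]          # update start with no security access
INJECTED = LEGIT[:8] + [Frame(0x7E1, bytes([0x36, 0x01]) + bytes(8)),   # block from a third node
                        LEGIT[8], Frame(0x7E0, bytes([0x36, 0x02]) + bytes(8))]  # more than declared

if __name__ == "__main__":
    for name, frames in (("legit", LEGIT), ("skipped_auth", SKIPPED_AUTH), ("injected", INJECTED)):
        print(name, run(frames))
```

The monitor is deliberately stateful per initiator/target pair: a TransferData block is only acceptable once the target ECU has positively acknowledged the update start, and the update start is only acceptable after the key has been accepted, so a session that jumps straight to the pre-transfer stage, a block arriving from an arbitration id that never took part in security access, or a transfer that runs past the size declared in the update start message each produce an alert.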