Recent advances in in-vehicle technology have paved the way to connecting vehicles to the external world. Car makers are adding various connectivity and telematics solutions for passenger and fleet vehicles. They have also introduced solutions that either use an embedded modem or connect to the Internet via the driver's or passenger's cellphone (e.g., GM OnStar, Ford Sync). In addition, fleet solution providers offer devices that attach to the vehicle's on-board diagnostics (OBD2) port (e.g., Delphi Connect and Zubie). As a result, in-vehicle networks are being connected to external communication channels for remote diagnostics and remote triggering of on-board functions.
Externally connected devices collect in-vehicle data from, and inject messages into, in-vehicle networks. The controller area network (CAN) bus, the de facto in-vehicle network, is connected to outside networks via external interfaces such as 3G/4G, WiFi and Bluetooth. The device sitting between the internal and external networks is called an external interface ECU, or simply a gateway.
Car manufacturers do not want to expose their intellectual assets via vehicle connectivity, since their in-vehicle message semantics are usually proprietary. Thus, the gateway translates in-vehicle data into richly typed data (e.g., JSON, XML), keeping the proprietary encoding concealed inside the vehicle.
However, the gateway may itself be compromised and then become a threat to vehicle safety and security. Since all transmission to and from an external entity relies entirely on the gateway, the communicated data becomes untrustworthy once the gateway is compromised: a compromised gateway can translate messages incorrectly, or drop or delay them. This is referred to here as the “bogus interpreter problem.”
Existing communication models only consider communication security between the vehicle's gateway and an external entity, by applying a network security layer such as transport layer security (TLS). Because such a channel terminates at the gateway, it protects data in transit between the gateway and the external entity but offers no protection against the gateway itself. There have also been various efforts to provide cyber-vehicle security, but they still lack support for secure data exchange between internal ECUs and external networks.
In this disclosure, a secure communication protocol is presented for exchanges between internal ECUs and external devices. The proposed protocol provides translation together with end-to-end security between an external entity (e.g., the car maker's server) and in-vehicle components, which cannot be achieved with a naive approach such as TLS, mainly because the in-vehicle bus (e.g., CAN) and in-vehicle controllers are severely resource-limited. The proposed protocol is shown to be resilient against message forgery and dropping by a compromised gateway.
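The following is an added illustration of the bogus interpreter problem and of what end-to-end protection across an untrusted gateway has to achieve; it is not the disclosure's protocol and is not code from the disclosure. It assumes a constructed 8-byte CAN data layout (a 16-bit signal, a 16-bit counter, and a 4-byte truncated HMAC over the CAN identifier, signal and counter) and a key shared only by the ECU and the server, never held by the gateway. The gateway translates the frame into JSON; an honest gateway forwards the raw data field untouched, while a compromised one mistranslates the value, drops frames, or fabricates a frame outright. The server verifies the tag on the raw bytes, recomputes the signal value from them, and tracks the counter, so mistranslation, forgery and drops are each detected at the external entity rather than trusted from the gateway.

```python
import hashlib
import hmac
import json
import struct

# Constructed example values (assumptions for this illustration, not from the disclosure).
ECU_KEY = b"demo-key-shared-by-ecu-and-server"  # the gateway never holds this key
CAN_ID_SPEED = 0x1A0                             # constructed CAN identifier for vehicle speed
TAG_LEN = 4                                      # truncated tag so [speed:2][counter:2][tag:4] fits 8 bytes


def _tag(key, can_id, payload):
    """Truncated HMAC-SHA256 over (CAN id, signal, counter); truncation is an assumption."""
    return hmac.new(key, struct.pack(">I", can_id) + payload, hashlib.sha256).digest()[:TAG_LEN]


def ecu_build_frame(key, can_id, speed_kmh, counter):
    """ECU side: pack the signal and a monotonically increasing counter, then append the tag."""
    payload = struct.pack(">HH", speed_kmh, counter)
    return (can_id, payload + _tag(key, can_id, payload))


def gateway_translate(frame):
    """Honest gateway: decode the proprietary layout into JSON for the server and pass the
    raw data field through unchanged so the end-to-end tag survives translation."""
    can_id, data = frame
    speed, counter = struct.unpack(">HH", data[:4])
    return json.dumps({"signal": "vehicle_speed_kmh", "value": speed,
                       "counter": counter, "id": can_id, "raw": data.hex()})


def bogus_gateway_translate(frame):
    """Compromised gateway: same JSON shape, but the reported value is wrong (mistranslation).
    It cannot re-tag the raw bytes because it lacks the key."""
    can_id, data = frame
    speed, counter = struct.unpack(">HH", data[:4])
    return json.dumps({"signal": "vehicle_speed_kmh", "value": speed - 30,
                       "counter": counter, "id": can_id, "raw": data.hex()})


class ServerVerifier:
    """External entity: trusts only what the ECU's key authenticates, not the gateway's JSON."""

    def __init__(self, key, next_counter=0):
        self.key = key
        self.next_counter = next_counter

    def check(self, msg_json):
        msg = json.loads(msg_json)
        data = bytes.fromhex(msg["raw"])
        payload, tag = data[:4], data[4:]
        # 1. Forgery: the tag must verify under the ECU/server key.
        if not hmac.compare_digest(tag, _tag(self.key, msg["id"], payload)):
            return "forged"
        speed, counter = struct.unpack(">HH", payload)
        # 2. Replay or drop: the authenticated counter must be the next expected one.
        if counter < self.next_counter:
            return "replayed"
        verdict = "ok"
        if counter > self.next_counter:
            verdict = "dropped:%d" % (counter - self.next_counter)
        self.next_counter = counter + 1
        # 3. Mistranslation: the gateway's decoded value must match the authenticated bytes.
        if msg["value"] != speed:
            return "mistranslated"
        return verdict


def run_demo():
    """Walk through honest forwarding, mistranslation, a drop, a fabricated frame, and recovery."""
    frames = [ecu_build_frame(ECU_KEY, CAN_ID_SPEED, s, i) for i, s in enumerate([50, 52, 55, 57, 60])]
    server = ServerVerifier(ECU_KEY)
    results = []
    results.append(server.check(gateway_translate(frames[0])))          # honest
    results.append(server.check(bogus_gateway_translate(frames[1])))    # value altered, raw intact
    results.append(server.check(gateway_translate(frames[3])))          # frame 2 silently dropped
    forged = (CAN_ID_SPEED, struct.pack(">HH", 0, 4) + b"\x00" * TAG_LEN)  # gateway has no key
    results.append(server.check(gateway_translate(forged)))
    results.append(server.check(gateway_translate(frames[4])))          # honest again
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would attach: a 4-byte tag and a 16-bit counter are sized to the CAN payload, so truncation strength, counter wrap-around and key provisioning all need a design decision that this sketch does not make; and while a counter gap exposes dropped frames, a delayed frame is only visible if the server also expects the signal on a schedule, which is why delay is listed alongside drop and mistranslation in the problem statement.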
This section provides background information related to the present disclosure which is not necessarily prior art.