The invention relates to a method, a server, a firewall, a control unit and a system for programming a control unit of a vehicle.
Currently, vehicle software or vehicle software settings to be programmed are frequently transmitted unencrypted to the respective control units of a vehicle. Although the transmission channel can be encrypted for the transmission, the vehicle software is mostly present unencrypted on the computer of the transmitter and/or of the receiver. For example, the unencrypted vehicle software settings of computers of the manufacturer of a vehicle can be distributed to computers of repair workshops for servicing purposes. Thus, the vehicle software settings can be present unencrypted on the computers of repair workshops and/or the computers of the manufacturer of a vehicle. The unencrypted vehicle software settings can be disassembled, for example, to restore the original source code from the binary code of the vehicle software. By this means, the mode of action of control units and/or the security architecture of the software of vehicles can be analyzed. During a transmission of encrypted vehicle software settings it may be necessary that the key for decrypting the encrypted vehicle software setting is transmitted between the transmitter and the receiver, e.g. between a computer of the vehicle manufacturer and a computer of the repair workshop. If data thieves come into possession of the key on the computer of the transmitter and/or on the computer of the receiver together with the associated encrypted vehicle software settings, an unauthorized decryption by an untrustworthy third party may be possible.
It is an object of the invention to improve the security of the programming of control units of a vehicle. In particular, it is an object of the invention to improve the security in writing vehicle software settings and/or keys into a control unit.
The invention is distinguished by a method for programming a control unit of a vehicle. The method comprises the writing of a first software module via a first interface into the control unit. The method also comprises the blocking of the first interface of the control unit. After the blocking of the interface, a key is stored via a second interface in a secured storage area of the control unit and encrypted vehicle software is written via the second interface into the control unit. The encrypted vehicle software is decrypted by the first software module using the written key. The decrypted vehicle software is stored in a storage area of the control unit. Finally, a read protection for the storage area of the decrypted vehicle software is installed.
By blocking the first interface of the control unit, a read-out of the key and of the unencrypted vehicle software via the first interface can be prevented. Further the read-out of the unencrypted vehicle software via further interfaces of the control unit can be prevented by installing read protection. By this means, the security of the control unit can be increased. Furthermore, writing of the vehicle software or of the vehicle software setting can be encrypted so that an untrustworthy third party does not have the option to decrypt the encrypted vehicle software and/or to disassemble the content of the vehicle software.
According to an advantageous embodiment, the blocking of the first interface can comprise conveying a command for blocking the first interface of the control unit from the server to the control unit and executing the command for blocking the first interface on the control unit. By means of a command-controlled blocking of the first interface, the first interface, e.g. a diagnostic interface, of the control unit can be blocked in a simple manner. No further program and/or no further function is necessary for blocking the first interface. Furthermore, blocking can be carried out actively so that controlling the blocking can be activated from outside the control unit. By this means, control of the programming of the control unit can be simplified.
According to a further advantageous embodiment, the command for blocking the first interface can be conveyed from the server to a firewall and the command for blocking the first interface can be conveyed from the firewall via the second interface of the control unit to the control unit. By conveying the command for blocking the interface via a firewall, controlling of the blocking of the first interface of the control unit can be improved. By using a firewall, it can be restricted which unit or which computer may transmit the command for blocking the first interface. For example, rules in the firewall can specify which computer may convey the command to the firewall. Thus, the blocking of the first interface can be monitored and controlled efficiently. The command for blocking the first interface can thus take place via a secured interface between the firewall and the control unit which further increases the security of the programming of the control unit.
According to a further advantageous embodiment, the method can comprise conveying a command for writing a key from the server to the firewall and executing the command for writing the key in the firewall. Executing the command for writing the key in the firewall can also comprise blocking the interface between the firewall and the server, reading the key out of a memory of the firewall, conveying the key via the second interface of the control unit from the firewall to the control unit and releasing the interface between the firewall and the server. By this means, the security in writing the key from the firewall into the control unit can be increased. By blocking the interface between the firewall and the server, possible attacks by the server on the firewall in order to read the key out of the firewall, for example, can be prevented.
According to a further advantageous embodiment, the conveying of the key can comprise conveying an inquiry to the control unit as to whether the first interface is blocked and receiving a response of the control unit as to whether the first interface is blocked. The key can be conveyed via the second interface of the control unit when the response comprises a confirmation that the first interface of the control unit is blocked. This makes it possible to ensure that the control unit is in a state which prevents the read-out or change of the key from the control unit via the first interface of the control unit. The security in writing the key can thus be increased.
According to a further advantageous embodiment, the method can comprise conveying the encrypted vehicle software from the server to the firewall, blocking the interface between the firewall and the server and conveying the encrypted vehicle software from the firewall to the control unit. Advantageously, the encrypted vehicle software can be transmitted from the firewall to the control unit only when the interface between the server and the firewall is blocked. By this means, the security of the method can be increased further. The distribution of the encrypted vehicle software can take place independently of the distribution of the key. The firewall ensures that there is no transmission of the key from the server to the firewall. It is only the encrypted vehicle software which has to be transmitted from the server to the firewall.
The invention is also distinguished by a server for programming a control unit, the server being designed for receiving a first software module, receiving encrypted vehicle software, conveying the first software module via a first interface to a control unit, conveying a command for blocking the first interface to the control unit, conveying the encrypted vehicle software to the firewall and conveying a command for writing a key to the firewall.
The invention is also distinguished by a firewall for programming a control unit, the firewall being designed for receiving a command for blocking a first interface of a control unit, forwarding the command for blocking the first interface to the control unit, receiving encrypted vehicle software, receiving a command for writing a key into the control unit, writing the key via a second interface into a secured storage area of the control unit and conveying the encrypted vehicle software via the second interface to the control unit.
The invention is also distinguished by a control unit, the control unit comprising a first interface which is designed to receive a first software module. The control unit also comprises a first storage element which is designed to store the first software module, a second storage element which is designed to store unencrypted vehicle software, and a third storage element which is designed to store a key. Within the context of the present document, the first, second and/or third storage element can be storage areas of one or more nonvolatile memories or storage elements of a control unit. The control unit also comprises a processor and instructions for execution on the processor which, when executed on the processor, execute the above-described method.
The invention is also distinguished by a system for programming a control unit, the system comprising a server described above, a firewall described above and a control unit described above.
Further features of the invention are gained from the claims, the figures and the description of the FIGURES. All features and combinations of features mentioned above in the description and the features and combinations of features mentioned in the text which follows in the description of the figures and/or shown in the FIGURES alone can be used not only in the combination specified in each case but also in other combinations or by themselves.
The invention is based on the considerations explained in the text which follows:
Vehicle software settings will be encrypted as soon as they are generated. The encryption can take place, for example, by familiar symmetric or asymmetric encryption methods. The encrypted vehicle software settings can be transmitted or conveyed in encrypted form on a production server of a vehicle manufacturer and/or to servers of repair workshops. In the case of a production of a control unit, the production server only programs a boot loader or a starting program, respectively, into the control unit. The programming can take place, for example, via a diagnostic interface or a debugging interface, respectively. The programming can preferably take place via the standardized diagnostic interface, e.g. the standardized diagnostic interface of the Joint Test Action Group JTAG. Preferably, the production server can program the starting program directly into the control unit.
The starting program or the boot loader, respectively, generally does not contain any secret or critical data. The diagnostic interface can be closed accordingly. The production server can then no longer communicate directly with the control unit to be programmed but only with a firewall. The firewall can receive the encrypted data to be programmed, e.g. encrypted vehicle software settings. After receiving the encrypted data to be programmed, the interface between the production computer and the firewall can be closed. The key for decrypting the encrypted data to be programmed is preferably not present or stored on the production server but only in the firewall. The firewall is configured to be read-protected towards the outside, i.e. with respect to the interface towards the production server. The read-protected firewall can communicate with the control unit to be programmed via a protected interface. The firewall can initially transmit a secret decryption key into the control unit to be programmed. Following this, the vehicle software to be programmed can be transmitted to the control unit. The decryption of the encrypted vehicle software can be carried out by the control unit itself. By installing a read protection on the control unit, the vehicle software no longer encrypted can be protected against unauthorized access by third parties.
Vehicle software settings can thus no longer be disassembled. An analysis of the vehicle software by third parties is thus no longer possible. The unauthorized access to control and/or security code in the vehicle can thus be excluded, since the encrypted vehicle software and the associated key never occur together on a computer or server. Due to the firewall between the production server and the control unit in a production plant, reading out of the decryption keys can also be prevented.
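The following simulation, added here as an illustration and not part of the patent text or of any manufacturer's implementation, models the programming sequence of the method described above (first software module via the first interface, blocking of that interface, key and encrypted software via the second interface, decryption by the first module, read protection) together with the firewall considerations of the preceding paragraphs (the key exists only in the firewall, the server interface is closed while the key is transferred, the key is refused while the first interface is still open). The class names, the `program_control_unit` sequence and the SHA-256 counter-mode keystream are assumptions made for this example; the keystream stands in for the unspecified symmetric encryption method and is not a production cipher.

```python
"""Model of the control-unit programming flow with a firewall between server and control unit.

Constructed example: the cipher, names and message flow are assumptions for illustration.
"""
import hashlib


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter-mode keystream XOR data).
    Stand-in for the symmetric method the text leaves open; encryption == decryption."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class AccessDenied(Exception):
    """Raised when an interface or storage area refuses an operation."""


class ControlUnit:
    def __init__(self):
        self.first_if_blocked = False  # first interface (diagnostic / JTAG)
        self.boot_loader = None        # first storage element: first software module
        self.software = None           # second storage element: decrypted vehicle software
        self.key = None                # third storage element: secured key storage
        self.read_protected = False

    # --- first interface (diagnostic), usable only until it is blocked ---
    def diag_write_boot_loader(self, module):
        if self.first_if_blocked:
            raise AccessDenied("first interface blocked")
        self.boot_loader = module

    def diag_read(self, element: str):
        if self.first_if_blocked:
            raise AccessDenied("first interface blocked")
        return getattr(self, element)

    # --- second interface (firewall <-> control unit) ---
    def cmd_block_first_interface(self):
        self.first_if_blocked = True

    def is_first_interface_blocked(self) -> bool:
        return self.first_if_blocked

    def write_key(self, key: bytes):
        # Key is only accepted once the first interface can no longer read it back.
        if not self.first_if_blocked:
            raise AccessDenied("refusing key while first interface is open")
        self.key = key

    def write_encrypted_software(self, blob: bytes):
        if self.key is None or self.boot_loader is None:
            raise AccessDenied("key or first software module missing")
        self.software = self.boot_loader(self.key, blob)  # first module decrypts
        self.read_protected = True                        # read protection installed

    def read_software(self):
        if self.read_protected:
            raise AccessDenied("storage area is read-protected")
        return self.software


class Firewall:
    def __init__(self, key: bytes, allowed_servers, cu: ControlUnit):
        self._key = key                  # the only place the key is stored
        self.allowed = set(allowed_servers)
        self.cu = cu
        self.server_if_open = True
        self.staged_software = None

    def _check(self, sender: str):
        if sender not in self.allowed:
            raise AccessDenied(f"{sender} may not command the firewall")
        if not self.server_if_open:
            raise AccessDenied("server interface is blocked")

    def read_key(self, sender: str):
        raise AccessDenied("firewall is read-protected towards the server")

    def cmd_block_first_interface(self, sender: str):
        self._check(sender)
        self.cu.cmd_block_first_interface()

    def receive_encrypted_software(self, sender: str, blob: bytes):
        self._check(sender)
        self.staged_software = blob

    def _with_server_interface_blocked(self, sender: str, action):
        self._check(sender)
        self.server_if_open = False      # no server traffic while the key is in transit
        try:
            action()
        finally:
            self.server_if_open = True

    def cmd_write_key(self, sender: str):
        def transfer():
            if not self.cu.is_first_interface_blocked():   # inquiry before conveying the key
                raise AccessDenied("control unit still has first interface open")
            self.cu.write_key(self._key)
        self._with_server_interface_blocked(sender, transfer)

    def cmd_program(self, sender: str):
        self._with_server_interface_blocked(
            sender, lambda: self.cu.write_encrypted_software(self.staged_software))


def program_control_unit(server_id, fw: Firewall, cu: ControlUnit, boot_loader, encrypted_sw):
    """Server-side sequence; the server never handles the plaintext key."""
    cu.diag_write_boot_loader(boot_loader)           # first software module via first interface
    fw.cmd_block_first_interface(server_id)          # block first interface via the firewall
    fw.receive_encrypted_software(server_id, encrypted_sw)
    fw.cmd_write_key(server_id)                      # key via second interface
    fw.cmd_program(server_id)                        # decrypt, store, read-protect
    return cu


def run_demo():
    key = hashlib.sha256(b"constructed demo key").digest()          # constructed sample key
    plaintext = b"constructed vehicle software setting v1"           # constructed sample payload
    encrypted = keystream_cipher(key, plaintext)                     # encrypted as soon as generated
    cu = ControlUnit()
    fw = Firewall(key, allowed_servers={"production-server"}, cu=cu)
    program_control_unit("production-server", fw, cu, keystream_cipher, encrypted)
    return cu, fw, plaintext
```

Running `run_demo()` ends with the first interface blocked, the decrypted software present only behind the read protection, and the key never passing through the server; the simulation models the state transitions and checks, not the hardware enforcement of the read protection itself.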
In the text which follows, a preferred exemplary embodiment of the invention is described by means of the attached drawings. From this, further details, preferred embodiments and further developments of the invention are obtained.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.