Modern vehicle systems are increasingly reliant on electronic communications. Communication between different engine subsystems, sensors, actuators, electronic control units (ECUs), and other systems may enable improved control of a vehicle; however, such systems may be vulnerable to attack in the form of hacking or malicious tampering. This problem is compounded by the fact that many vehicle systems may be communicatively coupled to one another by one or more buses, e.g. by a Controller Area Network (CAN) bus. In the case where many ECUs or vehicle subsystems are in communicative contact with one another via a bus, as is common in modern vehicles, even small digital security breaches may result in significant problems for a vehicle operator. For example, a hacker or other malicious entity may be able to use small security holes in a multimedia system, accessed via wireless Internet connection or Bluetooth, to gain access to communication on the vehicle's CAN bus. The hacker may then be able to distribute control messages to other vehicle systems via the CAN bus, thereby gaining control of many vehicle subsystems. It should go without saying that this kind of malicious interference is undesirable for the safety of the vehicle operator and for the reliable operation of the vehicle. Thus there is a need for vehicle communication systems which are able to detect this kind of malicious tampering when it occurs and take compensatory action.
Intra-vehicle communications, such as CAN messages (also called CAN frames), are typically provided with a checksum or cyclic redundancy check in a conventional manner to detect transmission errors. For example, a checksum may be a simple sum of each byte in a message. Upon receipt of the message, the recipient may verify the integrity of the message by computing the sum of each byte of said message and comparing it to the checksum, which is included therewith. If the two are equal, the message is assumed to be delivered intact; otherwise a transmission error may have occurred. While conventional checksums are effective tools for detecting transmission errors, there may be no provision for detection of hacking or tampering in systems which only use a conventional checksum system, since it may be assumed that a hacker knows about the existence of the checksum and is able to generate messages which pass this test.
Thus, the inventors herein have recognized that the provision of a data field generated by a dynamic mathematical operator (DMO), in addition to an optional checksum or other communication verification check, in intra-vehicle communication messages may provide a simple and robust method for detecting the presence of hacking. The checksum may be a conventional sum or cyclic redundancy check, according to known and publicly-accessible methods, whereas the dynamic mathematical operator may comprise a mathematical function using parameters which are not known to the public. The checksum may still be employed to detect transmission errors, according to conventional methods, whereas the DMO may be employed for detecting hacking. Since the parameters used in computing the DMO may not be publicly-known, it may be difficult or impossible for a hacker to correctly guess the output of the DMO, which may be provided as part of a CAN bus message, for example. Thus, a method may be provided for differentiating transmission errors from hacking attempts, since messages with a correct checksum and an incorrect DMO output may be indicative of potential hacking.
The systems and methods described herein may be provided with tables of parameters for computing the DMO, indexed according to a key. The key and corresponding parameters may be changed at regular intervals, on an event-driven basis, and/or responsive to a DMO error, in order to prevent potential hackers from guessing or learning the mathematical operation used in the DMO. The systems and methods disclosed herein may also make use of various engine operating parameters and the content of the intra-vehicle communication messages to determine if hacking has occurred on the basis of expected change in parameter values. In one example, hacking may be determined and/or differentiated from transmission errors by a method. The method may include receiving a message including a first parameter and a second parameter; evaluating the first parameter based on a first mathematical operation and evaluating the second parameter based on a second mathematical operation; indicating a transmission error in response to an error in the first parameter; and indicating a security breach in response to an error in the second parameter. In another example, the above-named objects may be achieved by a method comprising, in response to an error in a parameter, requesting that a message comprising the parameter be resent and incrementing an error counter; and in response to the error counter exceeding a threshold, issuing a warning to an operator indicating likely hacking and entering a vehicle safe mode. In yet another example, these objects may be achieved by a system.
The system may include a controller area network (CAN) bus; an ECU connected to the CAN bus, an actuator, and a sensor; a processor connected to the CAN bus, and including computer-readable instructions stored in non-transitory memory for: receiving a message from the ECU, the message including first and second fields; in response to an error in the first field, requesting retransmission of the message; in response to an error in the second field, requesting retransmission of the message and incrementing an error counter; and in response to the error counter exceeding a threshold, issuing a warning to an operator and adjusting an operating parameter of an engine.
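The receive-side logic described above (checksum error means transmission error and resend; DMO error means resend, increment an error counter, and rotate the key; counter over threshold means warn the operator and enter safe mode), as an added example that is not part of this disclosure. The one-byte truncated HMAC standing in for the unspecified DMO, the parameter table values, and the names `Frame`, `make_frame` and `Receiver` are assumptions of this example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed secret-parameter table indexed by key id (values made up here).
DMO_PARAMS = {0: b"example-key-0", 1: b"example-key-1", 2: b"example-key-2"}

def checksum(payload: bytes) -> int:
    """Conventional checksum: sum of payload bytes, mod 256 (public method)."""
    return sum(payload) & 0xFF

def dmo(payload: bytes, key_id: int) -> int:
    """Dynamic mathematical operator with secret parameters. An HMAC truncated
    to one byte stands in for the unspecified function (an assumption here)."""
    return hmac.new(DMO_PARAMS[key_id], payload, hashlib.sha256).digest()[0]

@dataclass
class Frame:
    payload: bytes
    checksum: int  # first field: catches transmission errors
    dmo: int       # second field: catches tampering

def make_frame(payload: bytes, key_id: int) -> Frame:
    """Sender side: attach both verification fields to the payload."""
    return Frame(payload, checksum(payload), dmo(payload, key_id))

class Receiver:
    """Receiver side: classify each frame and escalate repeated DMO errors."""

    def __init__(self, threshold: int = 3):
        self.key_id = 0
        self.errors = 0  # counts DMO errors only, not transmission errors
        self.threshold = threshold
        self.safe_mode = False

    def handle(self, frame: Frame) -> str:
        if checksum(frame.payload) != frame.checksum:
            return "transmission_error"  # request resend, no counter change
        if dmo(frame.payload, self.key_id) != frame.dmo:
            self.errors += 1
            self.key_id = (self.key_id + 1) % len(DMO_PARAMS)  # rotate on error
            if self.errors > self.threshold:
                self.safe_mode = True
                return "security_breach"  # warn operator, enter safe mode
            return "dmo_error"  # request resend
        return "ok"
```

A frame corrupted in transit fails the checksum first and never touches the counter, while a frame with a valid checksum but a wrong DMO value is the case the disclosure treats as potential hacking.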
It should be understood that the summary above is provided to introduce in simplified form a selection of concepts that are further described in the detailed description. It is not meant to identify key or essential features of the claimed subject matter, the scope of which is defined uniquely by the claims that follow the detailed description. Furthermore, the claimed subject matter is not limited to implementations that solve any disadvantages noted above or in any part of this disclosure.