The need for data exchange between components of a vehicle and a communication partner external to the vehicle via wireless communication links is on the increase. Components of a vehicle are understood as either software applications running on a computer of the vehicle (vehicle computer) or hardware components, for example, an engine control module. In order to exchange data between vehicle components, all these components include at least one communication module which is usually designed as software and which is executable on the vehicle computer. The communication module for the engine control module is a communication interface, for example, which runs on the vehicle computer as software and makes access to the hardware parts of the component possible via a bus system.
A need for communication between the external communication partner and the components of the vehicle may have multiple reasons. For example, it may be desirable for a user of the vehicle that the engine control module exchanges data with a contract workshop of the vehicle manufacturer to make rapid and reliable troubleshooting possible in the case of a vehicle malfunction. Another example of communication via a wireless communication link is the download of multimedia information into an infotainment module of the vehicle. Many other applications are possible in which wireless communication between a component of the vehicle and an external communication partner takes place. They include applications in which a device separated or separable from the vehicle, for example, a cell phone or a portable computer, etc., is connected to the vehicle and wireless data exchange takes place via a transceiver device of the vehicle to a transceiver station. The communication partner may be a software application, for example, which runs on a computer which is connected to the transceiver station via a network. There may be, however, other devices or individuals that exchange data with a component of the vehicle via an electronic device which is connected to the transceiver station with the help of the network.
The wireless communication link between the transceiver device of the vehicle and the external transceiver station is normally designed as a WLAN (Wireless Local Area Network). In wireless communication links there is the basic difficulty that this link may be eavesdropped on by unauthorized persons. In particular when sensitive data are exchanged, eavesdropping and/or manipulation by an unauthorized person are to be avoided. For this purpose, different authentication and encryption mechanisms are used.
In the following it is assumed that the wireless communication link is a WLAN link. However, the description applies to any type of wireless communication link. WLAN networks allow mobile transceiver devices to establish a communication link to the external transceiver station which is referred to as an access point or a hotspot. WLAN access points may be made available from different operators. For example, contract dealers and contract workshops of an automobile manufacturer may make access points available to make communication with the vehicle via a WLAN link possible to thereby in turn facilitate service and troubleshooting. The owner of a vehicle may also operate a private WLAN via which he may transfer navigation data, multimedia data, etc., from his computer into a navigation unit of the vehicle or an infotainment unit of the vehicle. Further functionalities may be made available via WLAN links. For example, it is possible that access points are made available at gas stations and other public places via which additional services may be utilized.
The protection mechanisms that are used at the different access points are usually different. While a private WLAN network may be very well protected by the user because it is provided only for the communication with the vehicle and occasionally a few other electronic components, a publicly accessible access point, for example, a gas station or a fast-food restaurant, must allow access for a plurality of different devices and communication partners. There are access points that require both authentication and encryption of the data traffic. Other access points use neither authentication nor data encryption. In addition to data encryption, the trustworthiness of the access point affects the security of the communication. A public access point, for example, could be set up by a hacker. The trustworthiness may be checked via exchange of certificates. The trustworthiness of the access point, like data encryption, also contributes to the transmission security in wireless transmission.
In addition to transmission security between the mobile transceiver device and the transceiver station of the access point, the trustworthiness of the communication partner, as well as transmission from the external communication partner to the access point of the wireless communication link via a network, are relevant to the security of communication.
Authentication of the external communication partner and encryption of the transmitted data may also be performed at this level.
All in all, there are thus very different communication scenarios as a function of the transmission security of the wireless communication link as well as of authentication of the external interlocutor or of the encryption of data in the case of a network transmission to the transceiver station of the wireless communication link. To allow a high degree of functionality, it is, however, necessary that individual components of the vehicle communicate with untrustworthy external communication partners or via wireless communication links that are not properly secured. In such a case, intrusion by a hacker into the communication link cannot be ruled out. The individual components of the vehicle are designed such that they should withstand an attack by a hacker. However, it has been found that, in particular in the case of software implementation, errors of this type allowing a hacker to gain control over the application, i.e., the particular component, are unavoidable. If a hacker has gained control over a component, he may attack other components of the vehicle via this component. If the computer of the vehicle communicates with a hacker, the hacker could attempt to find security holes in components or applications executed on the computer. As soon as a hacker finds a security hole in any application or component, he may make use of this security hole to gain control over this particular application or component. The hacker could use this infected application or component to gain access to the vehicle computer resources, interfaces, and other networked computer-supported or computer-based vehicle components which are connected to the vehicle computer. The hacked vehicle application may be used as a stepping stone for infecting other applications/components on the vehicle computer to ultimately gain access to the vehicle computer resources.
Thus, if only one of the many applications/components on the vehicle computer has a security hole which is found by a hacker, the hacker may use this infected application for gaining access to other applications/devices, resources, or components within the vehicle computer or such components that are linked to the vehicle computer on which the infected application is executed.
Unfortunately, vehicle manufacturers are unable to ensure that applications or components will not have any security holes. Security holes may always be found, and they have been found to be an unavoidable phenomenon of software development.
It must therefore be assumed that a vehicle computer equipped with a WLAN client within a vehicle has at least one executed application/component which has at least one security hole, and that this vehicle computer is allowed to communicate with a public access point (for example, a WLAN access point at a parking place, a gas station, or a fast-food restaurant, etc.).
It must furthermore be assumed that it is possible that the access point has already also been infected by a hacker or it is made available by the hacker. In such a case the infected access point would have the opportunity to test the executed applications/components on the vehicle computer to find security holes which may be made use of by the hacker.