JP7707964B2 - In-vehicle device, program, and information processing method - Google Patents

Description

The present invention relates to an in-vehicle device, a program, and an information processing method.

An electronic control device that is mounted on a vehicle and has multiple microcomputers and can detect abnormalities in a communication bus has been disclosed (for example, Patent Document 1). The electronic control device in Patent Document 1 is one of multiple nodes connected to the communication bus, and is equipped with a first microcomputer and a second microcomputer that receive a transmission signal flowing on the communication bus and transmit a transmission signal to the communication bus, and is configured so that the transmission signal to be transmitted to the communication bus is transmitted to each microcomputer without passing through the communication bus, and each microcomputer receives the transmission signal.

JP 2016-126716 A

However, the electronic control device in Patent Document 1 has a problem in that it does not take into consideration the efficient implementation of security measures for the microcomputer contained in the electronic control device.

The purpose of this disclosure is to provide an in-vehicle device etc. that can efficiently implement security measures for the processing unit installed in the device.

An in-vehicle device according to one aspect of the present disclosure is an in-vehicle device mounted on a vehicle having an in-vehicle network, and includes a first processing unit connected to the in-vehicle network and a second processing unit communicatively connected to the first processing unit, and the first processing unit performs security verification on the second processing unit.

According to one aspect of the present disclosure, it is possible to provide an in-vehicle device or the like that efficiently implements security measures for the processing unit installed therein.

1 is a schematic diagram illustrating a system configuration of an in-vehicle system according to a first embodiment; 2 is a block diagram illustrating an example of the internal configuration of an in-vehicle device included in the in-vehicle system. FIG. 4 is a flowchart illustrating the processing of a first processing unit and a second processing unit of the in-vehicle device. 10 is a flowchart illustrating the processing of a first processing unit and a second processing unit of an in-vehicle device according to a second embodiment (return signal). FIG. 13 is a schematic diagram illustrating a system configuration of an in-vehicle system according to a third embodiment (connected to an actuator).

[Description of the embodiments of the present disclosure]
First, embodiments of the present disclosure will be listed and described. In addition, at least some of the embodiments described below may be arbitrarily combined.

(1) An in-vehicle device according to one aspect of the present disclosure is an in-vehicle device mounted on a vehicle having an in-vehicle network, and includes a first processing unit connected to the in-vehicle network and a second processing unit communicatively connected to the first processing unit, and the first processing unit performs security verification on the second processing unit.

In this embodiment, the in-vehicle device includes a first processing unit and a second processing unit, each of which is, for example, a separate microcomputer. The first processing unit connected to the in-vehicle network performs security verification on the second processing unit and performs a monitoring function on the second processing unit. Therefore, when the second processing unit communicates with an external device located outside the vehicle, such as an OTA server or a diagnostic device, even if unauthorized access or data is transmitted from outside the vehicle to the second processing unit, the first processing unit performs security verification on the second processing unit, thereby ensuring the integrity (normality) of the second processing unit. Even when multiple microcomputers constituting the first processing unit and the second processing unit are implemented in a single in-vehicle device, the first processing unit connected to the in-vehicle network can efficiently perform security verification on the second processing unit (other processing unit) that is not directly connected to the in-vehicle network.

(2) In an in-vehicle device according to one aspect of the present disclosure, the first processing unit acquires response data from the second processing unit in response to the security verification, and determines whether the second processing unit is normal based on the acquired response data.

In this aspect, the first processing unit acquires response data from the second processing unit when performing security verification on the second processing unit, and determines whether the second processing unit is normal or not based on the result of the security verification on the response data. The first processing unit may, for example, store a hash value generated based on the response data in a storage unit in advance, and determine whether the acquired response data is normal or abnormal by comparing the hash value (correct answer value) stored in advance with a hash value generated (converted) based on the response data acquired from the second processing unit for security verification. If the response data is normal, the first processing unit determines that the second processing unit is normal, and if the response data is abnormal, the second processing unit determines that the response data is abnormal. Even if the response data cannot be acquired, the first processing unit may determine that the second processing unit is abnormal. In this way, by using the result of security verification on the response data acquired from the second processing unit, security verification can be efficiently performed on the second processing unit.

(3) In an in-vehicle device according to one aspect of the present disclosure, the first processing unit performs security verification on the second processing unit using a challenge-response method.

In this embodiment, the first processing unit uses a challenge-response method to send randomly generated challenge information to the second processing unit and generate response information corresponding to the challenge information. The second processing unit generates (converts) a hash value from the challenge information output from the first processing unit and the password set in the second processing unit to generate response information and outputs it to the first processing unit. The first processing unit compares the response information output from the second processing unit with the response information it generated from the challenge information, and if they are identical, performs security verification by successfully completing the authentication (challenge-response authentication). By using the challenge-response method in this way, security verification can be efficiently performed on the second processing unit.

(4) In an in-vehicle device according to one aspect of the present disclosure, the first processing unit performs security verification on the second processing unit in response to a verification request from the second processing unit.

In this embodiment, the second processing unit makes a verification request to the first processing unit, for example, periodically or periodically (outputs an authentication request), and the first processing unit performs security verification on the second processing unit in response to the verification request from the second processing unit. This allows the first processing unit to use the verification request from the second processing unit as a trigger to start security verification, eliminating the need for processing related to scheduling or timing control when performing security verification on the second processing unit and reducing the load on the first processing unit. Therefore, even if there are multiple second processing units (other processing units) for which the first processing unit is responsible for security verification, it is possible to efficiently perform security verification on the second processing unit by responding to verification requests from these multiple second processing units.

(5) In an in-vehicle device according to one aspect of the present disclosure, if the first processing unit does not receive a verification request from the second processing unit for a predetermined period of time, the second processing unit determines that the second processing unit is abnormal.

In this embodiment, when the second processing unit is configured to periodically output a verification request to the first processing unit, if the first processing unit does not receive a verification request from the second processing unit for a predetermined period of time, it is assumed that the second processing unit is in an abnormal state due to, for example, unauthorized access from outside the vehicle (security attack). Even in such a case, the first processing unit determines that the second processing unit is abnormal because it has not received a verification request from the second processing unit for the predetermined period of time, and therefore can efficiently perform security verification on the second processing unit.

(6) In an in-vehicle device according to one aspect of the present disclosure, the second processing unit acquires outside-vehicle communication data from an external device outside the vehicle, and the first processing unit and the second processing unit are connected by a data communication line through which the outside-vehicle communication data flows and a verification communication line through which data for security verification flows.

In this embodiment, a parallel circuit is configured with a data communication line and a verification communication line as a communication circuit between the first processing unit and the second processing unit, and is duplicated. This allows security verification to be performed using the verification communication line without affecting relay processing, etc., that uses the data communication line.

(7) In an in-vehicle device according to one aspect of the present disclosure, when the first processing unit determines that the second processing unit is abnormal based on the result of the security verification, the first processing unit performs processing to deactivate the second processing unit.

In this aspect, when the first processing unit determines that the second processing unit is abnormal based on the results of the security verification, it deactivates the second processing unit, thereby essentially isolating the abnormal second processing unit from the in-vehicle network and preventing the second processing unit from affecting the control of the vehicle (vehicle system). When deactivating the second processing unit, the first processing unit may cut off the power supply to the second processing unit, forcibly stop (shut down) the second processing unit, cut off the data communication line with the second processing unit, or disable the communication port (in-vehicle communication unit) connected to the data communication line.

(8) In an in-vehicle device according to one aspect of the present disclosure, when the first processing unit determines that the second processing unit is abnormal based on the result of the security verification, the first processing unit performs a recovery process to recover the second processing unit.

In this embodiment, when the first processing unit determines that the second processing unit is abnormal based on the result of the security verification, the first processing unit performs a return process, such as restarting the second processing unit by cutting off and resupplying power to the second processing unit, and outputting a return signal to the second processing unit. This allows the second processing unit, which has become abnormal due to, for example, unauthorized access from outside the vehicle (security attack), to transition (return) to a normal state. The return signal to the second processing unit may be, for example, a signal that reboots or initializes the second processing unit, or a program that is pre-stored in the storage unit of the first processing unit and includes an instruction to execute the program. The first processing unit may deactivate the second processing unit when the result of the security verification (verification result) of the second processing unit continues to be abnormal despite the first processing unit having output the return signal to the second processing unit multiple times (predetermined number of times).

(9) In one aspect of the in-vehicle device of the present disclosure, a plurality of in-vehicle ECUs are connected to the in-vehicle network, and the first processing unit relays data acquired from the second processing unit to the in-vehicle ECUs via the in-vehicle network.

In this embodiment, the first processing unit relays the data acquired by the second processing unit to the vehicle ECU via the vehicle network, so that the vehicle device can function as a relay device. In addition, the first processing unit may be connected to multiple communication cables (such as a CAN bus) that constitute the vehicle network, and may relay data transmitted and received between the vehicle ECUs connected to each of these multiple communication cables.

(10) An information processing method according to one aspect of the present disclosure is a computer that is mounted on a vehicle having an in-vehicle network and includes a first processing unit connected to the in-vehicle network and a second processing unit communicatively connected to the first processing unit, and the first processing unit performs security verification on the second processing unit.

In this aspect, it is possible to provide an information processing method that causes a computer to function as an in-vehicle device that efficiently implements security measures for the on-board processing unit.

(11) A program according to one aspect of the present disclosure is provided for a computer that is mounted on a vehicle having an in-vehicle network and includes a first processing unit connected to the in-vehicle network and a second processing unit communicatively connected to the first processing unit, and the first processing unit performs security verification on the second processing unit.

In this embodiment, a program can be provided that causes a computer to function as an in-vehicle device that efficiently implements security measures for the on-board processing unit.

[Details of the embodiment of the present disclosure]
The present disclosure will be specifically described based on the drawings showing the embodiments. An in-vehicle system S according to an embodiment of the present disclosure will be described below with reference to the drawings. Note that the present disclosure is not limited to these examples, but is indicated by the claims, and is intended to include all modifications within the meaning and scope equivalent to the claims.

(Embodiment 1)
Hereinafter, an embodiment will be described with reference to the drawings. FIG. 1 is a schematic diagram illustrating a system configuration of an in-vehicle system S according to the first embodiment. FIG. 2 is a block diagram illustrating an internal configuration of an in-vehicle device 2 included in the in-vehicle system S. The in-vehicle system S includes an in-vehicle device 2 and a plurality of in-vehicle ECUs 4 mounted on a vehicle C, and the in-vehicle device 2 and the plurality of in-vehicle ECUs 4 are communicatively connected via an in-vehicle network 3 configured by a communication cable 31 such as a CAN bus. An actuator 5 such as a motor (see FIG. 5), or an in-vehicle device such as a lamp or a sensor is connected to the in-vehicle ECU 4. The in-vehicle device 2 may function as a relay device that relays data transmitted and received between the plurality of in-vehicle ECUs 4 connected to the in-vehicle network 3.

An external communication device 1 for communicating via an external network is connected to the in-vehicle device 2. The in-vehicle device 2 communicates with an external server 100 or a mobile terminal, etc., via the external communication device 1 and the external network. The external server 100 is a computer such as a server connected to an external network such as the Internet or a public line network, and may be an OTA (Over The Air) server that provides update programs.

The vehicle-external communication device 1 includes a wireless communication unit (not shown) and a communication I/F for communicating with the vehicle-mounted device 2. The wireless communication unit is a communication device for wireless communication using a mobile communication protocol such as 4G, LTE (Long Term Evolution/registered trademark), 5G, or WiFi (registered trademark), and transmits and receives data to and from the external server 100 via an antenna 11 connected to the vehicle-external communication unit 223. The communication I/F may be, for example, a communication interface for serial communication with the vehicle-mounted device 2, or a CAN transceiver for CAN communication. The communication between the vehicle-external communication device 1 and the external server 100 is performed via an external network such as a public line network or the Internet. In this embodiment, the vehicle-external communication device 1 is a separate device from the vehicle-mounted device 2, and these devices are connected to each other so that they can communicate with each other via a communication I/F or the like, but is not limited to this. The vehicle-external communication device 1 may be built into the vehicle-mounted device 2 as one component of the vehicle-mounted device 2. In this case, the second processing unit 22 (exterior microcomputer) may have the functions of the exterior communication device 1.

The in-vehicle device 2 may be connected to a diagnostic device 101 used during inspection of the vehicle C. Furthermore, the in-vehicle device 2 may be connected to an LF antenna and an RF antenna to receive a signal transmitted from a smart key. In this manner, an external device located outside the vehicle C is directly or indirectly connected to the in-vehicle device 2, and the in-vehicle device 2 also functions as a relay device that relays data output (transmitted) from the external device (external vehicle communication data) to the in-vehicle ECU 4 connected to the in-vehicle network 3. In other words, the in-vehicle device 2 relays data between the in-vehicle ECUs 4 within the in-vehicle network 3, and relays data between the in-vehicle ECUs 4 and external devices located outside the vehicle C.

The in-vehicle device 2 thus functioning as a relay device includes a first processing unit 21 connected to the in-vehicle network 3, and a second processing unit 22 that is not directly connected to the in-vehicle network 3 and receives data transmitted from an external device. When the first processing unit 21 and the second processing unit 22 are each configured with a microcomputer, for example, the first processing unit 21 corresponds to an in-vehicle microcomputer, and the second processing unit 22 corresponds to an in-vehicle microcomputer.

The first processing unit 21 (interior microcomputer) and the second processing unit 22 (exterior microcomputer) are implemented with a security function that uses, for example, a challenge-response system, and the first processing unit 21 monitors the state of the second processing unit 22 by periodically performing security verification (security procedure) on the second processing unit 22 using the security function. In the direction of data flow from outside the vehicle C by an external device, the first processing unit 21 (interior microcomputer) located on the interior side (downstream side) performs security procedure on the second processing unit 22 (exterior microcomputer) located on the exterior side (upstream side), thereby ensuring the integrity of the second processing unit 22 (exterior microcomputer) and providing resistance to security attacks from outside the vehicle.

The in-vehicle device 2 manages multiple segments, such as in-vehicle devices such as control system ECUs, in-vehicle devices such as safety system ECUs, and in-vehicle devices such as body system ECUs (Body Control Units), and relays communication between the in-vehicle devices in these segments. The in-vehicle device 2 may be, for example, a gateway or an Ether switch, and may function as a layer 2 switch, a layer 3 switch, or a CAN gateway. Alternatively, the in-vehicle device 2 may be an integrated ECU that is composed of a central control device such as a vehicle computer and controls the entire vehicle C.

The in-vehicle device 2 includes a first processing unit 21 and a second processing unit 22. The second processing unit 22, located on the outside of the vehicle, receives data transmitted from external devices such as the external server 100 or the diagnostic device 101, and transmits data to these external devices. The first processing unit 21, located on the inside of the vehicle, relays data transmitted and received between the in-vehicle ECUs 4 connected to the in-vehicle network 3, as well as relaying data received by the second processing unit 22 from external devices to the in-vehicle ECU 4, i.e., relaying data between the in-vehicle ECU 4 and the second processing unit 22.

In this embodiment, there is one first processing unit 21 that is directly connected to the in-vehicle network 3 and located on the inside of the vehicle, but this is not limited to this, and there may be multiple first processing units 21 (inside processing units) that are directly connected to the in-vehicle network 3. In this embodiment, there is one second processing unit 22 that is not directly connected to the in-vehicle network 3 and located on the outside of the vehicle, but this is not limited to this, and there may be multiple second processing units 22 (outside processing units) that are not directly connected to the in-vehicle network 3 and located on the outside of the vehicle. In this case, the first processing unit 21 may perform security verification for each of the multiple second processing units 22.

The first processing unit 21 and the second processing unit 22 are communicatively connected by a data communication line 201 and a verification communication line 203. In other words, a parallel circuit is formed by the data communication line 201 and the verification communication line 203 as a communication circuit between the first processing unit 21 and the second processing unit 22, and the in-vehicle device 2 has a duplicated communication circuit in this way.

The first processing unit 21 is configured, for example, by a microcomputer, and includes a first control unit 211, a first storage unit 212, and an in-vehicle communication unit 213. The first control unit 211 is configured, for example, by a CPU (Central Processing Unit) or an MPU (Micro Processing Unit), and performs various control processes, calculation processes, and the like by reading and executing a program P (program product) and data pre-stored in the first storage unit 212.

The first storage unit 212 is composed of, for example, a volatile memory element such as a RAM (Random Access Memory) or a non-volatile memory element such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM) or a flash memory, and stores in advance a program P (program product) and data to be referenced during processing. The program P (program product) stored in the first storage unit 212 may be a program P (program product) read from a recording medium M readable by the in-vehicle device 2. Alternatively, the program P (program product) may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the first storage unit 212.

The in-vehicle communication unit 213 is, for example, configured with a CAN transceiver, and is an input/output interface using a CAN communication protocol. Alternatively, the in-vehicle communication unit 213 may be configured with an Ethernet PHY, and is an input/output interface using an Ethernet (registered trademark) communication protocol. The first processing unit 21 is communicatively connected to the in-vehicle ECU 4 connected to the in-vehicle network 3 via the in-vehicle communication unit 213.

The second processing unit 22 is configured, for example, by a microcomputer, and includes a second control unit 221, a second storage unit 222, and an external vehicle communication unit 223. The second control unit 221 is configured, for example, by a CPU (Central Processing Unit) or an MPU (Micro Processing Unit), and performs various control processes, calculation processes, and the like by reading and executing a program P (program product) and data pre-stored in the second storage unit 222.

The second storage unit 222 is composed of, for example, a volatile memory element such as a RAM (Random Access Memory) or a non-volatile memory element such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM) or a flash memory, and stores in advance a program P (program product) and data to be referenced during processing. The program P (program product) stored in the second storage unit 222 may be a program P (program product) read from a recording medium M readable by the in-vehicle device 2. Alternatively, the program P (program product) may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the second storage unit 222.

The external vehicle communication unit 223 is, for example, a CAN transceiver and is an input/output interface using a CAN communication protocol. Alternatively, the internal vehicle communication unit 213 may be an input/output interface using an Ethernet PHY and using an Ethernet (registered trademark) communication protocol. The second processing unit 22 is connected to the external server 100 (external vehicle communication device 1) or the diagnosing device 101 via the external vehicle communication unit 223 so as to be able to communicate with them.

In this embodiment, the first processing unit 21 and the second processing unit 22 are each configured by a separate microcomputer, but this is not limited to the above. The in-vehicle device 2 may, for example, be equipped with a multi-CPU consisting of multiple CPUs, and each CPU in the multi-CPU may function as the first processing unit 21 and the second processing unit 22.

Each of the first processing unit 21 and the second processing unit 22 further includes a data communication unit 202 and a verification communication unit 204. The first processing unit 21 and the second processing unit 22 are communicatively connected via a data communication line 201 connected to each data communication unit 202. When these data communication units 202 are configured, for example, by a CAN transceiver, the data communication line 201 is configured by a CAN bus, and data communication between the first processing unit 21 and the second processing unit 22 is performed using the CAN protocol. When these data communication units 202 are configured, for example, by an Ethernet (registered trademark) PHY, the data communication line 201 is configured by an Ethernet cable, and data communication between the first processing unit 21 and the second processing unit 22 is performed using the TCP/IP protocol. The data flowing through the data communication line 201 is data transmitted and received between an external device, such as the external server 100 or the diagnostic device 101, and an in-vehicle ECU 4 connected to the in-vehicle network 3, and is data relayed by the in-vehicle device 2 (relay target data).

The first processing unit 21 and the second processing unit 22 are further connected to each other so that they can communicate with each other via a verification communication line 203 connected to each of the verification communication units 204. The verification communication line 203 is, for example, a serial cable, and in this case, each of the verification communication units 204 is configured with a serial communication IF. Data communication between the first processing unit 21 and the second processing unit 22 via the verification communication line 203 is performed by serial communication. Alternatively, the verification communication line 203 may be, for example, a conductive pattern such as a land provided on a board on which the first processing unit 21 and the second processing unit 22 are mounted, and in this case, the verification communication unit 204 is configured by terminals provided on the first processing unit 21 and the second processing unit 22. Alternatively, the verification communication line 203 and the verification communication unit 204 may be compatible with CAN or Ethernet, like the data communication line 201 and the data communication unit 202.

The data flowing through the verification communication line 203 is data related to the security verification (security measures) that the first processing unit 21 performs on the second processing unit 22, and includes an authentication request, challenge information, and response information when a challenge-response method is used for the security verification. Furthermore, the verification communication line 203 may carry a deactivation signal that the first processing unit 21 outputs when deactivating the second processing unit 22, or a restoration signal that the first processing unit 21 outputs when restoring the second processing unit 22.

In this way, the communication line between the first processing unit 21 and the second processing unit 22 is configured with a data communication line 201 for data relay, through which outside-vehicle communication data transmitted and received between external devices flows, and a verification communication line 203, through which data for security verification flows, as separate lines (separate systems). This makes it possible to efficiently carry out security measures for multiple processing units (microcomputers) implemented in the in-vehicle device 2 without impeding the relay processing performed by the in-vehicle device 2, that is, while maintaining the processing capacity of the conventional functions performed by the in-vehicle device 2 functioning as a relay device (ensuring bandwidth for data relaying).

Figure 3 is a flowchart illustrating the processing of the first processing unit 21 and the second processing unit 22 of the in-vehicle device 2. The in-vehicle device 2 steadily performs the following processing, for example, when the vehicle C is in a running state (IG switch is on) or stopped state (IG switch is off). A series of processing by the first processing unit 21 (inner-side microcomputer) and the second processing unit 22 (outer-side microcomputer) of the in-vehicle device 2 are performed in conjunction with each other, but first the processing by the first processing unit 21 (inner-side microcomputer) will be described, followed by the processing by the second processing unit 22 (outer-side microcomputer).

The first processing unit 21 (first control unit 211) determines whether or not a verification request has been received from the second processing unit 22 (S101). The first processing unit 21 is communicatively connected to the second processing unit 22 via the verification communication line 203, and periodically or constantly performs a process of acquiring (receiving) data or a signal related to a verification request (authentication request) from the second processing unit 22 via the verification communication line 203. The first processing unit 21 determines whether or not a verification request has been received from the second processing unit 22 based on the acquisition record of the verification request (authentication request).

The first processing unit 21 is further communicatively connected to the second processing unit 22 via a data communication line 201, and data (external vehicle communication data) transmitted from an external device such as the external server 100 and received by the second processing unit 22 is output from the second processing unit 22 to the first processing unit 21 via the data communication line 201. In this way, the first processing unit 21 and the second processing unit 22 are communicatively connected via a communication path that is duplicated by different communication lines, the data communication line 201 and the verification communication line 203. This allows processing for security verification, such as communication of a verification request (authentication request), to be performed on the verification communication line 203 without affecting the relay processing of the external vehicle communication data via the data communication line 201.

If the first processing unit 21 has not received a verification request (authentication request) from the second processing unit 22 (S101: NO), the first processing unit 21 performs loop processing to execute the processing of S101 again. That is, the first processing unit 21 may continue waiting for a verification request (authentication request) to be sent from the second processing unit 22. Therefore, the first processing unit 21 performs relay processing of data (external vehicle communication data) transmitted and received between the second processing unit 22 via the data communication line 201 in parallel with waiting for a verification request (authentication request) to be sent from the second processing unit 22.

When the first processing unit 21 acquires a verification request (authentication request) from the second processing unit 22 (S101: YES), the first processing unit 21 performs security verification on the second processing unit 22 (S102). When the first processing unit 21 acquires (receives) data or a signal related to the verification request (authentication request) from the second processing unit 22, the first processing unit 21 performs security verification on the second processing unit 22 using the verification request as a trigger. However, the first processing unit 21 is not limited to a unit that performs security verification using the verification request (authentication request) from the second processing unit 22 as a trigger, and the first processing unit 21 itself may perform (start) security verification on the second processing unit 22 voluntarily at a predetermined period. The first processing unit 21 may perform relay processing of data (external vehicle communication data) transmitted and received between the second processing unit 22 and the first processing unit 22 via the data communication line 201 in parallel with the security verification on the second processing unit 22.

When performing the security verification, the first processing unit 21 may use, for example, a challenge-response method. When using the challenge-response method, the first processing unit 21 generates challenge information and transmits the generated challenge information to the second processing unit 22. Furthermore, the first processing unit 21 also generates response information corresponding to the generated challenge information and stores the generated response information in the first storage unit 212.

In this embodiment, the first processing unit 21 uses a challenge-response method for security verification, but is not limited to this, and the first processing unit 21 may perform security verification using a predetermined password authentication, common key encryption, or the like. In other words, the first processing unit 21 and the second processing unit 22 may both be implemented with the same type of security function, and the first processing unit 21 may perform security verification (security measures) of the second processing unit 22 using the security function.

The first processing unit 21 acquires response data from the second processing unit 22 in response to the security verification (S103). The first processing unit 21 acquires (receives) from the second processing unit 22 the response data that the second processing unit 22 generates based on the challenge information in response to the generation and transmission of challenge information to the second processing unit 22 as part of the security verification.

The first processing unit 21 determines whether the acquired response data is valid (S104). For example, when using a challenge-response method, the first processing unit 21 compares the response data (response information) acquired (received) from the second processing unit 22 with the response data (response information) that the first processing unit 21 itself (the first processing unit 21) generated based on the challenge information, and determines whether these response data (response information) are identical.

If these response data (response information) are the same, the first processing unit 21 determines that the response data (response information) acquired (received) from the second processing unit 22 is valid (normal). At this time, the first processing unit 21 determines that the challenge-response authentication for the second processing unit 22 has been successful. If these response data (response information) are not the same, that is, if the response data (response information) acquired (received) from the second processing unit 22 is different from the response data (response information) generated by the first processing unit 21 itself (the first processing unit 21) based on the challenge information, the first processing unit 21 determines that the response data (response information) acquired (received) from the second processing unit 22 is invalid (abnormal). At this time, the first processing unit 21 determines that the challenge-response authentication for the second processing unit 22 has failed.

The first processing unit 21 may also determine that the response data (response information) is invalid (abnormal) if response data (response information) cannot be obtained from the second processing unit 22 for a predetermined period of time after outputting (transmitting) the challenge information. If the second processing unit 22 is in an abnormal state due to unauthorized access from outside the vehicle (security attack), for example, it is also possible that the security function for the challenge-response method itself has already failed. Even in such a case, the first processing unit 21 can efficiently determine that the second processing unit 22 is in an abnormal state by determining that the response data is invalid when response information cannot be obtained for a predetermined period of time.

When the first processing unit 21 determines that the response data is valid (S104: YES), it determines that the second processing unit 22 is normal (S105). When the first processing unit 21 determines that the response data is valid (normal), it makes the challenge-response authentication for the second processing unit 22 successful, and determines that the second processing unit 22 is normal. The first processing unit 21 may store the determination result indicating that the challenge-response authentication was successful as history information in the first storage unit 212 in association with time information indicating the date and time or timestamp when the security verification was performed. The first processing unit 21 may perform loop processing to execute the processing from S101 again after executing S105.

When the first processing unit 21 determines that the response data is invalid (S104: NO), it determines that the second processing unit 22 is abnormal (S1041). When the first processing unit 21 determines that the response data is invalid, i.e., invalid (abnormal), it causes the challenge-response authentication for the second processing unit 22 to fail, and determines that the second processing unit 22 is abnormal. The first processing unit 21 may store the determination result indicating that the challenge-response authentication has failed as history information in the first storage unit 212 in association with time information indicating the date and time or timestamp when the security verification was performed.

The first processing unit 21 deactivates the second processing unit 22 (S1042). The first processing unit 21 performs processing to deactivate the second processing unit 22 that has been determined to be abnormal as a result of security verification. The processing to deactivate includes, for example, cutting off the power supply to the second processing unit 22, forcibly stopping (shutting down) the second processing unit 22, cutting off the data communication line 201 with the second processing unit 22, or disabling the communication port connected to the data communication line 201.

When the power supply to the second processing unit 22 is cut off as the process for deactivation, the first processing unit 21 may turn off a relay or a semiconductor switch provided on the power line that supplies power to the second processing unit 22. When the second processing unit 22 is forcibly stopped (shut down) as the process for deactivation, the first processing unit 21 may output (transmit) a forcible stop signal to the second processing unit 22 via the verification communication line 203. When the data communication line 201 with the second processing unit 22 is cut off as the process for deactivation, the first processing unit 21 may turn off a relay or a semiconductor switch provided on the data communication line 201. When the communication port connected to the data communication line 201 is disabled as the process for deactivation, the first processing unit 21 may stop the supply of power to the data communication unit 202 provided in the first processing unit 21. Even in this case, the first processing unit 21 may maintain the activation state of the verification communication unit 204 and continue the state in which communication with the second processing unit 22 via the verification communication line 203 is possible. The first processing unit 21 may store the action taken to deactivate the second processing unit 22 as history information in the first storage unit 212 in association with a determination result indicating that the challenge-response authentication has failed.

The second processing unit 22 (second control unit 221) outputs a verification request to the first processing unit 21 (T101). The second processing unit 22 outputs (transmits) the verification request (authentication request) to the first processing unit 21, for example, periodically or periodically. The second processing unit 22 may output (transmit) the verification request (authentication request) to the first processing unit 21 via the verification communication line 203.

The second processing unit 22 generates response data in response to the security verification by the first processing unit 21 (T102). When a challenge-response method is used for the security verification, the second processing unit 22 acquires (receives) the challenge information output (transmitted) from the first processing unit 21, and generates response information based on the challenge information. The second processing unit 22 may generate the response information by generating (converting) a hash value based on the challenge information and a password set in the second processing unit 22 (a password stored in the second storage unit 222).

The second processing unit 22 outputs the generated response data to the first processing unit 21 (T103). The second processing unit 22 may output (transmit) the generated response data (response information) to the first processing unit 21 via the verification communication line 203.

The second processing unit 22 transitions to a deactivated state by the deactivation process by the first processing unit 21 (T104). If the first processing unit 21 determines that the second processing unit 22 is abnormal (challenge-response authentication fails) based on the result of the security verification, the first processing unit 21 performs a process to deactivate the second processing unit 22. This process transitions the second processing unit 22 to a deactivated state. As a result, the second processing unit 22 that has become abnormal due to, for example, unauthorized access from outside the vehicle (security attack) can be substantially separated (isolated) from the in-vehicle network 3, and the second processing unit 22 can prevent the control of the vehicle C (vehicle C system) from being affected. If the first processing unit 21 determines that the second processing unit 22 is normal (challenge-response authentication succeeds) based on the result of the security verification, the first processing unit 21 does not perform a process to deactivate the second processing unit 22, so that the activated state of the second processing unit 22 is maintained (continued).

(Embodiment 2)
4 is a flowchart illustrating the processing of the first processing unit 21 and the second processing unit 22 of the in-vehicle device 2 according to the second embodiment (return signal). As in the first embodiment, the in-vehicle device 2 steadily performs the following processing when the vehicle C is in a running state (IG switch is on) or stopped state (IG switch is off). A series of processing of the first processing unit 21 (inner-side microcomputer) and the second processing unit 22 (outer-side microcomputer) of the in-vehicle device 2 are performed in association with each other, but the processing by the first processing unit 21 (inner-side microcomputer) will be described first, and then the processing by the second processing unit 22 (outer-side microcomputer) will be described.

The first processing unit 21 determines whether or not a verification request has been received from the second processing unit 22 (S201). The first processing unit 21 performs the process of S201 in the same manner as the process of S101 in the first embodiment.

If the first processing unit 21 has not received a verification request (authentication request) from the second processing unit 22 (S201: NO), the first processing unit 21 judges whether a predetermined period has elapsed (S2011). For example, when a challenge-response method is used, the second processing unit 22 is configured to periodically output a verification request (authentication request) to the first processing unit 21, and the first processing unit 21 judges whether a state in which a verification request (authentication request) has not been received from the second processing unit 22 has continued for a predetermined period according to the period. The predetermined period may be set in advance as, for example, a period three times the transmission period when the second processing unit 22 outputs (transmits) a verification request, and may be stored in the first storage unit 212. The first processing unit 21 may store in the first storage unit 212, as a verification request reception history, whether or not a verification request has been received from the second processing unit 22 each time the transmission period when the second processing unit 22 outputs (transmits) a verification request elapses.

If it is determined that the predetermined period has not elapsed (S2011: NO), the first processing unit 21 performs a loop process to execute the process of S101 again. In other words, the first processing unit 21 may continue waiting for a verification request (authentication request) to be sent from the second processing unit 22.

If it is determined that the predetermined period has elapsed (S2011: YES), the first processing unit 21 determines that the second processing unit 22 is abnormal (S2041). If a state in which the second processing unit 22 does not output a verification request (authentication request) has elapsed for a predetermined period, the first processing unit 21 may determine that the second processing unit 22 is in an abnormal state due to unauthorized access from outside the vehicle (security attack) and that the security function has already failed.

When a verification request (authentication request) is obtained from the second processing unit 22 (S201: YES), the first processing unit 21 performs security verification on the second processing unit 22 (S202). The first processing unit 21 obtains response data from the second processing unit 22 in response to the security verification (S203). The first processing unit 21 determines whether the obtained response data is valid or not (S204). When the first processing unit 21 determines that the response data is valid (S204: YES), the first processing unit 21 determines that the second processing unit 22 is normal (S205). The first processing unit 21 performs the processes from S202 to S205 in the same manner as the processes from S102 to S105 in the first embodiment.

If it is determined that the response data is invalid (S204: NO), or if it is determined that the predetermined period has elapsed as described above (S2011: YES), the first processing unit 21 determines that the second processing unit 22 is abnormal (S2041). The first processing unit 21 performs the process of S2041 in the same manner as the process of S1041 in the first embodiment.

The first processing unit 21 executes a recovery process for the second processing unit 22 (S2042). When the first processing unit 21 determines that the second processing unit 22 is abnormal, the first processing unit 21 performs a recovery process for recovering the second processing unit 22. The recovery process for recovering the second processing unit 22 includes, for example, restarting the second processing unit 22 by cutting off and resupplying power to the second processing unit 22, or outputting a recovery signal to the second processing unit 22.

When the second processing unit 22 is restarted by cutting off and resupplying power to the second processing unit 22 as the recovery process, the first processing unit 21 may turn off and then turn on a relay or semiconductor switch provided on a power line that supplies power to the second processing unit 22. The recovery signal to the second processing unit 22 may be, for example, a signal including rebooting or initializing the second processing unit 22, or a program pre-stored in the storage unit of the first processing unit 21 and an instruction to execute the program. The recovery signal may be output (transmitted) from the first processing unit 21 to the second processing unit 22 via the verification communication line 203. The first processing unit 21 may deactivate the second processing unit 22 as in the first embodiment when the result of the security verification (verification result) of the second processing unit 22 continues to be abnormal even though the first processing unit 21 has output the recovery signal to the second processing unit 22 multiple times (predetermined number of times).

The second processing unit 22 outputs a verification request to the first processing unit 21 (T201). The second processing unit 22 generates response data in response to the security verification by the first processing unit 21 (T202). The second processing unit 22 outputs the generated response data to the first processing unit 21 (T203). The second processing unit 22 performs the processes T201 to T203 in the same manner as the processes T101 to T103 in the first embodiment.

The second processing unit 22 executes the recovery process according to the recovery process performed by the first processing unit 21 (T204). If the first processing unit 21 determines that the second processing unit 22 is abnormal (challenge-response authentication fails) based on the result of the security verification, the first processing unit 21 performs a procedure to recover the second processing unit 22. By performing the procedure, the second processing unit 22 performs the recovery process, for example, by rebooting, loading and executing a normal program transmitted from the first processing unit 21, etc. This allows the second processing unit 22, which has become abnormal due to, for example, unauthorized access from outside the vehicle (security attack), to transition (recover) to a normal state.

(Embodiment 3)
5 is a schematic diagram illustrating a system configuration of an in-vehicle system S according to embodiment 3 (connected to an actuator 5). In this embodiment, the in-vehicle ECU 4 directly connected to an actuator 5 such as a motor also includes a first processing unit 41 and a second processing unit 42, similar to the in-vehicle device 2 described in embodiment 1. The configurations and processing of the first processing unit 41 and the second processing unit 42 of the in-vehicle ECU 4 are similar to the configurations and processing of the first processing unit 21 and the second processing unit 22 of the in-vehicle device 2.

The first processing unit 41 of the on-board ECU 4 is not directly connected to the on-board network 3, but is directly connected to an actuator 5 such as a motor. The second processing unit 42 of the on-board ECU 4 is directly connected to the on-board network 3. The first processing unit 41 and the second processing unit 42 of the on-board ECU 4 are communicatively connected by a data communication line 201 and a verification communication line 203, similar to the on-board device 2 of embodiment 1.

The first processing unit 41 and the second processing unit 42 included in the on-board ECU 4 perform security verification in the same manner as the on-board device 2 of embodiment 1, and the first processing unit 41 located on the actuator 5 side performs security verification (security measures) on the second processing unit 42 located on the on-board network 3 side using a challenge-response method. This ensures the integrity of the second processing unit 42 on the on-board network 3 side in the on-board ECU 4, which is implemented with multiple processing units (microcomputers), and provides resistance to security attacks from outside the vehicle via the on-board network 3.

In this embodiment, the second processing unit 42 is located on the in-vehicle network 3 side, and the first processing unit 41 is located on the actuator 5 side, but this is not limited to the above. The first processing unit 41 may be located on the in-vehicle network 3 side, and the second processing unit 42 may be located on the actuator 5 side. This ensures the integrity of the second processing unit 42 on the actuator 5 side in an in-vehicle ECU 4 that is equipped with multiple processing units (microcomputers), and provides resistance to security attacks from the actuator 5 side.

The embodiments disclosed herein are illustrative in all respects and should not be considered limiting. The scope of the present disclosure is indicated by the claims, not by the meaning described above, and is intended to include all modifications within the meaning and scope of the claims.

C Vehicle S In-vehicle system 100 External server 101 Diagnostic device 1 External communication device 11 Antenna 2 In-vehicle device (relay device)
21 First processing unit (in-vehicle microcomputer)
211 First control unit 212 First storage unit 213 In-vehicle communication unit 22 Second processing unit (outside microcomputer)
221 Second control unit 222 Second storage unit 223 Vehicle exterior communication unit M Recording medium P Program (program product)
201 Data communication line 202 Data communication unit 203 Verification communication line 204 Verification communication unit 3 Vehicle-mounted network 31 Communication cable 4 Vehicle-mounted ECU
41 First processing unit 42 Second processing unit 5 Actuator

Claims (10)

An in-vehicle device mounted in a vehicle having an in-vehicle network,
A first processing unit connected to the in-vehicle network;
a second processing unit communicably connected to the first processing unit,
The first processing unit is
performing security verification on the second processing unit;
performing a recovery process for recovering the second processing unit when it is determined that the second processing unit is abnormal based on a result of the security verification;
When a result of security verification for the second processing unit continues to be abnormal despite a return signal for performing the return process being output to the second processing unit a plurality of times, the second processing unit is deactivated.
In-vehicle device. the first processing unit acquires response data from the second processing unit in response to the security verification;
The in-vehicle device according to claim 1 , further comprising: a determination unit configured to determine whether the second processing unit is normal based on the acquired response data. The in-vehicle device according to claim 1 or 2, wherein the first processing unit performs security verification on the second processing unit using a challenge-response method. The in-vehicle device according to claim 1 , wherein the first processing unit performs security verification on the second processing unit in response to a verification request from the second processing unit. The in-vehicle device according to claim 4 , wherein the first processing unit determines that the second processing unit is abnormal when the first processing unit does not receive a verification request from the second processing unit for a predetermined period of time. The second processing unit acquires outside-vehicle communication data from an external device outside the vehicle,
The in-vehicle device according to any one of claims 1 to 5, wherein the first processing unit and the second processing unit are connected by a data communication line through which the outside-vehicle communication data flows and a verification communication line through which data for the security verification flows. The in-vehicle device according to claim 1 , wherein the first processing unit performs processing to deactivate the second processing unit when the first processing unit determines that the second processing unit is abnormal based on a result of the security verification. A plurality of in-vehicle ECUs are connected to the in-vehicle network,
The in-vehicle device according to claim 1 , wherein the first processing unit relays the data acquired from the second processing unit to the in-vehicle ECU via the in-vehicle network. A computer is provided in a vehicle having an in-vehicle network, the computer including a first processing unit connected to the in-vehicle network and a second processing unit communicatively connected to the first processing unit,
The first processing unit performs security verification on the second processing unit;
performing a recovery process for recovering the second processing unit when it is determined that the second processing unit is abnormal based on a result of the security verification;
When a result of security verification for the second processing unit continues to be abnormal despite a return signal for performing the return process being output to the second processing unit a plurality of times, the second processing unit is deactivated.
An information processing method for executing a process. A computer is provided in a vehicle having an in-vehicle network, the computer including a first processing unit connected to the in-vehicle network and a second processing unit communicatively connected to the first processing unit,
The first processing unit performs security verification on the second processing unit;
performing a recovery process for recovering the second processing unit when it is determined that the second processing unit is abnormal based on a result of the security verification;
When a result of security verification for the second processing unit continues to be abnormal despite a return signal for performing the return process being output to the second processing unit a plurality of times, the second processing unit is deactivated.
A program that executes a process.