JP4942261B2 - Vehicle relay device and in-vehicle communication system - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a vehicle relay device that relays communication between an external device connected via a communication device and various in-vehicle electronic devices connected to an in-vehicle LAN.
[0002]
[Prior art]
In recent vehicles, especially automobiles, the number of electronic devices in the vehicle such as control devices, information devices, and audio devices is increasing, and in vehicles that require cooperation between devices or sharing of information. In general, electronic devices are connected by a dedicated communication line so that information can be transmitted and received between the devices and an information communication network (so-called in-vehicle LAN) is constructed.
[0003]
In recent years, with the development of networks outside the vehicle, infrastructure has been developed so that various information necessary for each device in the vehicle can be obtained from outside the vehicle. There are an increasing number of examples of connecting in-vehicle electronic devices with in-vehicle electronic devices equipped with wireless devices for performing the above-mentioned operation to an in-vehicle LAN.
[0004]
For example, navigation capable of connecting a VICS radio that can receive road traffic information provided from a road traffic information communication system (VICS) or a mobile phone used for collecting nearby store information from the outside Internet A device, an on-board ETC device to which an ETC radio for communicating with an automatic fee billing system (ETC) is connected.
[0005]
[Problems to be solved by the invention]
However, in a conventional in-vehicle LAN, a radio device for acquiring various information from the outside is directly connected to a device that mainly uses the information. It was inconvenient because it could not be placed in a position or extra wiring between the radio and the device had to be provided.
[0006]
In order to solve this problem, for example, a wireless device is directly connected to the in-vehicle LAN, and a device in the in-vehicle LAN that requires information received by the wireless device is transmitted from the wireless device via the in-vehicle LAN. A method for obtaining necessary information can be considered. In this way, the degree of freedom of the installation position of the wireless device or the like is high, and the number of wires is small, which is convenient.
[0007]
However, with such a configuration, it becomes possible to access each device connected to the in-vehicle LAN from outside the vehicle via a radio, and unauthorized access to network terminals that frequently occur in the Internet and other fields in recent years. There is a high possibility that the same problem will occur.
[0008]
The present invention has been made in view of these problems, and an object thereof is to sufficiently prevent unauthorized access from outside to various in-vehicle electronic devices in a vehicle while simplifying wiring in an in-vehicle communication system.
[0009]
[Means for Solving the Problems]
In order to achieve this object, the invention according to claim 1 is arranged between an in-vehicle LAN constructed in a vehicle and a communication device that performs data communication between an external device and the communication device. A vehicle relay device that relays communication between an external device connected via a vehicle and various in-vehicle electronic devices connected to the in-vehicle LAN, a first identification unit, a first authentication unit, and a first distribution unit And are provided.
[0010]
That is, in the vehicle relay device of the present invention, when there is an access request from the external device to the in-vehicle electronic device connected to the in-vehicle LAN, the first identification means identifies the access destination and the identification result Based on the above, it is determined whether or not the access request is an access request to an in-vehicle electronic device that requires authentication of the external device.
[0011]
In addition, when the first identification unit determines that the access request requires the authentication of the external device, the relay device for the vehicle receives the first authentication transmitted from the external device by the first authentication unit. Based on the information, it is determined whether the out-of-vehicle device is an out-of-vehicle device that is permitted to access the in-vehicle electronic device in advance.
[0012]
Furthermore, the vehicular relay device determines that the out-of-vehicle device requested for access by the first authentication means is an out-of-vehicle device that is permitted to access the in-vehicle electronic device in advance, or the first identification unit requests access. When it is determined that authentication of the external device is not required, the first distribution means distributes communication data transmitted from the external device via the communication device to the in-vehicle electronic device to be accessed To do.
[0013]
  Therefore, the vehicular relay device according to claim 1 relates to access from an external device that is not permitted to access an in-vehicle electronic device in the in-vehicle LAN before connecting the out-of-vehicle device to the in-vehicle LAN. Access to the internal electronic device can be denied. In other words, the vehicular relay device can restrict external access by authenticating the external device by the first authentication means, and as a result, can prevent external unauthorized access.Further, the in-vehicle electronic device connected to the in-vehicle LAN is divided into an information system device for notifying a vehicle occupant of information acquired from the outside and a control system device for controlling the vehicle. You may make it discriminate | determine whether the authentication of an external device is required by making an identification means identify whether an access request is an access request | requirement of an information system apparatus or a control system apparatus. Further, in this case, as described in claim 1, when the first identification unit determines that the access request is an access request to the control system device, the first recognition unit authenticates the external device. It is preferable to configure the vehicular relay device to be performed by the method. In this way, the control system device for controlling the vehicle can be accessed only from an authorized external device that has been authenticated, and the vehicle relay device is connected to the control system device related to the traveling of the vehicle. Can be prevented from unauthorized access.
[0014]
As a method for causing the first identification means to determine whether or not the access request is an access request to an in-vehicle electronic device that requires authentication of the outside device, for example, in advance in the vehicle relay device, There is a method of listing in-vehicle electronic devices that require device authentication, and causing the first identification means to determine whether or not authentication of an external device is required based on the list. In addition, as the in-vehicle LAN, a plurality of independent networks are constructed for each system of the in-vehicle electronic device, and these networks cannot be accessed from the outside unless the vehicle relay device is provided. Further, it may be determined whether the access request requires authentication of the external device by determining whether the access request is an access request to an in-vehicle electronic device belonging to which network.
[0015]
In addition, as an authentication method when authentication of an external device is required at this time, for example, authentication information (such as a password) for each electronic device in the vehicle is stored in advance in the vehicle relay device, and the vehicle relay There is a method in which the device collates the authentication information with the authentication information acquired from the external device. As another example, authentication information common to in-vehicle electronic devices is stored in the vehicular relay device, and when there is an access request that requires authentication of an external device, the common authentication is performed regardless of the access destination. You may make it authenticate an apparatus outside a vehicle by information.
[0018]
  WhenHowever, in the above, the method of determining whether or not the authentication of the external device is necessary by identifying the access destination, but depending on the type of access request from the external device (such as the type of communication data), In some cases, it is better to authenticate the outside device regardless of the access destination.
[0019]
  For example, the access request is a write request for writing a program that operates in the in-vehicle electronic device or a parameter for operating the in-vehicle electronic device (for example, a suitable constant for properly operating the control system in the vehicle). This is the case. For this reason, the claim2In the vehicular relay device described above, in addition to the first identification unit, the first authentication unit, and the first distribution unit, a second identification unit, a second authentication unit, and a second distribution unit are provided. .
[0020]
  That is, the claim2In the vehicle relay device described in the above, when there is an access request from the outside device to the in-vehicle electronic device, the second identification means sends the access request to the in-vehicle electronic device or the in-vehicle electronic device When it is determined whether or not it is a write request for writing an operation parameter, and the second identification means determines that the access request to the in-vehicle electronic device is not a write request, the second authentication means The identification means is operated.
[0021]
In the vehicular relay apparatus, the second identification means transmits an access request to the in-vehicle electronic device when it is determined to be a request for writing a program or a parameter for operating the in-vehicle electronic device. On the basis of the second authentication information, the second authentication means is permitted to write a program for operating the electronic device in the vehicle or a parameter for operating the electronic device in the vehicle. It is determined whether it is a device.
[0022]
When the second authentication means determines that the external device requested to write is an external device that is permitted to write a program for operating the electronic device in the vehicle or parameters for operating the electronic device in the vehicle. Only the second distribution means distributes the program as communication data transmitted from the device outside the vehicle via the communication device or the parameter for operating the electronic device in the vehicle to the electronic device in the access destination.
[0023]
  Therefore, the claims2In the vehicular relay device described in the above, when the access request is a program or a parameter write request for operating the electronic device in the vehicle, the external device based on the second authentication information regardless of the access destination As a result, it is possible to prevent writing of a program to the in-vehicle electronic device and parameters for operating the in-vehicle electronic device due to unauthorized access.
[0024]
Of course, in the case of a write request from a valid external device, the second distribution means distributes the program or parameters for operating the electronic device in the vehicle to the electronic device in the access destination. Therefore, according to the vehicular relay device, it is easy for a legitimate user to write a program for an in-vehicle electronic device and a vehicle while preventing writing of a program for unauthorized access and parameters for operating the in-vehicle electronic device. Parameters for operating the internal electronic device can be written / updated.
[0025]
For example, in the past, a dealer or the like has updated the program of the in-vehicle electronic device with a dedicated device. However, in a vehicle in which such a vehicle relay device is incorporated, it is troublesome to bring the vehicle into the dealer. The program can be updated without forcing the driver.
[0026]
  Claims2In the vehicular relay device described in the above, it is possible to more reliably determine whether the external device is legitimate for the authentication method when the access request is writing of a program or a parameter for operating the electronic device in the vehicle It is desirable to use such a strong authentication method.
[0027]
  For this purpose, for example, the claims3When the second identification means determines that the access request to the in-vehicle electronic device is a write request, the second authentication means determines that the external device is preliminarily in advance based on the first authentication information. Based on the second authentication information, the write request is made to determine whether or not the external device is permitted to access the electronic device. The vehicular relay apparatus is configured to determine whether or not the out-of-vehicle apparatus that has been operated is an out-of-vehicle apparatus that is permitted to write a program that operates in the in-vehicle electronic apparatus or a parameter for operating the in-vehicle electronic apparatus. It is good.
[0028]
  If the vehicle relay device is configured in this way, the vehicle outside device can be authenticated in two stages based on the first authentication information and the second authentication information, so that the program and the in-vehicle electronic device operation can be more reliably performed. It is possible to determine whether the parameter write request is from a valid external device. Therefore, the vehicle relay device of the present invention (claims)3), Unauthorized access to the in-vehicle electronic device connected to the in-vehicle LAN can be more reliably prevented.
[0029]
  Specifically, the claims3The vehicle relay device according to claim4It is preferable to configure as described in the above. Claim4In the vehicular relay device described in the above, the second authentication means possesses authentication information for authenticating the external device, and the first authentication information transmitted from the external device is owned by itself. By collating with the information, it is configured to determine whether or not the out-of-vehicle device is an out-of-vehicle device that is previously permitted to access the in-vehicle electronic device.
[0030]
Further, when the second authentication means determines that the out-of-vehicle device is an out-of-vehicle device that is permitted to access the in-vehicle electronic device in advance, the second authentication information is transmitted to the second authentication information transmitted from the out-of-vehicle device. It transfers to the electronic device in a vehicle used as the writing object of the parameter for electronic device operation.
[0031]
Note that, in the in-vehicle electronic device that receives the transferred second authentication information, it is determined whether the out-of-vehicle device is an out-of-vehicle device that is permitted to write a program or a parameter for operating the in-vehicle electronic device. Authentication information is stored, and the second authentication means transfers the second authentication information to the in-vehicle electronic device, and the second authentication information is owned by the in-vehicle electronic device. Let them collate. In addition, the verification result is acquired from the in-vehicle electronic device, and based on the acquired verification result, the external device that has requested writing is a program for operating in the in-vehicle electronic device or a parameter for operating the in-vehicle electronic device. It is determined whether or not the external device is permitted to be written.
[0032]
  Claim for authenticating an external device by such an authentication method4In the vehicular relay device described in the above, the second authentication is performed by the in-vehicle electronic device to which the program or parameter is written. Therefore, even if the vehicular relay device malfunctions due to unauthorized access, It is possible to prevent the program and parameters for operating the electronic device in the vehicle from being written. In addition, it is possible to prevent an act of connecting a device directly to the in-vehicle LAN and attempting to gain unauthorized access to the in-vehicle electronic device.
[0033]
  In addition, claims 1 to claim described above4If the vehicular relay device described in any of the above is used, an in-vehicle communication system that can withstand unauthorized access can be constructed. More specifically, the claims5Claims 1 to4The vehicle relay device according to any one of the above is disposed between a communication device that performs data communication with an external device and an in-vehicle LAN built in the vehicle, and the vehicle relay device includes a communication device. What is necessary is just to relay communication between the in-vehicle apparatus connected via the vehicle and various in-vehicle electronic devices connected to the in-vehicle LAN.
[0034]
At this time, if all the communication devices mounted in the vehicle are connected to the vehicle relay device, all accesses from the outside device can be relayed by the vehicle relay device, and all unauthorized access is made to the vehicle. Can be dealt with by the relay device. Therefore, in such an in-vehicle communication system, unauthorized access to the in-vehicle electronic device can be prevented more reliably.
[0035]
DETAILED DESCRIPTION OF THE INVENTION
Embodiments of the present invention will be described below with reference to the drawings.
FIG. 1 is a block diagram showing a configuration of an in-vehicle communication system 1 to which the present invention is applied.
[0036]
As shown in FIG. 1, the in-vehicle communication system 1 of this embodiment includes an in-vehicle LAN 10 constructed by each electronic control device (ECU 11 to 37) installed in the vehicle as an in-vehicle electronic device, and an out-of-vehicle device 3. A communication unit 40 for performing communication between them, an in-vehicle LAN 10, and a gateway ECU 50 that relays data communication between each of the ECUs 11 to 37 in the in-vehicle LAN 10 and the external device 3; , Is composed of.
[0037]
The in-vehicle LAN 10 constructed in the vehicle includes a control system network, an AVC system network, and a body system network. Each network has a common transmission line and the above-described in-vehicle LAN system corresponding to each system. ECU is connected.
For example, an ECU for vehicle control related to traveling such as an engine ECU 11, ECT / ECU 13, VSC / ECU 15, ACC / ECU 17, and surrounding monitoring ECU 19 is connected to the control system network.
[0038]
Here, the engine ECU 11 is an engine control device that controls the engine, and the ECT / ECU 13 is a shift control device that performs shift control of the automatic transmission, and these are so-called power train control devices. The VSC / ECU 15 is a control device that controls the attitude and braking of the vehicle, and the ACC / ECU 17 is a travel control device that controls the vehicle to follow the preceding vehicle. It is a control device.
[0039]
On the other hand, body control ECUs such as a meter ECU 21, an anti-theft ECU 23, and an air conditioner ECU 25 are connected to the body network. The meter ECU 21 is for displaying various vehicle states such as vehicle speed, engine speed, door open / close state, transmission shift range, etc. on the display device. The anti-theft ECU 23 monitors the vehicle state, When a malicious person enters the vehicle or attempts to steal each device in the vehicle, it is used to sound an alarm sound or make an emergency call to an external center. The air conditioner ECU 25 controls the air conditioner. Is for.
[0040]
In addition, the AVC system network is connected to an AVC system ECU belonging to an information device that provides various information (information display, reproduction, etc.) such as a navigation ECU 31, an audio ECU 33, a telephone ECU 35, and an ETC / ECU 37.
The navigation ECU 31 acquires map data from a map data storage unit (not shown) composed of a DVD player, a CD player, etc. connected to the navigation ECU 31 and a GPS receiver (not shown) connected to the communication unit 40. ) To obtain information relating to the current position of the vehicle, and based on this information, a map representing the current position of the vehicle is displayed on a display device (not shown) such as a liquid crystal display connected to the audio ECU 33 described later, for example. ECU.
[0041]
Further, the navigation ECU 31 acquires traffic jam information and the like from a VICS radio 41 and the like which will be described later, and displays the information on a display device together with a map, or the position of the ETC gate from the ETC radio 45 and a later-described. Information is acquired and displayed on the display device to guide the driver to the gate position for ETC.
[0042]
Next, the audio ECU 33 displays a radio broadcast program or a television broadcast program desired by the user according to a command input by the user operating an operation switch connected to the ECU. It is obtained from the TV / radio radio 43 by controlling a tuner built in the TV and reproduced by a speaker system, a liquid crystal display or the like in the vehicle.
[0043]
Further, the telephone ECU 35 communicates with a telephone radio unit 47, which will be described later, to connect the telephone radio unit 47 to an external device connected to the telephone line network via a radio base station in the telephone line network. Thus, communication is performed between each ECU of the in-vehicle LAN 10 and an external device through a telephone line.
[0044]
In addition, when the ETC / ECU 37 acquires command information related to charging from the ETC center via an ETC radio (described later), in response to this, reads various information from a card reader or the like connected to itself, This is to be sent to an external ETC center via the ETC radio 45.
[0045]
Subsequently, as shown in FIG. 1, the communication unit 40 according to the present embodiment includes a plurality of types of wireless devices such as a VICS wireless device 41, a television / radio wireless device 43, an ETC wireless device 45, and a telephone wireless device 47. And an external device connecting portion 49 for connecting an external device such as the service tool 5 directly into the vehicle.
[0046]
The VICS radio 41 is composed of, for example, a radio beacon receiver for receiving road traffic information provided from the VICS, an optical beacon receiver, and the like, and communication data from the VICS acquired from these radios Is sent to the gateway ECU 50.
[0047]
The television / radio radio 43 includes a tuner for receiving a television broadcast signal and a radio broadcast signal, and the tuner is configured to be controlled by the audio ECU 33 or the like connected to the in-vehicle LAN 10. The TV / radio radio 43 receives a command from the audio ECU 33 and is connected to an external center that provides a video-on-demand service. To send.
[0048]
The ETC wireless device 45 is a wireless device for communicating with the ETC center. The communication data from the ETC center is sent to the gateway ECU 50 or transmitted from the in-vehicle LAN via the gateway ECU 50. Data is transmitted to the ETC center side.
[0049]
Then, the telephone radio unit 47 is controlled by the telephone ECU, connects itself to an external public telephone line network via the radio base station, and transmits communication data from the public telephone line network to the gateway ECU 50. .
Here, examples of access from outside the vehicle performed via the telephone radio device 47 include the following.
[0050]
For example, there is an access when the vehicle owner inputs a command for starting an air conditioner from a mobile phone or the like to the air conditioner ECU 25 in the in-vehicle LAN 10 and operates the air conditioner by remote control. In addition, an access in the case where the user acquires music data through a telephone line and reproduces the music data in the audio ECU 33 in the vehicle may be considered. In addition, a user acquires a program that operates in each of the ECUs 11 to 37 in the in-vehicle LAN from an external center through a telephone line, and installs the program in the ECUs 11 to 37 to newly write or update the program. Access in the case of or.
[0051]
The wireless devices 41, 43, 45, and 47 in the communication unit 40 have been described above. However, in the in-vehicle communication system 1, communication data without an instruction of a distribution destination (that is, an access destination) is communicated from the outside. The case where it receives in the part 40 is considered. Therefore, when taking measures in such a case, for example, each of the wireless devices 41 to 47 gives information on the delivery destination to the communication data regarding a specific type of data without an instruction of the delivery destination, and this is used as a gateway. What is necessary is just to comprise the communication part 40 so that it may transmit to ECU50. For example, when a television signal is received, the distribution destination is designated to the audio ECU 33.
[0052]
In addition, the external device connection unit 49 includes a connector for connecting an external device such as the service tool 5 for performing vehicle diagnosis or the service tool 5 for updating a program in the ECU to the in-vehicle LAN 10. When the service tool 5 is connected, the service tool 5 is connected to the gateway ECU 50.
[0053]
The gateway ECU 50 is connected to the communication unit 40 and the in-vehicle LAN 10, and has a configuration for relaying data communication between the ECUs 11 to 37 in the in-vehicle LAN 10 and the external device 3. .
For example, the gateway ECU 50 has a so-called routing function, and relays access from an ECU in each system network in the in-vehicle LAN to an ECU in another network in the in-vehicle LAN. Specifically, for example, when there is a request for access from the ECU in the body system network to the ECU in the control system network, communication data from the ECU in the body system network is transmitted to the ECU in the control system network.
[0054]
As a feature of the present invention, when the gateway ECU 50 acquires the communication data received by the communication unit 40, the gateway ECU 50 executes the main routine shown in FIG.
2 is a flowchart showing a main routine executed by the gateway ECU 50, FIG. 3 is a flowchart showing a program transfer process called by the main routine, and FIG. 4A is an individual call called by the program transfer process. FIG. 5 is a flowchart showing the access restriction process.
[0055]
First, in S110, the gateway ECU 50 reads the communication data distribution destination from the communication data, and based on this, the distribution destination (that is, the access destination) is stored in its own storage medium (memory in this embodiment). It is determined whether or not the device is listed in the stored in-vehicle device list (S120). The in-vehicle device list here is a list related to the ECUs 11 to 37 connected to the in-vehicle LAN 10.
[0056]
If the gateway ECU 50 determines that the communication data distribution destination is not registered in the in-vehicle device list, the gateway ECU 50 terminates the processing after executing an access restriction process (described later in detail) in S125.
On the other hand, when determining that the distribution destination of the communication data is registered in the in-vehicle device list, the gateway ECU 50 relates to a write request for a program in which the communication data is operated by the ECU in the in-vehicle LAN 10 in subsequent S130. It is determined whether or not the communication data includes information or information related to a request for writing a compatible constant for properly operating the control system in the vehicle. The request for writing the adaptation constant here is, for example, a request for rewriting the engine ignition timing map.
[0057]
If it is determined that the communication data includes information related to a program or parameter write request, gateway ECU 50 next executes a program transfer process (FIG. 3) in S140. In the following processing, only the program write request will be described. However, these processes are performed in the same procedure even when the request is to write a compatible constant.
[0058]
When the program transfer process is started, the gateway ECU 50 first transmits a password as first authentication information to itself to the vehicle exterior apparatus 3 that has transmitted the program write request via the communication unit 40 in S141. And obtain a password from the vehicle exterior device 3.
[0059]
Subsequently, in step S143, the gateway ECU 50 determines whether the password matches a password registered in advance in the gateway ECU 50 (gateway ECU 50). As for this password, for example, the producer may register a password unique to the gateway ECU 50 in the gateway ECU 50 at the time of product shipment.
[0060]
If it is determined in S143 that the password is not correct (that is, the acquired password and the password registered in advance do not match), the gateway ECU 50 proceeds to S169 and performs an access restriction process (FIG. 5). If the password is correct in S143, the process proceeds to S145, the program is acquired from the vehicle exterior device 3 via the communication unit 40, and is temporarily stored in its own memory. .
[0061]
Subsequently, the gateway ECU 50 executes an individual authentication process (FIG. 4) in S150.
In step S151, the gateway ECU 50 first transfers the program to the ECU in the in-vehicle LAN 10 (hereinafter, referred to as “write target ECU”) that is the program write target of the vehicle exterior device 3 in S151. Request reception.
[0062]
Thus, when gateway ECU50 requests | requires reception of a program, writing target ECU which received the request will perform the program reception process which shows a flowchart in FIG.4 (b). Hereinafter, the details of the individual authentication process executed by the gateway ECU 50 shown in FIG. 4A and the details of the program reception process shown in FIG. 4B will be described in parallel.
[0063]
Upon receiving the program reception request, the writing target ECU first determines in S310 whether or not the vehicle external device 3 that has requested the program write is the vehicle external device 3 that is permitted in advance to write the program. In order to do this, the second authentication information different from the first authentication information is requested to the external apparatus 3 that is the write request source.
[0064]
For example, when a common key method (DES method or the like) is adopted as the authentication method, the writing target ECU generates a random number r in S310 and temporarily stores the random number r in its own memory. Is transmitted to the outside device 3 side together with a request for authentication information, and the outside device 3 is instructed to send back the encrypted random number r with the common key K as authentication information.
[0065]
When making a request for this authentication information to the vehicle exterior device 3, the gateway ECU 50 once acquires the request information from the write target ECU and transfers it to the vehicle exterior device 3 via the communication unit 40 (S153). ). Further, when the gateway ECU 50 acquires the authentication information from the vehicle exterior device 3 as a response result to the request for the authentication information, the gateway ECU 50 transfers it to the writing target ECU in S155.
[0066]
On the other hand, when the writing target ECU obtains the authentication information from the vehicle exterior device 3 via the gateway ECU 50 (S320), it collates this with the authentication information stored in its own memory (S330). Then, based on the collation result, it is determined whether or not the authentication of the external device 3 is successful (S340). If the authentication is successful, the authentication is notified to the gateway ECU 50 (S350), and the authentication must be successful. If the authentication is not successful, a notification that the authentication has failed is sent (S355).
[0067]
Here, an example in the case of performing the above-described common key authentication will be described in detail. The writing target ECU decrypts the authentication information acquired from the vehicle exterior device 3 with the common key K, and the decrypted authentication. It is determined whether or not the information matches the random number r generated in S310. If the information matches, it is determined that the out-of-vehicle apparatus 3 is an out-of-vehicle apparatus that is permitted to write a program in advance (Yes in S340). 3 is notified that the authentication is successful.
[0068]
On the other hand, when the gateway ECU 50 receives the authentication result (authentication success notification or authentication failure notification) from the write target ECU in S157, the gateway ECU 50 ends the individual authentication processing and proceeds to S161 of the program transfer processing (FIG. 3). Then, it is determined whether or not the authentication in the writing target ECU is successful.
[0069]
That is, when the gateway ECU 50 receives a notification of authentication failure from the write target ECU, the gateway ECU 50 determines No in S161, moves the process to S169, and receives a notification of authentication success from the write target ECU, the answer is Yes in S161. Judgment is made and the process proceeds to S163.
[0070]
In S163, the gateway ECU 50 transmits the temporarily stored program to the writing target ECU. In response to this, the write target ECU receives the program transferred from the gateway ECU 50 and stores the program in a state where it can be executed in its own memory (S360).
[0071]
Further, when the writing target ECU finishes storing the program, the gateway ECU 50 verifies whether the writing target ECU correctly stores the program in S165. For example, the gateway ECU 50 collates whether the content of the program transferred by itself and the program stored in the memory of the writing target ECU are the same, thereby correctly storing the program by the writing target ECU. Verify whether.
[0072]
If the program is correctly stored, the program transmitted in S163 is discarded from its own memory (S167), the process is terminated, and if the program is not stored correctly (No in S165). Then, the program stored in its own memory is read again and transmitted to the writing target ECU (S163). If the program writing is not successful for a plurality of times, the program writing may be stopped and the processing may be terminated.
[0073]
Next, the processing when the gateway ECU 50 determines in S130 (see FIG. 2) that the communication data is not a request for writing communication data and a compatible constant (No in S130) will be described.
As shown in FIG. 2, if the gateway ECU 50 determines No in S130, in S170, whether the distribution destination (access destination) of the communication data is the AVC ECUs 31 to 37 connected to the AVC network. Judge whether or not.
[0074]
If it is determined that the distribution destination is the AVC ECU 31 to 37 (Yes in S170), the gateway ECU 50 distributes the communication data to the distribution destination AVC ECU in S175.
On the other hand, if it is determined that the distribution destination is not the AVC ECU 31 to 37 (No in S170), the gateway ECU 50 transmits a password to the ECU to the vehicle exterior device 3 that has transmitted the data via the communication unit 40. To obtain a password as authentication information from the vehicle exterior device 3 (S180).
[0075]
Subsequently, in S190, the gateway ECU 50 determines whether or not the acquired password is correct by determining whether or not the password matches the password registered in advance in the gateway ECU 50. The gateway ECU 50 may be configured to collate the password acquired from the vehicle exterior device 3 with the same password used for collation in S143 of the program transfer process described above. It may be configured to. In this case, the gateway ECU 50 stores in advance both the password used for collation in S143 and the password used for collation in S190.
[0076]
If it is determined that the password is correct (Yes in S190), the gateway ECU 50 transmits the data to the distribution destination ECU (S200). If it is determined that the password is not correct (No in S190), the access restriction process is performed in S195. To finish the process.
[0077]
In this access restriction process, the gateway ECU 50 operates as shown in FIG.
That is, in S410, the gateway ECU 50 determines whether or not the same external device 3 has accessed the gateway ECU 50 n times (for example, 3 times) or more within a predetermined time, and there is no access n times or more. If (No in S410), in S420, the fact that there was an abnormal access that failed in authentication is transmitted from the external device 3 to the corresponding wireless devices 41 to 47 of the communication unit 40 (the corresponding wireless devices 41 to 47). This operation is finished).
[0078]
On the other hand, if there have been n or more accesses (Yes in S410), the corresponding wireless devices 41 to 47 are notified to prohibit access from the external device 3 (S430). 47, the communication data from the external device 3 of the same access source is not sent again to the gateway ECU 50, and the process ends.
[0079]
In addition, each of the wireless devices 41 to 47 of the present embodiment that receives the above notifications of the access restriction process executes an access control process as shown in FIG. 6 to control access from the external device 3. FIG. 6 is a flowchart showing the access control process.
When the wireless devices 41 to 47 acquire communication data as a demodulation result from the demodulation circuit, the wireless devices 41 to 47 acquire information about the transmission source external device 3 included in the communication data, identify the transmission source (S510), and S520. It is then determined whether or not the transmission source is on the access prohibition list. The access prohibition list is updated by the wireless devices 41 to 47 each time an access prohibition notification is received from the gateway ECU 50. The wireless devices 41 to 47 have their access prohibited in their own memory. Possesses an access prohibition list in which the out-of-vehicle devices 3 subject to the registration are registered.
[0080]
If it is determined in S520 that the transmission source of the communication data is on the access prohibition list, the wireless devices 41 to 47 reject access to the gateway ECU 50 of the transmission source external device 3 in the subsequent S540. That is, the wireless devices 41 to 47 discard the communication data received from the transmission source without transmitting it to the gateway ECU 50.
[0081]
On the other hand, if it is determined in S520 that the transmission source of the communication data is not in the access prohibition list, the wireless devices 41 to 47 have passed a certain time after the transmission source received an abnormal access in S530. Judge whether or not. Here, the certain time is set to a time sufficiently shorter than the time when the gateway ECU 50 determines whether or not the access has been made n times or more in S410.
[0082]
Here, if it is determined that a certain time has not passed since the abnormal access, the radio devices 41 to 47 move to S540 and reject the access to the gateway ECU 50 of the transmission source external device 3. On the other hand, if it is determined that a certain period of time has elapsed after the abnormal access or the notification of the abnormal access has not been received, the process proceeds to S550 and the communication data is transmitted to the gateway ECU 50.
[0083]
The in-vehicle communication system 1 according to the present embodiment has been described above. In the in-vehicle communication system 1, the gateway ECU 50 relays communication between the communication unit 40 connected to the external device 3 and the in-vehicle LAN 10. In addition, since it is confirmed by acquiring a password whether or not the vehicle external device 3 is permitted to access the ECUs 11 to 37 of the in-vehicle LAN 10 (that is, data communication with each ECU) as necessary. Unauthorized access to the ECUs 11 to 37 in the in-vehicle LAN 10 can be prevented. Further, by adopting such a configuration, it is possible to further prevent unauthorized access from the outside as compared with the case where the external device 3 is authenticated only by an individual ECU, and to configure such a system at a low cost. Can do. In addition, wiring in the in-vehicle communication system can be reduced.
[0084]
In the in-vehicle communication system 1 according to the present embodiment, the communication data is not related to the program and the request for writing the adaptation constant, but the communication data distribution destination (access destination) notifies the vehicle occupant of the information acquired from the outside. The AVC system ECU (ECUs 31 to 37 connected to the AVC system network) is not authenticated.
[0085]
This is because, as long as the communication data is sent to the AVC ECUs 31 to 37, even if the communication data is maliciously acted on, the communication data does not affect the safety related to the running of the vehicle. . In addition, if it is taken into account that access to the AVC ECU is frequently performed from the outside, the processing load on the gateway ECU 50 increases if the vehicle exterior device 3 is authenticated each time. Of course, if necessary, each ECU may authenticate individually.
[0086]
On the other hand, when the distribution destination of the communication data is an ECU other than the AVC system ECU (in other words, the ECUs 11 to 25 connected to the control system network and the body system network), at least the external device 3 using a password or the like. Authentication is performed once. Because each ECU connected to the control system network and the body system network is an ECU related to vehicle control, it is necessary to prevent these ECUs from being tampered with and to ensure the traveling safety of the vehicle. It is.
[0087]
In particular, in the in-vehicle communication system 1 according to the present embodiment, when communication data relates to a program and a request for writing conformity constants, in addition to the first authentication using a password or the like, regardless of the type of ECU of the delivery destination. By performing the second authentication, the access to the external device 3 is more strictly restricted. Therefore, in the in-vehicle communication system 1 according to the present embodiment, it is possible to prevent a situation in which a program operating in the ECU and a compatible constant related to vehicle control are illegally rewritten.
[0088]
In addition, in this in-vehicle communication system 1, access from the in-vehicle device 3 that often fails in authentication is prohibited with n authentication failures, and the communication data from the in-vehicle device 3 is transferred to the gateway ECU 50 by the communication unit 40. Therefore, problems such as an increase in processing load on the gateway ECU 50 due to unauthorized access can be solved.
[0089]
Here, the relationship between the in-vehicle communication system 1 of the present embodiment described above and the in-vehicle communication system of the present invention is as follows.
First, the vehicle relay device of the present invention corresponds to the gateway ECU 50 of the present embodiment, and the information system device of the present invention corresponds to the AVC system ECUs 31 to 37 connected to the AVC system network. The system device corresponds to each of the ECUs 11 to 25 connected to the control system network or the body system network. Further, the access request from the outside device corresponds to an operation in which the outside device 3 transmits communication data to the communication unit 40.
[0090]
The first identifying means of the present invention corresponds to an operation of determining whether or not the distribution destination is an AVC-type ECU as an information system device in S170 based on the distribution destination grasped in S110 by the gateway ECU 50. The first authentication unit corresponds to an operation in which the gateway ECU 50 acquires a password as first authentication information in S180 and determines whether or not the password is correct in S190. The first distribution means corresponds to S175 executed when the gateway ECU 50 determines Yes in S170 and S200 executed when determined Yes in S190.
[0091]
In addition, the second identification means of the present invention corresponds to the processing operation in S130 executed by the gateway ECU 50, and the second authentication means determines that the gateway ECU 50 determines that the access request is not a write request for a program or the like. When the access request is a write request for a program or the like while the process proceeds to S170, this corresponds to the operation of executing the processes of S140 to S161. Further, the second distribution means corresponds to an operation in which the gateway ECU 50 shifts the step to S163 based on the determination result of S161 and transmits communication data (program or the like) to the ECU.
[0092]
As mentioned above, although the Example of this invention was described, the vehicle relay apparatus and in-vehicle communication system of this invention are not limited to the said Example, A various aspect can be taken.
For example, in the above-described embodiment, the outside device 3 is first authenticated by the password, but the outside device 3 may be authenticated by other authentication methods. If the vehicle exterior device 3 is authenticated by a more reliable authentication method such as a common key method, the authentication time may be longer, but unauthorized access to the ECU in the in-vehicle LAN 10 can be prevented more reliably.
[0093]
In addition, when a write request for a program or the like is received, the external device 3 is authenticated twice with different authentication methods. However, in order to ensure safety related to these writes, reliability is ensured. The authentication may be performed three or more times with a high authentication method, or the system may be constructed so that the vehicle exterior device 3 is authenticated only once with a highly reliable authentication method.
[Brief description of the drawings]
FIG. 1 is a block diagram showing a configuration of an in-vehicle communication system 1 according to an embodiment.
FIG. 2 is a flowchart showing a main routine executed by gateway ECU 50;
FIG. 3 is a flowchart showing a program transfer process executed by gateway ECU 50;
FIG. 4 is a flowchart (a) showing an individual authentication process executed by the gateway ECU 50 and a flowchart (b) showing a program receiving process executed by the writing target ECU.
FIG. 5 is a flowchart showing an access restriction process executed by a gateway ECU 50;
FIG. 6 is a flowchart showing access control processing executed by each wireless device 41 to 47;
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 1 ... In-vehicle communication system, 3 ... Outside device, 10 ... In-vehicle LAN, 11-37 ... ECU, 40 ... Communication part, 41, 43, 45, 47 ... Radio | wireless machine, 49 ... External apparatus connection part, 50 ... Gateway ECU

Claims (5)

Various in-vehicle electronic devices connected between the in-vehicle LAN and the in-vehicle LAN, which are arranged between the in-vehicle LAN constructed in the vehicle and the communication device that performs data communication with the out-of-vehicle device. A relay device for a vehicle that relays communication with a device,
When there is an access request from the external device to the in-vehicle electronic device in the in-vehicle LAN, the access destination is identified and, based on the identification result, the access request requires authentication of the external device. First identification means for determining whether or not the access request is to the electronic device;
When the first identification means determines that the access request requires authentication of the external device, the external device preliminarily stores the vehicle based on the first authentication information transmitted from the external device. First authentication means for determining whether or not the external device is permitted to access the internal electronic device;
The first authentication means determines that the outside device that has requested access is an outside device that has been previously permitted to access the in-vehicle electronic device, or the first identification means sends the access request to the outside device. If it is determined that device authentication is not required, first distribution means for distributing communication data transmitted from the outside device via the communication device to the in-vehicle electronic device to be accessed; Prepared ,
As the in-vehicle electronic device, an information system device for notifying a vehicle occupant of information acquired from the outside and a control system device for controlling the vehicle are connected to the in-vehicle LAN.
When there is the access request, the first identification unit identifies whether the access request is an access request of the information system device or the control system device, and when identified as the control system device, Determining that the access request is an access request that requires authentication of the external device;
When the first identification unit determines that the access request is an access request to the control system device, the first authentication unit, based on the first authentication information transmitted from the vehicle exterior device, Determines whether or not the vehicle is an external device that is previously permitted to access the control system device. If there is an access request from the external device to the in-vehicle electronic device, is the access request a write request for writing a program operating in the in-vehicle electronic device or parameters for operating the in-vehicle electronic device? A second identification means for determining whether or not,
When the second identification means determines that the access request to the in-vehicle electronic device is not the write request, the first identification means is operated,
When the second identifying means determines that the access request to the in-vehicle electronic device is the write request, the outside of the vehicle that has made the write request based on the second authentication information transmitted from the external device. Second authentication means for determining whether or not the device is an external device that is permitted to write a program that operates in the in-vehicle electronic device or a parameter for operating the in-vehicle electronic device;
The second authentication means determines that the external device that has requested the writing is an external device that is permitted to write a program for operating the electronic device in the vehicle or a parameter for operating the electronic device in the vehicle. A second distribution means for distributing the communication data transmitted from the outside device via the communication device only to the in-vehicle electronic device to be accessed.
The vehicle relay device according to claim 1. When the second authentication means determines that the second identification means is an access request to the in-vehicle electronic device is the write request,
Based on the first authentication information, it is determined whether the out-of-vehicle device is an out-of-vehicle device that is previously permitted to access the in-vehicle electronic device,
When the vehicle exterior device is a vehicle exterior device that is previously permitted to access the vehicle electronic device,
Based on the second authentication information, the vehicle exterior device that has requested the writing is a vehicle exterior device that is permitted to write a program that operates in the vehicle electronic device or a parameter for operation of the vehicle electronic device. To judge whether or not
The vehicle relay device according to claim 2. The second authentication means collates the first authentication information transmitted from the vehicle exterior device with the authentication information owned by itself, thereby permitting the vehicle exterior device to access the vehicle electronic device in advance. To determine whether it is an out-of-vehicle device
When the vehicle exterior device is a vehicle exterior device that is previously permitted to access the vehicle electronic device,
The second authentication information transmitted from the outside device is transferred to the in-vehicle electronic device to which the program or the parameter is written, and the second authentication information is transferred to the in-vehicle electronic device. While collating with authentication information owned by the in-vehicle electronic device,
The collation result is obtained from the in-vehicle electronic device, and based on the obtained collation result, the external device that has requested the writing is operated by the in-vehicle electronic device or the in-vehicle electronic device operation To determine whether or not the device is an out-of-vehicle device that is allowed to write its parameters
The vehicle relay device according to claim 3. An in-vehicle LAN built in the vehicle;
A communication device for performing data communication with an external device;
2. The communication between the communication device and the in-vehicle LAN, relaying communication between an external device connected via the communication device and various in-vehicle electronic devices connected to the in-vehicle LAN. The vehicle relay device according to any one of claims 4 to 4,
An in-vehicle communication system comprising:

Images