
CN-115769620-B - Securing a connection between a vehicle and a remote management server for managing said vehicle


Abstract

The invention relates to a vehicle (V) comprising a communication Module (MC) capable of using two telecommunication identifier cards, one telecommunication identifier card (VCA) being related to a subscription of a manufacturer of the vehicle (V) and the other telecommunication identifier card (UCA) being related to a subscription of a user, the vehicle (V) comprising a Trusted Execution Environment (TEE) hosting a security function and a multimedia system Execution Environment (EESM) hosting a part of the communication Module (MC), the Trusted Execution Environment (TEE) comprising a supervision Module (MS) monitoring a connection between the vehicle (V) and a remote management Server (SG) for managing the vehicle (V).

Inventors

  • D. Miyala

Assignees

  • Renault S.A.S. (雷诺股份公司)
  • Nissan Motor Co., Ltd. (日产自动车株式会社)

Dates

Publication Date: 2026-05-08
Application Date: 2021-05-27
Priority Date: 2020-06-04

Claims (13)

  1. A vehicle (V) comprising a communication Module (MC) capable of using two telecommunications identifier cards, one (VCA) relating to a subscription between a manufacturer of said vehicle (V) and a telecommunications carrier and the other (UCA) relating to a subscription between a user of said vehicle (V) and a telecommunications carrier, said vehicle (V) comprising a Trusted Execution Environment (TEE) hosting a security function of the vehicle (V) and a multimedia system Execution Environment (EESM) hosting at least a part of said communication Module (MC), the vehicle (V) being characterized in that the Trusted Execution Environment (TEE) comprises a supervision Module (MS) monitoring the connection between the vehicle (V) and a remote management Server (SG) of the vehicle (V), the supervision module being configured to:
     - when the communication module indicates that the cellular connection of the vehicle is not available for longer than a first predefined time interval, send a first instruction to the communication module to trigger disabling of the external communication of the unsafe application of the vehicle, and
     - when the communication module indicates that the cellular connection of the vehicle is not available for longer than a second predefined time interval, send a second instruction to the communication module to trigger the selection by the communication module of the telecommunications identifier card related to the subscription of the manufacturer of the vehicle as the sole connection means, and the disabling by the communication module of any communication with parties other than the remote management server,
     the second predefined time interval being greater than the first predefined time interval.
  2. The vehicle (V) according to claim 1, characterized in that the supervision Module (MS) is able to test the connection periodically by sending signed, unique and predefined messages to the remote management Server (SG) and receiving such messages from it.
  3. The vehicle (V) according to claim 1, characterized in that the supervision Module (MS) is able to test the connection periodically by receiving a signed, unique and predefined message from the remote management Server (SG).
  4. The vehicle (V) according to claim 2 or 3, characterized in that the supervision Module (MS) is able to detect a connection anomaly if:
     - said communication Module (MC) indicates that the cellular connection of the vehicle is operating, while said communication Module (MC) does not acknowledge the transmission of one of said messages to said remote management Server (SG) or does not deliver one of said messages transmitted by said remote management Server (SG), or
     - the communication Module (MC) indicates that the cellular connection of the vehicle is not available for a duration greater than a first predefined time interval.
  5. The vehicle (V) according to claim 2, characterized in that the message sent by the supervision Module (MS) comprises information indicating that a connection abnormality between the vehicle (V) and the remote management Server (SG) has been detected, or information indicating that no connection abnormality between the vehicle and the remote management server has been detected.
  6. The vehicle (V) according to claim 4, characterized in that the message sent by the supervision Module (MS) comprises information indicating that a connection abnormality between the vehicle (V) and the remote management Server (SG) has been detected, or information indicating that no connection abnormality between the vehicle and the remote management server has been detected.
  7. The vehicle (V) according to any one of claims 1 to 3, characterized in that the vehicle comprises at least one transmitting means selected from the list comprising:
     - first transmitting means (M1) for transmitting an instruction to the communication Module (MC) to trigger disabling of the external communication of the unsafe application of the vehicle (V),
     - second transmitting means (M2) for transmitting an instruction to the communication Module (MC) to trigger the selection by the communication Module (MC) of the telecommunications identifier card (VCA) related to the subscription of the manufacturer of said vehicle (V) as the sole connection means, and the disabling by the communication Module (MC) of any communication with parties other than said remote management Server (SG),
     - third transmitting means (M3) for transmitting an instruction to the communication Module (MC) to trigger a restart of said communication Module (MC) and a restart of said multimedia system Execution Environment (EESM) while enforcing a security configuration for said restart, and
     - fourth transmitting means (M4) for transmitting an instruction to trigger a restart of at least a part of another execution environment or other software of the vehicle (V) while enforcing a security configuration on these parts,
     and in that the vehicle further comprises activating Means (MA) configured to activate all or part of the selected transmitting means (M1, M2, M3, M4) upon detection of an abnormality of the connection between the vehicle (V) and the remote management Server (SG).
  8. The vehicle (V) according to claim 7, wherein the vehicle (V) comprises at least the first transmitting means (M1), characterized in that the activating Means (MA) are configured to activate only the first transmitting means (M1) when the communication Module (MC) indicates that the cellular connection of the vehicle (V) is not available for a duration greater than the first predefined time interval.
  9. The vehicle (V) according to claim 7, wherein the vehicle (V) comprises at least the second transmitting means (M2), characterized in that the activating Means (MA) are configured to activate the second transmitting means (M2), to the exclusion of the third transmitting means (M3) and the fourth transmitting means (M4), when the communication Module (MC) indicates that the cellular connection of the vehicle (V) is not available for a duration greater than a second predefined time interval.
  10. The vehicle (V) according to claim 7, wherein the vehicle (V) comprises at least the third transmitting means (M3) or the fourth transmitting means (M4), characterized in that the activating Means (MA) are configured to activate the third transmitting means (M3) or the fourth transmitting means (M4) only when the vehicle (V) is stopped.
  11. A system for securing a connection between a vehicle and a remote management server for managing the vehicle, the system comprising a vehicle (V) according to any one of claims 1 to 10 and the remote management Server (SG), characterized in that the remote management Server (SG) comprises:
     - receiving means (SMM) for receiving a message sent by said supervision Module (MS) and comprising information representative of the detection of a connection abnormality between said vehicle (V) and said remote management Server (SG),
     - detecting means (SMM) for detecting whether the reported abnormality is due to a network attack, by correlating the position of the vehicle (V) with radio coverage data, and
     - sending means (SMM) for sending, in response to the message from the supervision Module (MS) reporting the anomaly detection result, a message indicating that the anomaly is not due to a network attack on the vehicle (V).
  12. The system according to claim 11, wherein the remote management Server (SG) further comprises:
     - detecting means (SMM) for immediately detecting a network attack when a plurality of vehicles report anomalies in excess of a predefined threshold, and
     - means for sending a message to the vehicle, upon detection of a network attack by the detecting means (SMM), to activate a program for securely restarting the communication Module (MC) and the multimedia system Execution Environment (EESM) and/or for immediately updating the program of the multimedia system Execution Environment (EESM).
  13. A method for securing a connection between a vehicle (V) according to any one of claims 1 to 7 and the remote management Server (SG) of the vehicle, the method comprising the steps of:
     - sending and/or receiving (E1) signed, unique and predefined messages to and/or from the remote management Server (SG),
     - detecting (E2) an abnormality of said connection, and
     - sending (E3) an instruction to the communication Module (MC) to switch the communication between the vehicle (V) and the remote management Server (SG) to a connection using the telecommunications identifier card (VCA) related to the subscription of the manufacturer of the vehicle (V).
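The supervision logic of claims 1 to 4 is a small state machine: the module watches the modem's status reports, tests the link with signed heartbeat messages while it is up, records a connection anomaly when a heartbeat is not acknowledged or not delivered, and escalates through two outage thresholds T1 < T2 (first instruction: cut external traffic of the unsafe application; second instruction: fall back to the manufacturer card VCA as the sole connection). The following Python model is an added example written for this page; it is not code from the patent or from the assignees. The message format (payload followed by an HMAC-SHA256 tag), the heartbeat key, the threshold values, the reset of the escalation stage when the link recovers, and the constructed timeline are all assumptions made for the example.

```python
"""Added example: a model of the supervision module (MS) of claims 1 to 4.

The module consumes status reports from the communication module (MC),
checks signed heartbeat messages while the link is up, records anomalies
and issues the first and second instructions after the outage thresholds
T1 < T2. Message format, key, timings and scenario are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional, Tuple


class Instruction(Enum):
    DISABLE_UNSAFE_APP_EXTERNAL_COMMS = auto()  # first instruction, after T1
    SELECT_VCA_SOLE_CONNECTION = auto()         # second instruction, after T2


@dataclass
class ModemStatus:
    """One status report from the communication module (constructed)."""
    t: float                           # seconds on a constructed timeline
    cellular_up: bool                  # MC reports the cellular link available
    ack_sent: bool = True              # MC acknowledged sending the MS heartbeat
    heartbeat: Optional[bytes] = None  # signed message received from SG, if any


def make_heartbeat(key: bytes, payload: bytes) -> bytes:
    """Build a 'signed, unique and predefined message' as payload || HMAC-SHA256.
    This construction is assumed for the example; a deployment would carry
    the management server's real signature."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class SupervisionModule:
    def __init__(self, t1: float, t2: float, key: bytes):
        if t2 <= t1:
            raise ValueError("claim 1: the second interval must exceed the first")
        self.t1, self.t2, self.key = t1, t2, key
        self.down_since: Optional[float] = None
        self.stage = 0          # 0: nothing sent, 1: first instruction, 2: second
        self.anomalies: List[Tuple[float, str]] = []   # what claim 4 would report
        self.seen = set()       # accepted heartbeat payloads (uniqueness check)

    def _heartbeat_ok(self, msg: Optional[bytes]) -> bool:
        """Verify tag and reject replays; both failures count as 'not delivered'."""
        if msg is None or len(msg) <= 32:
            return False
        payload, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag) or payload in self.seen:
            return False
        self.seen.add(payload)
        return True

    def process(self, s: ModemStatus) -> List[Instruction]:
        """Consume one status report; return the instructions issued for it."""
        issued: List[Instruction] = []
        if s.cellular_up:
            # Link reported up: the periodic heartbeat test applies (claims 2-4).
            self.down_since, self.stage = None, 0   # reset on recovery (assumed)
            if not s.ack_sent or not self._heartbeat_ok(s.heartbeat):
                self.anomalies.append((s.t, "heartbeat not acked or not delivered"))
            return issued
        if self.down_since is None:
            self.down_since = s.t
        outage = s.t - self.down_since
        if outage > self.t1 and self.stage < 1:          # claim 4, second branch
            self.anomalies.append((s.t, "cellular unavailable longer than T1"))
            issued.append(Instruction.DISABLE_UNSAFE_APP_EXTERNAL_COMMS)
            self.stage = 1
        if outage > self.t2 and self.stage < 2:          # claim 1, second instruction
            issued.append(Instruction.SELECT_VCA_SOLE_CONNECTION)
            self.stage = 2
        return issued


def run(timeline, t1=60.0, t2=300.0, key=b"constructed-demo-key"):
    """Drive a module over a timeline; return ([(t, instruction)], anomalies)."""
    ms = SupervisionModule(t1, t2, key)
    log = [(s.t, i) for s in timeline for i in ms.process(s)]
    return log, ms.anomalies


KEY = b"constructed-demo-key"
DEMO_TIMELINE = [  # constructed scenario, T1 = 60 s, T2 = 300 s
    ModemStatus(0, True, heartbeat=make_heartbeat(KEY, b"hb-0001")),
    ModemStatus(10, False),
    ModemStatus(80, False),    # down for 70 s  > T1 -> first instruction
    ModemStatus(200, False),   # still down, nothing new
    ModemStatus(320, False),   # down for 310 s > T2 -> second instruction
    ModemStatus(400, True, heartbeat=make_heartbeat(KEY, b"hb-0002")),
    ModemStatus(410, True, heartbeat=make_heartbeat(KEY, b"hb-0002")),    # replay
    ModemStatus(420, True, heartbeat=make_heartbeat(b"wrong", b"hb-0003")),  # bad tag
]

if __name__ == "__main__":
    instructions, anomalies = run(DEMO_TIMELINE)
    print("instructions:", instructions)
    print("anomalies:", anomalies)
```

On the constructed timeline the module issues the first instruction at t = 80 s and the second at t = 320 s, and records three anomalies: the outage beyond T1, the replayed heartbeat at 410 s, and the badly signed heartbeat at 420 s. Replays and bad tags are treated as the message "not being delivered" because only a fresh, correctly signed message proves that the management server is reachable through the current link.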

Description

Securing a connection between a vehicle and a remote management server for managing said vehicle

The present invention relates generally to telecommunications and motor vehicles, and more particularly to securing the telematics services supplied to a vehicle and the software of the vehicle.

Telematics services provided by manufacturers on vehicles specify and use sensitive data and functions. These services are typically performed on the one hand by embedded logic residing in the vehicle and on the other hand by external logic residing on at least one remote server of the manufacturer or of a third party. One fundamental problem in securing telematics services, and automotive software generally, concerns the communication link between these two logics. To achieve a good level of security, manufacturers establish a secure communication mechanism between the embedded and external portions of the software of these telematics services.

Manufacturers have also established management centers for the vehicles they maintain. These management tools allow the manufacturer to detect anomalies and trigger blocking or corrective actions in the vehicle in response to faults or potential network attacks, for example by updating the software of the vehicle. However, such a security policy proves ineffective when the vehicle is not covered by the network and cannot talk to the manufacturer's remote server, or when the communication between the vehicle and the remote server is no longer considered reliable and trusted.

One means of enhancing the security of the connection between the embedded portion of the telematics service software in the vehicle and its external portion is to obtain the additional protection and countermeasure capabilities implemented by the telecommunications operator to which the manufacturer of the vehicle is subscribed.

However, while these telematics services are being established, the need to bring the Internet to vehicle users is rising and growing. In addition, users of automobiles have a strong need to obtain this internet access using their own cellular telephone subscription. The internet connection in turn introduces a series of threats and potential vulnerabilities that may allow an attacker to control electronic components over that connection. Moreover, the fact that a telecommunications carrier different from that of the vehicle manufacturer is used for the internet connection, under a user-specific subscription, prevents the vehicle from benefiting from the protection and corrective measures that the manufacturer's telecommunications carrier can provide to secure the telematics services used by the vehicle.

Therefore, there is a need to secure communications between a vehicle and its remote management center while allowing users of the vehicle to connect to the internet via their own cellular telephone subscription.

One solution is to isolate the connections and systems used for the internet from those used for telematics services. Since users use their own cellular telephone subscription, this means that the physical cellular communication system must be duplicated, either with two cellular modems instead of one, or with one cellular modem that can operate with two SIM (subscriber identity module) cards activated simultaneously, a capability called "dual-SIM". In both cases, this duplication represents a very significant cost overhead (tens of dollars per vehicle).

It is an object of the present invention to remedy at least some of the drawbacks of the prior art by providing a vehicle, a system and a method, at lower cost, which ensure trusted communication between the vehicle and a management center that manages the network security of the vehicle, while allowing the user of the vehicle to access the internet via his or her own cellular telephone subscription.

To this end, the invention proposes a vehicle comprising a communication module capable of using two telecommunication identifier cards, one telecommunication identifier card being related to a subscription between a manufacturer of the vehicle and a telecommunication operator and the other telecommunication identifier card being related to a subscription between a user of the vehicle and a telecommunication operator, the vehicle comprising a trusted execution environment hosting the safety functions of the vehicle and a multimedia system execution environment hosting at least a part of the communication module, the vehicle being characterized in that the trusted execution environment comprises a supervision module monitoring the connection between the vehicle and a remote management server of the vehicle. With the present invention, a single modem employs either a connection using a subscription of the vehicle or a connection using a subscription of the user, but the connection between the vehicle and the remote server is monitored. Thus, when the connection using the user subs