DE102018007631A1 - Prevention of a relay attack - Google Patents

Abstract

The present invention is directed to a method for avoiding unauthorized unlocking of a vehicle, whereby different security mechanisms are proposed which prevent such an attack. The proposed method can be implemented with little technical effort and essentially uses existing components. The invention is also directed to a correspondingly configured system arrangement and to a computer program product with control commands which implement the method.

Description

The present invention is directed to a method for avoiding unauthorized unlocking of a vehicle, whereby different security mechanisms are proposed which prevent such an attack. The proposed method can be implemented with little technical effort and essentially uses existing components. The invention is also directed to a correspondingly configured system arrangement and to a computer program product with control commands which implement the method.

DE 10 2015 223 345 A1 shows a method for operating an authorization device for a vehicle. The authorization device comprises a first communication interface, which is designed for communication with the vehicle, and a second communication interface, which is designed for communication with a backend. A locating unit is also proposed.

DE 10 2016 207 997 A1 10 shows a method for judging a reliability of a relative position determination between a device for access to a vehicle and the vehicle.

DE 10 2015 223 342 A1 shows a method for operating an authorization device for a vehicle, wherein a first communication is formed with the vehicle and a locating unit is further provided.

DE 10 2015107 410 A1 shows an authorization system for vehicles, which has an authentication element and a key.

So-called relay attacks are known from the prior art, which aim to increase the range of a key for unlocking a motor vehicle. Such key systems are known, for example, as keyless go systems and are based on the vehicle or the corresponding electronics recognizing whether the relevant key is in the vicinity. If this is the case, the vehicle can be unlocked or started. A common attack scenario here is that an unauthorized third party holds a device, a so-called range extender, which enables the radio connection between the key and the vehicle to be extended. As a result, the vehicle is shown that the key is nearby, even if it is not. If, for example, a motor vehicle is parked in front of a residential building and the key is located inside this house, the range of the key located inside the house can be increased without authorization. The vehicle can then be opened even though the key is not sufficiently close to the vehicle.

In addition, it is known to determine both the geographic coordinates of the vehicle and the geographic coordinates of the key and then to compare them. This implements an additional security system and creates a security mechanism that complements the existing radio link.

Since the presence of the contactless key next to the car is sufficient for keyless go systems for user convenience, relay attacks are very easy to carry out. An attacker increases the range of the terminal using an amplifier or range extender and forwards the unlocking process to another suitable chip card nearby.

Such an attack is very difficult to detect on the part of the motor vehicle and on the part of the car key.

There are known security procedures for this, but they are complex and error-prone. In general, there is great interest from the user's point of view to detect relay attacks. With a successful attack, the vehicle can be opened and the objects stolen from it. Theft of the vehicle is then much easier. Furthermore, it can be assumed that with the increasing spread of automated vehicle access systems, the number of attacks will increase and the attack methods will be further refined and improved.

It is therefore an object of the present invention to propose an improved method for avoiding unauthorized unlocking of a vehicle, which is reliable and nevertheless involves little technical effort. Furthermore, the task is to be solved to design a system that still enables the automatic opening of the doors of the vehicle, but is nevertheless protected against relay attacks. Furthermore, it is an object of the present invention to provide an analog system system with respect to the proposed method. Furthermore, it is an object of the present invention to propose a computer program product with control commands that operate the system arrangement or execute the method.

The object is achieved with the features of the independent claims. Further advantageous refinements are specified in the subclaims.

Accordingly, a method for avoiding unauthorized unlocking of a vehicle is proposed, comprising the steps of providing a request for a key to the vehicle to unlock the vehicle, establishing a mobile radio connection between the key and a remote server, requesting position data of the key by the user Server, comparing the position data of the key with determined position data of the vehicle and unlocking the vehicle if the requested and the determined position data essentially match, the cellular connection being a 5G cellular connection and the requesting of position data of the key by the server a home location register HLR or a visitor location register VLR, which provides the position data.

The proposed method reliably prevents a so-called relay attack and thus serves to avoid unauthorized unlocking of a vehicle. In the following, a vehicle is assumed, with any motor vehicle being suitable. The person skilled in the art recognizes here that the vehicle provides suitable electronics which carry out the individual method steps. For example, if a request for a key is made available to the vehicle, the vehicle has a corresponding communication interface available, which can be present in particular in the context of a locking system.

The key is a conventional radio key, which, however, must have a mobile radio module in order to carry out individual communication steps. According to the invention, this mobile radio module communicates by means of the 5G standard, which is already known, but is used here in a different context. Corresponding specifications of the 5G standard can be downloaded, for example, from www.ngmn.org. This standard is not dealt with separately, since it is part of the state of the art. According to the invention, however, this standard is used when using a keyless go system and is therefore used in a different context. The inventors have surprisingly found that this standard is particularly suitable for carrying out the proposed method, since an exact determination of position data is possible according to this standard. The expert has so far been prevented from using such standards, since there is a technical hurdle that the key must be equipped with a communication module.

After the key has made a request to unlock the vehicle, a cellular connection is established between the key and a remote server. This can be done directly or indirectly, with further network technology components typically having to be provided. Typically, the key dials into a base station, which in turn communicates with a backend. The server, which is operated, for example, by a manufacturer of the vehicle, is connected to this system. The server takes over the essential computing tasks in the background so that they do not have to be carried out by the key or the vehicle. This means that technical effort is outsourced to components that have the appropriate hardware resources available.

There follows a request for position data of the key by the server, which implies communication between the server and another data service. According to the invention, this further data service is the so-called home location register HLR or the visitor location register VLR. The key therefore initiates that the server requests the position data of the key. The position data of the key can be determined by the mobile radio system and is then stored in the corresponding register. The mobile radio system can measure response times, for example, by sending signals to the key and returning them. Based on these latencies, several base stations can locate the key.

According to the invention, it is particularly advantageous that the position data of the key are stored in the home location register or the visitor location register, that is to say in the components in which the key registers. This offers the advantage that existing components are used which already exist according to mobile radio systems. The background system knows at all times at which base station the key is registered, and thus the position of the corresponding key can also be determined in a simple manner.

The key data determined serve as reference data and are then to be compared with position data of the vehicle. The corresponding register therefore returns the position data of the key and it is assumed that an authorized owner of the key is in the vicinity of the vehicle. This is because the key has made a request to remove the vehicle. If it is a legitimate user, it must also be close to the vehicle, which excludes a so-called range extender.

The fact that the requested position data, that is, the position data of the key and the determined position data, that is, the position data of the vehicle, essentially coincide so that the key must be in the immediate vicinity of the vehicle. In general, the characteristic "essentially" is an optional characteristic. For this purpose, a radius can be defined, which indicates when the position data match. For example, it can be assumed that the position data match exactly if the key is within a radius of less than 5 meters from the vehicle. It is thus recognized that the key is sufficiently close to the vehicle, and the vehicle can then be unlocked.

According to one aspect of the present invention, the vehicle and the key exchange encrypted random numbers. This has the advantage that both the vehicle can generate a random number and transmit it to the key, and the key can transmit a random number that can only be decrypted by the vehicle. This ensures communication between the two communication partners and prevents an unauthorized third party from participating in the unlocking process.

According to a further aspect of the present invention, the key creates at least one random number which is kept available to the home location register or the visitor location register for authentication. This has the advantage that authentication can also take place with respect to other components, and it is ensured that the key is actually initiated via the corresponding server and that position data are provided. This precludes an unauthorized third component from participating in the process and manipulating the corresponding data.

According to a further aspect of the present invention, transmitted data are encrypted in such a way that they can only be decrypted for the sender and the receiver. This has the advantage that a point-to-point encryption takes place and the communication is in turn protected against manipulation. The sender and the receiver need not be direct communication partners, but rather it is possible that, for example, the key transmits a message to the server, which is forwarded via network components. For encryption and decryption, the respective components hold further information such as secret keys. Each of these can be stored in a data memory.

According to a further aspect of the present invention, the mobile radio connection is established between the key and a remote server by means of a mobile radio module within the key. This has the advantage that conventional keys can also be retrofitted, making data exchange based on the 5G telecommunications standard possible. The advantages of the 5G standard can be used for this, for example that the key can be located precisely. The person skilled in the art recognizes here that the key has further units which, among other things, perform computing operations. The key can thus carry out cryptographic functions and communicates with the other units via a secure connection.

According to a further aspect of the present invention, the key, the vehicle and / or the server store information for decrypting the data communication. This has the advantage that secret keys can be stored in the respective components, and corresponding encryption algorithms can thus be carried out.

In some cases, it is advantageous to use a public and a secret key for data communication, and consequently the secret key can be stored in each case, and then received data packets can be decrypted.

According to a further aspect of the present invention, the respective position data are determined using a location function of a 5G mobile radio network. This has the advantage that the position data of both the key and the vehicle can be created using a very precise location. The proposed method does not rule out that a satellite-based location determination is carried out. For example, the vehicle can use GPS.

According to a further aspect of the present invention, both the vehicle and the key provide an identifier to the server, and position data of the key are only generated if the two identifiers match. This has the advantage that an additional security mechanism is implemented. Thus, both the vehicle and the key can separately transmit the corresponding data to the server, and the server can then determine whether the expected information is known to both communication partners, that is to say the vehicle and the key. If it is detected that there is no match, the method terminates.

According to a further aspect of the present invention, the key is in the form of a radio remote control and has a secured element. This has the advantage that the key can be retrofitted in such a way that conventional keys are used and a secure element ensures that the data is not manipulated. A secured element is, for example, a structure which is particularly secured in terms of hardware and / or software. In terms of hardware, it can be provided that particularly sensitive data is stored in a separate memory, and in terms of software, encryption can take place.

According to a further aspect of the present invention, the position data essentially match if the key is located within a predefined radius with respect to the vehicle. This has the advantage that the manufacturer or the driver can specify an appropriate level of security and can thus specify how close the key must be to the vehicle so that the vehicle is unlocked. Here the user can enter their own preferences and, for example, the radius can be simulated, which must prevail with a conventional radio key. An example of such a predefined radius is, for example, a value of 3 meters. However, other values are also conceivable here, only 4 meters or 5 meters being mentioned by way of example.

According to a further aspect of the present invention, the position data are transmitted in encrypted form. This has the advantage that even a third party cannot intercept the position data and can then manipulate it. This in turn implements a security mechanism and ensures that the required data integrity is guaranteed.

According to a further aspect of the present invention, the method is carried out at least partially iteratively, such that current position data is always available. This has the advantage that the method steps of determining the position of both the key and the vehicle can be carried out several times, and it can then be ascertained whether plausible data is actually available. As a result, the data is kept up-to-date and a replaying of known data is prevented. The data can also be checked for plausibility, since the key can only move a few meters within a few seconds, since it is typically carried by the driver. If there are major deviations in the position of the key, manipulation can be recognized and the procedure can be terminated without unlocking the vehicle.

According to another aspect of the present invention, the key and the vehicle communicate wirelessly. This has the advantage that all involved communication partners of the vehicle and the key communicate wirelessly with these units, and in particular the vehicle and key communicate wirelessly with one another and the vehicle and key communicate wirelessly with the server. Consequently, the proposed method can be implemented such that the driver is not aware of the additional security features and then simply unlocks the vehicle by moving the key closer to the vehicle.

The object is also achieved by a system arrangement for avoiding unauthorized unlocking of a vehicle, comprising a key set up to provide a request to the vehicle to unlock the vehicle, a data interface set up to set up a mobile radio connection between the key and a remote server, a further data interface set up for requesting position data of the key by the server, a security unit set up for comparing the position data of the key with determined position data of the vehicle, and a locking unit set up for unlocking the vehicle if the requested and the determined position data essentially match, the mobile radio connection as one 5G mobile radio connection exists and the position data of the key is requested by the server at a home location register HLR or a visitor location register VLR, w elches provides the position data.

The person skilled in the art recognizes here that the data interfaces can be present as separate interfaces, or else as uniform interfaces. In addition, network technology components are to be provided, and further components can participate in the system arrangement.

The object is also achieved by a computer program product with control commands which execute the method or operate the proposed system arrangement.

According to the invention, it is particularly advantageous that the method provides method steps which can be functionally simulated by the structural features of the system arrangement. Furthermore, the system arrangement includes structural features that provide functions that correspond to the method steps. The method thus serves to operate the system arrangement and the system arrangement can carry out the method.

• 1: ein Anwendungsszenario der vorliegenden Erfindung gemäß dem Stand der Technik;
• 2: die vorgeschlagene Systemanordnung zur Vermeidung eines unberechtigten Entsperrens gemäß einem Aspekt der vorliegenden Erfindung; und
• 3: ein schematisches Ablaufdiagramm eines Verfahrens zur Vermeidung eines unberechtigten Entsperrens eines Fahrzeugs gemäß einem weiteren Aspekt der vorliegenden Erfindung.

Further advantageous configurations are explained in more detail with reference to the attached figures. Show it:

• 1 : An application scenario of the present invention according to the prior art;
• 2nd : the proposed system arrangement for preventing unauthorized unlocking according to an aspect of the present invention; and
• 3rd a schematic flow diagram of a method for avoiding an unauthorized unlocking of a vehicle according to a further aspect of the present invention.

1 shows an example of a relay attack on a keyless go system according to the prior art. The attacker is within range of the vehicle and uses a relay device to forward the data from the vehicle to the owner's key. This also happens in reverse from the key back to the vehicle. The key for the vehicle appears within reach, the doors open automatically.

2nd shows the individual process steps, which are carried out by the proposed system arrangement. The vehicle key is equipped with access to a 5G network, ie a corresponding cell phone module and a subscription, either your own or one belonging to the vehicle.

With the help of the position determination by the 5G network and a suitable secure method, the vehicle can have the position of the vehicle key determined by the 5G mobile network and compare it with its own position. The future 5G network family offers sufficient accuracy of less than one meter for this.

In the following, individual steps are given as examples which correspond to the proposed method or are carried out by the proposed system arrangement.

• - detektiert einen Fahrzeugschlüssel in der Nähe.
• - erzeugt eine Zufallszahl RND_Vehicle und verschlüsselt diese so, dass nur der zum Fahrzeug gehörende Schlüssel sie wieder entschlüsseln kann: enc(RND_Vehicle, PubKey_Key); und/oder
• - sendet dieses Diagramm an den Schlüssel in der Nähe.

Step 1: the vehicle ...

• - detects a vehicle key nearby.
• - generates a random number RND _Vehicle and encrypts it so that only the key belonging to the vehicle can decrypt it again: enc (RND _Vehicle , PubKey _Key ); and or
• - sends this diagram to the key nearby.

• - empfängt die Datei vom Fahrzeug und entschlüsselt RNDvehicie.
• - erzeugt seinerseits eine Zufallszahl RND_Key. Diese wird später als Geheimnis für den Zugriff auf die Positionsdaten des Schlüssels genutzt; und/ oder
• - verschlüsselt RND_Vehicle und RND_Key so, dass nur das zum Schlüssel gehörende Fahrzeug diese Daten wieder entschlüsseln kann:
  • enc(RND_Vehicle | | RNDkey, PubKeyvehicle).

Step 2: the key ...

• - receives the file from the vehicle and decrypts RNDvehicie.
• - in turn generates a random number RND _key . This will later be used as a secret to access the position data of the key; and or
• - encrypts RND _Vehicle and RND _{Key in} such a way that only the vehicle belonging to the key can decrypt this data again:
  • enc (RND _Vehicle | | RNDkey, PubKeyvehicle).

• - aktiviert die integrierte Mobilfunkeinheit, welche sich mit dem nächstgelegenen 5G Zugangspunkt verbindet.

Step 3: the key ...

• - activates the integrated mobile radio unit, which connects to the closest 5G access point.

• - sendet die in Schritt 2 erzeugte Zufallszahl über die nun vorhandene 5G-Mobilfunkverbindung an den Server, der das Fahrzeug mit Diensten betreut - üblicherweise ein entsprechender Server des Fahrzeugherstellers („VehicleServer“). Diese Daten sind wieder so verschlüsselt, dass nur der echte VehicleServer die Daten wieder entschlüsseln kann: enc(RND_key, PubKey_Vehicle).

Step 4: the key ...

• - Sends the random number generated in step 2 over the now available 5G cell phone connection to the server that services the vehicle - usually a corresponding server of the vehicle manufacturer ("VehicleServer"). This data is encrypted again so that only the real VehicleServer can decrypt the data again: enc (RND _key , PubKey _Vehicle ).

• - entschlüsselt die RNDkey mit Hilfe seines SecKey_Vehicle.
• - stellt nun eine Anfrage beim VehicleServer, um die aktuelle Position des Schlüssels im 5G-Mobilfunknetz zu ermitteln. Um die Anfrage als berechtigt auszuweisen, wird RND_Key benötigt;
• - verschlüsselt RND_Key so, dass nur der echte VehicleServer diesen wieder entschlüsseln kann: enc(RND_key, PubKey_{VehicleServer}) ; und/oder
• - sendet das Datagramm an den VehicleServer.

Step 5: the vehicle ...

• - decodes the RNDkey using his SecKey _Vehicle .
• - now makes a request to the VehicleServer to determine the current position of the key in the 5G mobile network. RND _{Key is} required to identify the request as legitimate;
• - encrypts the RND _key so that only the real VehicleServer can decrypt it again: enc (RND _key , PubKey _{VehicleServer} ); and or
• - sends the datagram to the VehicleServer.

• - entschlüsselt die Nachricht vom Schlüssel (Schritt 4) mit Hilfe seines geheimen SecKeyvehideServer;
• - entschlüsselt die Nachricht (Anfrage) vom Fahrzeug (Schritt 5) ebenfalls mit Hilfe seines geheimen SecKey_{VehicleServer}; und/oder
• - vergleicht die beiden entschlüsselten RND_Key. Bei diesem Vergleich handelt es sich um eine zusätzliche Sicherheitsmaßnahme. Das Vorliegen von RND_Key über das Fahrzeug und vom Schlüssel selbst stellt sicher, dass es bei der Anfrage um eine berechtigte Anfrage zum Öffnen der Türen des Fahrzeugs geht.

Step 6: the VehicleServer ...

• - decrypts the message from the key (step 4) using its secret SecKeyvehideServer;
• - decrypts the message (request) from the vehicle (step 5) also using its secret SecKey _{VehicleServer} ; and or
• - compares the two decrypted RND _keys . This comparison is a additional security measure. The presence of the RND _key about the vehicle and the key itself ensures that the request is a legitimate request to open the vehicle doors.

If both decrypted RND _keys match, the position of the key is determined.

• - empfängt die Anfrage des VehicleServer nach der Position des Fahrzeugschlüssels; und/oder
• - ermittelt die aktuelle Position des Fahrzeugschlüssels und sendet diese an den VehicleServer zurück.

Step 7: the HLR / VLR ...

• - receives the request from the VehicleServer for the position of the vehicle key; and or
• - determines the current position of the vehicle key and sends it back to the VehicleServer.

The authentication of the VehicleServer to the HLR / VLR will not be dealt with here, since the VehicleServer has a permanent connection due to the large number of inquiries to the HLR / VLR.

• - empfängt die Positionsdaten von HLR/VLR und verschlüsselt diese für das Fahrzeug: enc(PositionInfo; PubKey_Vehicle) ; und/oder
• - sendet das Datagramm weiter an das anfragende Fahrzeug.

Step 8: the VehicleServer ...

• - receives the position data from HLR / VLR and encrypts them for the vehicle: enc (PositionInfo; PubKey _Vehicle ); and or
• - sends the datagram on to the requesting vehicle.

• - empfängt das Datagramm und entschlüsselt es mit SecKeyvehicie.
• - vergleicht die Positionsinfo mit dem eigenen Standort, der beispielsweise via GPS vom Fahrzeug selbst ermittelt wurde; und/oder
• - öffnet bei ausreichender Übereinstimmung bzw. bei entsprechend geringem Abstand die Türen.

Step 9: the vehicle ...

• - receives the datagram and decrypts it with SecKeyvehicie.
• - compares the position information with your own location, which was determined by the vehicle itself via GPS, for example; and or
• - opens the doors if there is sufficient agreement or if there is a sufficient distance.

Consequently, the proposed method creates a high level of digital security to protect against relay attacks. Nevertheless, there are only low costs, since with a 5G network, position determination via the mobile radio network is likely to become the standard. The invention uses existing and foreseeable techniques and is therefore inexpensive, there is little implementation effort and there is quick implementation.

3rd shows a schematic flowchart of a method for avoiding unauthorized unlocking of a vehicle, comprising the steps of providing 100 requesting a key to the vehicle to unlock the vehicle, building 101 a cellular connection between the key and a remote server, a request 102 of position data of the key by the server, a comparison 103 the position data of the key with determined 104 Position data of the vehicle, and an unlock 105 of the vehicle, if requested 102 and the determined 104 Position data essentially match, the cellular connection being a 5G cellular connection and the request 102 position data of the key is carried out by the server in a home location register HRL or a visitor location register VLR, which provides the position data.

QUOTES INCLUDE IN THE DESCRIPTION

This list of documents listed by the applicant has been generated automatically and is only included for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Patent literature cited

• DE 102015223345 A1 [0002]
• DE 102016207997 A1 [0003]
• DE 102015223342 A1 [0004]
• DE 102015107410 A1 [0005]

Claims (15)

A method of preventing unauthorized unlocking of a vehicle, comprising the steps of: - providing (100) a request to the vehicle for a key to unlock the vehicle; - Establishing (101) a mobile radio connection between the key and a remote server; - Requests (102) of position data of the key by the server; - Comparing (103) the position data of the key with determined (104) position data of the vehicle; and - unlocking (105) the vehicle if the requested (102) and the determined (104) position data essentially match, characterized in that the mobile radio connection is present as a 5G mobile radio connection and the request (102) of position data of the key by the Server at a home location register (HLR) or a visitor location register (VLR), which provides the position data. Procedure according to Claim 1 , characterized in that the vehicle and the key exchange encrypted random numbers. Procedure according to Claim 1 or 2nd , characterized in that the key creates at least one random number, which is kept in the home location register (HLR) or the visitor location register (VLR) for authentication. Method according to one of the preceding claims, characterized in that transmitted data are encrypted in such a way that they can only be decrypted for the sender and the receiver. Method according to one of the preceding claims, characterized in that the establishment (101) of the mobile radio connection between the key and a remote server is carried out by means of a mobile radio module within the key. Method according to one of the preceding claims, characterized in that the key, the vehicle and / or the server store information for decrypting the data communication. Method according to one of the preceding claims, characterized in that the respective position data are determined on the basis of a location function of a 5G mobile radio network. Method according to one of the preceding claims, characterized in that both the vehicle and the key provide an identifier to the server and position data of the key are only generated if the two identifiers match. Method according to one of the preceding claims, characterized in that the key is present as a radio remote control and has a secured element. Method according to one of the preceding claims, characterized in that the position data essentially match if the key is located within a predefined radius with respect to the vehicle. Method according to one of the preceding claims, characterized in that the position data are transmitted in encrypted form. Method according to one of the preceding claims, characterized in that the method is carried out at least partially iteratively, such that current position data is always available. Method according to one of the preceding claims, characterized in that the key and the vehicle communicate wirelessly. System arrangement for avoiding unauthorized unlocking of a vehicle, comprising: - a key configured to provide (100) a request to the vehicle to unlock the vehicle; - A data interface set up to establish (101) a mobile radio connection between the key and a remote server; - Another data interface set up for requesting (102) position data of the key by the server; - A security unit set up for comparing (103) the position data of the key with determined (104) position data of the vehicle; and - a locking unit set up to unlock (105) the vehicle if the requested (102) and the determined (104) position data essentially match, characterized in that the mobile radio connection is in the form of a 5G mobile radio connection and the request (102) for position data of the key by the server at a home location register (HLR) or a visitor location register (VLR), which provides the position data. Computer program product with control commands which implement the method according to one of the Claims 1 to 13 execute when executed on a computer.

Images