JP2018116354A - Car equipment - Google Patents

Abstract

An in-vehicle device capable of preventing unauthorized acquisition of stored highly confidential information is provided. An in-vehicle device according to an embodiment includes an integrated circuit (IC) disposed on a circuit board having a storage unit for storing information, and is mounted on the circuit board so as to cover the IC. A shield case, a detection unit that detects that the shield case has been removed from the circuit board, and a memory that is stored in the storage unit of the IC when the detection unit detects that the shield case has been removed. An in-vehicle device including an information protection unit that disables reading of information, the power supply unit that supplies power to the information protection unit, and the power supply when the shield case is attached to the circuit board The portion is covered with the shield case. [Selection] Figure 3

Description

  The present invention relates to an in-vehicle device that prevents information leakage to the outside.

  In recent years, in-vehicle devices such as an ECU (Electronic Control Unit) mounted on a vehicle respond to messages to be transmitted and received when communicating via an in-vehicle network or wirelessly communicating with an apparatus outside the vehicle. It has been studied to improve security by performing encryption processing or the like. Some ICs (Integrated Circuits) such as microcomputers (microcontrollers, microcomputers) provided in in-vehicle devices have a nonvolatile storage area inside, and this storage area is used for encryption processing. Key information can be stored. Information with high secrecy such as encryption key information needs to be reliably prevented from leaking to the outside.

  Patent Document 1 proposes a vehicle communication lock system that makes forgery difficult by encrypting data transmission / reception between a parent device (such as an in-vehicle device) and a child device (such as a wireless key). In this vehicle communication lock system, the encryption data transmitted from the parent device to the child device and the encryption data transmitted from the child device to the parent device are encrypted using different encryption methods and different encryption keys. Doing so increases security.

JP 2007-85007 A

  In the vehicle communication lock system described in Patent Literature 1, a highly malicious information stored in the in-vehicle device may be illegally acquired by a malicious third party disassembling and analyzing the in-vehicle device. There is. For example, an attempt is made to directly or indirectly acquire highly confidential information stored in the IC by analyzing signals input to and output from the IC such as the microcomputer of the in-vehicle device. The In order to improve the secrecy of information against such unauthorized attempts, so-called tamper resistance, various measures have been studied in recent in-vehicle devices.

  The present invention has been made in view of such circumstances, and an object of the present invention is to provide an in-vehicle device that can prevent unauthorized acquisition of stored highly confidential information. .

  An in-vehicle device according to the present invention includes an integrated circuit (IC) disposed on a circuit board having a storage unit for storing information, a shield case that covers the IC and is mounted on the circuit board, and the circuit A detection unit that detects that the shield case has been removed from the substrate, and reading of information stored in the storage unit of the IC is impossible when the detection unit detects that the shield case has been removed. An information protection unit for converting the power supply unit to supply power to the information protection unit, and when the shield case is mounted on the circuit board, the power supply unit is covered with the shield case. Features.

  The in-vehicle device according to the present invention includes a power supply circuit that receives power supply from the outside and supplies power to the information protection unit, and the power supply unit cuts off power supply from the outside to the power supply circuit. In this case, power is supplied to the information protection unit.

  In the in-vehicle device according to the present invention, the power supply unit stores the power supplied from the power supply circuit, and supplies the stored power to the information protection unit.

  The on-vehicle device according to the present invention is characterized in that the power supply circuit is not covered with the shield case when the shield case is mounted on the circuit board.

In the present invention, the IC disposed on the circuit board is covered by attaching a shield case to the circuit board of the in-vehicle device. The in-vehicle device includes an information protection unit that makes it impossible to read information stored in the storage unit of the IC when it is detected that the shield case is removed from the circuit board. For example, the information protection unit can make it impossible to read the information stored in the storage unit by erasing the information stored in the storage unit of the IC or destroying a circuit constituting the storage unit.
Further, the in-vehicle device includes a power supply unit that supplies power to the information protection unit that makes it impossible to read information stored in the storage unit of the IC. As a result, even when the power supply from the outside to the in-vehicle device is cut off, it is possible to perform an operation of making IC information unreadable by the power supplied by the power supply unit. The power supply unit is arranged on the circuit board so as to be covered with the shield case in a state where the shield case is mounted on the circuit board. As a result, it is possible to prevent an unauthorized operation of removing the shield case by cutting off the power supply from the power supply unit in advance, and more reliably preventing unauthorized reading of the IC information. It becomes possible.

  In the present invention, the in-vehicle device includes a power supply circuit that receives power from a vehicle battery or an alternator and supplies power to the IC on the circuit board and the information protection unit. When power supply to the power supply circuit is cut off from the outside, power supply from the power supply unit covered with the shield case to the information protection unit is performed. Thereby, when the in-vehicle device is removed from the vehicle, information protection is performed by supplying power from the power supply unit, but when the in-vehicle device is mounted on the vehicle and supplied with power from a battery, etc. Information protection is performed by supplying power from the outside.

  In the present invention, the power supply unit covered by the shield case of the in-vehicle device receives the power supply from the power supply circuit and accumulates this power. The power supply unit supplies power to the information protection unit instead of the power supply circuit when the power supply from the power supply circuit is cut off. The power supply unit can be configured to store power using, for example, a capacitor. In the case of a configuration using a battery or the like as the power supply unit, the power of the battery may be reduced due to natural discharge or the like, and there is a possibility that the power supply to the information protection unit cannot be sufficiently performed. Such a state can be avoided by adopting a configuration in which the power supply unit stores the power supplied from the power supply circuit.

  In the present invention, the power supply circuit is not covered with the shield case when the shield case is mounted on the circuit board. In order to cover the power supply circuit with the shield case, it is necessary to increase the size of the shield case. However, since there is little need to cover the power supply circuit, it is possible to suppress an increase in the size of the shield case by making the power supply circuit outside the shield case.

  In the case of the present invention, the power supply unit that supplies power to the information protection unit that makes it impossible to read the information of the IC is provided so as to be covered by the shield case mounted on the circuit board. Since it is possible to prevent the unauthorized operation of removing the shield case by cutting off the power supply from the power supply unit in advance, the in-vehicle device can be removed even after the in-vehicle device is removed from the vehicle. It is possible to more reliably prevent unauthorized reading of highly confidential information stored.

It is a perspective view which shows the external appearance of the circuit board which comprises the vehicle equipment which concerns on this Embodiment. It is a top view which shows the external appearance of the circuit board which comprises the vehicle equipment which concerns on this Embodiment. It is a block diagram which shows the structure of the vehicle equipment which concerns on this Embodiment. It is a block diagram which shows the structure of the vehicle equipment which concerns on a modification.

  FIG. 1 is a perspective view showing an appearance of a circuit board constituting the in-vehicle device according to the present embodiment. FIG. 2 is a plan view showing the appearance of a circuit board constituting the in-vehicle device according to the present embodiment. The in-vehicle device according to the present embodiment is an ECU that performs wireless communication using ITS (Intelligent Transport Systems). In the figure, reference numeral 1 denotes a circuit board provided in this in-vehicle device. The circuit board 1 is a substantially rectangular plate, and a plurality of circuit elements and a wiring pattern (not shown) for electrically connecting them are provided on the circuit board 1, and an electric circuit is configured by these. Thus, various functions as an ECU are realized.

  A connector 2 to which a power cable and a communication cable arranged in the vehicle are connected to an end portion on one long side of the circuit board 1, a GPS (Global Positioning System) signal receiving antenna, and a wireless communication Connectors 3a to 3c to which the antennas and the like are respectively connected are provided side by side. Further, circuit elements such as a microcomputer IC 4 and a memory IC 5 are mounted on the circuit board 1 at appropriate positions. The microcomputer IC4 is a semiconductor element in which a CPU (Central Processing Unit), a nonvolatile memory, and the like are integrated on a single chip, and performs arithmetic processing related to communication performed between devices inside and outside the vehicle. The connector 2 and the connectors 3a to 3c are electrically connected to the microcomputer IC 4 directly or indirectly via a circuit element or the like. The memory IC 5 is a volatile memory element such as SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory), and temporarily stores data generated by the processing of the microcomputer IC 4.

  A plurality of clips 6 are erected on the circuit board 1 according to the present embodiment so as to surround the microcomputer IC 4 and the memory IC 5. The clip 6 is made of metal, for example, and can be held by sandwiching a thin plate. In the present embodiment, the plurality of clips 6 are used to hold the shield case 7. The shield case 7 has a substantially rectangular top plate portion and side wall portions provided substantially perpendicular to the four sides of the top plate portion. The plurality of clips 6 hold the shield case 7 by sandwiching the four side walls of the shield case 7. In other words, the shield case 7 is mounted on the circuit board 1 by being sandwiched between the plurality of clips 6.

  When the shield case 7 is attached to the circuit board 1, the shield case 7 covers the microcomputer IC 4 and the memory IC 5 provided on the circuit board 1. In FIGS. 1 and 2, the internal microcomputer IC 4 and the memory IC 5 are visible through the shield case 7, but this is for simplifying the description. The shield case 7 is made of, for example, metal. Actually, when the shield case 7 is attached to the circuit board 1, the internal microcomputer IC 4 and the memory IC 5 cannot be visually recognized from the outside. 1 and FIG. 2, although the illustration is omitted, a portion that is an empty area on the circuit board 1 is actually provided with one or a plurality of circuit elements, wiring patterns, and the like. An electric circuit for realizing the function is configured.

  In the in-vehicle device according to the present embodiment, the battery 10 is mounted on the circuit board 1. The battery 10 can be, for example, a disk type (so-called button type) battery, and is attached to the battery mounting portion provided on the circuit board 1 in a removable or impossible manner. The battery 10 is provided at a place covered with the shield case 7 in a state where the shield case 7 is mounted on the circuit board 1.

  FIG. 3 is a block diagram showing the configuration of the in-vehicle device according to the present embodiment. In FIG. 3, the power supply path is indicated by a thick solid line, and the signal transmission path is indicated by a thin solid arrow. In addition, when the shield case 7 is mounted on the circuit board 1, the components covered by the shield case 7 are described in a region surrounded by an alternate long and short dash line denoted by reference numeral 7. The circuit board 1 included in the in-vehicle device according to the present embodiment is provided with the connector 2, the connectors 3a to 3c (not shown in FIG. 2), the microcomputer IC4, the memory IC5, the battery 10, and the like as described above. ing. Furthermore, the circuit board 1 according to the present embodiment is provided with a power supply circuit 11, a detection circuit 12, and the like. In the state where the shield case 7 is mounted on the circuit board 1, the power circuit 11 is not covered with the shield case 7, and the detection circuit 12 is covered with the shield case 7.

  In the present embodiment, one or a plurality of cables including at least a power cable are connected to the connector 2 of the in-vehicle device, and power is supplied from the vehicle battery and the alternator to the in-vehicle device via the power cable. Made. The power supply circuit 11 is connected to the connector 2 via a power supply path, and receives power having a voltage value of about 12 V supplied from a vehicle battery and an alternator. The power supply circuit 11 converts the input power of about 12V into power having an appropriate voltage value and outputs the power, thereby supplying power having a voltage value suitable for each circuit provided on the circuit board 1. In the present embodiment, the power supply circuit 11 outputs power having a voltage value of about 5V and power having a voltage value of about 12V.

  The power having a voltage value of about 5V output from the power supply circuit 11 is supplied to the microcomputer IC4 and the memory IC5 provided on the circuit board 1 (however, the power supply path from the power supply circuit 11 to the memory IC5 in FIG. 2 is not shown). Omitted). The microcomputer IC4, the memory IC5, and the like operate with electric power having a voltage value of about 5 V supplied from the power supply circuit 11. In the present embodiment, the power supply circuit 11 supplies power to the microcomputer IC4 and the memory IC5 with a voltage value of about 5V. However, the present invention is not limited to this. For example, power with a voltage value of about 3.3V is supplied. It is good also as composition to do.

  The microcomputer IC4 includes an arithmetic processing unit 21, a storage unit 22, and the like. The arithmetic processing unit 21 is a so-called CPU (Central Processing Unit) or MPU (Micro-Processing Unit) or the like, and performs various arithmetic processes associated with the operation of the in-vehicle device. The storage unit 22 is configured using a nonvolatile memory element such as an EEPROM (Electrically Erasable Programmable Read Only Memory) or a flash memory. In the present embodiment, the storage unit 22 stores encryption key information used when the in-vehicle device communicates with the inside and outside of the vehicle. The circuit constituting the arithmetic processing unit 21 and the storage unit 22 of the microcomputer IC4 is supplied with electric power having a voltage value of about 5 V supplied from the power supply circuit 11, and the circuit is operated by this electric power.

  Further, the electric power having a voltage value of about 12 V output from the power supply circuit 11 is supplied to the microcomputer IC 4 and the detection circuit 12. As described above, the microcomputer IC4 operates with electric power having a voltage value of about 5V supplied from the power supply circuit 11, and the electric power having a voltage value of about 12V supplied from the power supply circuit 11 is not used for normal operation. The electric power having a voltage value of about 12 V supplied from the power supply circuit 11 to the microcomputer IC4 is used for protecting the encryption key information stored in the storage unit 22 in the information protection circuit 25 in the microcomputer IC4.

  The detection circuit 12 is a circuit that operates with electric power having a voltage value of about 12 V supplied from the power supply circuit 11. The detection circuit 12 detects that the shield case 7 sandwiched by the plurality of clips 6 provided on the circuit board 1 has been removed, and inputs a signal indicating the detection result to the microcomputer IC4. For example, the clip 6 and the shield case 7 are made of a conductive material, and a predetermined electrical signal (for example, a signal having a constant value of 12V) is output from any one of the plurality of clips 6, and this signal passes through the shield case 7. By determining whether or not the other clip 6 has been reached, it can be detected that the shield case 7 has been removed. However, the removal detection method is not limited to this. For example, the circuit board 1 is provided with a push switch, and when the shield case 7 is mounted, the push switch is pressed down, and the press is released when the shield case 7 is removed. Thus, it can be configured to detect removal.

  The output signal of the detection circuit 12 is input to the information protection circuit 25 provided in the microcomputer IC4. The information protection circuit 25 destroys the circuit portion by forcibly applying the power of about 12 V supplied from the power supply circuit 11 to a predetermined circuit portion of the storage unit 22. The information protection circuit 25 has a switch 26 arranged in a power supply path from the input terminal of the microcomputer IC 4 to which power having a voltage value of about 12 V is input to a predetermined part of the storage unit 22. The switch 26 is constituted by a semiconductor element, for example. The information protection circuit 25 performs energization / cutoff switching control of the switch 26 based on the signal input from the detection circuit 12. That is, the information protection circuit 25 performs control to switch the switch 26 to the conductive state when the detection circuit 12 detects the removal of the shield case 7, thereby supplying the power of the voltage value of about 12V to a predetermined value in the storage unit 22. By forcibly applying to the circuit part and destroying the storage unit 22, the encryption key information is made unreadable and protected. The storage unit 22 in which a predetermined circuit part is destroyed can perform operations such as reading and writing even when the shield case 7 is attached and the application of power having a voltage value of about 12 V is released thereafter. I can't. Therefore, the encryption key information stored in the storage unit 22 is permanently unreadable.

  Further, in the in-vehicle device according to the present embodiment, when the power cable is disconnected from the connector 2 and the supply of electric power having a voltage value of about 12 V from the vehicle battery and alternator is interrupted, the microcomputer replaces the power supply circuit 11. A battery 10 for supplying power of about 12 V to the IC 4 and the detection circuit 12 is provided. The battery 10 is connected to a power supply path from the power supply circuit 11 to the microcomputer IC 4 and the detection circuit 12 in parallel with the power supply circuit 11. Although not shown in FIG. 3, a backflow preventing diode or the like for preventing current from flowing from the battery 10 to the power supply circuit 11 and / or from the power supply circuit 11 to the battery 10 may be provided. When power having a voltage value of about 12V is no longer output from the power supply circuit 11, the power having a voltage value of about 12V is supplied from the battery 10 to the microcomputer IC4 and the detection circuit 12 by the power stored in the battery 10, and the shield case 7 The storage unit 22 is destroyed according to the removal.

  As described above, the battery 10 is covered with the shield case 7 attached to the circuit board 1. For this reason, the battery 10 cannot be removed while the shield case 7 is mounted on the circuit board 1. Furthermore, the power supply path from the battery 10 to the microcomputer IC 4 and the detection circuit 12 is also covered with a shield case 7 attached to the circuit board 1. For this reason, fraud such as cutting the power supply path from the battery 10 to the microcomputer IC 4 and the detection circuit 12 cannot be performed. As a result, regardless of whether the power cable is connected to the connector 2 or not, the detection circuit 12 and the information protection circuit 25 are supplied with power having a voltage value of about 12 V, and the shield case 7 is removed. In this case, it is possible to destroy the storage unit 22 and make the encryption key information unreadable.

  The in-vehicle device according to the present embodiment having the above configuration attaches the shield case 7 to the circuit board 1 by sandwiching the shield case 7 between a plurality of clips 6 provided on the circuit board 1, and The arranged microcomputer IC 4 and memory IC 5 are covered with a shield case 7. The information protection circuit 25 of the microcomputer IC 4 switches the switch 26 to the energized state when the detection circuit 12 detects that the shield case 7 has been removed from the circuit board 1, and the voltage value supplied from the power supply circuit 11 or the battery 10. By forcibly applying about 12V of power to a predetermined circuit portion of the storage unit 22, the encryption key information stored in the storage unit 22 cannot be read.

  Further, the in-vehicle device includes a battery 10 that supplies power to the information protection circuit 25 and the detection circuit 12 that make it impossible to read the encryption key information stored in the storage unit 22 of the microcomputer IC 4, separately from the power supply circuit 11. Prepare. Thereby, even when the power supply from the outside to the in-vehicle device is cut off, the information protection circuit 25 and the detection circuit 12 can store the encryption key information stored in the storage unit 22 by the power supplied by the battery 10. It is possible to perform an operation that makes it impossible to read the data. The battery 10 is provided on the circuit board 1 so as to be covered with the shield case 7 in a state where the shield case 7 is attached to the circuit board 1. As a result, it is possible to prevent an unauthorized operation of removing the shield case 7 by cutting off the power supply from the battery 10 in advance, and the encryption key information stored in the storage unit 22 of the microcomputer IC4 is illegal. Reading can be reliably prevented.

  The in-vehicle device receives power from a vehicle battery, an alternator, and the like, and supplies power to the microcomputer IC 4 and the memory IC 5 on the circuit board 1, the detection circuit 12, the information protection circuit 25, and the like. It has. When power supply to the power supply circuit 11 is cut off from the outside, power is supplied from the battery 10 covered with the shield case 7 to the information protection circuit 25, the detection circuit 12, and the like. Thus, when the in-vehicle device is removed from the vehicle, the information protection circuit 25 performs information protection by supplying power from the battery 10, but the in-vehicle device is mounted on the vehicle and supplied with power from the battery, the alternator, and the like. For example, information protection by the information protection circuit 25 is performed by supplying power from the power supply circuit 11.

  The power supply circuit 11 is not covered with the shield case 7 in a state where the shield case 7 is attached to the circuit board 1. In order to cover the power supply circuit 11 with the shield case 7, it is necessary to enlarge the shield case 7. However, since there is little need to cover the power supply circuit 11, the power supply circuit 11 is arranged outside the shield case 7. The enlargement of the shield case 7 can be suppressed.

  In the present embodiment, an ECU that performs wireless communication using ITS is described as an example of the in-vehicle device. However, the in-vehicle device may be various other devices, such as an encryption key for communication or An in-vehicle device having a storage unit that stores highly confidential information such as user personal information is suitable. In the present embodiment, the storage unit 22 storing the encryption key information is provided inside the microcomputer IC 4. However, the present invention is not limited to this. For example, a memory IC having the information protection circuit 25 may be used. . In addition, the information protection circuit 25 according to the present embodiment is configured such that the encryption key information cannot be read by destroying the circuit portion of the storage unit 22, but the present invention is not limited to this. A configuration may be adopted in which reading is not possible by erasing the stored encryption key information.

  In addition, the arrangement of circuit elements and the like on the circuit board 1 shown in FIGS. 1 and 2 is an example, and is not limited to this. The battery 10 is a button type battery, but is not limited to this, and a battery having a shape other than this may be used. The power supply circuit 11 is not covered with the shield case 7, but the present invention is not limited to this, and the power supply circuit 11 may be covered with the shield case 7.

(Modification)
The in-vehicle device according to the above-described embodiment has a configuration in which the battery 10 supplies power to the detection circuit 12 and the information protection circuit 25 when the external power supply is cut off. However, the present invention is not limited thereto. Instead, for example, the configuration shown in the following modification may be employed. FIG. 4 is a block diagram illustrating a configuration of an in-vehicle device according to a modification. The in-vehicle device according to the modification includes a capacitor 110 instead of the battery 10. The capacitor 110 is connected to the power supply path from the power supply circuit 11 to the detection circuit 12 and the information protection circuit 25. The capacitor 110 is covered with the shield case 7 in a state where the shield case 7 is attached to the circuit board 101.

  When power is supplied from the power supply circuit 11 to the detection circuit 12 and the information protection circuit 25, power is stored in the capacitor 110. Thereafter, when the in-vehicle device is removed from the vehicle and the power supply from the battery and the alternator is cut off, and the power supply of the power supply circuit 11 is turned on, the capacitor 110 detects the power stored therein by the detection circuit 12 and the information protection. Supply to circuit 25. Thereby, the detection circuit 12 and the information protection circuit 25 operate, and when the detection circuit 12 detects that the shield case 7 has been removed from the circuit board 101, the information protection circuit 25 is stored in the storage unit 22 of the microcomputer IC4. The reading of the encryption key information can be made impossible.

  The capacitance of the capacitor 110 is determined as appropriate based on the power necessary for the operation of the detection circuit 12, the information protection circuit 25, etc., and the period during which the operation of these circuits needs to be maintained. The capacitor 110 may be configured using one capacitor element, or may be configured by connecting a plurality of capacitor elements.

DESCRIPTION OF SYMBOLS 1 Circuit board 2 Connector 3a-3c Connector 4 Microcomputer IC
5 Memory IC
6 Clip 7 Shield Case 10 Battery (Power Supply Unit)
11 Power supply circuit 12 Detection circuit (detection unit)
21 arithmetic processing unit 22 storage unit 25 information protection circuit (information protection unit)
26 switch 101 circuit board 110 capacitor (power supply unit)

Claims (4)

An IC (Integrated Circuit) disposed on a circuit board having a storage unit for storing information;
A shield case that covers the IC and is attached to the circuit board;
A detection unit for detecting that the shield case has been removed from the circuit board;
An information protection unit that disables reading of information stored in the storage unit of the IC when the detection unit detects that the shield case has been removed;
A power supply unit for supplying power to the information protection unit,
When the shield case is attached to the circuit board, the power supply unit is covered with the shield case. A power supply circuit that receives power from the outside and supplies power to the information protection unit;
The in-vehicle device according to claim 1, wherein the power supply unit supplies power to the information protection unit when power supply to the power supply circuit is interrupted from outside. The in-vehicle device according to claim 2, wherein the power supply unit accumulates electric power supplied from the power supply circuit and supplies the accumulated electric power to the information protection unit. The in-vehicle device according to claim 2, wherein the power supply circuit is not covered with the shield case when the shield case is attached to the circuit board.

Images