MOBILE RADIO DEVICE, METHOD FOR OPERATING A MOBILE RADIO DEVICE AND VEHICLE
Patent Information
- Authority / Receiving Office
- DE · DE
- Patent Type
- Patents
- Current Assignee / Owner
- MERCEDES BENZ GROUP AG
- Filing Date
- 2022-06-30
- Publication Date
- 2026-06-11
AI Technical Summary
Existing IT systems, including mobile devices integrated into vehicles, are vulnerable to attacks through multiple SIM profiles, particularly those that compromise the device via manipulated SIM profiles, leading to unauthorized access, data manipulation, and system disruption, with existing security solutions having limited effectiveness when integrated into the operating system.
An attack detection system is integrated upstream of the operating system in the mobile device's modem, capable of detecting threats early and reconfiguring the system behavior to mitigate attacks, including deep packet inspection and firewall functionality, allowing independent monitoring and control of multiple SIM profiles.
This approach enhances security by detecting and responding to attacks promptly, preventing system compromise and maintaining functionality through secondary connections, even in the face of manipulated SIM profiles, thereby safeguarding critical vehicle systems.
Description
[0001] The invention relates to a method for operating a system consisting of a mobile communication device and a separate computing unit, the mobile communication device with an operating system and at least two SIM profiles for providing several independent mobile communication connections of the type defined in more detail in the preamble of claim 1, and a vehicle with a mobile communication device.
[0002] IT systems such as computers, mobile devices, high-performance computers, distributed systems, database systems, embedded systems, measurement systems, and the like typically have various interfaces for interaction. This interaction can occur with humans, for example, via a human-machine interface, as well as between IT systems themselves, using communication protocols such as the Internet Protocol (IP) or the Transmission Control Protocol (TCP). Attackers can use these interfaces to compromise IT systems. Such attacks typically aim to disrupt the normal operation of IT systems, gain unauthorized access, destroy or disable IT systems, steal or manipulate critical information, or similar actions. Often, IT systems are infected or attacked with malware for this purpose.Malware can include viruses, spyware, adware, botnets, and similar threats. An IT system operator is typically interested in protecting their IT system as reliably as possible against such attacks.
[0003] Mobile devices are increasingly being integrated into vehicles to enable data exchange, for example, for transmitting diagnostic data to a vehicle manufacturer. Such mobile devices can also be equipped with multiple SIM profiles, for example, in the form of multiple SIM cards and / or multiple SIM signatures encoded and stored on a memory device. The provision of additional SIM profiles allows for the integration of customer or third-party SIM profiles, which, unlike a trusted manufacturer SIM profile, can be used relatively easily to compromise the mobile device.For example, malicious data packets can be injected into the mobile device via a mobile network operated by an attacker, such as a mobile network operated via a manipulated femtocell, and used to execute malware on the mobile device or another computing unit of the vehicle.
[0004] Various hardware and / or software solutions for protecting IT systems are generally known from the state of the art. These include, for example, firewalls, antivirus programs, intrusion detection systems (IDS), and intrusion prevention systems (IPS). Intrusion detection systems and intrusion prevention systems are used to detect and / or defend against attacks targeting computer systems and / or computer networks. Such a system is typically run on the hardware being monitored and / or is directly integrated into a firewall. In addition to host-based and network-based intrusion detection systems, hybrid systems are also known. To detect an attack, the intrusion detection system or...The attack detection and defense system analyzes monitored data and / or network traffic for known attack patterns. Such a system includes a database of known attack patterns. If such an attack pattern is detected, the corresponding attack detection system raises an alarm. Using heuristic methods and statistical analyses, even previously unknown attacks can be detected. An attack detection and defense system is also capable of discarding data packets, interrupting a communication connection, and / or modifying transmitted data.
[0005] From WO 2014 / 105309 A1, a system and a method for correlating network information with subscriber information in a mobile network environment are known. Data packets received from a network such as the internet, an intranet, a VPN, or the like are examined by a network security platform using deep packet inspection. With the help of this network security platform and deep packet inspection, operators of wireless networks are able to create behavioral profiles of mobile network subscribers and to associate specific network events, such as accessing certain websites, executing certain applications, receiving and / or sending certain data, or the like, with specific network subscribers. This allows targeted attacks by or from mobile network subscribers to be prevented.For example, the downloading of malware can be detected and prevented, or communication between a network participant and a security-critical website can be detected or stopped. The network security platform is operated by the mobile network operator, meaning that individual participants in the mobile network have no influence on the user behavior profiles assigned to them. In other words, the mobile network operator is able to monitor and control the participants.
[0006] Furthermore, DE 10 2017 128 063 A1 discloses a vehicle with a telematics unit with two SIM profiles for using two separate mobile phone connections. The telematics unit is capable of determining performance indicators of the underlying communication network, such as network strength, data transmission rate, and network stability.
[0007] Furthermore, US patent 2020 / 274851 A1 discloses a network security gateway for monitoring network traffic transmitted within a vehicle's communication network. The network security gateway is implemented externally to an in-vehicle mobile device and downstream of the mobile device in the direction of information flow. The network security gateway includes a firewall with attack detection and mitigation functionality. The firewall, and thus the attack detection and mitigation functionality, is executed as a software module by the network security gateway's operating system.
[0008] A vehicle with a telematics unit having two SIM profiles is also known from DE 10 2016 114 321 A1. If the received signal strength or data transmission rate of one of the mobile connections of the telematics unit is too low, the telematics unit is able to automatically switch the respective mobile connection to another mobile network.
[0009] Furthermore, US patent 2015 / 0271138 A1 discloses a firewall for a mobile device for monitoring and forwarding information exchanged via SMS. The firewall has an attack detection function and an attack detection and prevention function.
[0010] The present invention is based on the objective of providing a method for the particularly secure operation of a mobile communication device with an operating system and at least two SIM profiles for providing several independent mobile communication connections.
[0011] According to the invention, this problem is solved by a method for operating a system consisting of a mobile communication device and a separate computing unit, the mobile communication device having an operating system and at least two SIM profiles for providing several independent mobile communication connections with the features of claim 1. Advantageous embodiments and further developments, as well as a vehicle with such an operable mobile communication device, are described in the dependent claims.
[0012] In a method for operating a system with a mobile communication device, the mobile communication device having an operating system and at least two SIM profiles for providing several independent mobile communication connections, an attack detection system or an attack detection and defense system is provided according to the invention, which is configured to identify at least the information transmitted with the network traffic, wherein the attack detection system or the attack detection and defense system is arranged in an information flow direction of network traffic received from at least one mobile communication connection upstream of the operating system of the mobile communication device and is integrated into a modem, wherein after detecting a security threat to the mobile communication device, the operating system is reconfigured,to adapt system behavior to the security threat and / or to restrict the functionality of at least one hardware and / or software component downstream of the mobile device in the direction of information flow.
[0013] A mobile device can be operated with enhanced security by employing an attack detection system or attack detection and defense system positioned upstream of the operating system. By placing the attack detection or attack detection and defense system upstream of the operating system, attacks can be detected very early. Consequently, appropriate responses to an attack can be taken just as quickly. This also protects the mobile device against attacks on network interfaces, interface drivers, and the operating system's IP stacks. Typically, attack detection or attack detection and defense systems are integrated into a firewall or operating system. However, such integrated attack detection and defense systems have limited capabilities for monitoring and filtering incoming data packets.Furthermore, the host operating system must process the data packets to be analyzed so that the attack detection and defense system can identify attacks, thereby exposing the operating system itself to potential attacks. However, if the data packets contained in the network traffic are examined upstream of the operating system, the operating system cannot be attacked.
[0014] An attack detection system can issue warnings in the event of a detected attack. However, an attack detection and defense system can also initiate appropriate measures directly from the mobile device itself to contain or prevent the attack.
[0015] The mobile device has at least two cellular connections. Using the attack detection system or the attack detection and defense system, attacks on individual cellular connections can be selectively detected. This allows for a specific response to each attack carried out via a particular cellular connection. For example, a security attack on one cellular connection can be handled differently than a security attack on a second cellular connection. Furthermore, in the event of an attack via the first cellular connection, the secure operation of the mobile device can be ensured via at least one other cellular connection. By detecting and responding to security attacks early, it is therefore possible to limit or prevent manipulation of the mobile device and / or to prevent its shutdown for security reasons.For communication, any wireless technology such as cellular networks, Wi-Fi, or similar can be used by the mobile device. Any cellular or communication standards, such as 2G-5G or future communication standards, can be used. For example, Wi-Fi telephony can be provided via at least one cellular connection. A corresponding wireless network can be provided by a stationary base station, such as a cell tower or femtocell, and / or a mobile station such as a satellite, drone, balloon, or similar device.
[0016] As previously described, the attack detection system or the attack detection and defense system is intended to be integrated into a modem. The mobile device uses a modem to establish communication with a mobile network. By integrating the attack detection system or the attack detection and defense system into the modem, network traffic within the mobile device is examined and / or influenced at a particularly early stage. This provides even more reliable protection for the mobile device against attacks. The attack detection system or the attack detection and defense system can be integrated into the modem solely through software, i.e., as a software module. It is also conceivable that the modem includes additional hardware such as storage devices and / or execution devices such as processors, which are dedicated solely to the functionality of the attack detection system.are assigned to attack detection and defense systems.
[0017] As previously described, after a security threat to the mobile device is detected, its operating system is reconfigured to adapt system behavior to the security threat and / or to restrict the functionality of at least one hardware and / or software component downstream of the mobile device in the direction of information flow.
[0018] Reconfiguring the operating system allows the mobile device to remain operational despite a detected security threat. In particular, if an attack occurs via a primary mobile connection, network traffic can continue via at least one secondary connection. Corresponding measures to be implemented by the attack detection system or the attack detection and defense system in an attack scenario can be stored in a database of these systems. It is also possible that, in the event of an attack on a primary mobile connection, the mobile device can receive new instructions for an appropriate response via at least one secondary connection. This allows security vulnerabilities to be closed via the mobile connection that is not directly affected by the attack, and enables a rapid response to new, previously unknown threats.Furthermore, selecting a suitable response to a successful attack may require coordination with a central computing unit, for example, a vehicle manufacturer's backend.
[0019] In addition to reconfiguring the operating system, downstream hardware and / or software components can also be modified in their operation. A hardware component downstream of the mobile device could be a vehicle's processing unit. For example, this could be a central on-board computer, a control unit of a vehicle subsystem, a telematics unit, or similar. The software components could be software running on such a processing unit, such as a navigation app, a radio app, a valve control program, a program for adjusting any controller behavior, or similar applications. This allows for even more comprehensive measures to adequately respond to potential attacks.
[0020] An advantageous further development of the procedure involves placing a firewall downstream of the attack detection system or the attack detection and defense system in the direction of network traffic flow. By implementing a firewall, the mobile device can be operated even more securely. Because the firewall is downstream of the attack detection system or the attack detection and defense system, and the corresponding systems are not integrated into the firewall, the functionality of the attack detection system or the attack detection and defense system can be implemented more comprehensively. This allows for even more secure protection of the mobile device.
[0021] According to a further advantageous embodiment of the method, the attack detection system or the attack detection and defense system is configured to monitor, control, and / or filter network traffic. Monitoring network traffic allows for the detection of dangerous data packets and attack patterns. Individual data packets or components of network traffic can also be examined in detail, i.e., controlled. For example, individual code segments can be executed in a secure environment such as a virtual machine and their impact analyzed. Similarly, individual network traffic components or data packets can be prevented from being forwarded to the operating system or firewall; in other words, network traffic is filtered.This can, for example, prevent the forwarding of dangerous data packets to the operating system and / or downstream computing units in the information flow direction of the mobile device, and / or detect and prevent Denial of Service (DOS) attacks.
[0022] In a further advantageous embodiment of the method, a deep packet inspection module is integrated into the attack detection system or attack detection and defense system. Deep packet inspection allows not only the examination of the header portion of a data packet but also its content. This enables a more comprehensive and therefore more secure analysis of network traffic. Furthermore, deep packet inspection can also be used to regulate data streams. By providing additional security certificates, even encrypted data streams can be decrypted and analyzed, if necessary.
[0023] Preferably, the mobile device is configured as a mobile terminal or telecommunications module of a vehicle. Mobile terminals such as smartphones, tablets, laptops, and the like are widely used today. By implementing such a mobile terminal according to the mobile device of the invention, these terminals can be operated even more securely. Due to their widespread use, a particularly large number of users can be protected. With advancing digitalization, vehicles are also becoming increasingly networked. With the aid of a telecommunications module, vehicles can, for example, transmit diagnostic parameters to the vehicle manufacturer for research and development purposes, receive data for convenience services such as traffic data, weather reports, and the like, or receive firmware or software updates for control units.By implementing such a telecommunications module according to the mobile communication device according to the invention, such vehicles can be protected even more reliably against attacks.
[0024] This is particularly important for automated or autonomously controlled vehicles, such as autonomous trucks. For example, such autonomous vehicles can receive control commands from a vehicle control center. It is conceivable that, through an attack on the telecommunications module of such a vehicle, manipulated control commands could be sent to the vehicle, causing it to be involved in an accident or steered to a different destination, for example, to steal cargo from the autonomous truck. However, by implementing the telecommunications module as a mobile communication device according to the invention, the probability of such an attack being successful is minimized.
[0025] For communication with the vehicle manufacturer, such a telecommunications module has a SIM profile assigned to the manufacturer. Typically, the vehicle manufacturer negotiates terms with a mobile network operator, such as one-time or recurring costs, a data bandwidth, a maximum permissible amount of data sent or received per unit of time, and similar conditions. Buyers of a vehicle with a telecommunications module that has at least two SIM profiles have the option of installing a private SIM profile in the telecommunications unit. This allows for mobile network use independent of the terms negotiated between the vehicle manufacturer and the telecommunications company. However, installing a private customer SIM profile also allows for the implementation of manipulated SIM profiles in the telecommunications unit.However, since the mobile communication device according to the invention is able to monitor and control several mobile communication connections independently of each other, network traffic taking place via a customer's SIM profile can be controlled and managed particularly strictly, whereas network traffic running via the vehicle manufacturer's SIM profile can continue undisturbed.
[0026] A further advantageous development of the method involves adapting the system behavior so that the mobile device logs events and / or information, restricts or disables at least one functionality provided by the mobile device, and / or changes a chosen path for routing network traffic. By logging events and information, attacks can be reconstructed or detected from the logged data. The functionality provided by the mobile device that is restricted could include, for example, making an emergency call, an eCall, conducting telephony, receiving or sending SMS messages, and / or sending and / or receiving digital data via mobile network. A restriction could, for example, be that only a certain number of communication partners can be reached via telephony and / or SMS.With this functionality deactivated, making phone calls and / or sending SMS messages would no longer be possible. It is also conceivable to test data packets received via a mobile connection for correct functionality and content in a secure test environment, such as a virtual machine, before the corresponding network traffic is forwarded to the hardware and / or software components downstream of the mobile device.
[0027] The instructions issued to the mobile device by the attack detection system or the attack detection and defense system to reconfigure its operating system can be implemented in a variety of ways. For example, targeted measures can be taken to manipulate network traffic at one of the seven OSI layers. The mobile device can perform targeted manipulations at the application layer. Network traffic can also be influenced at an OSI layer upstream of the application layer. This involves corresponding communication with a mobile network operator. For example, if the mobile network operator detects manipulated network traffic over a mobile connection of the mobile device that is not affected by an attack, it can issue instructions to the mobile device to reconfigure its operating system.transferred to restrict or disable certain functionalities.
[0028] According to a further advantageous embodiment of the method according to the invention, after a security threat to the mobile device is detected, the functionality of at least one mobile communication connection is restricted. If an attack occurs via a first mobile communication connection, the mobile communication functionalities required for the attack, i.e., the sending and / or receiving of certain data packets, can be restricted or prevented. However, mobile communication via at least one other mobile communication connection can continue uninterrupted. For example, if an attack occurs via a manipulated SIM profile, mobile communication via the vehicle manufacturer's SIM profile can continue uninterrupted. This ensures that diagnostic data can still be sent to the vehicle manufacturer and / or, for example, control commands can still be received from the vehicle.For example, at least one of the functionalities eCall, telephony, SMS, data exchange or the like can be restricted via a first mobile connection, for example the customer connection, and these functionalities can continue to run via a second mobile connection, for example the manufacturer connection.
[0029] Preferably, network traffic exchanged via a primary mobile connection is terminated when the mobile device receives a trigger, particularly one received via a secondary mobile connection. Terminating network traffic in the event of an attack allows for a particularly reliable assessment of the mobile device prior to the attack. Since the mobile device has multiple mobile connections, a corresponding trigger to terminate network traffic can also be received via an active connection even if the functionality of at least one mobile connection is restricted or disabled. For example, network traffic via a customer's SIM profile can be terminated, while network traffic via the vehicle manufacturer's SIM profile continues.The trigger can be sent to the mobile device by the vehicle manufacturer, a service provider, a mobile network operator, or similar entity. For example, if the attack detection system detects an attack on the mobile device, this information can be shared via the mobile connection that is not experiencing an attack with an authorized entity such as the vehicle manufacturer, an IT security company, the mobile network operator, or similar, whereupon the relevant party analyzes the supposed attack. If an attack is incorrectly detected, also known as a false positive, network traffic can continue via the mobile connection that was supposedly under attack.If, however, it is indeed an attack, the trigger to shut down network traffic via the attacked mobile connection can be sent via the corresponding unattacked mobile connection.
[0030] According to the invention, a vehicle comprises a telecommunications module as described above. The vehicle can be any type of vehicle, such as a car, truck, van, bus, or the like. The vehicle can have an internal combustion engine and / or an electric drive motor. Furthermore, the vehicle can be manually, at least partially automatically, or even autonomously controllable. With the aid of a telecommunications module according to the invention, a corresponding vehicle according to the invention can be operated particularly safely.
[0031] Further advantageous embodiments of the mobile communication device and the vehicle according to the invention also result from the exemplary embodiments, which are described in more detail below with reference to the figures.
[0032] This shows: Fig. 1 a schematic representation of a mobile communication device according to the invention; and Fig. 2 a schematic representation of a vehicle according to the invention with a mobile communication device according to the invention in the form of a telecommunications module.
[0033] Figure 1Figure 1 shows a mobile communication device 1 according to the invention, which can be operated using a method according to the invention and has several mobile communication connections, each of which is assigned a separate SIM profile SIM1, SIM2. Using the mobile communication connections, the mobile communication device 1 is able to communicate with several mobile communication networks 3.1, 3.2. Network traffic exchanged between the mobile communication device 1 and the mobile communication network(s) 3.1, 3.2 runs via an OEM data path 10.OEM and an end-user data path 10.EN.
[0034] A modem 6, included by the mobile device 1, receives the network traffic. The modem 6, in turn, includes an attack detection system 4.1 or an attack detection and defense system 4.2. The respective attack detection system 4.1 or attack detection and defense system 4.2 identifies the information transmitted with the network traffic. The attack detection system 4.1 or the attack detection and defense system 4.2 can also include a deep packet inspection module 7 to examine the network traffic using deep packet inspection. In an advantageous embodiment, the attack detection system 4.1 or the attack detection and defense system 4.2 can also not only monitor the network traffic but also control and / or filter it.
[0035] Downstream of modem 6 in the information flow direction, the mobile device 1 has an operating system 2. The operating system 2 may also include a firewall 5. Functionalities such as an OEM function 11.OEM and / or an end-user function 11.EN can be executed on the mobile device 1 using the operating system 2. An OEM function 11.OEM is, for example, a computer program that collects vehicle diagnostic data, processes it if necessary, and sends it to a vehicle manufacturer via one of the mobile connections. An end-user function 11.EN is, for example, a computer program that provides a chat function. The end-user function 11.EN is typically provided by software that runs on separate hardware, such as a vehicle's processing unit 13 or an end-user's mobile device.
[0036] Upstream of the end-user function 11.EN in the direction of information flow on the end-user data path 10.EN is a routing module 12 for the targeted selection of a path for forwarding network traffic.
[0037] If the attack detection system 4.1 or the attack detection and defense system 4.2 detects an attack on mobile device 1, the system behavior of mobile device 1 or operating system 2 is adjusted to respond to the attack. This reconfiguration is described in Figure 1indicated by dashed arrows. For example, the logging of events and / or information can be initiated, a functionality of mobile device 1 can be restricted or deactivated, especially a functionality provided via a separate mobile connection, and / or a path chosen for routing network traffic can be changed. For this purpose, attributes and settings of firewall 5, SIM profiles SIM1 and SIM2, and the OEM function 11.OEM can be adjusted.
[0038] Furthermore, a computing unit 13 can be connected downstream of the mobile device 1. This can be, for example, a personal computer, a control unit, a vehicle telematics unit, or the like. Analogous to the mobile device 1, an OEM function 11.OEM and / or an end-user function 11.EN can also be executed on the computing unit 13.
[0039] Figure 2Figure 1 shows the integration of such a mobile communication device 1 according to the invention, in the form of a telecommunications module 8, into a vehicle 9 according to the invention. By providing at least two SIM profiles SIM1, SIM2, the telecommunications module 8 is simultaneously ready to receive and transmit on both SIM profiles SIM1, SIM2. To provide the SIM profiles SIM1, SIM2, several SIM cards can be integrated into the mobile communication device 1 using multiple SIM slots. Generally, several SIM profiles SIM1, SIM2 can also be provided on a single SIM card and / or on any storage device of the telecommunications module 8. The provision of at least one second SIM profile SIM2 enables the use of an end-user SIM profile in addition to an OEM SIM profile. An end user is thus able to provide a manipulated SIM profile in the telecommunications module 8.This allows manipulated data packets to be injected into the telecommunications module 8 and thus attack the vehicle 9. However, with the aid of a telecommunications module 8 designed as a mobile communication device 1 according to the invention, such attacks can be detected and, if necessary, contained or prevented. For this purpose, for example, a functionality of the mobile communication device 1 can be restricted or deactivated. It is also possible to terminate all communication via at least one of the mobile communication connections.
Claims
1. Method for operating a system consisting of a mobile device (1) and a separate computing unit (13), the mobile device (1) comprising an operating system (2) and at least two SIM profiles (SIM1, SIM2) for providing multiple independent mobile connections, network traffic being exchanged via at least one mobile connection with a mobile network (3.1, 3.2) and information transmitted using the network traffic being identified, characterized in that the mobile device (1) further comprises an attack detection system (4.1) or an attack detection and defense system (4.2) which is configured to identify at least the information transmitted using the network traffic, the attack detection system (4.1) or the attack detection and defense system (4.2) being arranged, in an information flow direction of network traffic received from at least one mobile connection, upstream of the operating system (2) of the mobile device (1), and the attack detection system (4.1) or the attack detection and defense system (4.2) being integrated into a modem (6), wherein, after a security threat to the mobile device (1) is detected, the operating system (2) is reconfigured to adapt a system behavior to the security threat and / or a functionality of at least one hardware and / or software component of the separate computing unit (13) downstream of the mobile device (1) in the information flow direction is restricted.
2. Method according to claim 1, characterized by a firewall (5) which is downstream of the attack detection system (4.1) or the attack detection and defense system (4.2) in the mobile device (1) in the information flow direction.
3. Method according to claim 1 or claim 2, characterized in that the attack detection system (4.1) or the attack detection and defense system (4.2) in the mobile device (1) is configured to monitor, control and / or filter the network traffic.
4. Method according to any of claims 1 to 3, characterized in that a deep packet inspection module (7) is integrated into the attack detection system (4.1) or the attack detection and defense system (4.2) in the mobile device (1).
5. Method according to any of claims 1 to 4, characterized by a design version of the mobile device (1) as a mobile terminal or telecommunications module (8) of a vehicle (9).
6. Method according to any of claims 1 to 5, characterized in that the system behavior is adapted such that the mobile device (1) logs events and / or information, at least one functionality provided by the mobile device (1) is restricted or disabled and / or a chosen path for forwarding network traffic is changed.
7. Method according to any of claims 1 to 6, characterized in that after a security threat to the mobile device (1) is detected, the functionality of at least one mobile connection is restricted.
8. Method according to claim 7, characterized in that network traffic exchanged via a first mobile connection (1) is adjusted when the mobile device (1) receives a trigger, in particular a trigger received via a second mobile connection.
9. Vehicle (9), characterized by a mobile device (1) designed as a telecommunications module (8), and a separate computing unit (13), which device is configured to carry out the method according to claim 5.