Method for determining the state of at least one electronic component in a system, in particular for responding to cybersecurity, counterfeit or non-compliant override issues
A low-cost method using a master component to authenticate and monitor slave components with cryptographic mechanisms and presence frames addresses the complexity of detecting counterfeit parts, ensuring rapid identification and alerting in systems.
Patent Information
- Authority / Receiving Office: WO
- Patent Type: Applications
- Current Assignee / Owner: AMPERE SAS
- Filing Date: 2025-12-18
- Publication Date: 2026-06-25
AI Technical Summary
Existing methods for detecting counterfeit or unauthorized electronic components in systems, such as vehicles, are complex, costly, and do not provide detailed analysis of abnormal behavior, leading to financial losses and safety compromises.
A method involving a master component that authenticates and monitors slave components using a cryptographic mechanism and presence frames to determine their legality, authenticity, and functionality, with a low-cost configuration that includes an inventory of lawful parts.
Dynamically determines the state of electronic components with low false positives, enabling rapid identification and alerting of counterfeit or unauthorized parts, thereby improving system security and compliance.
Description
[0001] Description
[0002] Title of the invention: Method for determining the state of at least one electronic component in a system, particularly to address cybersecurity, counterfeiting, or non-compliant issues
[0003] [1] Technical field
[0004] [2] The present invention relates to a method for determining the state of at least one electronic component (ECU) in a system. The invention also relates to a system configured for implementing such a method.
[0005] [3] The field of the invention is cybersecurity, in particular combating or overcoming counterfeiting. The invention has applications in various sectors of activity: automotive, industry, home automation, etc.
[0006] [4] Prior art
[0007] [5] In these various sectors of activity, it is essential to guarantee the safety and integrity of the electronic components of a system. In particular, in the automotive sector, it is essential to guarantee the safety and integrity of the electronic components of a motor vehicle.
[0008] [6] A first problem relates to counterfeit or stolen parts from other vehicles, which cause significant financial losses for manufacturers and customers, and compromise the safety of occupants. In the event of an accident, it is difficult for the manufacturer to absolve themselves of responsibility related to the counterfeit part and for the customer to prove their innocence if the counterfeit part was present when the vehicle was purchased.
[0009] [7] A second problem relates to non-compliant over-upgrading, i.e., the addition of unauthorized components. It is possible for an attacker to add unauthorized electronic components, such as a salvaged ADAS component, without replacing existing components, thus adding new functionalities to the vehicle without the manufacturer's consent.
[8] A third problem relates to the obligations under UNR155 Regulation, which requires the detection of any physical manipulation of the vehicle intended to carry out an attack, thus obligating manufacturers to consider the detection of counterfeit parts.
[0010] [9] US11218476 describes a method for detecting illicit parts by comparing the normal behavior of a vehicle, as measured by CAN messages, with that of a vehicle equipped with counterfeit parts, which exhibits different driving behavior. This method is rather complex, as it requires the intervention of an external server and involves analyzing all exchanged messages, filtering them to retain only the relevant ones, and performing statistical analyses to detect anomalies. Furthermore, this method does not allow for a detailed analysis of the reasons for abnormal behavior, since it cannot determine whether an abnormal situation stems from an illicit, defective, oversized, or counterfeit part.
[0011]
[0010] Description of the invention
[0012]
[0011] The object of the present invention is to remedy the aforementioned problems.
[0013]
[0012] To this end, the invention relates to a method for determining the state of at least one electronic component in a system, the method being characterized in that it comprises the following steps:
- a system configuration step, comprising:
  o a master component integrating an inventory of lawful parts intended to equip the system; and
  o at least one slave electronic component connected to the master component;
- a step of checking the state of the or each slave electronic component by the master component, this state being defined according to three input states of the slave electronic component considered:
  o a legality state: present when the master component associates the slave electronic component with a lawful part listed in the inventory, and absent otherwise;
  o an authenticity state: valid when the master component authenticates the slave electronic component via an authentication mechanism, and invalid otherwise;
  o a functional state: available when the master component detects the presence frame sent by the slave electronic component, and unavailable otherwise; and
- a conclusion step on the state of the slave electronic component, from the legality state, the authenticity state and the functional state.
[0014]
[0013] Thus, the invention makes it possible to determine the state of a slave electronic component dynamically and at low cost, while limiting the number of false positives. For each slave component or each part associated with this slave component, it is possible to determine:
[0015] - either its authenticity,
[0016] - or that it is a counterfeit or, in the case of theft, a replacement part taken from another system,
[0017] - or its malfunction (i.e., a part that is not transmitting a frame or is disconnected),
[0018] - or an illegal addition to the system (override), with a view to improving the performance of the system and reselling it at a higher price (adding a radar to a vehicle, for example).
[0019]
[0014] In particular, for a motor vehicle, the implementation cost is low, because regardless of the number of slave electronic components present from one vehicle to another, there is nothing to change except a configuration at the master component level (no private / public key management, nor certificate to provision at the master component level).
[0020]
[0015] According to other advantageous features of the invention, taken individually or in combination:
[0021]
[0016] - The control step and the conclusion step are performed at each system start-up.
[0022]
[0017] - In the control step, the state of each slave electronic component is determined after a supervision period of a few tens of seconds, for example between 30 seconds and 1 minute.
[0023]
[0018] - In the control step, the authentication mechanism is a cryptographic mechanism including a key. The key can be symmetric or asymmetric.
[0024]
[0019] - In the control step, the authentication mechanism is based on an exchange of authentication data including the sending, by the slave electronic component, of at least one MAC-type authentication message to the master component.
[0020] - The presence frame sent by the slave electronic component includes a header incorporating a unique identifier, which is used to determine the legality status in the control step.
[0025]
[0021] - The method also includes a step of classifying the state of a part of the system, according to the state of the or each associated slave electronic component of the part, into one of the following categories: an authenticated part, a missing part, an undefined part, a malfunctioning part, a counterfeit part, or an illegally over-engineered part.
[0026]
[0022] - The method also includes an alert step, consisting of issuing an alert message based on the state of the or each slave electronic component associated with a part, in particular in the event of detection of at least one counterfeit part or an illicit override in the classification step.
[0027]
[0023] The system may be a vehicle, for example a car, agricultural or industrial vehicle. Alternatively, the system may be a home automation, urban, agricultural or industrial installation.
[0028]
[0024] When the system is a vehicle, in the control step, the presence frame can be chosen from among the vehicle speed, the engine temperature value, the steering wheel angle value, and the malfunction information from a sensor.
[0029]
[0025] The invention also relates to a system, comprising a master component and at least one slave electronic component, configured to implement the method described above.
[0030]
[0026] Description of the figures
[0031]
[0027] The invention will be better understood upon reading the following description, given solely by way of non-limiting example and made with reference to the accompanying drawings in which:
[0032]
[0028] [Fig. 1] is a schematic representation of a system according to the invention, configured to implement the method according to the invention.
[0033]
[0029] [Fig. 2] is a schematic representation of the method according to the invention, with its successive steps.
[0034]
[0030] [Fig. 3] is a schematic representation of the alerting stage, which may include different alerting solutions.
[0031] Detailed description of the invention
[0035]
[0032] Figure 1 shows a system (10) according to the invention, for example, of the motor vehicle type. The system (10) comprises a master electronic component (20) and slave electronic components (30), configured to exchange data with each other. For example, data exchange between the master component (20) and the slave components (30) can be carried out via the CAN bus and / or an Ethernet bus.
[0036]
[0033] The system (10) is equipped with various parts (12, 14). One objective of the invention is to determine whether the parts (12, 14) are lawful parts (12) or unlawful parts (14), in particular a counterfeit part or an unlawful override part. In the example in Figure 1, the status of the parts (12, 14) has not yet been determined, so each part bears the reference "12 / 14?" with a question mark.
[0037]
[0034] The master component (20) incorporates an inventory (21) of the lawful parts (12) intended to equip the system (10) and of the slave components (30) associated with these parts (12). The master component (20) also includes a data processing device (22), which processes, in particular, data from the slave components (30) and data from the inventory (21). The master component (20) also includes means of communication with the slave components (30), for example via a CAN-FD bus and / or an Ethernet bus.
[0038]
[0035] Each slave component (30) performs one or more specific functions in the implementation of the system (10). During normal operation of the system (10), each slave component (30) transmits data frames (T30) to the master component (20) and / or other components of the vehicle. In the context of this invention, these data frames (T30) are used in a specific manner, as detailed below.
[0039]
[0036] Figure 2 shows the method (100) according to the invention and its various steps (110, 120, 130, 140, 150). The method (100) is designed for determining the state (E30) of at least one electronic component (30) of the system (10). The method (100) is designed to address cybersecurity, counterfeiting, override, or malfunction issues.
[0037] The method (100) includes a system (110) configuration step, consisting of configuring the master component (20) and the slave components (30) connected to the master component (20).
[0040]
[0038] In practice, the invention is based in particular on an authentication mechanism between the master component (20) and the N slave components (30). The role of the master component (20) is to authenticate the slave components (30) each time the system (10) starts and to ensure that the number of slave components (30) is correct, i.e., that no component (30) has been added by the owner of the system (10) or a third party. The choice of the master component (20) is important because the invention presupposes that this component is a trusted component. Indeed, the master component (20) guarantees the verification of the authenticity of all the slave components (30). Ideally, the master component (20) is chosen such that its absence or counterfeiting would be problematic for the proper functioning of the system (10), that it is as little exposed as possible to the external interfaces of the system (10), and that it cannot be counterfeited or modified without impacting the other functions of the system (10).
[0041]
[0039] Generally speaking, an electrical and electronic (EE) architecture in a motor vehicle-type system (10) consists of three zones:
[0042] - Zone 1: includes all computers (e.g. multimedia devices) with wired connectivity interfaces, short-range or long-range, with external devices (e.g. smartphones, charging stations for electric vehicles) or other systems (e.g. backends);
[0043] - Zone 2: secures data exchanges between Zone 1 and Zone 3;
[0044] - Zone 3: contains all the control units responsible for the vehicle's critical main functions, such as braking, steering, and the powertrain, which do not have direct interfaces with the connected world.
Preferably, the master component (20) is chosen from among the components in Zone 3.
[0045]
[0040] The method (100) includes a control step (120) of the state (E30) of each slave component (30) by the master component (20). To this end, at each system (10) startup, each supervised slave component (30) initiates a data exchange allowing the master component (20) to authenticate it. In addition, the master component (20) observes the data frames (T30) transmitted by the slave component (30) to define a legality state and a functional state of that component (30).
[0041] In the control step (120), the state (E30) of each component (30) is determined after a monitoring period of a few tens of seconds, for example, between 30 seconds and 1 minute.
[0046]
[0042] As detailed below, the general state (E30) of the slave component (30) is defined according to three input states (E31, E32, E33) of this slave component (30):
[0047] - a state of legality (E31) linked to the inventory (21);
[0048] - an authenticity state (E32) linked to an authentication mechanism of the slave component (30) by the master component (20);
[0049] - a functional state (E33) linked to the observation, by the master component (20), of a specific frame transmitted by the slave component (30), called the presence frame (T33).
[0050]
[0043] To determine the authenticity state (E32), the proposed solution relies on an authentication or cryptographic signature mechanism designed to guarantee the message's authenticity, for example, a "message authentication code" or MAC, which operates with a symmetric key, or any signature mechanism operating with an asymmetric key. Each time the system (10) starts, a message exchange takes place between the master component (20) and each slave component (30). Following this exchange, the master component (20) is able to determine the authenticity state (E32) of the slave component (30).
[0051]
[0044] Subsequently, we will discuss the use of a MAC code to determine the authenticity state (E32), but the invention could be applied identically with another identification mechanism. The MAC key is a fixed, secret value, unique per vehicle, communicated to the components (20, 30) during the manufacture of the system (10) or the installation of a component (20, 30) on the system (10), and which is kept secret. The MAC message is a message obtained by the authentication mechanism from a payload and the MAC key. The content of the MAC message payload is not important. In this case, upon initialization of the system (10), each slave component (30) sends the master component (20) an authentication frame containing a MAC message. The master component (20), which knows the MAC key and the sender of the message whose identifier is in the MAC message header, can authenticate the received message. This allows the master component (20) to authenticate the slave component (30) that issued the message, that is to say to prove its identity, to ensure that the slave component (30) in question is the correct component, and that it has not been usurped within the system (10).
[0052]
[0045] However, the authenticity status information (E32) alone is insufficient to distinguish whether a part (12) is malfunctioning (e.g., disconnected part or damaged embedded network), or whether a part (14) is counterfeit or has been added illegally. Therefore, the proposed solution also relies on the analysis of presence frames (T33) of the slave components (30), and on the inventory (21) of the slave components (30) present in the system (10).
[0053]
[0046] As explained above, during their normal operation, the slave electronic components (30) onboard the vehicle regularly send data frames (T30) over the CAN bus or the Ethernet link, as part of their exchanges with the master component (20). The invention consists of observing these data frames (T30) to determine the state (E30) of the slave components (30), based on the input states (E31, E32, E33).
[0054]
[0047] In order to determine the functional state (E33), for each slave component (30), a specific frame to be observed will be identified among the data frames (T30) it sends, which will be referred to hereafter as the presence frame (T33). Preferably, this presence frame (T33) is chosen such that its absence would lead to a serious malfunction of the system (10), rendering the counterfeit ineffective for the attacker. Indeed, a counterfeit part would not be able to generate an authentication message, but could be programmed not to transmit the presence frame (T33) considered by the method, in which case the system would not consider it "counterfeit" but "absent." It could thus potentially continue to function on the vehicle. Therefore, the presence frame used to define the functional state of the slave component (30) must be chosen so that its absence has a significant enough impact on the system's operation to deter an attacker from attempting to counterfeit it. For example, when the system (10) is a vehicle, the presence frame (T33) can be chosen from among the vehicle's speed frame (without which the vehicle is generally immobilized), the engine temperature frame, the steering wheel angle frame, a sensor's operating information frame, etc., which are essential pieces of information without which the vehicle cannot function normally. A component (30) is considered functional when its presence frame (T33) is observed by the master component (20) at least once within a given time window, and non-functional otherwise.
[0055]
[0048] Finally, to determine the legality state (E31), the invention uses the inventory (21) of the slave components (30) present in the system (10). This inventory (21) is loaded during the manufacturing of the system (10) and contains the identifier of each slave component (30) of the system (10). The inventory (21) can be updated by configuration during the lifetime of the system (10) if necessary. The inventory (21) is compared to the identifiers of the slave components (30), obtained, for example, from the presence frames (T33).
[0056]
[0049] Indeed, the data frames (T30) exchanged between the different components (20, 30) systematically have a header, which incorporates a unique frame identifier, associated with the slave component (30). A component is considered "legitimate" when its identifier is listed in the inventory (21), and illicit otherwise.
[0057]
[0050] The method (100) includes a conclusion step (130) on the general state (E30) of the electronic component (30), based on the different input states (E31, E32, E33). At system (10) startup, at the end of the supervision period, which can last, for example, 30 seconds to 1 minute, the master component (20) analyzes and concludes on the state (E30) of each supervised slave component (30).
[0058]
[0051] The general state (E30) of the slave component (30) is defined as follows:
[0059] - legality state (E31): present when an identifier of the slave component (30) is listed in the inventory (21), and absent otherwise;
[0060] - authenticity state (E32): valid when the master component (20) authenticates the slave component (30) via the authentication mechanism, and invalid otherwise;
[0061] - Functional state (E33): available when the master component (20) detects at least one presence frame (T33) sent by the slave component (30), and unavailable otherwise.
[0052] The following table presents the different possible scenarios:
[0062] [Table 1]
[0063]
[0053] The two N / A states correspond to states that cannot be reached, except in the case of a configuration error of the system (10).
[0064]
[0054] The method (100) includes a classification step (140) of a part of the system (10), based on the state (E30) of the slave electronic component(s) (30) associated with the part (12, 14). Advantageously, this classification step (140) includes classifying the part (12, 14) into one of the following categories:
[0065] - an authenticated part,
[0066] - a missing part,
[0067] - an undefined part,
[0068] - a malfunctioning part,
[0069] - a counterfeit part, or
[0070] - an illegally over-engineered part.
[0071] The determination cases most likely to occur are detailed below.
[0072]
[0055] In the event that:
[0073] - the authentication mechanism of the slave component (30) was successful, and therefore the slave component (30) has a valid authentication state (E32);
[0074] - the part (12) is configured as being present in the inventory (21), and therefore the component (30) has a legality state (E31) present; and
- whatever the reception of the presence frame (T33) on the master component side (20), that is to say that the component (30) has a functional state (E33) available or unavailable;
then the state (E30) of the component (30) is said to be "authenticated", and the part is said to be "authenticated".
[0075] Indeed, the slave component (30) must be present for the authentication mechanism to succeed. To determine the state (E30), we then consider that the component (30) is available, even if a presence frame (T33) is not received.
[0076]
[0056] In the event that:
[0077] - the authentication mechanism of the slave component (30) did not succeed, and therefore the slave component has an invalid authentication state (E32);
[0078] - the presence frame (T33) was not detected for the slave component (30), despite its presence in the inventory (21), and therefore a legality state (E31) present, and a functional state (E33) unavailable for the slave component (30); then the state (E30) of the component (30) is said to be "dysfunctional", and the part (12) is said to be "dysfunctional".
[0079] This is the case, for example, if component (30) has been disconnected from the vehicle, or if a network problem prevents it from communicating with the master component (20).
[0080]
[0057] In the event that:
[0081] - the authentication mechanism of the slave component (30) did not succeed, and therefore the slave component has an invalid authentication state (E32);
[0082] - the presence frame (T33) has been detected, and therefore the functional state (E33) is available;
[0083] - the part is listed in the inventory (21), and therefore the legality status (E31) is present; then the status (E30) of the component (30) is said to be "potentially counterfeit", and the part is said to be "potentially counterfeit".
[0084] If, after N consecutive starts (with 1), the same situation occurs for this part, then the state (E30) of component (30) is said to be "counterfeit", and part (14) is said to be "counterfeit".
[0058] This mechanism for confirming the "counterfeit" state of a device helps to avoid false alarms.
[0085]
[0059] In the event that:
[0086] - the authentication mechanism of the slave component (30) did not succeed, and therefore the slave component has an invalid authentication state (E32);
[0087]
[0060] - the presence frame (T33) has been detected, and therefore the functional state (E33) of component (30) is available;
[0088] - but the part is not listed in the inventory (21), that is to say that the legality status (E31) of the component (30) is absent; then the status (E30) of the component (30) and the part (14) are said to be "unlawfully overridden".
[0089]
[0061] In the event that:
[0090] - the authentication mechanism of the slave component (30) did not succeed, and therefore the slave component has an invalid authentication state (E32);
[0091] - the presence frame (T33) was not detected, and therefore the functional state (E33) of component (30) is unavailable;
[0092] - the part is absent from the inventory (21), that is to say that the legality status (E31) of the component (30) is absent; then the status (E30) of the component (30) is said to be "absent", and the part is said to be "absent".
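The control step (120) and conclusion step (130) described above (MAC verification, presence frames, inventory lookup, and confirmation of "counterfeit" over N consecutive starts), as an added example that is not code from the patent. HMAC-SHA256, the frame layout, the `supervised` set, the identifiers, the key and N = 3 are assumptions; the state names are the ones quoted in the text, and since Table 1 is not reproduced on the page, mapping "authenticity valid, legality absent" to the N/A state is an inference.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAC_LEN = 32  # HMAC-SHA256 tag size; the MAC algorithm is an assumption


def build_auth_frame(key: bytes, component_id: int, payload: bytes = b"\x00") -> bytes:
    """Slave side: 2-byte identifier header, payload, then a MAC over both."""
    body = component_id.to_bytes(2, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def conclude_state(e31_present: bool, e32_valid: bool, e33_available: bool) -> str:
    """Conclusion step (130): general state from the three input states."""
    if e32_valid:
        # Authentication succeeded, so presence-frame reception no longer matters.
        # Valid authentication for an identifier outside the inventory is not one
        # of the described cases; it is treated here as the N/A state (inference).
        return "authenticated" if e31_present else "N/A (configuration error)"
    if e31_present:
        return "potentially counterfeit" if e33_available else "dysfunctional"
    return "unlawfully overridden" if e33_available else "absent"


@dataclass
class Master:
    mac_key: bytes           # per-vehicle secret shared with the slave components
    inventory: set           # identifiers of lawful slave components (21)
    supervised: set          # other identifiers the master knows about (assumed)
    confirm_after: int = 3   # N consecutive starts; the value is an assumption
    suspect_starts: dict = field(default_factory=dict)  # persists across starts

    def run_start(self, auth_frames, presence_ids) -> dict:
        """One supervision period: collect frames, then conclude per component."""
        authenticated = set()
        for frame in auth_frames:
            if len(frame) < 2 + MAC_LEN:
                continue  # too short to hold the header and the tag
            body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
            expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expected):  # constant-time comparison
                authenticated.add(int.from_bytes(body[:2], "big"))
        present = set(presence_ids)
        states = {}
        for cid in sorted(self.supervised | self.inventory | authenticated | present):
            state = conclude_state(cid in self.inventory, cid in authenticated,
                                   cid in present)
            if state == "potentially counterfeit":
                self.suspect_starts[cid] = self.suspect_starts.get(cid, 0) + 1
                if self.suspect_starts[cid] >= self.confirm_after:
                    state = "counterfeit"
            else:
                self.suspect_starts.pop(cid, None)  # streak broken, start over
            states[cid] = state
        return states


def demo():
    """Three identical starts on constructed data; returns the per-start states."""
    key = b"constructed-per-vehicle-mac-key!"
    master = Master(key, inventory={0x101, 0x102, 0x103}, supervised={0x200})
    auth = [
        build_auth_frame(key, 0x101),           # genuine component
        build_auth_frame(b"wrong key", 0x102),  # claims a lawful identifier, bad MAC
    ]
    presence = [0x101, 0x102, 0x300]  # 0x103 is silent, 0x300 is not in the inventory
    return [master.run_start(auth, presence) for _ in range(3)]


if __name__ == "__main__":
    for n, states in enumerate(demo(), 1):
        print(n, {hex(cid): s for cid, s in states.items()})
```

Because the page leaves the MAC payload unspecified, this sketch does not detect a recorded authentication frame being replayed on the bus; binding the payload to a per-start challenge or counter would be needed for that.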
[0093]
[0062] The method may also include an alert step (150), consisting of issuing an alert message, when a slave electronic component (30) is in a state (E30) defined in the conclusion step (130), and in particular in the event of detection of at least one counterfeit part or an illicit override part (14) in the classification step (140).
[0094]
[0063] Figure 3 illustrates the alert step (150) in the case where the system (10) is a motor vehicle. When a slave electronic component (30) and its associated part (14) are defined in the "counterfeit" or "illegal override" state, a dual alert mechanism can be activated.
[0064] The first alert mechanism (A1) consists of raising an alert (DTC or Diagnostic Trouble Code), time-stamped at the moment the counterfeit is detected, at the level of the master electronic component (20), which indicates which slave electronic component (30) has been detected as counterfeit. Thanks to this mechanism, an operator performing a review of the vehicle's error messages is able to:
[0095] - Confirm the counterfeit, for example by a visual inspection of the system (10).
[0096] - Replace the counterfeit part with an authentic part, especially in an automotive garage when the system (10) is a vehicle.
[0097] - Have evidence to protect oneself from legal proceedings or to protect the user who is a victim of counterfeiting in the event of accidents caused by this counterfeiting.
[0098]
[0065] The second alert mechanism (A2) consists of transmitting information wirelessly (OTA or Over The Air), including information concerning the system (10) (for example GPS coordinates), to a security operations management infrastructure, so as to be able to alert almost in real time of the counterfeiting and the need to diagnose the system (10) as soon as possible.
[0099]
[0066] These two alert mechanisms (A1, A2) are therefore complementary, allowing for rapid analysis and reaction on the system (10) where counterfeiting is confirmed. They can nevertheless be implemented independently of each other.
[0100]
[0067] By way of non-limiting examples, other possible reactions are as follows:
[0101] - Display an alert on the dashboard.
[0102] - Alert law enforcement by transmitting the vehicle's GPS coordinates, so that they can intervene when multiple cases of counterfeit / stolen parts are detected from the same location.
[0103] - Lock the vehicle using a remotely controlled mechanism.
[0104]
[0068] Thus, thanks to this simple and robust authentication mechanism, the vehicle manufacturer is able to obtain the information necessary to state with a high level of confidence that an electronic component (30) is counterfeit, stolen, or illegally added to the vehicle. Furthermore, the alert also allows the manufacturer to react by replacing the counterfeit part (14) or to obtain information that can protect itself from liability in the event of accidents caused by this counterfeiting.
[0069] In practice, the configuration step (110) is performed during the manufacturing of the system (10), or during a lawful modification of the system (10). Steps (120, 130, 140) are performed each time the system (10) is started. Step (150) is performed if necessary, depending on the results of steps (130, 140).
[0105]
[0070] Furthermore, the system (10) and the method (100) can be configured differently from Figures 1 to 3 without departing from the scope of the invention, which is defined by the claims. In addition, the technical features of the various embodiments and variants mentioned above can be combined, in whole or in part. Thus, the system (10) and the method (100) can be adapted in terms of cost, functionality, and performance.
Claims
1. Method (100) for determining the state (E30) of at least one electronic component (30) in a system (10), the method being characterized in that it comprises the following steps:
- a configuration step (110) of the system (10), comprising:
  o a master component (20) incorporating an inventory (21) of lawful parts (12) intended to equip the system (10); and
  o at least one slave electronic component (30) connected to the master component (20);
- a control step (120) of the state (E30) of the or each slave electronic component (30) by the master component (20), this state (E30) being defined according to three input states (E31, E32, E33) of the slave electronic component (30) considered:
  o a legality state (E31): present when the master component (20) associates the slave electronic component (30) with a legal part (12) listed in the inventory (21), and absent otherwise;
  o an authenticity state (E32): valid when the master component (20) authenticates the slave electronic component (30) via an authentication mechanism, and invalid otherwise;
  o a functional state (E33): available when the master component (20) detects a presence frame (T33) sent by the slave electronic component (30), and unavailable otherwise; and
- a conclusion step (130) on the state (E30) of the slave electronic component (30), from the legality state (E31), the authenticity state (E32) and the functional state (E33).
2. Method according to claim 1, characterized in that the control step (120) and the conclusion step (130) are carried out at each start of the system (10).
3. A method according to any one of claims 1 or 2, characterized in that in the control step (120), the state (E30) of the slave electronic component (30) is determined at the end of a supervision period of a few tens of seconds, for example between 30 seconds and 1 minute.
4. Method according to any one of claims 1 to 3, characterized in that in the control step (120), the authentication mechanism is a cryptographic mechanism including a key.
5. Method according to any one of claims 1 to 4, characterized in that in the control step (120), the authentication mechanism is based on an exchange of authentication data including the sending, by the slave electronic component (30), of at least one MAC type authentication message to the master component (20).
6. Method according to any one of claims 1 to 5, characterized in that the presence frame (T33) sent by the slave electronic component (30) has a header incorporating a unique identifier, which is used to determine the legality state (E31) in the control step (120).
7. A method according to any one of claims 1 to 6, characterized in that the method also comprises a classification step (140) of the state of a part (12, 14) of the system (10), according to the state (E30) of the or each slave electronic component (30) associated with the part (12, 14), into one of the categories: - an authenticated part, - a missing part, - an undefined part, - a malfunctioning part, - a counterfeit part, or - an illegally over-engineered part.
8. Method according to claim 7, characterized in that the method also includes an alert step (150), consisting of issuing an alert message based on the state (E30) of the or each slave electronic component (30) associated with a part, in particular in the event of detection of at least one counterfeit part or an illicit override part (14) in the classification step (140).
9. Method according to any one of claims 1 to 8, characterized in that the system (10) is a vehicle, for example automobile, agricultural or industrial.
10. Method according to any one of claims 1 to 8, characterized in that the system (10) is a home automation, urban, agricultural or industrial installation.
11. System (10), comprising a master component (20) and at least one electronic slave component (30), configured to implement the method according to any one of claims 1 to 10.