DCT
1:23-cv-01169
Sheelds Cyber Ltd v. NXP USA Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: SheeldS Cyber Ltd. (Israel)
- Defendant: NXP USA, Inc. (Delaware)
- Plaintiff’s Counsel: Skiermont Derby LLP
- Case Identification: 1:23-cv-01169, W.D. Tex., 09/26/2023
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendant has committed acts of infringement in the district and maintains regular and established places of business, including its "Oak Hill" and "Ed Bluestein" facilities in Austin.
- Core Dispute: Plaintiff alleges that Defendant’s secure CAN (Controller Area Network) transceivers infringe a patent related to protecting vehicle communication buses using timing-based rules.
- Technical Context: The technology addresses cybersecurity vulnerabilities in modern vehicles, where interconnected electronic control units (ECUs) communicate over insecure networks like the CAN bus, creating potential attack vectors for malicious actors.
- Key Procedural History: The complaint details an extensive pre-suit history, alleging that the parties discussed a potential business relationship under a non-disclosure agreement in 2015, during which Plaintiff disclosed its technology. The complaint further alleges that Defendant subsequently attempted to patent similar technology, was rejected by the USPTO over Plaintiff's prior art, and launched the accused products despite multiple notice letters from Plaintiff beginning in 2018.
Case Timeline
| Date | Event |
|---|---|
| 2012-03-29 | U.S. Provisional Application 61/617,188 filed ('088 Patent Priority Date) |
| 2015-03-26 | Parties enter into Non-Disclosure Agreement (NDA) |
| 2015-08-26 | SheeldS Cyber and NXP personnel meet to discuss technology |
| 2016-02-12 | NXP files its own patent application on secure CAN technology |
| 2018-01-31 | NXP announces development of accused secure CAN transceiver family |
| 2018-02-11 | SheeldS Cyber sends first notice letter to NXP regarding infringement |
| 2018-12-21 | SheeldS Cyber sends another letter identifying NXP's TJA115X product line |
| 2019-03-11 | SheeldS Cyber provides NXP with evidence-of-use claim charts |
| 2023-05-16 | U.S. Patent No. 11,651,088 issues |
| 2023-09-26 | Complaint filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 11,651,088 - “Protecting A Vehicle Bus Using Timing-Based Rules”
The Invention Explained
- Problem Addressed: The patent describes the increasing computerization of vehicles, where critical components like brakes and airbags are controlled by ECUs communicating over a non-secure CAN bus. This architecture creates a hacking threat, where a compromised ECU can send malicious messages, potentially causing severe damage and endangering passengers (’088 Patent, col. 2:46-61).
- The Patented Solution: The invention is a security system, described as a "communication filter/proxy," that is placed in the communication path to protect the vehicle's electronic system. This filter selectively intervenes to prevent malicious messages from reaching their destination by blocking them, changing their content, or—crucially—limiting the rate at which they can be sent by using preconfigured timing rules and buffering (’088 Patent, Abstract; col. 9:42-53). Figure 9 of the patent illustrates an embodiment where the security system (703) is integrated directly into an ECU (905), sitting between the ECU's logic (900) and the physical connection (904) to the vehicle's communication bus.
- Technical Importance: The technology provides a method for retrofitting or integrating security into existing vehicle network architectures that rely on the inherently insecure but widely adopted CAN bus standard, without requiring a complete redesign of the vehicle's electronic system (’088 Patent, col. 12:46-48).
Key Claims at a Glance
- The complaint asserts independent claim 30 (’088 Patent, col. 27:14-49; Compl. ¶31).
- The essential elements of independent claim 30 are:
- A device for exchanging messages in a vehicle over a CAN bus.
- The device comprises a non-volatile memory, a first communication interface (to a "second device"), and a second communication interface (to the communication bus), all "housed within a single package."
- The memory stores at least a first rule and a second rule, where the second rule is a "timing rule" with one or more timing values.
- The device is configured to receive a first message from the CAN bus and, based on the first rule, pass, block, or change it before sending it to the "second device."
- The device is also configured to receive a second message from the "second device" that is associated with timing information and, based on a comparison to the timing rule values, pass, block, or change it before sending it to the CAN bus.
- The device is part of, or comprises, an ECU.
- The complaint reserves the right to assert additional claims (Compl. ¶32, n.2).
III. The Accused Instrumentality
Product Identification
The complaint accuses NXP’s TJA115x family of Secure CAN Transceivers (including models TJA1152AT, TJA1152BT, and TJA1153ATK) and development platforms incorporating them (e.g., GOLDBOX, ORANGEBOX, S32G-VNP-EVB3) (Compl. ¶32).
Functionality and Market Context
- The accused products are described as secure CAN transceivers that provide security features without cryptography (Compl. ¶21). The complaint alleges these transceivers implement features called "spoofing protection" and "flooding protection" (Compl. ¶39-41). The "spoofing protection" allegedly functions via a "Bus Blocklist" to filter incoming messages, while the "flooding protection" uses a "leaky bucket" algorithm with a "configurable threshold" to prevent a local host controller from overwhelming the CAN bus (Compl. ¶39, ¶40).
- The complaint includes a screenshot from NXP's website showing the TJA1152AT available for purchase in the Americas, indicating its commercial availability in the United States (Compl. ¶42, p.18). This screenshot shows NXP and its distributors offering the accused product for sale.
IV. Analysis of Infringement Allegations
'088 Patent Infringement Allegations
| Claim Element (from Independent Claim 30) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A device for exchanging messages in a vehicle over a communication bus that ... is compatible with, a Controller Area Network (CAN) | The NXP TJA1152 is a secure CAN transceiver with a communication interface (CANH and CANL differential signals) for exchanging messages over a CAN bus. | ¶34 | col. 2:50-53 |
| a non-volatile memory configured to store first and second rules; | The TJA1152 allegedly includes a non-volatile memory for storing configuration settings such as "filter settings" and rules for blocking messages, which can be permanently locked. | ¶35 | col. 11:7-9 |
| a first communication interface for transmitting messages to, and for receiving messages from, a second device; and | The TJA1152 includes transmit (TXD) and receive (RXD) interfaces used to exchange messages with a second device, identified as a microcontroller in NXP's block diagram. | ¶36 | col. 13:27-33 |
| a second communication interface for transmitting CAN messages to, and for receiving CAN messages from, the communication bus, | The TJA1152 includes a communication interface with CANH (High) and CANL (Low) signals for exchanging messages over the CAN bus. | ¶37 | col. 13:34-40 |
| wherein the memory, the first communication interface, and the second communication interface are housed within a single package, | The TJA1152 is offered for sale as an SO8 plastic small outline package. The complaint provides a photograph of the integrated circuit package to support this allegation. (Compl. ¶38, p. 14). | ¶38 | col. 27:26-29 |
| wherein the second rule comprises a timing rule that includes one or more timing rule values, | The TJA1152's "flooding protection" feature allegedly functions as a timing rule, using a "configurable threshold" that sets a maximum number of messages or frames that can be transmitted over a certain period of time. | ¶39 | col. 18:1-12 |
| wherein the device is configured to receive, from the communication bus, a first message, and responsive to the first rule, to pass, to block, or to change and then pass, the first message to the second device via the first communication interface, | The TJA1152's "spoofing protection" allegedly includes a "Bus Blocklist" that functions as the first rule by comparing a received message's CAN identifier to a list of permitted identifiers to either pass or block the message. | ¶40 | col. 6:11-15 |
| wherein the device is configured to receive, from the second device, a second message that is associated with a timing information, and responsive to a comparison of the timing information to the timing rule values, to pass, to block, or to change and then pass, the second message to the communication bus via the second communication interface, and | NXP's "flooding protection" allegedly measures the duration of frames from the host controller, and if a "configurable threshold" is exceeded, it "invalidates the message with an active error frame," which constitutes changing and then passing the message. | ¶41 | col. 18:13-20 |
| wherein the device is part of, or comprises, an Electronic Control Unit (ECU). | The claim requires the device to be part of or comprise an ECU. The complaint's theory positions the accused transceiver as a component within a larger ECU system. | ¶31 (Claim text) | col. 13:25-27 |
Identified Points of Contention
- Technical Questions: The complaint alleges NXP's "flooding protection" feature meets the "timing rule" limitations. A central question will be whether the accused "leaky bucket" algorithm, which measures cumulative bus load against a threshold, operates in the same way as the "timing rule" described in the patent, which limits the rate of messages or sends them in "preconfigured intervals" (’088 Patent, col. 9:46-49).
- Scope Questions: Claim 30 requires a "device... housed within a single package" that includes memory and two distinct interfaces. The complaint's infringement theory identifies the TJA1152 transceiver chip as this "device." (Compl. ¶38). This raises the question of whether the components of the accused product (e.g., the transceiver chip) and its interaction with external components (e.g., the microcontroller) fall within the scope of the claimed "device" and its constituent elements as defined by the patent.
V. Key Claim Terms for Construction
The Term: "timing rule"
Context and Importance: This term is central to the inventive concept and appears in multiple limitations of the asserted claim. The infringement analysis hinges on whether NXP's "flooding protection" feature (Compl. ¶39, ¶41) constitutes a "timing rule." Practitioners may focus on this term because its construction will likely determine whether a key feature of the accused product infringes.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification describes an action of the rule as limiting "the rate that such messages can be delivered... to a predetermined value per time unit" (’088 Patent, col. 6:17-20). This language could support an interpretation that includes any mechanism that controls message frequency or bus load over time, such as the accused "leaky bucket" algorithm.
- Evidence for a Narrower Interpretation: The patent also describes the timing rule in the context of "buffering the messages and sending them only in preconfigured intervals" (’088 Patent, col. 9:47-49). This could support a narrower construction requiring a specific mechanism of timed release from a buffer, which may differ from the accused product's alleged function of invalidating a message upon exceeding a threshold.
The Term: "housed within a single package"
Context and Importance: This limitation defines the physical nature of the claimed device. The dispute may turn on whether the accused TJA1152 chip, which the complaint shows as a single integrated circuit (Compl. ¶38, p. 14), satisfies this requirement in the context of the entire claim, which also recites interfaces to a separate "second device" (the microcontroller).
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The claim language itself is relatively straightforward. The complaint's evidence of an SO8 plastic small outline package (Compl. ¶38) appears to align with a plain and ordinary meaning of the term.
- Evidence for a Narrower Interpretation: A defendant might argue that when read in light of the specification, which discusses integrating the security system "inside an existing ECU" to save on "power supply, mechanical casing, physical drivers etc." (’088 Patent, col. 13:35-39), the term implies a more complete, self-contained system than just the accused transceiver chip alone.
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement under 35 U.S.C. § 271(b), stating that NXP actively encourages infringement by providing customers with user manuals, product documentation, datasheets, application notes, and development tools that instruct them on how to implement and use the accused products in an infringing manner (Compl. ¶44-45).
- Willful Infringement: The complaint alleges willful infringement based on a long history of pre-suit knowledge. It cites a 2015 meeting under NDA, NXP's own patent prosecution history where Plaintiff's patent family was cited as prior art, and a series of notice letters and claim charts sent by Plaintiff to NXP between February 2018 and March 2019, all occurring years before the complaint was filed (Compl. ¶43, ¶48).
VII. Analyst’s Conclusion: Key Questions for the Case
The resolution of this case will likely depend on the answers to two central questions:
- A core issue will be one of technical operation: Does NXP’s "flooding protection" feature, which allegedly uses a "leaky bucket" algorithm to measure cumulative bus load, function as the "timing rule" claimed in the patent, which is described as limiting message rates and using "preconfigured intervals"? The case may turn on whether these two mechanisms are technically and legally equivalent.
- A key question will be one of claim scope and interpretation: Can the "device... housed within a single package" of Claim 30 be read to cover the accused TJA1152 transceiver chip, while the separate microcontroller it communicates with is considered the claimed "second device"? The court's construction of these structural elements will be critical to the infringement analysis.