US20200288317A1 - Security protection to prevent unauthorized use of mobile network extenders - Google Patents
- Publication number: US20200288317A1 (application US16/291,833)
- Authority: US (United States)
- Prior art keywords: extender, router, sim, host, host router
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS; H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/003
- H04W12/04031
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
- H04W12/0609
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
- H04W12/1206
- H04W12/12—Detection or prevention of fraud
- H04W12/126—Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
- H04W12/50—Secure pairing of devices
Definitions
- the present disclosure relates generally to mobile network extenders for use with host routers, and more particularly relates to security protection to prevent unauthorized use of such mobile network extenders.
- Mobile network extenders such as 4G/5G extenders, also known as Extended Input/Output (EIO) modules, may be used with host routers to provide wide area network (WAN) access to (e.g. enterprise) private networks.
- An enterprise private network may use an extender for primary or backup WAN access.
- An extender typically includes a network interface for connection to the host router and a cellular modem to provide a wireless link to a mobile network.
- the extenders are typically mounted in a relatively high location of an enterprise building, such as a rooftop.
- FIG. 1A is an illustrative representation of a communication system which includes a mobile network extender for use with a host router;
- FIG. 1B is an illustrative representation of the communication system of FIG. 1A , but where the extender has been stolen and used in an unauthorized manner;
- FIG. 1C is an illustrative representation of the communication system of FIG. 1A , where an extender of the present disclosure has been stolen but prevented from unauthorized use according to security protection techniques of the present disclosure;
- FIG. 2 is a schematic block diagram of a mobile network extender according to some implementations of the present disclosure.
- FIG. 3A is a flowchart for describing a method for use in providing security protection to prevent unauthorized use of a mobile network extender, in a standalone configuration, according to some implementations of the present disclosure.
- FIG. 3B is an operating state diagram of basic operating states of a mobile network extender in a standalone configuration according to some implementations of the present disclosure.
- FIG. 3C is a more detailed operating state diagram of operating states of a mobile network extender in a standalone configuration according to some implementations of the present disclosure.
- FIGS. 4A-4F are process flow diagrams for use in describing methods for use in providing security protection to prevent unauthorized use of a mobile network extender, in a standalone configuration, according to some implementations of the present disclosure.
- FIG. 5 is a flowchart for describing a method for use in providing security protection to prevent unauthorized use of a mobile network extender, in a cloud-based configuration, according to some implementations of the present disclosure.
- FIGS. 6A-6D are process flow diagrams for use in describing methods for use in providing security protection to prevent unauthorized use of a mobile network extender, in a cloud-based configuration, according to some implementations of the present disclosure.
- a mobile network extender may have a network interface configured to connect with a host router and a cellular modem configured to provide a wireless link for communications via a cellular mobile network.
- the cellular modem may include one or more subscriber identity module (SIM) interfaces, each of which is configured to receive a SIM.
- the extender may be used in a “standalone configuration” with the host router.
- the extender may establish a secure encrypted channel with the host router via the network interface.
- the extender may receive information from the host router over the secure encrypted channel and verify the information. This information may be extender information and/or SIM information.
- the extender may be set in a locked state in which the extender is logically locked to the host router.
- the extender may also lock a SIM connected at the SIM interface.
- the extender may also receive and store a secret session key from the host router, and permit the host router to acquire the extender for communications via the wireless link.
- the extender may permit or deny subsequent router acquisition upon router reconnection based on verifying, using the secret session key, authentication data received via the network interface.
- the extender may permit subsequent router acquisition upon router reconnection based on verifying that the authentication data matches the stored secret session key, and deny subsequent router acquisition upon router reconnection if the authentication data fails to match the stored secret session key.
- the extender may be set, by the host router, from the locked state to an unlocked state in which the extender is logically unlocked from the host router.
- the secret session key may be erased or deleted from memory.
- the extender may permit subsequent router acquisition upon router reconnection without verification of authentication data using the old, secret session key. Rather, in the unlocked state, the extender may permit subsequent router acquisition upon reconnection based again on the verification of the extender information (e.g. the extender information and/or the SIM information).
- the extender may be used in a “cloud-based configuration” with a host router.
- the extender may perform a verification procedure which includes verifying a security pass P received from a host router via the network interface against a “cross-reference” security pass P1 calculated at the extender.
- the security pass P may be calculated as a function of a device certificate of the host router, an extender security token associated with the extender, and a random number.
- the security pass P1 may also be calculated as a function of the device certificate of the host router, the extender security token associated with the extender, and the random number.
- a cloud server may generate the extender security token based on information associated with the extender and send it to the extender and the host router for calculation of the security passes.
- the extender may be set in a locked state in which the extender is logically locked to the host router.
- the extender may also lock a SIM connected at the SIM interface.
- the extender may then permit the host router to acquire the extender for communications via the wireless link.
- the extender may permit or deny subsequent router acquisition of the extender upon reconnection based on a result of again performing the verification procedure.
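The cloud-based verification procedure above, worked through as an added example (not code from the patent or any product): a cloud server derives the extender security token from extender information, the host router computes P = f(cert, token, random number), and the extender computes the cross-reference P1 and compares. The HMAC construction, the fact that the extender issues the random number as a fresh challenge, and all identifiers and certificates are assumptions or constructed values.

```python
import hashlib
import hmac
import os

# Constructed sample values; none are taken from the patent.
EXTENDER_IMEI = "356938035643809"
SIM_ICCID = "8901260123456789012"
AUTHORIZED_ROUTER_CERT = b"SUDI-CERT:authorized-host-router (constructed)"
ALTERNATE_ROUTER_CERT = b"SUDI-CERT:alternate-host-router (constructed)"
CLOUD_SERVER_SECRET = b"cloud-server-secret (constructed)"


def cloud_generate_extender_token(imei: str, iccid: str) -> bytes:
    # Cloud server: extender security token generated from information associated with
    # the extender and sent to both the extender and its host router. Keyed SHA-256 under
    # a cloud-held secret is an assumption; the patent does not fix the construction.
    return hmac.new(CLOUD_SERVER_SECRET, f"{imei}|{iccid}".encode(), hashlib.sha256).digest()


def security_pass(device_cert: bytes, extender_token: bytes, random_number: bytes) -> bytes:
    # The shared function f(device certificate, extender token, random number): the host
    # router computes P with it, the extender computes the cross-reference P1 with it.
    return hmac.new(extender_token, device_cert + random_number, hashlib.sha256).digest()


class CloudLockedExtender:
    def __init__(self, extender_token: bytes):
        self.token = extender_token          # provisioned by the cloud server
        self.locked, self.acquired, self._challenge = False, False, None

    def issue_challenge(self) -> bytes:
        # Assumption: the extender chooses the random number and hands it to the router, so
        # a security pass captured on the wire is bound to one attempt and cannot be replayed.
        self._challenge = os.urandom(16)
        return self._challenge

    def verification_procedure(self, router_cert: bytes, pass_p: bytes) -> bool:
        # Compute P1 locally for the outstanding challenge and compare it with the received P.
        if self._challenge is None:
            return False
        pass_p1 = security_pass(router_cert, self.token, self._challenge)
        self._challenge = None               # single use
        return hmac.compare_digest(pass_p, pass_p1)

    def lock_request(self, router_cert: bytes, pass_p: bytes) -> bool:
        # Lock the extender (and its SIM) to the router whose P verified, then permit acquisition.
        if self.locked or not self.verification_procedure(router_cert, pass_p):
            return False
        self.locked = self.acquired = True
        return True

    def reconnect_request(self, router_cert: bytes, pass_p: bytes) -> bool:
        # Upon reconnection the same verification procedure decides permit or deny.
        self.acquired = self.locked and self.verification_procedure(router_cert, pass_p)
        return self.acquired


class HostRouter:
    def __init__(self, device_cert: bytes, extender_token: bytes = b""):
        self.cert, self.token = device_cert, extender_token   # b"": never provisioned

    def respond(self, random_number: bytes) -> tuple:
        return self.cert, security_pass(self.cert, self.token, random_number)


def walkthrough() -> dict:
    token = cloud_generate_extender_token(EXTENDER_IMEI, SIM_ICCID)
    ext = CloudLockedExtender(token)
    authorized = HostRouter(AUTHORIZED_ROUTER_CERT, token)
    alternate = HostRouter(ALTERNATE_ROUTER_CERT)         # stolen extender's new router: no token
    locked = ext.lock_request(*authorized.respond(ext.issue_challenge()))
    alternate_denied = not ext.reconnect_request(*alternate.respond(ext.issue_challenge()))
    captured = authorized.respond(ext.issue_challenge())  # a (cert, P) pair sniffed earlier
    ext.issue_challenge()                                  # new attempt, new random number
    replay_denied = not ext.reconnect_request(*captured)
    owner_reacquired = ext.reconnect_request(*authorized.respond(ext.issue_challenge()))
    return {"locked": locked, "alternate_denied": alternate_denied,
            "replay_denied": replay_denied, "owner_reacquired": owner_reacquired}
```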
- FIG. 1A is an illustrative representation of a communication system 100 a .
- a mobile network extender 102 (“extender” 102 ) may be provided for use with a host router 104 .
- Extender 102 may have a network interface configured to connect with host router 104 and a cellular modem configured to provide communications via a wireless link 110 for communications via a mobile network 150 .
- Extender 102 may be alternatively referred to as an Extended Input/Output (EIO) module.
- extender 102 may be connected to and paired with host router 104 via a wired connection 106, which may be an Ethernet or fiber optic connection. Extender 102 may be positioned in a suitable location in a building 180, such as a rooftop 182 or other relatively high location in or on the building 180.
- the cellular modem of the extender 102 may include an antenna 208 (shown in FIG. 2 ) for the wireless communications 110 with a base station 154 (e.g. eNB or gNB) of the mobile network 150 .
- the cellular modem of the extender 102 may also include one or more subscriber identity module (SIM) interfaces each of which is used for connection with a SIM.
- Host router 104 may be connected as part of a private (enterprise) network 158 associated with an enterprise. Host router 104 may be configured to acquire the extender 102 for communications via the wireless link 110 to provide wide area network (WAN) access for the private network 158 .
- the private network 158 may utilize the extender 102 for primary WAN access or secondary (e.g. backup) WAN access.
- Mobile network 150 may include a mobile network core 152 and the one or more base stations 154 . Gateways of the mobile network 150 may provide access to other communication networks. For example, a gateway 160 of mobile network 150 may provide access to a WAN, such as the Internet 156 having one or more servers 164 and the like. A gateway 162 of mobile network 150 may provide access to enterprise private network 158 having one or more endpoints 166 (e.g. computers, tablets, smartphones, etc.) and one or more servers 168 and the like.
- extender 102 may be mounted at a location in or on a building 180 , such as the rooftop 182 (e.g. the building's exterior). Unfortunately, such exposure makes the extender 102 a likely target for theft.
- extender 102 may be connected to, paired with, and acquired by (see e.g. an acquisition link 195 ) an alternate host router 190 (e.g. of similar make and construction as authorized host router 104 ).
- the alternate host router 190 may acquire the extender 102 for communications via a wireless link to mobile network 150 to provide, in some situations, unauthorized access to the private network 158 (e.g. via an enterprise APN gateway).
- private network 158 is subject to a malware attack or the like.
- a scenario is depicted in a communication system 100 c of FIG. 1C, where an extender 202 of the present disclosure has been disconnected from a host router 204 and an attempt is made to use it in an unauthorized manner.
- extender 202 has been set in a locked state in which the extender is logically locked for (exclusive) use with host router 204 , until it has been unlocked by the same host router 204 or other authorized means.
- extender 202 may be connected to alternate host router 190 but be prevented from being acquired by the alternate host router 190 (see e.g. an acquisition link establishment prevention 197 ).
- FIG. 2 is a schematic block diagram 200 of the mobile network extender 202 according to some implementations of the present disclosure.
- the extender 202 of FIG. 2 may include one or more processors 220 , a memory 206 , and an input/output (I/O) device 214 .
- the I/O device 214 may be or include one or more user input switches and/or a visual display.
- Extender 202 may also include a network interface 216 and a cellular modem 207 with an antenna 208 .
- Network interface 216 may be configured to connect with a host router 204 via a wired connection (e.g. Ethernet or Fiber Optic).
- Cellular modem 207 may be configured to provide a wireless link for communications via a cellular mobile network.
- one or more SIM interfaces 210 may be provided, each one of which is configured to receive a SIM 212 .
- One of the SIM interfaces 210 may be an active SIM interface which is active and in use with cellular modem 207.
- FIG. 3A is a flowchart 300 a for describing a method of providing security protection to prevent unauthorized use of a mobile network extender according to some implementations of the present disclosure.
- the extender may include a network interface configured to connect with a host router and a cellular modem configured to provide a wireless link for communications via a cellular mobile network.
- the cellular modem may include one or more SIM interfaces each configured to receive a SIM.
- the extender may include one or more processors and memory coupled to the one or more processors.
- the method may be embodied as a computer program product including a non-transitory computer readable medium and instructions stored in the computer readable medium, where the instructions are executable on one or more processors of the extender for performing the steps of the method.
- the extender may be used in a “standalone configuration” with the host router.
- the extender may participate in a pairing process with a host router.
- the extender may establish a secure encrypted channel with the host router via the network interface (step 304 of FIG. 3A ).
- the extender may then participate in a locking process with the host router, which may be initiated by a locking request from the host router.
- the extender may receive information from the host router over the secure encrypted channel and verify the information (step 306 of FIG. 3A ).
- the information may be extender information and/or SIM information.
- the extender may be set in a locked state in which the extender is logically locked to the host router (step 308 a of FIG. 3A ).
- the extender may also lock the SIM via the SIM interface (step 308 b of FIG. 3A ).
- the extender may receive a secret session key from the host router and store it in memory (step 310 of FIG. 3A ), and permit the host router to acquire the extender for communications via the wireless link (step 312 of FIG. 3A ).
- the extender may permit or deny subsequent router acquisition upon reconnection based on verifying, using the stored secret session key, authentication data received via the network interface (an indication 314 of FIG. 3A ).
- the extender may permit subsequent router acquisition upon router reconnection based on verifying that the authentication data matches the stored secret session key, and deny subsequent router acquisition upon router reconnection if the authentication data fails to match the stored secret session key.
- the extender may receive, from the host router, one or more messages indicating a request for unlocking the extender.
- the extender may be set from the locked state to an unlocked state in which the extender is logically unlocked from the host router.
- the secret session key may be erased or deleted from memory.
- In the unlocked state after router disconnection, the extender may permit subsequent router acquisition upon reconnection without verification of authentication data using the old secret session key. Rather, in some implementations, in the unlocked state, the extender may permit subsequent router acquisition upon reconnection based again on the verification of the extender information and/or the SIM information.
- the information to be verified prior to locking may be or include information associated with the extender (“extender information”) and information associated with the SIM (“SIM information”).
- the extender information may be or include an International Mobile Equipment Identity (IMEI).
- the SIM information may be or include one or more of an International Mobile Subscriber Identity (IMSI), an Integrated Circuit Card ID (ICCID), and a Card Holder Verification 1 (CHV1).
- the extender may verify the information in step 306 by verifying that a received IMEI matches the IMEI of the extender.
- the extender may verify the information in step 306 by verifying that a received IMSI, ICCID, and/or CHV1 matches the IMSI, ICCID, and/or CHV1 associated with the SIM. Note that, when setting the extender in the locked state, the extender may lock the SIM using the CHV1.
- the stored secret session key may be calculated as a function of one or more data items which include a device certificate associated with the host router, the IMEI of the extender, the IMSI of the SIM, and the ICCID of the SIM.
- the pairing process may involve performing a trust establishment process in response to receiving a request for pairing from the host router.
- the extender may participate in an exchange of device certificates with the host router and establish trust based on the device certificate of the host router.
- the secure encrypted channel may be established with the host router in response to establishing trust based on the device certificate.
- the device certificates may be Secure Unique Device Identifier (SUDI) certificates.
- FIG. 3B is an operating state diagram 300 b of a mobile network extender according to some implementations of the present disclosure.
- Operating state diagram 300 b indicates a plurality of basic operating states of the extender in a standalone configuration with a host router.
- the operating states may include an unlocked state 350 and a locked state 352 .
- a transition 354 from the unlocked state 350 to the locked state 352 may be made in response to receiving a request for locking with a host router and verifying information (e.g. extender and SIM information) from the host router.
- In the locked state 352, the extender may be logically locked for (e.g. exclusive) use with the host router. Also, the SIM associated with the extender may be locked.
- the extender may or may not be physically connected to the host router (e.g. via the Ethernet connection). If the extender is connected to the host router, the extender may be in an acquired state for facilitating communications via the wireless link, where the extender is considered to be “online”; otherwise, the extender may be considered to be disconnected and “offline.”
- the host router may have the proper authentication data (e.g. the secret session key) stored in memory.
- the extender may permit or deny subsequent router acquisition upon router reconnection based on verifying, using the stored secret session key, authentication data received via the network interface (e.g. the secret session key received from the same host router).
- a transition 356 from the locked state 352 to the unlocked state 350 may be made in response to receiving a request for unlocking the extender from the host router.
- the unlocking of the extender may erase or delete the secret session key from memory.
- FIG. 3C is a more detailed operating state diagram 300 c of a mobile network extender according to some implementations of the present disclosure.
- Operating state diagram 300 c indicates a plurality of operating states 362 , 364 , 366 , and 368 of the extender for a standalone configuration with a host router. Other operating states may also exist and be realized.
- Operating state diagram 300 c may involve operating states and operation similar to those previously described in relation to FIG. 3B, which are not repeated here for conciseness.
- State 362 (“State 1”) may be an unpaired and unlocked state; state 364 (“State 2”) may be a paired and unlocked state; state 366 (“State 3”) may be a locked and online state; and state 368 (“State 4”) may be a locked and offline state.
- In state 362 (unpaired, unlocked), the extender may be unpaired and unlocked. Also, the SIM of the extender may be unlocked.
- a transition 370 from state 362 (unpaired, unlocked) to state 364 (paired, unlocked) may be made after connection with a host router, and in response to a pairing request and the establishment of trust based on a device certificate of the host router.
- State 364 (paired, unlocked) may include the maintenance of a secure encrypted channel with the host router.
- a transition 372 from state 364 (paired, unlocked) to state 366 (locked, online) may be made in response to a pairing/locking request, the verification of information (e.g. extender information and SIM information) from a host router, and extender acquisition.
- In state 366 (locked, online), the extender may be logically locked for (e.g. exclusive) use with the host router. Also, the SIM associated with the extender may be locked. Also, the extender has been acquired for use of the wireless link for WAN traffic and is “online.”
- a transition 376 from state 366 (locked, online) to state 368 (locked, offline) may be made in response to the extender and host router being disconnected from each other.
- In state 368 (locked, offline), the extender is disconnected and offline, but still logically locked to the host router.
- the host router may store the proper authentication data (e.g. the secret session key) in its memory, to be able to subsequently acquire the extender for communications via the wireless link.
- the extender may permit or deny subsequent router acquisition upon the router reconnection based on verifying, using the secret session key, authentication data received via the network interface.
- a transition 374 from state 368 (locked, offline) to state 366 (locked, online) may be made after reconnection and pairing, in response to the verification of authentication data using the stored secret session key.
- a transition 378 from state 366 (locked, online) to state 362 (unpaired, unlocked) may be made in response to the receipt of an (authorized) unpairing/unlocking request from the host router.
- the secret session key may be erased or deleted from memory.
- In state 362 (unpaired, unlocked), the extender is unpaired and unlocked from the host router. In state 362, the extender may permit subsequent router acquisition upon reconnection and re-pairing based on verification of the extender information and/or the SIM information.
- FIGS. 4A-4F are process flow diagrams for use in describing methods for use in providing security protection to prevent unauthorized use of a mobile network extender according to some implementations of the present disclosure. These process flow diagrams relate to an extender having a standalone configuration with a host router.
- the extender 202 may be in a state which includes an unpaired, unlocked state 404 .
- the extender 202 and the host router 204 may be connected to each other and powered on (step 406 of FIG. 4A ).
- Host router 204 may send to extender 202 one or more messages which indicate a request for pairing (step 408 of FIG. 4A ).
- the extender 202 and host router 204 may exchange device certificates with each other (step 410 of FIG. 4A ).
- the device certificates may be SUDI certificates.
- the extender 202 and host router 204 may establish trust with each other based on the device certificates (step 412 of FIG. 4A ).
- the extender 202 and host router 204 may establish a secure encrypted channel therebetween for communications (step 414 of FIG. 4A).
- the extender 202 may be in a state which includes a paired, unlocked state 416 .
- the extender 202 is in the state which includes the paired, unlocked state 416 .
- a computer or suitable host 402 may be used to initiate a locking request for locking the extender 202 to the host router 204 .
- host 402 may configure a command line interface (CLI), sending one or more messages to host router 204 for locking (step 418 of FIG. 4B ).
- the one or more messages may include information for the host router 204 .
- the information may be information associated with the extender 202 (“extender information”) and information associated with the SIM (“SIM information”) of the extender 202 .
- the extender information may be or include IMEI which identifies the extender 202 .
- the SIM information may be or include one or more of IMSI, ICCID, and a CHV1.
- host router 204 may send to the extender 202 , over the secure encrypted channel, one or more messages which indicate a request for locking (step 420 of FIG. 4B ).
- the one or more messages may include the information for verification (e.g. the extender and/or the SIM information).
- the extender 202 may verify the information (step 422 of FIG. 4B ).
- the extender 202 may verify the extender information, for example, that the received IMEI matches the IMEI of the extender.
- the extender may verify the SIM information, for example, that the received IMSI, ICCID, and/or CHV1 match the known IMSI, ICCID, and/or CHV1 associated with the SIM.
- the extender 202 may be set in a locked state (step 423 of FIG. 4B). In the locked state, the extender may be logically locked for (exclusive) use with the host router. In addition, the extender 202 may lock the SIM (step 424 of FIG. 4B). In step 424, the extender 202 may apply the CHV1 to lock the SIM. Thus, the SIM is now locked.
- the extender 202 may send to host router 204 one or more messages indicating a (positive) response or acknowledgement (ACK) (step 426 of FIG. 4B ). Otherwise, based on a lack of verification, the extender 202 may send one or more messages indicating a negative response or negative ACK (NACK).
- the extender 202 is in the state which includes the locked, offline state 428 .
- the host router 204 may now acquire the extender 202 for communications via the wireless link.
- host router 204 may generate a secret session key (step 430 of FIG. 4C ).
- the secret session key may be calculated as a function of one or more data items which include the device certificate (e.g. the SUDI certificate) associated with the host router, the IMEI of the extender, the IMSI of the SIM, and/or the ICCID of the SIM.
- the host router 204 may send to the extender 202 , over the secure encrypted channel, one or more messages for pushing the secret session key that was generated in step 430 (step 432 of FIG. 4C ).
- the extender 202 may store the secret session key (e.g. for future use) (step 434 of FIG. 4C ).
- the extender 202 may then send to host router 204 one or more messages which indicate a response or ACK (step 436 of FIG. 4C ).
- the host router 204 may then send to extender 202 one or more messages for acquiring the extender 202 for communicating via the wireless link (step 438 of FIG. 4C ).
- WAN traffic may be communicated (step 440 of FIG. 4C ).
- the extender 202 is now in a state which includes a locked, online state 442 .
- the extender 202 is in the state which includes the locked, online state 442 .
- the computer or host 402 may be used to initiate a request for unpairing/unlocking for unlocking the extender 202 from the host router 204 .
- host 402 may execute CLI, sending one or more messages to host router 204 to request the unlocking/unpairing (step 444 of FIG. 4D ).
- host router 204 may send to the extender 202 , over the secure encrypted channel, one or more messages which indicate a request for unpairing/unlocking (step 446 of FIG. 4D ).
- extender 202 may perform an unlocking process.
- the extender 202 may unlock the SIM (step 448 of FIG. 4D ).
- extender 202 may use the CHV1 to unlock the SIM.
- extender 202 may be set from the locked state to an unlocked state (step 450 of FIG. 4D ). If successful, the extender 202 may send to host router 204 one or more messages indicating a (positive) response or ACK (step 452 of FIG. 4D ). Otherwise, the extender 202 may send one or more messages indicating a negative response or NACK.
- Host router 402 may remove extender information of the extender 202 from its access list (step 454 of FIG. 4D ). The extender 202 is now in a state which includes the unpaired, unlocked state 404 .
- the extender 202 is in the state which includes the locked, online state 442 (as acquired in, for example, FIG. 4C ). However, the extender 202 and the host router 204 may be disconnected from each other (step 460 of FIG. 4E ). This disconnection may be, for example, an intentional disconnection, a cable fault, an extender “crash,” etc.
- the extender 202 is now in a state which includes the locked, offline state 428 . Sometime later, the connection between the extender 202 and the host router 204 is reestablished (step 464 of FIG. 4E ). A pairing process between the extender 202 and the host router 204 is performed (step 466 of FIG.
- Host router 204 may also recalculate the secret session key (step 468 of FIG. 4E ).
- the secret session key may be calculated as a function of one or more data items which include the device certificate (e.g. the SUDI certificate) associated with the host router, the IMEI of the extender, the IMSI of the SIM, and/or the ICCID of the SIM.
- the host router 204 may then send to the extender 202 , over the secure encrypted channel, one or more messages which indicate a request (step 470 of FIG. 4E ).
- the one or more messages may include the secret session key, generated in step 468 .
- the information generated and sent to the extender 202 may be more generally referred to as authentication data.
- the extender 202 may verify the authentication data (step 472 of FIG. 4E ). More particularly, the extender 202 may compare the received authentication data and the stored secret session key to identify a match.
- the extender 202 may then send to host router 204 one or more messages which indicate a positive response or ACK (step 474 of FIG. 4E ).
- the extender 202 may send one or more messages indicating a negative response or NACK.
- the host router 204 may perform an acquisition process for communicating via the wireless link (step 476 of FIG. 4E ). After acquisition, WAN traffic may be communicated (step 478 of FIG. 4E ).
- the extender 202 is now in a state which includes the locked, online state 442 .
- the extender 202 is in the state which includes the locked, online state 442 (as acquired in, for example, FIG. 4C ). However, the extender 202 and the host router 204 may be disconnected from each other (step 460 of FIG. 4F ). The extender 202 is now in a state which includes the locked, offline state 428 .
- the disconnection may be, for example, an intentional disconnection, a cable fault, an extender “crash,” etc. In this example, the disconnection is the result of a theft of the extender 202 , where the extender 202 is intentionally, physically disconnected from the host router 204 .
- a new (physical) connection 482 between the extender 202 and alternate host router 190 (e.g. of the same or similar make and construction as the previous host router 204 ) is made, and connectivity therebetween is established (step 464 of FIG. 4F ).
- a pairing process between the extender 202 and alternate host router 190 may be performed (step 486 of FIG. 4F ).
- the alternate host router 190 may send to extender 202 one or more messages which indicate a request, such as an acquisition request (step 488 of FIG. 4F ).
- to acquire the extender 202 for communications via the wireless link, alternate host router 190 would need the proper authentication data (e.g. the secret session key).
- alternate host router 190 does not have the proper authentication data (e.g. the stored secret session key).
- the extender 202 may attempt to verify (any) data received from alternate host router 190 in a comparison process (step 490 of FIG. 4F ), identify that there is no match (step 492 of FIG. 4F ), and deny the alternate host router 190 from acquiring the extender 202 for communications via the wireless link (step 494 of FIG. 4F ).
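The standalone lock, reconnect and theft sequence described above (FIG. 3A, FIGS. 4E and 4F), written out as an added Python example; this is not code from the patent. The patent says only that the secret session key is "a function of" the router's device certificate, the IMEI, the IMSI and the ICCID, so the SHA-256 construction, the string stand-ins for SUDI certificates, and the identifiers are all assumptions made here.

```python
"""Standalone configuration (FIG. 3A, FIGS. 4E-4F): lock, reconnect, theft. Added example,
not the patent's code; identifiers and the key-derivation construction are assumed here."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


def derive(*items: str) -> bytes:
    """Assumed session-key function: SHA-256 over length-prefixed items. The page only says
    the key is 'a function of' the router certificate, IMEI, IMSI and ICCID."""
    h = hashlib.sha256()
    for it in items:
        d = it.encode()
        h.update(len(d).to_bytes(4, "big") + d)   # length prefix: "ab"+"c" != "a"+"bc"
    return h.digest()


@dataclass
class Extender:
    imei: str
    imsi: str                 # SIM in the active SIM interface
    iccid: str
    chv1: str
    locked: bool = False
    sim_locked: bool = False
    online: bool = False
    session_key: Optional[bytes] = None

    def lock(self, router_cert: str, info: Dict[str, str]) -> bool:
        """Locking process (steps 306-312): verify the extender/SIM information received
        over the secure encrypted channel, lock extender and SIM, store the session key."""
        if self.locked:
            return False
        if not all(hmac.compare_digest(info.get(k, ""), getattr(self, k))
                   for k in ("imei", "imsi", "iccid", "chv1")):
            return False
        self.session_key = derive(router_cert, self.imei, self.imsi, self.iccid)
        self.locked = self.sim_locked = self.online = True
        return True

    def disconnect(self) -> None:
        self.online = False                         # locked, offline state 428

    def reconnect(self, auth_data: bytes) -> bool:
        """Steps 470-476 (FIG. 4E) and 488-494 (FIG. 4F): ACK and allow acquisition only
        if the presented authentication data matches the stored secret session key."""
        if not self.locked or self.session_key is None:
            return False
        if not hmac.compare_digest(auth_data, self.session_key):
            return False                            # NACK: acquisition denied
        self.online = True
        return True

    def unlock(self, auth_data: bytes) -> bool:
        """Unlocking: same check, then erase the key and unlock the SIM."""
        if not self.reconnect(auth_data):
            return False
        self.session_key = None
        self.locked = self.sim_locked = False
        return True


@dataclass
class HostRouter:
    cert: str                                       # stand-in for the router's SUDI certificate
    access_list: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def lock_extender(self, ext: Extender, info: Dict[str, str]) -> bool:
        """Router side of locking: send the information, remember it in the access list."""
        if not ext.lock(self.cert, info):
            return False
        self.access_list[info["imei"]] = dict(info)
        return True

    def session_key_for(self, imei: str) -> bytes:
        """Step 468 of FIG. 4E: recompute the key from the router's own certificate
        and the identifiers remembered at locking time."""
        i = self.access_list[imei]
        return derive(self.cert, i["imei"], i["imsi"], i["iccid"])


def run_scenario() -> Dict[str, bool]:
    info = {"imei": "356938035643809", "imsi": "001010123456789",
            "iccid": "8901000000000000001", "chv1": "1234"}   # constructed identifiers
    ext = Extender(**info)
    router = HostRouter(cert="SUDI:router-204")
    alt = HostRouter(cert="SUDI:router-190")
    out = {"locked": router.lock_extender(ext, info)}
    ext.disconnect()                                # cable fault or crash (FIG. 4E)
    out["reconnect_same_router"] = ext.reconnect(router.session_key_for(info["imei"]))
    ext.disconnect()                                # theft (FIG. 4F)
    # Router 190 can read the public identifiers but not the stored key or router 204's cert.
    guess = derive(alt.cert, info["imei"], info["imsi"], info["iccid"])
    out["alternate_router_denied"] = not ext.reconnect(guess)
    out["alternate_cannot_unlock"] = not ext.unlock(guess)
    out["unlocked_by_owner"] = ext.unlock(router.session_key_for(info["imei"]))
    out["relock_after_unlock"] = alt.lock_extender(ext, info)   # unlocked: info check only
    return out
```

Two points worth noting. The IMEI, IMSI and ICCID are identifiers rather than secrets, so what the alternate router lacks in this construction is the original router's certificate material and the stored key; the patent relies on the secure encrypted channel established after SUDI-based trust establishment to keep the key exchange confidential. The match is done with hmac.compare_digest so that the comparison itself does not leak timing information; the patent says only "compare ... to identify a match".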
- FIG. 5 is a flowchart 500 for describing a method of providing security protection to prevent unauthorized use of a mobile network extender according to some implementations of the present disclosure.
- the extender may include a network interface configured to connect with a host router and a cellular modem configured to provide a wireless link for communications via a cellular mobile network.
- the cellular modem may include one or more SIM interfaces each configured to receive a SIM.
- the extender may include one or more processors and memory coupled to the one or more processors.
- the method may be embodied as a computer program product including a non-transitory computer readable medium and instructions stored in the computer readable medium, where the instructions are executable on one or more processors of the extender for performing the steps of the method.
- the method of FIG. 5 involves the extender being used in a “cloud-based configuration” with the host router.
- the host router may have a primary WAN link for primary use and intend to use the extender as a backup WAN link.
- the host router may use its primary WAN link and the extender may use its wireless link with the cellular mobile network.
- the extender may perform a verification procedure in association with the host router (step 504 of FIG. 5 ).
- the verification procedure may involve the following steps.
- the extender may receive a security pass P from the host router via the network interface.
- the security pass P may be calculated as a function of the device certificate of the host router, an extender security token associated with the extender, and a router-selected random number (RAND).
- the extender may also calculate a “cross-reference” security pass P 1 as a function of the device certificate of the host router, the extender security token associated with the extender, and the RAND received from the host router.
- the extender may verify the received security pass P based on the calculated security pass P 1 . For example, the extender may positively verify that the security pass P matches the security pass P 1 .
- a cloud server may be used to generate and distribute the extender security token.
- the cloud server may implement a lightweight machine-to-machine (LWM2M) or other suitable service.
- the cloud server may generate the extender security token based on information associated with and received from the extender.
- the cloud server may generate the extender security token based on extender information, such as the IMEI and/or the SUDI of the extender.
- the cloud server may send the extender security token to both the extender and the host router.
- the cloud server may also receive the router SUDI from the host router and send the router SUDI to the extender. After this information is received, the security passes may be appropriately calculated by the host router and the extender as described earlier above.
- the extender may be set in a locked state in which the extender is logically locked to the host router (step 506 of FIG. 5 ).
- the extender may also lock a SIM connected at the SIM interface.
- the extender may then permit the host router to acquire the extender for communications via the wireless link (step 508 of FIG. 5 ).
- subsequent router acquisition of the extender upon router reconnection may be permitted or denied based on a result of again performing the verification procedure (indication 510 of FIG. 5 ).
- the extender may permit subsequent router acquisition upon router reconnection based on verifying a match between the security pass and the cross-reference security pass, and deny subsequent router acquisition upon router reconnection if the security pass fails to match the cross-reference security pass.
- the extender may be unlocked.
- the extender may again perform the verification procedure with the host router based on the security pass P. Based on verifying the received security pass, the extender may be set from the locked state to an unlocked state in which the extender is logically unlocked from the host router.
- FIGS. 6A-6D are process flow diagrams for use in describing methods for use in providing security protection to prevent unauthorized use of a mobile network extender according to some implementations of the present disclosure.
- These process flow diagrams relate to an extender having a cloud-based configuration with a host router.
- the locking and unlocking processes may be facilitated with use of one or more cloud servers (e.g. using LWM2M or other suitable cloud service).
- the cloud-based configuration may assume that the host router 204 already has a primary WAN link, which will be used to access the cloud server, and intends to use the extender 202 as a backup WAN link.
- the extender 202 may use its cellular modem to register to the mobile network 150 and to access the cloud server (step 602 of FIG. 6A ).
- the extender 202 may send to the cloud server one or more messages which include extender information.
- the extender information may include the device certificate (e.g. SUDI certificate) of extender 202 and the IMEI of the extender 202 .
- the extender information may further include the IMSI, the ICCID, and the CHV1 associated with a SIM.
- the cloud server may register and authenticate the extender 202 based on the device certificate of the extender 202 (step 603 of FIG. 6A ).
- the cloud server may calculate a security token associated with the extender (step 604 of FIG. 6A ).
- the extender security token may be calculated based on at least some of the extender information.
- the extender security token may be calculated as a function of the device certificate of the extender 202 , the IMEI, the IMSI, the ICCID, and the CHV1 (see e.g. FIG. 6D at a calculation 670 for the extender security token).
- the cloud server may send to the extender 202 one or more messages indicating a response which includes the extender security token (step 606 of FIG. 6A ).
- the extender 202 may start to regularly broadcast its IMEI (step 608 of FIG. 6A ).
- the host 402 (e.g. a computer) will receive the broadcast IMEI of the extender 202 .
- extender 202 could be connected to an ethernet switch or the like, where one or more hosts may be listening and receiving the broadcasted IMEI.
- the computer or host 402 may execute a CLI command, sending to host router 204 one or more messages which include SIM information of the SIM of the extender 202 (step 609 of FIG. 6A ).
- the SIM information may include the IMSI and the CHV1 of the SIM.
- the host router 204 may then proceed to register with the cloud server (e.g. connecting to the cloud server with its primary WAN link) (step 610 of FIG. 6A ).
- the host router 204 may register with its device certificate (e.g. SUDI certificate).
- the cloud server may register and authenticate the host router 204 based on the device certificate (step 611 of FIG. 6A ).
- the host router 204 may then send to the cloud server one or more messages indicating a request for pairing/locking with the extender 202 (step 612 of FIG. 6A ).
- the one or more messages may include information associated with the extender 202 that it desires to pair and lock with, namely, extender information and SIM information of the extender 202 .
- the extender information may include the IMEI of the extender 202 and the SIM information of the SIM may include the IMSI and the CHV1.
- the cloud server may process the request and send to host router 204 one or more messages indicating a response which includes the extender security token (step 614 of FIG. 6A ).
- the cloud server may also send to the extender 202 to be paired/locked one or more messages which include the device certificate of the host router 204 and the CHV1 of the SIM.
- the host router 204 and the extender 202 are now properly pre-configured for pairing and locking. Notably, both the host router 204 and the extender 202 have the extender security token.
- the host router 204 may send to extender 202 one or more messages which indicate a request for pairing/locking (step 617 of FIG. 6B ).
- a verification procedure which may involve the following steps between the host router 204 and the extender 202 may be performed.
- the host router 204 may calculate a security pass P (step 618 of FIG. 6B ).
- the security pass P may be calculated as a function of the device certificate of the host router 204 , the extender security token, as well as a router-selected, random number (RAND) (see e.g. FIG. 6D at a calculation 680 for the security pass P).
- the host router 204 may send to extender 202 one or more messages which include the security pass P and the RAND (step 620 of FIG. 6B ).
- the extender 202 may also calculate a “cross-reference” security pass P 1 (step 622 of FIG. 6B ).
- This security pass P 1 is also calculated as a function of the device certificate of the host router 204 , the extender security token, and the received RAND (see e.g. FIG. 6D at a calculation 682 for the cross-reference security pass P 1 ).
- the extender 202 may send to the host router 204 one or more messages which include the calculated security pass P 1 .
- the extender 202 may verify the received security pass P with the calculated security pass P 1 (step 626 of FIG. 6B ). For example, the extender 202 may verify whether the received security pass P matches the calculated security pass P 1 . If there is a match, the extender 202 will allow service and acquisition by the host router 204 (step 628 of FIG. 6B ). The extender 202 may notify the cloud server of this result (step 630 of FIG. 6B ), and also cease the regular broadcasting of its IMEI (step 632 of FIG. 6B ).
- the host router 204 may verify its received security pass P 1 with its calculated security pass P (step 634 of FIG. 6B ). For example, the host router 204 may verify whether its received security pass P 1 matches its calculated security pass P. If there is a match, the host router 204 will allow itself to acquire the extender 202 for communicating via the wireless link (step 636 of FIG. 6B ). The host router 204 will notify the cloud server of this result (step 638 of FIG. 6B ). After acquisition, WAN traffic may be communicated. The extender 202 is now in a state which includes a locked, online state 640 .
- the host router 204 may send to the cloud server one or more messages which indicate a request for unpairing/unlocking (step 642 of FIG. 6C ).
- the one or more messages may include the device certificate of the host router 204 and the security pass P.
- the cloud server may send to extender 202 one or more messages indicating a request for unpairing/unlocking (step 644 of FIG. 6C ).
- the one or more messages may include the device certificate of the host router 204 and the security pass P.
- the extender 202 may then verify the received security pass P with its own calculated security pass P 1 (step 646 of FIG. 6C ).
- the extender 202 may verify whether its received security pass P matches its calculated security pass P 1 . If there is a match, the extender 202 will notify the cloud server of this result (a response or ACK) (step 648 of FIG. 6C ), which will in turn notify the host router 204 of this result (step 650 of FIG. 6C ). In response, host router 204 may remove extender information of the extender 202 from its access list (step 651 of FIG. 6C ). Also in response to the verification, the extender 202 will perform an unlocking process. For one, the extender 202 may unlock the SIM (step 652 of FIG. 6C ). Here, extender 202 may use the CHV1 to unlock the SIM.
- extender 202 may be set from the locked state to an unlocked state (step 654 of FIG. 6C ).
- the extender 202 may begin to again regularly broadcast its IMEI for any new host router to receive (step 656 of FIG. 6C ).
- the extender 202 is now in a state which includes an unpaired, unlocked state 658 .
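The cloud-based configuration of FIG. 5 and FIGS. 6A-6D (token issuance, security pass P and cross-reference P 1 , lock, reconnection and cloud-relayed unlock), as an added Python example with both sides of each exchange; this is not code from the patent. The patent says only that the token and the passes are "a function of" their inputs, so the SHA-256 construction is assumed here, as are the string stand-ins for SUDI certificates and the identifiers. The refusal of a RAND that has already been accepted is a hardening choice added in this example; the patent does not describe it.

```python
"""Cloud-based configuration (FIG. 5, FIGS. 6A-6D). Added example, not the patent's code;
identifiers and the hash construction are assumptions made here."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from typing import Optional

def derive(*items) -> bytes:
    """Assumed: SHA-256 over length-prefixed items (the page says only 'a function of')."""
    h = hashlib.sha256()
    for it in items:
        d = it if isinstance(it, bytes) else it.encode()
        h.update(len(d).to_bytes(4, "big") + d)
    return h.digest()

@dataclass
class CloudServer:                 # LWM2M-style server issuing the extender token (calc. 670)
    extenders: dict = field(default_factory=dict)            # imei -> record

    def register_extender(self, ext_cert, imei, imsi, iccid, chv1) -> bytes:
        token = derive(ext_cert, imei, imsi, iccid, chv1)    # steps 603-606
        self.extenders[imei] = {"token": token, "imsi": imsi, "chv1": chv1}
        return token

    def pairing_request(self, imei, imsi, chv1) -> Optional[dict]:
        """Steps 612-616: release the token only to a router presenting the SIM's IMSI and CHV1."""
        rec = self.extenders.get(imei)
        if rec is None or not (hmac.compare_digest(rec["imsi"], imsi)
                               and hmac.compare_digest(rec["chv1"], chv1)):
            return None
        return rec

@dataclass
class HostRouter:
    cert: str                      # stand-in for the router's SUDI certificate
    token: bytes = b""
    p: bytes = b""

    def make_pass(self):
        """Steps 618-620: P = f(router cert, token, fresh router-selected RAND) (calc. 680)."""
        rand = secrets.token_bytes(16)
        self.p = derive(self.cert, self.token, rand)
        return self.p, rand

    def accept_p1(self, p1: Optional[bytes]) -> bool:        # step 634: P1 must echo P
        return p1 is not None and hmac.compare_digest(p1, self.p)

@dataclass
class Extender:
    imei: str
    token: bytes
    router_cert: Optional[str] = None                        # from the cloud (step 616)
    p1: Optional[bytes] = None
    locked: bool = False
    sim_locked: bool = False
    broadcasting_imei: bool = True
    seen_rands: set = field(default_factory=set)

    def verify(self, p: bytes, rand: bytes) -> Optional[bytes]:
        """Steps 622-626: cross-reference P1 (calc. 682) vs received P. Refusing an
        already-accepted RAND is added here; the page does not describe it."""
        if self.router_cert is None or rand in self.seen_rands:
            return None
        p1 = derive(self.router_cert, self.token, rand)
        if not hmac.compare_digest(p, p1):
            return None
        self.seen_rands.add(rand)
        self.p1 = p1
        return p1

    def lock_request(self, p: bytes, rand: bytes) -> Optional[bytes]:
        """Steps 617-632: on a match, lock extender and SIM and stop the IMEI broadcast."""
        p1 = self.verify(p, rand)
        if p1 is not None:
            self.locked = self.sim_locked = True
            self.broadcasting_imei = False
        return p1                                            # P1 goes back to the router

    def unlock_request(self, router_cert: str, p: bytes) -> bool:
        """Steps 644-656 (relayed by the cloud): unlock only if P matches the stored P1."""
        if not (self.locked and self.p1 and router_cert == self.router_cert
                and hmac.compare_digest(p, self.p1)):
            return False
        self.sim_locked = False                              # CHV1 unlocks the SIM (step 652)
        self.locked, self.p1, self.broadcasting_imei = False, None, True
        return True

def run_scenario() -> dict:
    imei, imsi, iccid, chv1 = "356938035643809", "001010123456789", "8901000000000000001", "1234"  # constructed
    cloud = CloudServer()
    ext = Extender(imei, cloud.register_extender("SUDI:extender-202", imei, imsi, iccid, chv1))
    router = HostRouter("SUDI:router-204")
    rec = cloud.pairing_request(imei, imsi, chv1)            # CHV1 supplied via CLI (step 609)
    router.token, ext.router_cert = rec["token"], router.cert   # steps 614 and 616
    out = {}
    p, rand = router.make_pass()
    out["locked"] = router.accept_p1(ext.lock_request(p, rand)) and ext.locked
    out["reconnect_fresh_rand"] = ext.verify(*router.make_pass()) is not None
    out["replay_denied"] = ext.verify(p, rand) is None
    alt = HostRouter("SUDI:router-190")                      # stolen extender on router 190
    out["alt_token_denied"] = cloud.pairing_request(imei, imsi, "0000") is None
    out["alt_acquisition_denied"] = ext.verify(*alt.make_pass()) is None
    out["alt_unlock_denied"] = not ext.unlock_request(alt.cert, alt.p)
    out["owner_unlock"] = ext.unlock_request(router.cert, router.p) and ext.broadcasting_imei
    return out
```

The alternate router fails at two independent points: the cloud server will not release the extender security token without the SIM's CHV1, and even a router that somehow obtained the token cannot produce a P that the extender's P 1 will match, because the extender computes P 1 with the device certificate of host router 204 that it received from the cloud at pairing time.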
- An extender of the present disclosure may be set in a locked state in which the extender is logically locked for (exclusive) use with a host router, until it has been unlocked by the same host router or other authorized means.
- unauthorized access to a private network due to theft of the extender may be prevented, further preventing cybersecurity (e.g. malware) attacks in the private network.
- a first router could be termed a second router, and a second router could be termed a first router, without changing the meaning of the description, so long as all occurrences of “the first router” are renamed consistently and all occurrences of “the second router” are renamed consistently.
- the first router and the second router are both routers, but they are not the same router.
- the term “if” may be construed to mean “when” or “upon” or “in response to determining” or “in accordance with a determination” or “in response to detecting,” that a stated condition precedent is true, depending on the context.
- the phrase “if it is determined [that a stated condition precedent is true]” or “if [a stated condition precedent is true]” or “when [a stated condition precedent is true]” may be construed to mean “upon determining” or “in response to determining” or “in accordance with a determination” or “upon detecting” or “in response to detecting” that the stated condition precedent is true, depending on the context.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
- The present disclosure relates generally to mobile network extenders for use with host routers, and more particularly relates to security protection to prevent unauthorized use of such mobile network extenders.
- Mobile network extenders, such as 4G/5G extenders, also known as Extended Input/Output (EIO) modules, may be used with host routers to provide wide area network (WAN) access to (e.g. enterprise) private networks. An enterprise private network may use an extender for primary or backup WAN access.
- An extender typically includes a network interface for connection to the host router and a cellular modem to provide a wireless link to a mobile network. For good cellular signal reception, the extenders are typically mounted in a relatively high location of a building, such as a rooftop, of the enterprise.
- Unfortunately, such exposure makes the extender a likely target for theft. In some situations, a stolen extender may provide unauthorized access to the private network, which may then be made vulnerable to a malware attack or the like.
- So that the present disclosure can be understood by those of ordinary skill in the art, a more detailed description may be had by reference to aspects of some illustrative implementations, some of which are shown in the accompanying drawings.
- FIG. 1A is an illustrative representation of a communication system which includes a mobile network extender for use with a host router;
- FIG. 1B is an illustrative representation of the communication system of FIG. 1A, but where the extender has been stolen and used in an unauthorized manner;
- FIG. 1C is an illustrative representation of the communication system of FIG. 1A, where an extender of the present disclosure has been stolen but prevented from unauthorized use according to security protection techniques of the present disclosure;
- FIG. 2 is a schematic block diagram of a mobile network extender according to some implementations of the present disclosure;
- FIG. 3A is a flowchart for describing a method for use in providing security protection to prevent unauthorized use of a mobile network extender, in a standalone configuration, according to some implementations of the present disclosure;
- FIG. 3B is an operating state diagram of basic operating states of a mobile network extender in a standalone configuration according to some implementations of the present disclosure;
- FIG. 3C is a more detailed operating state diagram of operating states of a mobile network extender in a standalone configuration according to some implementations of the present disclosure;
- FIGS. 4A-4F are process flow diagrams for use in describing methods for use in providing security protection to prevent unauthorized use of a mobile network extender, in a standalone configuration, according to some implementations of the present disclosure;
- FIG. 5 is a flowchart for describing a method for use in providing security protection to prevent unauthorized use of a mobile network extender, in a cloud-based configuration, according to some implementations of the present disclosure; and
- FIGS. 6A-6D are process flow diagrams for use in describing methods for use in providing security protection to prevent unauthorized use of a mobile network extender, in a cloud-based configuration, according to some implementations of the present disclosure.
- Numerous details are described in order to provide a thorough understanding of the example implementations shown in the drawings. However, the drawings merely show some example aspects of the present disclosure and are therefore not to be considered limiting. Those of ordinary skill in the art will appreciate that other effective aspects and/or variants do not include all of the specific details described herein. Moreover, well-known systems, methods, components, devices and circuits have not been described in exhaustive detail so as not to obscure more pertinent aspects of the example implementations described herein.
- Techniques for security protection to prevent unauthorized use of mobile network extenders are described herein.
- According to the present disclosure, a mobile network extender may have a network interface configured to connect with a host router and a cellular modem configured to provide a wireless link for communications via a cellular mobile network. The cellular modem may include one or more subscriber identity module (SIM) interfaces, each of which is configured to receive a SIM.
- In one illustrative example, the extender may be used in a “standalone configuration” with the host router. As a result of a pairing process, the extender may establish a secure encrypted channel with the host router via the network interface. As part of a locking process, the extender may receive information from the host router over the secure encrypted channel and verify the information. This information may be extender information and/or SIM information. In response to a positive verification, the extender may be set in a locked state in which the extender is logically locked to the host router. The extender may also lock a SIM connected at the SIM interface. The extender may also receive and store a secret session key from the host router, and permit the host router to acquire the extender for communications via the wireless link.
- In the locked state, the extender may permit or deny subsequent router acquisition upon router reconnection based on verifying, using the secret session key, authentication data received via the network interface. In some implementations, the extender may permit subsequent router acquisition upon router reconnection based on verifying that the authentication data matches the stored secret session key, and deny subsequent router acquisition upon router reconnection if the authentication data fails to match the stored secret session key.
- Further, the extender may be set, by the host router, from the locked state to an unlocked state in which the extender is logically unlocked from the host router. Here, the secret session key may be erased or deleted from memory. In the unlocked state, the extender may permit subsequent router acquisition upon router reconnection without verification of authentication data using the old, secret session key. Rather, in the unlocked state, the extender may permit subsequent router acquisition upon reconnection based again on the verification of the extender information (e.g. the extender information and/or the SIM information).
- In another illustrative example, the extender may be used in a “cloud-based configuration” with a host router. The extender may perform a verification procedure which includes verifying a security pass P received from a host router via the network interface with a “cross-reference” security pass P1 calculated at the extender. At the host router, the security pass P may be calculated as a function of a device certificate of the host router, an extender security token associated with the extender, and a random number. At the extender, the security pass P1 may also be calculated a function of the device certificate of the host router, the extender security token associated with the extender, and the random number. Prior to the verification procedure, a cloud server may generate the extender security token based on information associated with the extender and send it to the extender and the host router for calculation of the security passes.
- In response to a positive security pass verification, the extender may be set in a locked state in which the extender is logically locked to the host router. The extender may also lock a SIM connected at the SIM interface. The extender may then permit the host router to acquire the extender for communications via the wireless link. In the locked state, the extender may permit or deny subsequent router acquisition of the extender upon reconnection based on a result of again performing the verification procedure.
- More detailed and alternative techniques and implementations are provided herein as described below.
-
FIG. 1A is an illustrative representation of acommunication system 100 a. Incommunication system 100 a, a mobile network extender 102 (“extender” 102) may be provided for use with ahost router 104.Extender 102 may have a network interface configured to connect withhost router 104 and a cellular modem configured to provide communications via awireless link 110 for communications via amobile network 150.Extender 102 may be alternatively referred to as an Extended Input/Output (EIO) module. - As shown in
FIG. 1A ,extender 102 may be connected to and paired withhost router 104 via awired connection 106, which may be an ethernet or fiber optic connection.Extender 102 may be positioned in a suitable location in abuilding 180, such as arooftop 182 or other relatively high location in or on thebuilding 180. The cellular modem of theextender 102 may include an antenna 208 (shown inFIG. 2 ) for thewireless communications 110 with a base station 154 (e.g. eNB or gNB) of themobile network 150. The cellular modem of theextender 102 may also include one or more subscriber identity module (SIM) interfaces each of which is used for connection with a SIM. -
Host router 104 may be connected as part of a private (enterprise)network 158 associated with an enterprise.Host router 104 may be configured to acquire theextender 102 for communications via thewireless link 110 to provide wide area network (WAN) access for theprivate network 158. Theprivate network 158 may utilize theextender 102 for primary WAN access or secondary (e.g. backup) WAN access. -
Mobile network 150 may include amobile network core 152 and the one ormore base stations 154. Gateways of themobile network 150 may provide access to other communication networks. For example, agateway 160 ofmobile network 150 may provide access to a WAN, such as theInternet 156 having one ormore servers 164 and the like. Agateway 162 ofmobile network 150 may provide access to enterpriseprivate network 158 having one or more endpoints 166 (e.g. computers, tablets, smartphones, etc.) and one ormore servers 168 and the like. - As described above,
extender 102 may be mounted at a location in or on abuilding 180, such as the rooftop 182 (e.g. the building's exterior). Unfortunately, such exposure makes the extender 102 a likely target for theft. - A scenario where the
extender 102 has been stolen and used in an unauthorized manner is depicted in acommunication system 100 b ofFIG. 1B . Here,extender 102 may be connected to, paired with, and acquired by (see e.g. an acquisition link 195) an alternate host router 190 (e.g. of similar make and construction as authorized host router 104). Thealternate host router 190 may acquire theextender 102 for communications via a wireless link tomobile network 150 to provide, in some situations, unauthorized access to the private network 158 (e.g. via an enterprise APN gateway). Here, it may be possible thatprivate network 158 is subject to a malware attack or the like. - According to the present disclosure, security protection to prevent unauthorized use of extenders may be provided, in order to eliminate or at least greatly reduce the likelihood of such problems. A scenario is depicted in a
communication system 100 c ofFIG. 1C , where anextender 202 of the present disclosure has been disconnected from ahost router 204 and used in an unauthorized manner. According to the present disclosure,extender 202 has been set in a locked state in which the extender is logically locked for (exclusive) use withhost router 204, until it has been unlocked by thesame host router 204 or other authorized means. Thus,extender 202 may be connected toalternate host router 190 but be prevented from being acquired by the alternate host router 190 (see e.g. an acquisition link establishment prevention 197). Thus, unauthorized access to theprivate network 158 is prevented as access to the wireless link is prevented. -
FIG. 2 is a schematic block diagram 200 of themobile network extender 202 according to some implementations of the present disclosure. Theextender 202 ofFIG. 2 may include one ormore processors 220, amemory 206, and an input/output (I/O)device 214. The I/O device 214 may be or include one or more user input switches and/or a visual display.Extender 202 may also include anetwork interface 216 and acellular modem 207 with anantenna 208.Network interface 216 may be configured to connect with ahost router 204 via a wired connection (e.g. Ethernet or Fiber Optic).Cellular modem 207 may be configured to provide a wireless link for communications via a cellular mobile network. In addition, one ormore SIM interfaces 210 may be provided, each one of which is configured to receive aSIM 212. One of the SIM interfaces 210 may be an active SIM interface which is active and in-use withcellular modem 207. -
FIG. 3A is aflowchart 300 a for describing a method of providing security protection to prevent unauthorized use of a mobile network extender according to some implementations of the present disclosure. The extender may include a network interface configured to connect with a host router and a cellular modem configured to provide a wireless link for communications via a cellular mobile network. The cellular modem may include one or more SIM interfaces each configured to receive a SIM. The extender may include one or more processors and memory coupled to the one or more processors. The method may be embodied as a computer program product including a non-transitory computer readable medium and instructions stored in the computer readable medium, where the instructions are executable on one or more processors of the extender for performing the steps of the method. - In this illustrative example, the extender may be used in a “standalone configuration” with the host router. Beginning at a
start block 302 of FIG. 3A, the extender may participate in a pairing process with a host router. As a result of the pairing process, the extender may establish a secure encrypted channel with the host router via the network interface (step 304 of FIG. 3A). The extender may then participate in a locking process with the host router, which may be initiated by a locking request from the host router. Here, the extender may receive information from the host router over the secure encrypted channel and verify the information (step 306 of FIG. 3A). The information may be extender information and/or SIM information. In response to verifying the information, the extender may be set in a locked state in which the extender is logically locked to the host router (step 308a of FIG. 3A). The extender may also lock the SIM via the SIM interface (step 308b of FIG. 3A). The extender may receive a secret session key from the host router and store it in memory (step 310 of FIG. 3A), and permit the host router to acquire the extender for communications via the wireless link (step 312 of FIG. 3A).
- In the locked state, after router disconnection, the extender may permit or deny subsequent router acquisition upon reconnection based on verifying, using the stored secret session key, authentication data received via the network interface (indication 314 of FIG. 3A). In some implementations, the extender may permit subsequent router acquisition upon router reconnection based on verifying that the authentication data matches the stored secret session key, and deny subsequent router acquisition upon router reconnection if the authentication data fails to match the stored secret session key.
- In some implementations, the extender may receive, from the host router, one or more messages indicating a request for unlocking the extender. In response, the extender may be set from the locked state to an unlocked state in which the extender is logically unlocked from the host router. Here, the secret session key may be erased or deleted from memory. In the unlocked state, after router disconnection, the extender may permit subsequent router acquisition upon reconnection without verification of authentication data using the old secret session key. Rather, in some implementations, in the unlocked state, the extender may permit subsequent router acquisition upon reconnection based again on the verification of the extender information (e.g. the extender information and/or the SIM information).
- Again, in some implementations, the information to be verified prior to locking may be or include information associated with the extender (“extender information”) and information associated with the SIM (“SIM information”). The extender information may be or include an International Mobile Equipment Identity (IMEI). The SIM information may be or include one or more of an International Mobile Subscriber Identity (IMSI), an Integrated Circuit Card ID (ICCID), and a Card Holder Verification 1 (CHV1). Here, the extender may verify the information in step 306 by verifying that a received IMEI matches the IMEI of the extender. Also, the extender may verify the information in step 306 by verifying that a received IMSI, ICCID, and/or CHV1 matches the IMSI, ICCID, and/or CHV1 associated with the SIM. Note that, when setting the extender in the locked state, the extender may lock the SIM using the CHV1.
- In some implementations, the stored secret session key may be calculated as a function of one or more data items which include a device certificate associated with the host router, the IMEI of the extender, the IMSI of the SIM, and the ICCID of the SIM.
- In some implementations, the pairing process may involve performing a trust establishment process in response to receiving a request for pairing from the host router. Here, the extender may participate in an exchange of device certificates with the host router and establish trust based on the device certificate of the host router. The secure encrypted channel may be established with the host router in response to establishing trust based on the device certificate. Here, the device certificates may be Secure Unique Device Identifier (SUDI) certificates.
- FIG. 3B is an operating state diagram 300b of a mobile network extender according to some implementations of the present disclosure. Operating state diagram 300b indicates a plurality of basic operating states of the extender in a standalone configuration with a host router.
- The operating states may include an unlocked state 350 and a locked state 352. A transition 354 from the unlocked state 350 to the locked state 352 may be made in response to receiving a request for locking with a host router and verifying information (e.g. extender and SIM information) from the host router. In the locked state 352, the extender may be logically locked for (e.g. exclusive) use with the host router. Also, the SIM associated with the extender may be locked.
- In the locked state 352, the extender may or may not be physically connected to the host router (e.g. via the Ethernet connection). If the extender is connected to the host router, the extender may be in an acquired state for facilitating communications via the wireless link, where the extender is considered to be “online”; otherwise, the extender may be considered to be disconnected and “offline.”
- In the locked state 352, the host router may have the proper authentication data (e.g. the secret session key) stored in memory. Here, after router disconnection, the extender may permit or deny subsequent router acquisition upon router reconnection based on verifying, using the stored secret session key, authentication data received via the network interface (e.g. the secret session key received from the same host router).
- A transition 356 from the locked state 352 to the unlocked state 350 may be made in response to receiving a request for unlocking the extender from the host router. The unlocking of the extender may erase or delete the secret session key from memory.
- FIG. 3C is a more detailed operating state diagram 300c of a mobile network extender according to some implementations of the present disclosure. Operating state diagram 300c indicates a plurality of operating states; those already described in relation to FIG. 3B are not repeated here for conciseness.
- State 362 (“State 1”) may be an unpaired and unlocked state, state 364 (“State 2”) may be a paired and unlocked state, state 366 (“State 3”) may be a locked and online state, and state 368 (“State 4”) may be a locked and offline state. In state 362 (unpaired, unlocked), the extender may be unpaired and unlocked. Also, the SIM of the extender may be unlocked. A transition 370 from state 362 (unpaired, unlocked) to state 364 (paired, unlocked) may be made after connection with a host router, and in response to a pairing request and the establishment of trust based on a device certificate of the host router. State 364 (paired, unlocked) may include the maintenance of a secure encrypted channel with the host router.
- A transition 372 from state 364 (paired, unlocked) to state 366 (locked, online) may be made in response to a pairing/locking request, the verification of information (e.g. extender information and SIM information) from a host router, and extender acquisition. In state 366 (locked, online), the extender may be logically locked for (e.g. exclusive) use with the host router. Also, the SIM associated with the extender may be locked. Also, the extender has been acquired for use of the wireless link for WAN traffic and is “online.”
- A transition 376 from state 366 (locked, online) to state 368 (locked, offline) may be made in response to the extender and host router being disconnected from each other. In state 368 (locked, offline), the extender is disconnected and offline, but still logically locked to the host router. Although disconnected from the extender, the host router (e.g. and only this host router) may store the proper authentication data (e.g. the secret session key) in its memory, to be able to subsequently acquire the extender for communications via the wireless link. In state 368 (locked, offline), the extender may permit or deny subsequent router acquisition upon the router reconnection based on verifying, using the secret session key, authentication data received via the network interface. Accordingly, a transition 374 from state 368 (locked, offline) to state 366 (locked, online) may be made after reconnection and pairing, in response to the verification of authentication data using the stored secret session key.
- A transition 378 from state 366 (locked, online) to state 362 (unpaired, unlocked) may be made in response to the receipt of an (authorized) unpairing/unlocking request from the host router. Here, the secret session key may be erased or deleted from memory. In state 362 (unpaired, unlocked), the extender is unpaired and unlocked from the host router. In state 362 (unpaired, unlocked), the extender may permit subsequent router acquisition upon reconnection and re-pairing based on verification of extender information (e.g. the extender information and/or the SIM information).
- FIGS. 4A-4F are process flow diagrams for use in describing methods for use in providing security protection to prevent unauthorized use of a mobile network extender according to some implementations of the present disclosure. These process flow diagrams relate to an extender having a standalone configuration with a host router.
- Beginning with a process flow diagram 400a of FIG. 4A, the extender 202 may be in a state which includes an unpaired, unlocked state 404. The extender 202 and the host router 204 may be connected to each other and powered on (step 406 of FIG. 4A). Host router 204 may send to extender 202 one or more messages which indicate a request for pairing (step 408 of FIG. 4A). In response, the extender 202 and host router 204 may exchange device certificates with each other (step 410 of FIG. 4A). In some implementations, the device certificates may be SUDI certificates. The extender 202 and host router 204 may establish trust with each other based on the device certificates (step 412 of FIG. 4A). In response to mutually establishing trust, the extender 202 and host router 204 establish a secure encrypted channel therebetween for communications (step 414 of FIG. 4A). Now, the extender 202 may be in a state which includes a paired, unlocked state 416.
- Continuing with a process flow diagram 400b of FIG. 4B, the extender 202 is in the state which includes the paired, unlocked state 416. A computer or suitable host 402 may be used to initiate a locking request for locking the extender 202 to the host router 204. Here, host 402 may use a command line interface (CLI), sending one or more messages to host router 204 for locking (step 418 of FIG. 4B). The one or more messages may include information for the host router 204. The information may be information associated with the extender 202 (“extender information”) and information associated with the SIM (“SIM information”) of the extender 202. The extender information may be or include the IMEI which identifies the extender 202. The SIM information may be or include one or more of the IMSI, the ICCID, and the CHV1. In response, host router 204 may send to the extender 202, over the secure encrypted channel, one or more messages which indicate a request for locking (step 420 of FIG. 4B). The one or more messages may include the information for verification (e.g. the extender and/or the SIM information). In response, the extender 202 may verify the information (step 422 of FIG. 4B). In particular, the extender 202 may verify the extender information, for example, that the received IMEI matches the IMEI of the extender. Also, the extender may verify the SIM information, for example, that the received IMSI, ICCID, and/or CHV1 match the known IMSI, ICCID, and/or CHV1 associated with the SIM.
- Based on a matching of this information, the extender 202 may be set in a locked state (step 423 of FIG. 4B). In the locked state, the extender may be logically locked for (exclusive) use with the host router. In addition, the extender 202 may lock the SIM (step 424 of FIG. 4B). In step 424, the extender 202 may apply the CHV1 to lock the SIM. Thus, the SIM is now locked. When the verification is successful and completed, the extender 202 may send to host router 204 one or more messages indicating a (positive) response or acknowledgement (ACK) (step 426 of FIG. 4B). Otherwise, based on a lack of verification, the extender 202 may send one or more messages indicating a negative response or negative ACK (NACK). The extender 202 is now in a state which includes a locked, offline state 428.
- Continuing with a process flow diagram 400c of FIG. 4C, the extender 202 is in the state which includes the locked, offline state 428. The host router 204 may now acquire the extender 202 for communications via the wireless link. Prior to this occurring, host router 204 may generate a secret session key (step 430 of FIG. 4C). The secret session key may be calculated as a function of one or more data items which include the device certificate (e.g. the SUDI certificate) associated with the host router, the IMEI of the extender, the IMSI of the SIM, and/or the ICCID of the SIM. The host router 204 may send to the extender 202, over the secure encrypted channel, one or more messages for pushing the secret session key that was generated in step 430 (step 432 of FIG. 4C). In response to receiving the secret session key, the extender 202 may store the secret session key (e.g. for future use) (step 434 of FIG. 4C). The extender 202 may then send to host router 204 one or more messages which indicate a response or ACK (step 436 of FIG. 4C). The host router 204 may then send to extender 202 one or more messages for acquiring the extender 202 for communicating via the wireless link (step 438 of FIG. 4C). After acquisition, WAN traffic may be communicated (step 440 of FIG. 4C). The extender 202 is now in a state which includes a locked, online state 442.
- Continuing with a process flow diagram 400d of FIG. 4D, the extender 202 is in the state which includes the locked, online state 442. The computer or host 402 may be used to initiate a request for unpairing/unlocking for unlocking the extender 202 from the host router 204. Here, host 402 may execute CLI, sending one or more messages to host router 204 to request the unlocking/unpairing (step 444 of FIG. 4D). In response, host router 204 may send to the extender 202, over the secure encrypted channel, one or more messages which indicate a request for unpairing/unlocking (step 446 of FIG. 4D). In response, extender 202 may perform an unlocking process. For one, the extender 202 may unlock the SIM (step 448 of FIG. 4D). Here, extender 202 may use the CHV1 to unlock the SIM. Also, extender 202 may be set from the locked state to an unlocked state (step 450 of FIG. 4D). If successful, the extender 202 may send to host router 204 one or more messages indicating a (positive) response or ACK (step 452 of FIG. 4D). Otherwise, the extender 202 may send one or more messages indicating a negative response or NACK. Host router 402 may remove extender information of the extender 202 from its access list (step 454 of FIG. 4D). The extender 202 is now in a state which includes the unpaired, unlocked state 404.
- Continuing with a process flow diagram 400e of FIG. 4E, the extender 202 is in the state which includes the locked, online state 442 (as acquired in, for example, FIG. 4C). However, the extender 202 and the host router 204 may be disconnected from each other (step 460 of FIG. 4E). This disconnection may be, for example, an intentional disconnection, a cable fault, an extender “crash,” etc. The extender 202 is now in a state which includes the locked, offline state 428. Sometime later, the connection between the extender 202 and the host router 204 is reestablished (step 464 of FIG. 4E). A pairing process between the extender 202 and the host router 204 is performed (step 466 of FIG. 4E), for again establishing the secure encrypted channel. Host router 204 may also recalculate the secret session key (step 468 of FIG. 4E). Again, the secret session key may be calculated as a function of one or more data items which include the device certificate (e.g. the SUDI certificate) associated with the host router, the IMEI of the extender, the IMSI of the SIM, and/or the ICCID of the SIM.
- The host router 204 may then send to the extender 202, over the secure encrypted channel, one or more messages which indicate a request (step 470 of FIG. 4E). The one or more messages may include the secret session key generated in step 468. The information generated and sent to the extender 202 may be more generally referred to as authentication data. In response to receiving the request and associated authentication data (e.g. the secret session key), the extender 202 may verify the authentication data (step 472 of FIG. 4E). More particularly, the extender 202 may compare the received authentication data and the stored secret session key to identify a match. The extender 202 may then send to host router 204 one or more messages which indicate a positive response or ACK (step 474 of FIG. 4E). Otherwise, the extender 202 may send one or more messages indicating a negative response or NACK. The host router 204 may perform an acquisition process for communicating via the wireless link (step 476 of FIG. 4E). After acquisition, WAN traffic may be communicated (step 478 of FIG. 4E). The extender 202 is now in a state which includes the locked, online state 442.
- Continuing with a process flow diagram 400f of FIG. 4F, the extender 202 is in the state which includes the locked, online state 442 (as acquired in, for example, FIG. 4C). However, the extender 202 and the host router 204 may be disconnected from each other (step 460 of FIG. 4F). The extender 202 is now in a state which includes the locked, offline state 428. The disconnection may be, for example, an intentional disconnection, a cable fault, an extender “crash,” etc. In this example, the disconnection is the result of a theft of the extender 202, where the extender 202 is intentionally, physically disconnected from the host router 204.
- Sometime later, a new (physical) connection 482 between the extender 202 and alternate host router 190 (e.g. of the same or similar make and construction as the previous host router 204) is made, and connectivity therebetween is established (step 464 of FIG. 4F). A pairing process between the extender 202 and alternate host router 190 may be performed (step 486 of FIG. 4F). Also, the alternate host router 190 may send to extender 202 one or more messages which indicate a request, such as an acquisition request (step 488 of FIG. 4F).
- As the extender 202 is in the locked state with a different host router, alternate host router 190 would need to have the proper authentication data (e.g. the secret session key) for acquiring the extender 202 for communications via the wireless link. In this example, alternate host router 190 does not have the proper data for authentication (e.g. the stored secret key). The extender 202 may attempt to verify (any) data received from alternate host router 190 in a comparison process (step 490 of FIG. 4F), identify that there is no match (step 492 of FIG. 4F), and deny the alternate host router 190 from acquiring the extender 202 for communications via the wireless link (step 494 of FIG. 4F).
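The standalone lock, key-push, reconnection and theft flows of FIGS. 3C and 4A-4F as an added Python simulation; this is illustrative code written for this page, not code from the patent or its assignee. The key derivation (length-prefixed SHA-256 over the router certificate, IMEI, IMSI and ICCID), the rule that an unlocking request must arrive over the channel of the router the extender was locked with, and all identifiers and certificate strings are assumptions or constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def derive_session_key(router_cert: bytes, imei: str, imsi: str, iccid: str) -> bytes:
    """Router-side secret session key (steps 430, 468); length-prefixed SHA-256 is assumed."""
    h = hashlib.sha256()
    for item in (router_cert, imei.encode(), imsi.encode(), iccid.encode()):
        h.update(len(item).to_bytes(2, "big") + item)
    return h.digest()


@dataclass
class Extender:
    imei: str
    imsi: str                              # SIM information
    iccid: str
    chv1: str
    sim_locked: bool = False
    channel_cert: Optional[bytes] = None   # router certificate of the current secure channel
    locked_to: Optional[bytes] = None      # router certificate the extender was locked with
    session_key: Optional[bytes] = None    # stored at step 434, erased at unlock
    online: bool = False

    def state(self) -> str:
        """States 1-4 of FIG. 3C."""
        if self.locked_to is None:
            return "paired,unlocked" if self.channel_cert else "unpaired,unlocked"
        return "locked,online" if self.online else "locked,offline"

    def pair(self, router_cert: bytes, cert_trusted: bool) -> bool:
        """Steps 408-414: trust on the device certificate, then a secure channel."""
        if not cert_trusted:
            return False
        self.channel_cert = router_cert    # pairing alone grants no wireless link (step 486)
        return True

    def lock(self, imei: str, imsi: str, iccid: str, chv1: str) -> bool:
        """Steps 420-426: verify extender and SIM information, then lock both."""
        if self.channel_cert is None or self.locked_to is not None:
            return False
        if (imei, imsi, iccid, chv1) != (self.imei, self.imsi, self.iccid, self.chv1):
            return False                   # NACK
        self.locked_to = self.channel_cert
        self.sim_locked = True             # CHV1 applied to the SIM (step 424)
        return True

    def store_session_key(self, key: bytes) -> bool:
        """Steps 432-434: accepted once, over the channel of the locking router (assumption)."""
        if self.locked_to is None or self.channel_cert != self.locked_to or self.session_key:
            return False
        self.session_key = key
        return True

    def acquire(self, auth_data: Optional[bytes]) -> bool:
        """Steps 438, 470-476, 488-494: while locked, auth data must match the stored key."""
        if self.channel_cert is None:
            return False
        if self.locked_to is not None:
            if self.session_key is None or auth_data is None:
                return False
            if not hmac.compare_digest(auth_data, self.session_key):
                return False               # NACK: acquisition denied (step 494)
        self.online = True
        return True

    def disconnect(self) -> None:
        """Step 460: cable fault, crash or theft; lock state and stored key survive."""
        self.online = False
        self.channel_cert = None

    def unlock(self) -> bool:
        """Steps 446-452: only over the channel of the locking router (assumed meaning of 'authorized')."""
        if self.locked_to is None or self.channel_cert != self.locked_to:
            return False
        self.sim_locked = False            # CHV1 used to unlock the SIM (step 448)
        self.locked_to = self.session_key = self.channel_cert = None
        self.online = False
        return True                        # back to unpaired, unlocked state 404


def theft_scenario() -> dict:
    """FIGS. 4A-4C, then 4F (alternate router 190) and 4E (owner returns); constructed values."""
    ext = Extender("356938035643809", "310150123456789", "8901260123456789012", "1234")
    owner_cert, alt_cert = b"SUDI:router-204", b"SUDI:router-190"   # placeholder certificates
    ids = (ext.imei, ext.imsi, ext.iccid)
    out = {}
    ext.pair(owner_cert, cert_trusted=True)
    out["locked"] = ext.lock(*ids, ext.chv1)
    key = derive_session_key(owner_cert, *ids)
    ext.store_session_key(key)
    out["online"] = ext.acquire(key)
    ext.disconnect()                                                 # extender stolen
    ext.pair(alt_cert, cert_trusted=True)                            # pairing still succeeds
    out["state_when_stolen"] = ext.state()
    out["alt_acquired"] = ext.acquire(derive_session_key(alt_cert, *ids))
    out["alt_unlocked"] = ext.unlock()
    ext.disconnect()
    ext.pair(owner_cert, cert_trusted=True)
    out["owner_reacquired"] = ext.acquire(derive_session_key(owner_cert, *ids))
    out["final_state"] = ext.state()
    return out
```

Because the secret session key is computed only from the items the disclosure lists, its secrecy against an alternate router rests on that router not holding the original router's certificate; the simulation makes that dependency explicit.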
- FIG. 5 is a flowchart 500 for describing a method of providing security protection to prevent unauthorized use of a mobile network extender according to some implementations of the present disclosure. The extender may include a network interface configured to connect with a host router and a cellular modem configured to provide a wireless link for communications via a cellular mobile network. The cellular modem may include one or more SIM interfaces each configured to receive a SIM. The extender may include one or more processors and memory coupled to the one or more processors. The method may be embodied as a computer program product including a non-transitory computer readable medium and instructions stored in the computer readable medium, where the instructions are executable on one or more processors of the extender for performing the steps of the method.
- The method of FIG. 5 involves the extender being used in a “cloud-based configuration” with the host router. In the cloud-based configuration, the host router may have a primary WAN link for primary use and intend to use the extender as a backup WAN link. In order to access the cloud server, the host router may use its primary WAN link and the extender may use its wireless link with the cellular mobile network.
- Beginning at a start block 502 of FIG. 5, the extender may perform a verification procedure in association with the host router (step 504 of FIG. 5). The verification procedure may involve the following steps. For one, the extender may receive a security pass P from the host router via the network interface. At the host router, the security pass P may be calculated as a function of the device certificate of the host router, an extender security token associated with the extender, and a router-selected random number (RAND). The extender may also calculate a “cross-reference” security pass P1 as a function of the device certificate of the host router, the extender security token associated with the extender, and the RAND received from the host router. The extender may verify the received security pass P based on the calculated security pass P1. For example, the extender may positively verify that the security pass P matches the security pass P1.
- Prior to the above, a cloud server may be used to generate and distribute the extender security token. Here, the cloud server may implement a lightweight machine-to-machine (LWM2M) or other suitable service. The cloud server may generate the extender security token based on information associated with and received from the extender. In some implementations, the cloud server may generate the extender security token based on extender information, such as the IMEI and/or the SUDI of the extender. After generating the extender security token, the cloud server may send the extender security token to both the extender and the host router. The cloud server may also receive the router SUDI from the host router and send the router SUDI to the extender. After this information is received, the security passes may be appropriately calculated by the host router and the extender as described above.
- In response to a positive verification of the security pass P, the extender may be set in a locked state in which the extender is logically locked to the host router (step 506 of FIG. 5). The extender may also lock a SIM connected at the SIM interface. The extender may then permit the host router to acquire the extender for communications via the wireless link (step 508 of FIG. 5). In the locked state, subsequent router acquisition of the extender upon router reconnection may be permitted or denied based on a result of again performing the verification procedure (indication 510 of FIG. 5). Here, for example, the extender may permit subsequent router acquisition upon router reconnection based on verifying a match between the security pass and the cross-reference security pass, and deny subsequent router acquisition upon router reconnection if the security pass fails to match the cross-reference security pass.
- Subsequently, the extender may be unlocked. In response to receiving, from the host router, one or more messages indicating a request for unlocking the router, the extender may again perform the verification procedure with the host router based on the security pass P. Based on verifying the received security pass, the extender may be set from the locked state to an unlocked state in which the extender is logically unlocked from the host router.
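The cloud-based verification procedure of FIG. 5 (detailed in FIGS. 6A-6D) as an added Python model; this is illustrative code written for this page, not code from the patent. The token and security-pass functions (length-prefixed SHA-256 over the listed inputs), the reuse of the P1 kept from locking when an unlocking request arrives, the assumption that the extender takes the router certificate from the cloud rather than from the requesting router, and all identifiers and certificate strings are assumptions or constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _h(*items: bytes) -> bytes:
    """Length-prefixed SHA-256 over the items; the concrete function is an assumption."""
    h = hashlib.sha256()
    for item in items:
        h.update(len(item).to_bytes(2, "big") + item)
    return h.digest()


def extender_security_token(ext_cert: bytes, imei: str, imsi: str, iccid: str, chv1: str) -> bytes:
    """Cloud-side calculation 670 of FIG. 6D (step 604)."""
    return _h(ext_cert, imei.encode(), imsi.encode(), iccid.encode(), chv1.encode())


def security_pass(router_cert: bytes, token: bytes, rand: bytes) -> bytes:
    """Calculations 680 and 682: the same function yields P at the router and P1 at the extender."""
    return _h(router_cert, token, rand)


class HostRouter:
    def __init__(self, cert: bytes) -> None:
        self.cert = cert
        self.token: Optional[bytes] = None     # delivered by the cloud server (step 614)
        self.p: Optional[bytes] = None

    def locking_request(self) -> tuple:
        """Steps 618-620: choose RAND, compute P, send (cert, P, RAND) to the extender."""
        rand = secrets.token_bytes(16)
        self.p = security_pass(self.cert, self.token or b"no-token", rand)
        return self.cert, self.p, rand

    def verify_reply(self, p1: Optional[bytes]) -> bool:
        """Step 634: the router checks the extender's P1 against its own P before acquiring."""
        return p1 is not None and self.p is not None and hmac.compare_digest(p1, self.p)


class Extender:
    def __init__(self, cert: bytes, imei: str, imsi: str, iccid: str, chv1: str) -> None:
        self.cert, self.imei, self.imsi, self.iccid, self.chv1 = cert, imei, imsi, iccid, chv1
        self.token: Optional[bytes] = None        # delivered by the cloud server (step 606)
        self.router_cert: Optional[bytes] = None  # delivered by the cloud server (step 614)
        self.p1: Optional[bytes] = None
        self.locked = False
        self.broadcasting_imei = True             # step 608

    def locking_request(self, router_cert: bytes, p: bytes, rand: bytes) -> Optional[bytes]:
        """Steps 622-632: compute P1 from the cloud-provided router certificate, compare with
        the received P, lock and stop broadcasting on a match. Returns P1 to send back."""
        if self.token is None or router_cert != self.router_cert:
            return None
        p1 = security_pass(router_cert, self.token, rand)
        if not hmac.compare_digest(p, p1):
            return None                           # mismatch: service denied
        self.p1, self.locked, self.broadcasting_imei = p1, True, False
        return p1

    def unlocking_request(self, router_cert: bytes, p: bytes) -> bool:
        """Steps 644-656: relayed by the cloud; P must match the P1 kept from locking."""
        if not self.locked or router_cert != self.router_cert or self.p1 is None:
            return False
        if not hmac.compare_digest(p, self.p1):
            return False
        self.locked, self.broadcasting_imei, self.p1 = False, True, None
        return True


def cloud_provision(ext: Extender, router: HostRouter) -> None:
    """Steps 602-614 collapsed: the cloud authenticates both devices by certificate, computes
    the token, hands it to both, and gives the extender the router's certificate."""
    token = extender_security_token(ext.cert, ext.imei, ext.imsi, ext.iccid, ext.chv1)
    ext.token = router.token = token
    ext.router_cert = router.cert


def scenario() -> dict:
    """Constructed identifiers and placeholder certificates; returns the outcomes."""
    ext = Extender(b"SUDI:extender-202", "356938035643809", "310150123456789",
                   "8901260123456789012", "1234")
    router, alternate = HostRouter(b"SUDI:router-204"), HostRouter(b"SUDI:router-190")
    cloud_provision(ext, router)
    out = {}
    cert, p, rand = router.locking_request()                 # FIG. 6B
    p1 = ext.locking_request(cert, p, rand)
    out["extender_locked"] = ext.locked
    out["router_acquires"] = router.verify_reply(p1)         # step 636
    out["broadcasting"] = ext.broadcasting_imei
    cert, p, rand = alternate.locking_request()              # never provisioned by the cloud
    out["alternate_accepted"] = ext.locking_request(cert, p, rand) is not None
    out["alternate_unlocks"] = ext.unlocking_request(alternate.cert, p)
    out["owner_unlocks"] = ext.unlocking_request(router.cert, router.p)   # FIG. 6C
    out["broadcasting_after"] = ext.broadcasting_imei
    return out
```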
- FIGS. 6A-6D are process flow diagrams for use in describing methods for use in providing security protection to prevent unauthorized use of a mobile network extender according to some implementations of the present disclosure. These process flow diagrams relate to an extender having a cloud-based configuration with a host router. Here, the locking and unlocking processes may be facilitated with use of one or more cloud servers (e.g. using LWM2M or other suitable cloud service). The cloud-based configuration may assume that the host router 204 already has a primary WAN link, which will be used to access the cloud server, and intends to use the extender 202 as a backup WAN link.
- Beginning with a process flow diagram 600a of FIG. 6A, the extender 202 may use its cellular modem to register to the mobile network 150 and to access the cloud server (step 602 of FIG. 6A). The extender 202 may send to the cloud server one or more messages which include extender information. The extender information may include the device certificate (e.g. SUDI certificate) of extender 202 and the IMEI of the extender 202. The extender information may further include the IMSI, the ICCID, and the CHV1 associated with a SIM. The cloud server may register and authenticate the extender 202 based on the device certificate of the extender 202 (step 603 of FIG. 6A). The cloud server may calculate a security token associated with the extender (step 604 of FIG. 6A). The extender security token may be calculated based on at least some of the extender information. For example, the extender security token may be calculated as a function of the device certificate of the extender 202, the IMEI, the IMSI, the ICCID, and the CHV1 (see e.g. FIG. 6D at a calculation 670 for the extender security token).
- The cloud server may send to the extender 202 one or more messages indicating a response which includes the extender security token (step 606 of FIG. 6A). In response, the extender 202 may start to regularly broadcast its IMEI (step 608 of FIG. 6A). As the extender 202 is connected to host router 402, the host router 402 will receive the broadcasted IMEI of the extender 202. In some implementations, extender 202 could be connected to an Ethernet switch or the like, where one or more hosts may be listening and receiving the broadcasted IMEI.
- Continuing with process flow diagram 600a, the computer or host 402 may execute CLI, sending one or more messages to host router 204 which include SIM information of the SIM of the extender 202 (step 609 of FIG. 6A). The SIM information may include the IMSI and the CHV1 of the SIM. The host router 204 may then proceed to register with the cloud server (e.g. connecting to the cloud server with its primary WAN link) (step 610 of FIG. 6A). The host router 204 may register with its device certificate (e.g. SUDI certificate). The cloud server may register and authenticate the host router 204 based on the device certificate (step 611 of FIG. 6A). The host router 402 may then send to the cloud server one or more messages indicating a request for pairing/locking with the extender 202 (step 612 of FIG. 6A). The one or more messages may include information associated with the extender 202 that it desires to pair and lock with, namely, extender information and SIM information of the extender 202. The extender information may include the IMEI of the extender 202 and the SIM information of the SIM may include the IMSI and the CHV1. In response, the cloud server may process the request and send to host router 204 one or more messages indicating a response which includes the extender security token (step 614 of FIG. 6A). In addition, the cloud server may also send to the extender 202 to be paired/locked one or more messages which include the device certificate of the host router 204 and the CHV1 of the SIM.
- Now, the host router 204 and the extender 202 are properly pre-configured for pairing and locking. Notably, both the host router 204 and the extender 202 have the extender security token. Continuing at a process flow diagram 600b of FIG. 6B, the host router 204 may send to extender 202 one or more messages which indicate a request for pairing/locking (step 617 of FIG. 6B). A verification procedure which may involve the following steps between the host router 204 and the extender 202 may be performed. For one, the host router 204 may calculate a security pass P (step 618 of FIG. 6B). The security pass P may be calculated as a function of the device certificate of the host router 204, the extender security token, as well as a router-selected random number (RAND) (see e.g. FIG. 6D at a calculation 680 for the security pass P). The host router 204 may send to extender 202 one or more messages which include the security pass P and the RAND (step 620 of FIG. 6B). In response, the extender 202 may also calculate a “cross-reference” security pass P1 (step 622 of FIG. 6B). This security pass P1 is also calculated as a function of the device certificate of the host router 204, the extender security token, and the received RAND (see e.g. FIG. 6D at a calculation 682 for the cross-reference security pass P1). The extender 202 may send to the host router 204 one or more messages which include the calculated security pass P1.
- The extender 202 may verify the received security pass P with the calculated security pass P1 (step 626 of FIG. 6B). For example, the extender 202 may verify whether the received security pass P matches the calculated security pass P1. If there is a match, the extender 202 will allow service and acquisition by the host router 204 (step 628 of FIG. 6B). The extender 202 may notify the cloud server of this result (step 630 of FIG. 6B), and also cease the regular broadcasting of its IMEI (step 632 of FIG. 6B).
- In addition, the host router 204 may verify its received security pass P1 with its calculated security pass P (step 634 of FIG. 6B). For example, the host router 204 may verify whether its received security pass P1 matches its calculated security pass P. If there is a match, the host router 204 will allow itself to acquire the extender 202 for communicating via the wireless link (step 636 of FIG. 6B). The host router 204 will notify the cloud server of this result (step 638 of FIG. 6B). After acquisition, WAN traffic may be communicated. The extender 202 is now in a state which includes a locked, online state 640.
- Continuing at a process flow diagram 600c of FIG. 6C, the host router 204 may send to the cloud server one or more messages which indicate a request for unpairing/unlocking (step 642 of FIG. 6C). The one or more messages may include the device certificate of the host router 204 and the security pass P. In turn, the cloud server may send to extender 202 one or more messages indicating a request for unpairing/unlocking (step 644 of FIG. 6C). The one or more messages may include the device certificate of the host router 204 and the security pass P. The extender 202 may then verify the received security pass P with its own calculated security pass P1 (step 646 of FIG. 6C). For example, the extender 202 may verify whether its received security pass P matches its calculated security pass P1. If there is a match, the extender 202 will notify the cloud server of this result (a response or ACK) (step 648 of FIG. 6C), which will in turn notify the host router 204 of this result (step 650 of FIG. 6C). In response, host router 204 may remove extender information of the extender 202 from its access list (step 651 of FIG. 6C). Also in response to the verification, the extender 202 will perform an unlocking process. For one, the extender 202 may unlock the SIM (step 652 of FIG. 6C). Here, extender 202 may use the CHV1 to unlock the SIM. Also, extender 202 may be set from the locked state to an unlocked state (step 654 of FIG. 6C). The extender 202 may begin to again regularly broadcast its IMEI for any new host router to receive (step 656 of FIG. 6C). The extender 202 is now in a state which includes an unpaired, unlocked state 658.
- Thus, techniques for security protection to prevent unauthorized use of mobile network extenders have been described. An extender of the present disclosure may be set in a locked state in which the extender is logically locked for (exclusive) use with a host router, until it has been unlocked by the same host router or other authorized means. Advantageously, unauthorized access to a private network due to theft of the extender may be prevented, further preventing cybersecurity (e.g. malware) attacks in the private network.
- Note that, although in some implementations of the present disclosure, one or more (or all) of the components, functions, and/or techniques described in relation to the figures may be employed together for operation in a cooperative manner, each one of the components, functions, and/or techniques may indeed be employed separately and individually, to facilitate or provide one or more advantages of the present disclosure.
- While various aspects of implementations within the scope of the appended claims are described above, it should be apparent that the various features of implementations described above may be embodied in a wide variety of forms and that any specific structure and/or function described above is merely illustrative. Based on the present disclosure one skilled in the art should appreciate that an aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method may be practiced using any number of the aspects set forth herein. In addition, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to or other than one or more of the aspects set forth herein.
- It will also be understood that, although the terms “first,” “second,” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are used to distinguish one element from another. For example, a first router could be termed a second router, and similarly, a second router could be termed a first router, without changing the meaning of the description, so long as all occurrences of “the first router” are renamed consistently and all occurrences of “the second router” are renamed consistently. The first router and the second router are both routers, but they are not the same router.
- The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the claims. As used in the description of the embodiments and the appended claims, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term “and/or” as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
- As used herein, the term “if” may be construed to mean “when” or “upon” or “in response to determining” or “in accordance with a determination” or “in response to detecting” that a stated condition precedent is true, depending on the context. Similarly, the phrase “if it is determined [that a stated condition precedent is true]” or “if [a stated condition precedent is true]” or “when [a stated condition precedent is true]” may be construed to mean “upon determining” or “in response to determining” or “in accordance with a determination” or “upon detecting” or “in response to detecting” that the stated condition precedent is true, depending on the context.
Claims (21)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/291,833 US10750368B1 (en) | 2019-03-04 | 2019-03-04 | Security protection to prevent unauthorized use of mobile network extenders |
US16/884,604 US11310664B2 (en) | 2019-03-04 | 2020-05-27 | Security protection to prevent unauthorized use of mobile network extenders |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/291,833 US10750368B1 (en) | 2019-03-04 | 2019-03-04 | Security protection to prevent unauthorized use of mobile network extenders |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/884,604 Continuation US11310664B2 (en) | 2019-03-04 | 2020-05-27 | Security protection to prevent unauthorized use of mobile network extenders |
Publications (2)
Publication Number | Publication Date |
---|---|
US10750368B1 US10750368B1 (en) | 2020-08-18 |
US20200288317A1 true US20200288317A1 (en) | 2020-09-10 |
Family
ID=72045980
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/291,833 Active US10750368B1 (en) | 2019-03-04 | 2019-03-04 | Security protection to prevent unauthorized use of mobile network extenders |
US16/884,604 Active US11310664B2 (en) | 2019-03-04 | 2020-05-27 | Security protection to prevent unauthorized use of mobile network extenders |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/884,604 Active US11310664B2 (en) | 2019-03-04 | 2020-05-27 | Security protection to prevent unauthorized use of mobile network extenders |
Country Status (1)
Country | Link |
---|---|
US (2) | US10750368B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210336774A1 (en) * | 2020-04-23 | 2021-10-28 | Mark Kenneth Sullivan | System for Secure Remote Access |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7188180B2 (en) * | 1998-10-30 | 2007-03-06 | Vimetx, Inc. | Method for establishing secure communication link between computers of virtual private network |
US7813314B2 (en) * | 2005-08-02 | 2010-10-12 | Waav Inc. | Mobile router device |
ES2385838T3 (en) * | 2006-04-18 | 2012-08-01 | Research In Motion Limited | System and method to provide access to information on portable devices |
US7822209B2 (en) * | 2006-06-06 | 2010-10-26 | Red Hat, Inc. | Methods and systems for key recovery for a token |
WO2009111522A1 (en) | 2008-03-04 | 2009-09-11 | Alcatel-Lucent Usa Inc. | System and method for securing a base station using sim cards |
ES2369681B1 (en) | 2009-11-25 | 2012-10-15 | Telefónica, S.A. | REPEATER, METHOD AND SYSTEM OF PROVISION OF A SERVICE. |
US8971209B2 (en) | 2009-12-04 | 2015-03-03 | Cradlepoint, Inc. | System to configure and manage routers through wireless communication |
BR112012032371B1 (en) * | 2010-06-18 | 2020-11-10 | Akamai Technologies, Inc | EXPANSION OF A CONTENT SUPPLY NETWORK (CDN) INSIDE A MOBILE OR WIRELESS NETWORK |
US9542237B2 (en) * | 2012-09-04 | 2017-01-10 | Red Hat Israel, Ltd. | Shared locking for storage centric exclusive locks |
US9814084B2 (en) | 2014-08-07 | 2017-11-07 | Belkin International Inc. | Location and pairing of devices on a local area network using a unique identifier |
US9832173B2 (en) | 2014-12-18 | 2017-11-28 | Afero, Inc. | System and method for securely connecting network devices |
US10044674B2 (en) | 2016-01-04 | 2018-08-07 | Afero, Inc. | System and method for automatic wireless network authentication in an internet of things (IOT) system |
US10237301B2 (en) | 2016-06-16 | 2019-03-19 | Fortinet, Inc. | Management of cellular data usage during denial of service (DoS) attacks |
US9913127B1 (en) | 2016-10-26 | 2018-03-06 | Fortinet, Inc. | Provisioning and configuration of cellular modems |
2019
- 2019-03-04 US US16/291,833 patent/US10750368B1/en active Active
2020
- 2020-05-27 US US16/884,604 patent/US11310664B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
US20200322801A1 (en) | 2020-10-08 |
US10750368B1 (en) | 2020-08-18 |
US11310664B2 (en) | 2022-04-19 |
Similar Documents
Publication | Title |
---|---|
JP6457698B2 (en) | How to control access to non-vehicle wireless networks |
US11272361B2 (en) | Zero-touch onboarding in a network |
JP6632713B2 (en) | Method and apparatus for establishing a direct communication key |
EP3700124B1 (en) | Security authentication method, configuration method, and related device |
EP1864442B1 (en) | Secure switching system for networks and method for secure switching |
KR101626453B1 (en) | Group based bootstrapping in machine type communication |
CN101232372B (en) | Authentication method, authentication system and authentication device |
US8732458B2 (en) | Method, system and terminal device for realizing locking network by terminal device |
EP3086586B1 (en) | Terminal authentication method, device and system |
US11159940B2 (en) | Method for mutual authentication between user equipment and a communication network |
US20070165582A1 (en) | System and method for authenticating a wireless computing device |
WO2016077013A1 (en) | Method to authenticate peers in an infrastructure-less peer-to-peer network |
CN108023873B (en) | Channel establishing method and terminal equipment |
CN102026180A (en) | M2M transmission control method, device and system |
CN112105021B (en) | Authentication method, device and system |
CN109561413B (en) | Bluetooth authentication and authorization method and system of BLE equipment |
US20140157373A1 (en) | Authentication apparatus and method thereof, and computer program |
US11310664B2 (en) | Security protection to prevent unauthorized use of mobile network extenders |
EP3149884B1 (en) | Resource management in a cellular network |
WO2008122224A1 (en) | Method, system and base station for locking the mobile terminal copied lawlessly |
CN105873059A (en) | United identity authentication method and system for power distribution communication wireless private network |
CN103152730B (en) | Anti-DoS (Denial of Service) radio access method for universal mobile telecommunications system |
WO2012068801A1 (en) | Authentication method for mobile terminal and mobile terminal |
CN116847350A (en) | D2D communication method, terminal and medium |
KR20130062965A (en) | System and method for access authentication for wireless network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| AS | Assignment | Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DIWANE, SHIVAJI PUNDLIK;YANG, HUNGJEN SEAN;THIRUMALAIAPPAN, SUNDARA PAAL RANI;AND OTHERS;REEL/FRAME:048503/0189 Effective date: 20190228 |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |