GB2576919A - Security Device - Google Patents

Security Device

Publication number
GB2576919A
Authority
GB
United Kingdom
Prior art keywords
data package
user device
security device
timer
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1814541.7A
Other versions
GB201814541D0 (en)
Inventor
Mason Terence
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Avalon Microwave Receivers Ltd
Original Assignee
Avalon Microwave Receivers Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Avalon Microwave Receivers Ltd
Priority to GB1814541.7A
Publication of GB201814541D0
Priority to PCT/GB2019/052483 (WO2020049311A1)
Publication of GB2576919A
Legal status: Withdrawn (current)

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/81: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer by operating on the power supply, e.g. enabling or disabling power-on, sleep or resume operations
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/07: Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703: Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751: Error or fault detection not based on redundancy
    • G06F11/0754: Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0757: Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/34: User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/88: Detecting or preventing theft or loss
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04M: TELEPHONIC COMMUNICATION
    • H04M1/00: Substation equipment, e.g. for use by subscribers
    • H04M1/72: Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724: User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72448: User interfaces specially adapted for cordless or mobile telephones with means for adapting the functionality of the device according to specific conditions
    • H04M1/72463: User interfaces specially adapted for cordless or mobile telephones with means for adapting the functionality of the device according to specific conditions to restrict the functionality of the device
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12: Detection or prevention of fraud
    • H04W12/126: Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/40: Security arrangements using identity modules
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2153: Using hardware token as a secondary aspect

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Quality & Reliability (AREA)
  • Human Computer Interaction (AREA)
  • Telephone Function (AREA)

Abstract

The invention relates to a hardware security device for disabling a user device having a removable identity module, the security device comprising: a memory module configured to store a data package A associated with a stored identity of the identity module; a communications interface configured to receive a data package A1 from the user device; a trigger interface activatable to disable the user device; and a timer activatable to progress from a start time to a timeout time, progression of the timer to the timeout time causing activation of the trigger interface, wherein the security device is configured to: reset the timer in response to receipt of data package A1 from the user device; compare data package A1 with data package A; and activate the trigger interface if data package A1 is not the same as data package A. The removable identity module may be a subscriber identity module (SIM) or dongle. The timer may preferably be a watchdog timer that counts down to a timeout time: if the identity suggests that the authorized identity module is installed then the timer is reset; if the identity suggests that the authorized identity module is not installed then when the timer reaches the timeout time the user device is disabled.

Description

(54) Title of the Invention: Security Device
Abstract Title: Hardware security device for disabling a user device having a removable identity module
SECURITY DEVICE
TECHNICAL FIELD
This invention relates to a security device for permanently or reversibly disabling a user device, and in particular to such a device built in hardware and/or firmware.
BACKGROUND
This invention has been developed in the light of a rising level of crime and violence associated with the theft of high value user devices. Where such user devices have software-based electronic security this can in many cases be readily bypassed by reprogramming the device, enabling the device to be sold on to the black market.
SUMMARY OF THE INVENTION
The present invention proposes a solution whereby a security device built in hardware and/or firmware, rather than software, is built into a user device to enable the user device to be rendered unusable once out of the hands of the legal owner.
Key to the invention is the concept of using an identity associated with a removable identity module such as a subscriber identity module (SIM) or dongle to determine whether or not an authorised identity module is installed and, if not, to act to disable the user device. A timer counts down to a timeout time: if the identity suggests that the authorised identity module is installed then the timer is reset; if the identity suggests that the authorised identity module is not installed then when the timer reaches the timeout time the user device is disabled.
In a first aspect, the present invention provides a hardware security device for disabling a user device having a removable identity module, the security device comprising:
a memory module configured to store a data package A associated with a stored identity of the identity module;
a communications interface configured to receive a data package A1 from the user device;
a trigger interface activatable to disable the user device; and
a timer activatable to progress from a start time to a timeout time, progression of the timer to the timeout time causing activation of the trigger interface,
wherein the security device is configured to:
reset the timer in response to receipt of data package A1 from the user device;
compare data package A1 with data package A; and
activate the trigger interface if data package A1 is not the same as data package A.
In this way, the user device is disabled if the authorised identity module (associated with data package A) is not installed in the user device, and is therefore unable to provide data package A1 corresponding to data package A.
Thus, if the user device is stolen and a third party attempts to modify an identity of the user device by removing and replacing the identity module, then the security device will activate the trigger to start the process of disabling the user device. For example, in the case of a mobile phone if a third party removes the authorised SIM card (having an identity associated with data package A) then the security device will activate the trigger to start the process of disabling the user device.
In preferred embodiments the timer comprises a watchdog timer. A watchdog timer is a timer that counts down until it times out, unless it is reset before that point.
The security device is preferably configured to de-activate the trigger interface in response to a user input. That is, once the trigger interface has been activated in response to data package A1 not being identical to data package A, then de-activation is preferably possible by means of a correct user input. Such a user input may be provided as follows.
The memory module is preferably configured to store a data package B representative of a stored user input associated with the user device, the communications interface is preferably configured to receive a data package B1 from the user device in response to the user input, and the security device is preferably configured to compare data package B1 with data package B, and to de-activate the trigger interface if data package B1 is the same as data package B.
Data package B may correspond to any user input, such as a keyboard input of a personal identification number (PIN) or password, a screen input such as an unlock pattern, an image input such as an iris or fingerprint scan, or a sound input such as a voice input, for example.
When the identity module is first installed in the user device the user may be asked to provide the user input to generate data package B. If a replacement identity module is installed then the user may be asked to provide a user input to thereby generate data package B1 that matches data package B. This arrangement enables the identity module to be changed by an authorised user with knowledge of the correct user input.
In preferred embodiments the security device comprises a second timer activatable to progress from a start time to a timeout time, progression of the second timer to the timeout time causing disablement of the user device, activation of the trigger interface causing activation of the second timer, and de-activation of the trigger interface causing the timer to reset.
In this way, a user is given an opportunity to reset the trigger interface before the second timer progresses to the timeout time. In particularly preferred embodiments the trigger interface is de-activated by way of the user input described herein.
In preferred embodiments, the memory module is configured to store two or more copies of data package A.
Similarly, the memory module is preferably configured to store two or more copies of data package B.
The security device preferably consists of firmware and/or hardware. That is, the security device preferably comprises no software.
Firmware in the present application comprises a set of instructions (algorithm, script, program, code, etc.) programmed on (embedded in) the security device, for example in read-only (non-volatile) memory of the security device. That is, firmware comprises a set of instructions specifically designed for a piece of hardware, i.e. in the present application, for the security device. Firmware is permanent or semi-permanent, in the sense that it may or may not be updated, and is tied directly to the hardware. Preferably, firmware is held in a non-volatile memory device such as ROM, EPROM, or flash memory.
By contrast, software comprises a set of instructions (algorithm, script, program, code, etc.) that are not programmed on (embedded in) a hardware device, but instead are operable to be run on, or by, a device such as the user device which the security device is operable to disable. Software is generally used to refer to programs that are designed to be updated often, and to operate at a level above the hardware and firmware. Firmware is sometimes referred to in the art as a particular type of software, but we do not adopt this definition herein. Software is generally held in volatile memory.
In the context of the present invention, the user device will use a great deal of software, including its operating system, e.g. Android™, and the user applications (apps) which come with the user device or are added by the user. Any of this software may become corrupted due to errors induced during normal loading or transfer of the software between storage memory and operating (volatile) memory. The software may also be altered by malicious intent, viruses etc. to cause the user device to perform in ways detrimental to the user.
In contrast, the firmware program of the security device is preferably held in non-volatile memory, so cannot be accessed and corrupted.
The memory module preferably comprises an erasable programmable read-only memory (EPROM).
The security device preferably comprises one or more electronic integrated circuits. The security device may comprise a pre-programmed integrated circuit, for example a pre-programmed microprocessor, or a custom integrated circuit such as an application-specific integrated circuit.
In alternative embodiments the security device may comprise a programmable logic device such as a programmable gate array, the timer being built within the programmable logic device. The programmable logic device may be provided on a microprocessor.
The security device preferably comprises a state machine configured to control the security device. In preferred embodiments the state machine is configured to control the one or more electronic integrated circuits or programmable logic device.
The security device is preferably configured to perform an initialisation sequence on first power up of the user device, the initialisation sequence comprising receiving data package A and storing data package A to the memory module.
In embodiments in which the trigger interface can be de-activated by a user input, the initialisation sequence further comprises receiving data package B and storing data package B to the memory module.
A second aspect of the invention provides a method of disabling a user device having a removable identity module using a security device according to the first aspect, the method including the steps of:
receiving, at the security device, data package A1 from the user device;
resetting the timer in response to receipt of data package A1;
comparing data package A1 with data package A; and
if data package A1 is not the same as data package A, activating the trigger interface to disable the user device.
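The behaviour set out in the first and second aspects (watchdog reset on receipt of A1, comparison with A, second timer, de-activation by B1, one-time initialisation) can be modelled as a small state machine. This is an added C sketch, not code from the patent; all names are hypothetical, and the package length, tick counts, constant-time comparison and enrolment of a replacement identity after a correct B1 are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKG_LEN       16  /* assumed fixed length of a data package */
#define WDT_TIMEOUT    5  /* assumed watchdog timeout, in ticks */
#define GRACE_TIMEOUT  3  /* assumed second-timer timeout, in ticks */

typedef enum { ST_UNINIT, ST_ARMED, ST_TRIGGERED, ST_DISABLED } sd_state;

typedef struct {
    sd_state state;
    uint8_t  pkg_a[PKG_LEN];    /* data package A: stored identity */
    uint8_t  pkg_b[PKG_LEN];    /* data package B: stored user input */
    uint8_t  pending[PKG_LEN];  /* last A1 that failed the comparison */
    bool     has_pending;
    unsigned wdt;               /* watchdog: ticks since last A1 */
    unsigned grace;             /* second timer: ticks since trigger */
} sec_dev;

/* Compare without an early exit so timing does not reveal the first
 * differing byte (hardening added here, not described on the page). */
static bool pkg_equal(const uint8_t *x, const uint8_t *y)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < PKG_LEN; i++)
        diff |= (uint8_t)(x[i] ^ y[i]);
    return diff == 0;
}

static void activate_trigger(sec_dev *d)
{
    d->state = ST_TRIGGERED;
    d->grace = 0;               /* activation starts the second timer */
}

/* Initialisation sequence: accepted once, on first power-up. */
bool sd_init(sec_dev *d, const uint8_t *a, const uint8_t *b)
{
    if (d->state != ST_UNINIT)
        return false;
    memcpy(d->pkg_a, a, PKG_LEN);
    memcpy(d->pkg_b, b, PKG_LEN);
    d->has_pending = false;
    d->wdt = d->grace = 0;
    d->state = ST_ARMED;
    return true;
}

/* Receipt of A1: reset the watchdog, then compare with A. */
sd_state sd_receive_a1(sec_dev *d, const uint8_t *a1)
{
    if (d->state != ST_ARMED)
        return d->state;
    d->wdt = 0;
    if (!pkg_equal(a1, d->pkg_a)) {
        memcpy(d->pending, a1, PKG_LEN);
        d->has_pending = true;
        activate_trigger(d);
    }
    return d->state;
}

/* Receipt of B1: de-activate the trigger only if it equals B. */
bool sd_receive_b1(sec_dev *d, const uint8_t *b1)
{
    if (d->state != ST_TRIGGERED || !pkg_equal(b1, d->pkg_b))
        return false;
    if (d->has_pending)         /* assumption: enrol the replacement module */
        memcpy(d->pkg_a, d->pending, PKG_LEN);
    d->has_pending = false;
    d->wdt = d->grace = 0;      /* de-activation resets the timers */
    d->state = ST_ARMED;
    return true;
}

/* One timer tick, driven by a clock the host software cannot stop. */
sd_state sd_tick(sec_dev *d)
{
    if (d->state == ST_ARMED && ++d->wdt >= WDT_TIMEOUT)
        activate_trigger(d);    /* no A1 arrived in time */
    else if (d->state == ST_TRIGGERED && ++d->grace >= GRACE_TIMEOUT)
        d->state = ST_DISABLED; /* latched: trigger driver is asserted */
    return d->state;
}

int main(void)
{
    /* Constructed sample packages, not real identifiers. */
    const uint8_t a[PKG_LEN] = {0x11}, swapped[PKG_LEN] = {0x22}, pin[PKG_LEN] = {0x33};
    sec_dev d = {0};
    sd_init(&d, a, pin);
    printf("swapped module -> state %d\n", sd_receive_a1(&d, swapped));
    printf("correct B1     -> %d\n", sd_receive_b1(&d, pin));
    for (int i = 0; i < WDT_TIMEOUT + GRACE_TIMEOUT; i++) sd_tick(&d);
    printf("silent host    -> state %d\n", d.state);
    return 0;
}
```

The watchdog path matters as much as the comparison: a host that simply stops sending A1 still reaches the triggered state, so suppressing the heartbeat in software does not keep the device armed.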
A third aspect of the invention provides a security apparatus comprising a security device according to the first aspect, and a user device comprising a removable identity module, the apparatus comprising a communications link between a processor of the user device and the security device, and a trigger module configured to disable the user device in response to activation of the trigger interface.
The trigger module preferably comprises one or more of: a control path to disrupt a power supply to one or more components of the user device; and a control path to provide a destructive voltage to one or more components of the user device.
The power supply may be disrupted by, for example, opening a switch or blowing a fuse in a power supply line between the user device and the one or more components. The destructive voltage may comprise, for example, a sufficiently high voltage to permanently destroy the one or more components, a negative voltage, or a voltage with a reversed polarity.
The user device preferably comprises a mobile electronic device, computing device, mobile communications device, or vehicle, or any device having one or more components which can be disabled to prevent use, operation or control of the user device.
The identity module has an identity associated with data package A. Normal operation of the user device requires that the identity module is docked with (installed in, or otherwise connected with) the user device, and that the user device recognises the identity module as an authorised identity module.
The identity module preferably comprises a subscriber identity module (SIM) or dongle. For example, the identity module may comprise a SIM card, i.e. a universal integrated circuit card (UICC) or other integrated circuit, smart card or chip. The identity module may comprise a software application stored on the SIM card or dongle. The identity module is preferably operable to transmit the stored identity of the identity module for receipt by the security device.
The identity module is preferably in communication with a processor of the user device when installed in the user device. The identity module can preferably be docked with the user device via a port of the user device or via a communications connection such as a near field communications connection. The port may comprise a dedicated port, such as a SIM card port or USB port.
In embodiments in which the identity module comprises a dongle, the dongle may comprise a USB dongle that can be docked with the user device via a USB port of the user device. The dongle may carry a SIM card as defined above.
The following desirable features of the security device serve to prevent unauthorised access to, or removal of, the security device from the user device, and thus further enhance the ability of the security device to prevent unauthorised use of the user device.
The security device may be embedded within the user device. For example, the security device may be embedded within a printed circuit board (PCB) of the user device. Similarly, the security device may be encapsulated by a physical barrier within the user device.
In embodiments of the invention in which the security device comprises a programmable logic device, such as a programmable gate array, programmed to carry out the functions of the security device, the security device may comprise a lock fuse actuatable to prevent subsequent re-programming, for example by an unauthorised user.
In embodiments of the invention in which the security device comprises a non-programmable device, such as a pre-programmed integrated circuit, for example a pre-programmed microprocessor, or a custom integrated circuit such as an application-specific integrated circuit, re-programming of the device is not possible, thus further enhancing security.
Throughout the description and claims of this specification, the words "comprise" and "contain" and variations of the words, for example "comprising" and "comprises", mean "including but not limited to", and do not exclude other components, integers or steps. Moreover the singular encompasses the plural unless the context otherwise requires: in particular, where the indefinite article is used, the specification is to be understood as contemplating plurality as well as singularity, unless the context requires otherwise.
Preferred features of each aspect of the invention may be as described in connection with any of the other aspects. Within the scope of this application it is expressly intended that the various aspects, embodiments, examples and alternatives set out in the preceding paragraphs, in the claims and/or in the following description and drawings, and in particular the individual features thereof, may be taken independently or in any combination. That is, all embodiments and/or features of any embodiment can be combined in any way and/or combination, unless such features are incompatible.
BRIEF DESCRIPTION OF THE DRAWINGS
One or more embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 provides a schematic illustration of a security device according to an embodiment of the invention incorporated into a mobile phone;
Figure 2 provides a schematic illustration of a security device according to an embodiment of the invention incorporated into a vehicle;
Figure 3 illustrates an algorithm carried out by a security device according to an embodiment of the invention during operation; and
Figure 4 provides a schematic illustration of the key hardware and/or firmware modules of a security device according to an embodiment of the invention.
DETAILED DESCRIPTION
The appended figures illustrate a security device 100 according to an embodiment of the invention. The security device 100 comprises hardware, with any program code provided as firmware held in non-volatile memory.
Such security devices 100 are configured to be integrated into high-value user devices such as mobile electronic devices (mobile phones, cell phones, tablet computers, laptop computers, and other portable electronic devices), personal computers, gaming consoles, and vehicles such as cars, vans, scooters, motorbikes, mopeds, or motor boats, for example. The security devices can be integrated into any user device having some form of electronic circuitry essential to its control, operation and/or use, and capable of receiving a removable identity module carrying a data string or other data package representative of a unique identity of the identity module. The identity module may comprise, for example, a subscriber identity module (SIM) or dis-mountable dongle.
Figure 1 shows an example of a security device 100 according to an embodiment of the invention incorporated into a user device 200, which in this embodiment comprises a mobile phone (cell phone). The security device 100 may be incorporated into other types of user device 200 (see above for examples of other such devices) in a similar way, and the following references to a mobile phone are not intended to be limiting.
The security device 100 is in two-way communication with a processor 210 of the mobile phone 200 via a communication link 220, which enables data to be transmitted between the processor 210 and the security device 100.
The identity module 300 is provided in the form of a SIM card which can be inserted into a dedicated port (not shown) of the mobile phone 200 to enable communication with the processor 210. As is known in the art, the SIM card 300 (for example, a Universal Integrated Circuit Card (UICC)) comprises an integrated circuit that securely stores an international mobile subscriber identity (IMSI) number, which is used to identify a subscriber. In the embodiments described herein the identity number is represented by String A, as described below. The SIM card 300 is removable from the mobile phone 200, and can be replaced with an equivalent SIM card having a different identity number.
In embodiments in which the user device 200 comprises an electronic device without a dedicated SIM card port, the SIM card may be provided within a mobile phone that is docked with, or otherwise connected with, the user device 200. In another alternative, the SIM card may be provided within a dongle such as a USB dongle that is inserted into a dedicated port (not shown) of the user device 200.
In embodiments in which the identity module 300 does not comprise a SIM, it may instead comprise a dongle. The dongle may be inserted directly into a dedicated port (not shown), such as a USB port, of the user device 200, and the dongle may carry a data package such as a data string (e.g. String A, as described below) representative of an identity of the dongle.
In all embodiments the identity module 300 is removable from the user device 200 and can be replaced with an equivalent identity module having a different identity and carrying a corresponding different data package (e.g. String A).
The security device 100 is in one-way communication with a trigger driver 230 via a communications link 232 that delivers trigger output instructions from a trigger interface of the security device (described further below) to the trigger driver 230.
The trigger driver 230 can be used to control one or more of three switches 242, 254, 262 via three control paths 234, 236, 238 to deactivate the user device 200 in accordance with trigger output instructions received from the trigger interface of the security device.
A first control path 234 connects the trigger driver 230 with a high voltage source 240. The high voltage source 240 is connected to a voltage-sensitive component or region of the processor 210 via a first switch 242. The first control path 234 can thus be used to deliver a signal from the trigger driver 230 to close the first switch 242 to thereby deliver a high voltage to the processor 210 to thereby permanently disable the processor, e.g. by destroying printed circuit boards or electrical connections in semi-conductor devices within the processor. An appropriate output voltage for the high voltage source 240 is dependent on the particular application, but an appropriate voltage is considered to be around 60 V, with an appropriate range of around 20-100 V, or 40-80 V, or 50-70 V, or 55-65 V. Alternatively, the high voltage source 240 may provide a negative voltage to achieve the same effect as the aforementioned high voltage.
A second control path 236 connects the trigger driver 230 with a display power supply unit (PSU) 252 that provides power to a display 250 of the mobile phone 200 via a second switch 254. The second control path 236 can thus be used to deliver a signal from the trigger driver 230 to open the second switch 254 to thereby interrupt the power supply from the display PSU 252 to the display 250 and thus to reversibly disable the display 250. A particular advantage of this control path is that, while a user is prevented from operating the mobile phone 200, its processor 210 remains functional and can thus be accessed remotely by an administrator such as an administrator of the mobile network over which the mobile phone communicates.
A third control path 238 connects the trigger driver with a processor power supply unit (PSU) 260 that provides a power supply to the processor 210 via a third switch 262. The third control path 238 can thus be used to deliver a signal from the trigger driver 230 to open the third switch 262 to thereby interrupt the power supply from the processor PSU 260 to the processor 210 and thus to reversibly disable the processor 210.
In this way, one or more of the first, second, and third control paths 234, 236, 238 can be used to either permanently (first control path 234) or reversibly (second and third control paths 236, 238) disable the mobile phone 200. In some embodiments only one of the control paths may be provided, or only two of the three illustrated control paths.
Moreover, other possible control paths are envisaged, and the skilled person will have no difficulty in identifying components or circuitry in a mobile phone, or other user device, that could be permanently or reversibly disabled by application of a high voltage or removal of a power supply, respectively. Similarly, the skilled person will be able to readily conceive of other ways of permanently or reversibly disabling such a user device in response to a signal provided by the trigger driver 230.
For example, the second 254 and third 262 switches may each be replaced by fuses and corresponding circuitry to short the power line to ground and cause the fuse to open circuit in response to a signal from the trigger driver 230.
Alternatively, the second 254 and third 262 switches may each be replaced by relays, such as double pole double throw relays, or similar devices, which operate to provide the correct voltage to the user device 200 during normal operation, but in response to a signal from the trigger driver 230 reverse the polarity of the supplied voltage to thereby permanently disable the user device 200, e.g. by destroying printed circuit boards or electrical connections in semi-conductor devices within the user device 200.
Figure 2 shows an example of a security device 100 according to an embodiment of the invention incorporated into a different user device 200, in this case a vehicle. As is apparent from reviewing the figure, the overall architecture of the integration of the security device 100 into the vehicle is very similar to that shown in Figure 1 in relation to integration into a mobile phone. Like features are represented by the same reference numerals, and the description above of those features applies equally to this embodiment. The description below will therefore focus on differences between the embodiments and avoid repetition of corresponding features.
In this embodiment the removable identity module 300 may be provided in the form of a SIM card or dongle such as a USB dongle, the identity module 300 being in communication with the vehicle's processor 210 when the identity module 300 is installed. The processor may, for example, comprise a processor of the vehicle's engine management system. In arrangements comprising a SIM card the SIM card may be inserted directly into a dedicated port (not shown) of the vehicle. Alternatively, the SIM card may be provided within a mobile phone that is docked with, or otherwise connected with (e.g. via a near field communications connection, such as Bluetooth™), the vehicle. In another alternative, the SIM card may be provided within a dongle such as a USB dongle that is inserted into a dedicated port (not shown) of the vehicle. In arrangements comprising a dongle, the dongle may be inserted directly into a dedicated port (not shown), such as a USB port, of the vehicle, and the dongle may carry a data package such as a data string (e.g. String A) representative of an identity of the dongle.
In all embodiments the identity module 300 is removable from the vehicle and can be replaced with an equivalent identity module having a different identity and carrying a corresponding different data package (e.g. String A).
In the illustrated embodiments of the invention the security device 100 comprises a watchdog timer built within an integrated circuit. This circuitry is controlled by a state machine which has multiple states between which the state machine can transition. Software running on the user device in which the security device 100 is installed has no ability to disable or control the security device 100, and in particular no ability to disable or control the state machine, watchdog timer or integrated circuit.
An example of the algorithm carried out by the security device 100 during operation is illustrated in Figure 3. Figure 4 provides a schematic illustration of the key hardware and/or firmware modules of the security device, which in this embodiment are built within an integrated circuit.
The algorithm includes an initialisation sequence which is carried out only when the user device 200 (e.g. mobile phone, vehicle, or other high-value item, as discussed above) is first powered on and each time it is necessary to register a new identity module 300. After the initialisation sequence has been successfully completed a watchdog sequence is carried out each time the device is powered on, i.e. after each power cycle. The watchdog sequence may also be carried out at regular intervals between power cycles.
The first state of the state machine in the initialisation sequence is Awaiting String A 510. String A comprises a data string (or other data package) of up to 20 characters (in this embodiment) corresponding to the identity of the installed identity module 300. In arrangements where the identity module 300 comprises or includes a SIM card, String A may correspond to an international mobile subscriber identity (IMSI) number. In other arrangements String A may comprise any data set representative of a unique identifier or identity of the installed identity module 300.
In step 512 String A is sent from the user device 200 via the communications link 220, and transmitted to non-volatile message store A 120 where it is stored at step 518. In the illustrated embodiment String A is stored three times in non-volatile message store A 120; this triple redundant memory arrangement provides additional security in the event of stored data becoming corrupted. After retrieval from the non-volatile message store A 120, the three copies of String A are compared in redundancy comparison module 122 to check for any errors. Other techniques known in the art may be used to ensure data security and accuracy.
After String A is received the state machine then moves to its second state in the initialisation sequence, Awaiting String B 514. String B comprises a data string (or other data package) of up to 20 characters (in this embodiment) corresponding to a user input associated with the user device 200. For example, the user input may comprise a keyboard input in the form of a personal identification number (PIN) or password, an image input in the form of a fingerprint or iris scan, or a voice input in the form of a sound file.
In step 516 String B is sent from the user device 200 via the communications link 220, and transmitted to non-volatile message store B 130, where it is stored at step 518. In the illustrated embodiment String B is stored three times in non-volatile message store B 130; this triple redundant memory arrangement provides additional security in the event of stored data becoming corrupted. After retrieval from the non-volatile message store B 130, the three copies of String B are compared in redundancy comparison module 132 to check for any errors. Other techniques known in the art may be used to ensure data security and accuracy.
In embodiments in which the user device has no means for user input the security device 100 may comprise a GSM (Global System for Mobile communications)-compatible transmitter and receiver (or transceiver) that is able to receive String B from a remote user, for example via a mobile phone having a communications link with the GSM-compatible transmitter and receiver, and transmit String B to the non-volatile message store B 130.
After String A and String B are stored in non-volatile message stores A and B, respectively, the initialisation sequence is complete. The security device 100 is then ready to complete the watchdog sequence, and moves to the third state.
The first step 520 in the watchdog sequence is to start the watchdog timer. At the next step 522 the state machine is at its third state Awaiting String A1. If the identity module 300 has not changed and is still installed in the user device 200 then String A1 will correspond to String A. That is, String A1 should be identical to String A.
In step 524 String A1 is sent from the user device 200 via the communications link 220, and transmitted to volatile message store A1 150 where it is stored at step 526.
Once String A1 has been received the watchdog timer is reset to its start time and disabled. If String A1 is not received by the security device 100, for example because the identity module 300 has been removed from the user device 200 or the user device 200 has been otherwise tampered with, then the trigger interface steps 530, 532 (described further below) are activated.
In step 528 the copy of String A1 stored in volatile message store A1 150 is compared to the copy or copies of String A stored in non-volatile message store A. This comparison is carried out in String A-A1 comparison module 160 (see Figure 4).
If String A1 is identical to String A then no action is required and the watchdog sequence is ready to restart at the next power cycle or other scheduled interval.
If String A1 is different from String A, because a new, unrecognised, identity module 300 has been installed in the user device 200, then the trigger interface steps 530, 532 are activated. The first trigger interface step 530 comprises sending a warning message to a user of the user device 200 via the communications interface 220. The second trigger interface step 532, which occurs concurrently with the first trigger interface step 530, is to start a 30 second timer (in other embodiments the time interval may be different).
The warning message sent to a user of the user device 200 informs the user that deactivation of the user device 200 can be prevented by providing a user input that corresponds to String B stored in non-volatile message store B 130. The state machine is thus in its fourth state of Awaiting String B1 at step 540.
If the user input is provided then String B1 corresponding to the user input is sent from the user device 200 via the communications link 220, and transmitted to volatile message store B1 170 (see Figure 4), where it is stored at step 542.
In step 544 the copy of String B1 stored in volatile message store B1 170 is compared to the copy or copies of String B stored in non-volatile message store B 130. This comparison is carried out in String B-B1 comparison module 180 (see Figure 4).
If String B1 is not identical to String B then the process is restarted at step 540 by means of a 'count to three' loop at 546 whereby the user is given two further chances to provide a user input corresponding to a String B1 that is identical to String B. If none of the three user inputs provide a String B1 that is identical to String B then the security device 100 enters a lockout state in which the user device 200 is unusable.
If the user device 200 is subsequently powered on after the lockout state has expired then the user is given a further three chances to provide a correct String B1. If none of these three user inputs provide a String B1 that is identical to String B then the trigger interface steps 530, 532 are activated.
If the comparison carried out in the String B-B1 comparison module 180 detects a String B1 that is identical to String B stored in non-volatile message store B 130 before the end of the timer period (before 30 seconds has elapsed in this embodiment) then the timer is disabled, the state machine returns to the first state 510 of 'Awaiting String A', and the initialisation sequence of steps 510, 512, 514, 516 and 518 is repeated. When the initialisation sequence is repeated the copies (or copy) of String A in non-volatile message store A 120 are overwritten and replaced with a new String A comprising a data string (or other data package) of up to 20 characters (in this embodiment) corresponding to the identity of the newly-installed identity module 300. In some embodiments String B may also be overwritten by way of a new user input as previously described.
If the timer reaches the end point of the timer period (after 30 seconds in this embodiment) without being disabled then the state machine moves to the fifth state of Activate trigger, and trigger output instructions are delivered from a trigger interface of the security device 100 to the trigger driver 230 as described above. The trigger driver 230 then permanently or reversibly deactivates the user device 200 via a control path 234, 236, 238 as described above.
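The initialisation and watchdog sequences described above, modelled as a small C state machine. This is an added illustration and not code from the patent: the identifiers, the 5-second watchdog period, the sample strings and the rule that a store whose three copies disagree never matches are assumptions, and the retry round after the lockout state is left out.

```c
#include <string.h>

#define MAX_LEN 20          /* "up to 20 characters" in this embodiment */
#define GRACE_SECONDS 30    /* timer started at trigger interface step 532 */
#define WATCHDOG_SECONDS 5  /* assumed value: the text gives no watchdog period */

typedef enum { AWAIT_A, AWAIT_B, AWAIT_A1, AWAIT_B1, LOCKOUT, TRIGGER } state_t;

typedef struct {
    state_t state;
    char store_a[3][MAX_LEN + 1], store_b[3][MAX_LEN + 1]; /* non-volatile stores A and B, three copies each */
    int timer;      /* seconds left on the running timer, -1 = disabled */
    int attempts;   /* wrong String B1 inputs so far */
} secdev_t;

/* Redundancy comparison plus A-A1 / B-B1 comparison. Assumption: a store whose
   three copies disagree never matches (the text does not define this case). */
static int matches(char s[3][MAX_LEN + 1], const char *v) {
    return !strcmp(s[0], s[1]) && !strcmp(s[1], s[2]) && !strcmp(s[0], v);
}

static void store3(char s[3][MAX_LEN + 1], const char *v) {
    for (int i = 0; i < 3; i++) { strncpy(s[i], v, MAX_LEN); s[i][MAX_LEN] = '\0'; }
}

/* Trigger interface steps 530 and 532: warn the user, start the 30 s timer. */
static void challenge(secdev_t *d) {
    d->state = AWAIT_B1; d->timer = GRACE_SECONDS; d->attempts = 0;
}

void secdev_init(secdev_t *d) { memset(d, 0, sizeof *d); d->state = AWAIT_A; d->timer = -1; }

/* Step 520: each power cycle of an initialised device starts the watchdog. */
void secdev_power_on(secdev_t *d) {
    if (d->state == AWAIT_A1) d->timer = WATCHDOG_SECONDS;
}

void secdev_receive(secdev_t *d, const char *msg) {   /* one message over the link */
    switch (d->state) {
    case AWAIT_A: store3(d->store_a, msg); d->state = AWAIT_B; break;
    case AWAIT_B: store3(d->store_b, msg); d->state = AWAIT_A1; secdev_power_on(d); break;
    case AWAIT_A1:
        d->timer = -1;                              /* reset and disable the watchdog */
        if (!matches(d->store_a, msg)) challenge(d);
        break;
    case AWAIT_B1:
        if (matches(d->store_b, msg)) { d->timer = -1; d->state = AWAIT_A; }
        else if (++d->attempts == 3) d->state = LOCKOUT;
        break;
    default: break;                                 /* LOCKOUT and TRIGGER ignore input */
    }
}

void secdev_tick(secdev_t *d, int seconds) {        /* advance time */
    if (d->timer < 0) return;
    d->timer -= seconds;
    if (d->timer > 0) return;
    d->timer = -1;
    if (d->state == AWAIT_A1) challenge(d);              /* String A1 never arrived */
    else if (d->state == AWAIT_B1) d->state = TRIGGER;   /* fifth state: Activate trigger */
}

int main(void) {   /* constructed sample values, not from the patent */
    secdev_t d; secdev_init(&d);
    secdev_receive(&d, "001010123456789"); secdev_receive(&d, "4821");
    secdev_receive(&d, "001010999999999");          /* different identity module */
    secdev_tick(&d, GRACE_SECONDS);                 /* no String B1 within 30 s */
    return d.state == TRIGGER ? 0 : 1;
}
```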

Claims (18)

1. A hardware security device for disabling a user device having a removable identity module, the security device comprising:
a memory module configured to store a data package A associated with a stored identity of the identity module;
a communications interface configured to receive a data package A1 from the user device;
a trigger interface activatable to disable the user device; and
a timer activatable to progress from a start time to a timeout time, progression of the timer to the timeout time causing activation of the trigger interface, wherein the security device is configured to:
reset the timer in response to receipt of data package A1 from the user device;
compare data package A1 with data package A; and
activate the trigger interface if data package A1 is not the same as data package A.
2. A security device according to claim 1, wherein the timer comprises a watchdog timer.
3. A security device according to claim 1 or claim 2, wherein the security device is configured to de-activate the trigger interface in response to a user input.
4. A security device according to claim 3, wherein the memory module is configured to store a data package B representative of a stored user input associated with the user device, the communications interface is configured to receive a data package B1 from the user device in response to the user input, and the security device is configured to compare data package B1 with data package B, and to de-activate the trigger interface if data package B1 is the same as data package B.
5. A security device according to any of claims 1 to 4, wherein the security device comprises a second timer activatable to progress from a start time to a timeout time, progression of the second timer to the timeout time causing disablement of the user device, activation of the trigger interface causing activation of the second timer, and de-activation of the trigger interface causing the timer to reset.
6. A security device according to any preceding claim, wherein the security device consists of firmware and/or hardware.
7. A security device according to any preceding claim, wherein the memory module comprises an erasable programmable read-only memory.
8. A security device according to any preceding claim, comprising an integrated circuit, the timer being built within the integrated circuit.
9. A security device according to any preceding claim, comprising a state machine configured to control the security device.
10. A security device according to any preceding claim, wherein the security device is configured to perform an initialisation sequence on first power up of the user device, the initialisation sequence comprising receiving data package A and storing data package A to the memory module.
11. A security device according to any of claims 4 to 10, wherein the initialisation sequence comprises receiving data package B and storing data package B to the memory module.
12. A method of disabling a user device having a removable identity module using a security device according to any of claims 1 to 11, the method including the steps of:
receiving, at the security device, data package A1 from the user device;
resetting the timer in response to receipt of data package A1;
comparing data package A1 with data package A; and
if data package A1 is not the same as data package A, activating the trigger interface to disable the user device.
13. A security apparatus comprising a security device according to any of claims 1 to 11, and a user device comprising a removable identity module, the apparatus comprising a communications link between a processor of the user device and the security device, and a trigger module configured to disable the user device in response to activation of the trigger interface.
14. A security apparatus according to claim 13, wherein the trigger module comprises one or more of: a control path to disrupt a power supply to one or more components of the user device; and a control path to provide a destructive voltage to one or more components of the user device.
15. A security apparatus according to claim 13 or claim 14, wherein the user device comprises a mobile electronic device, computing device, mobile communications device, or vehicle.
16. A security apparatus according to any of claims 13 to 15, wherein the identity module comprises a subscriber identity module (SIM) or dongle.
17. A security apparatus according to any of claims 13 to 16, wherein the security device is embedded within a printed circuit board of the user device.
18. A security apparatus according to any of claims 13 to 17, wherein the security device is encapsulated by a physical barrier within the user device.
Intellectual Property Office
Application No: GB1814541.7
Examiner: Mr Aaron Saddington
GB1814541.7A 2018-09-06 2018-09-06 Security Device Withdrawn GB2576919A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB1814541.7A GB2576919A (en) 2018-09-06 2018-09-06 Security Device
PCT/GB2019/052483 WO2020049311A1 (en) 2018-09-06 2019-09-06 Security device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1814541.7A GB2576919A (en) 2018-09-06 2018-09-06 Security Device

Publications (2)

Publication Number Publication Date
GB201814541D0 GB201814541D0 (en) 2018-10-24
GB2576919A GB2576919A (en) 2020-03-11

Family

ID=63921091

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1814541.7A Withdrawn GB2576919A (en) 2018-09-06 2018-09-06 Security Device

Country Status (2)

Country Link
GB (1) GB2576919A (en)
WO (1) WO2020049311A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5377269A (en) * 1992-10-29 1994-12-27 Intelligent Security Systems, Inc. Security access and monitoring system for personal computer
US20090007275A1 (en) * 2007-04-20 2009-01-01 Christian Gehrmann Method and Apparatus for Protecting SIMLock Information in an Electronic Device
EP1203278B1 (en) * 1999-08-13 2012-02-08 Hewlett-Packard Development Company, L.P. Enforcing restrictions on the use of stored data
US20130091564A1 (en) * 2008-04-02 2013-04-11 William Fitzgerald Systems and methods for mitigating the unauthorized use of a device

Also Published As

Publication number Publication date
GB201814541D0 (en) 2018-10-24
WO2020049311A1 (en) 2020-03-12

Similar Documents

Publication Publication Date Title
US9507918B2 (en) Always-available embedded theft reaction subsystem
US20190013947A1 (en) Method and system for responding to an unauthorized action on a mobile communications device
US9734359B2 (en) Always-available embedded theft reaction subsystem
US9558378B2 (en) Always-available embedded theft reaction subsystem
US9454678B2 (en) Always-available embedded theft reaction subsystem
US7979826B1 (en) Computer-readable storage media comprising data streams having mixed mode data correction capability
RU2187147C2 (en) Stealing protection device
US20180046805A1 (en) Hardware-based software-resilient user privacy exploiting ephemeral data retention of volatile memory
US20170098073A1 (en) Method and apparatus for identifying malicious operation in mobile terminal
US8151118B2 (en) Master-slave security devices
US8317878B2 (en) Enabling a service to return lost laptops
US20140020121A1 (en) Always-available embedded theft reaction subsystem
WO2013095596A1 (en) Always-available embedded theft reaction subsystem
ES2319383T3 (en) PROCESS OF FIGHT AGAINST THE THEFT OF MOBILE DEVICES, DEVICE AND INSTALLATION CORRESPONDING.
US9208359B2 (en) Always-available embedded theft reaction subsystem
TWI464617B (en) Always-available embedded theft reaction subsystem
EP2795506A1 (en) Always-available embedded theft reaction subsystem
EP2795515A1 (en) Always-available embedded theft reaction subsystem
EP2795518A1 (en) Always-available embedded theft reaction subsystem
CN111819561A (en) Integrated circuit data protection
CN110532785B (en) Controlled start method of electronic circuit and electronic equipment
EP2795516A1 (en) Always-available embedded theft reaction subsystem
TW202009717A (en) Storage device and program
US7607025B1 (en) Methods of intrusion detection and prevention in secure programmable logic devices
CN101888627B (en) Mobile terminal and system data protection method thereof

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)