JP2017118411A - Remote destruction system and remote destruction method for storage device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect, after instructing to destroy a storage device included in an information processing device, whether or not the target storage device has been destroyed correctly.SOLUTION: A remote destruction system S comprises: a management server 1 connected to a network; a smart phone 3 that is capable of communicating with the management server 1 and includes a flash memory and a remote control tool for controlling the flash memory according to an instruction from the management server 1; and a registration terminal 5 that is capable of communicating with the management server 1 through the network and includes instruction means for instructing the management server 1. The instruction means in the registration terminal 5 instructs the management server 1 to destroy a storage device included in the smart phone 3. The management server 1 instructs the smart phone 3 to destroy the storage device included in the smart phone 3. The smart phone 3 destroys the flash memory included in the smart phone 3 by using the remote control tool before determining a destruction result, and transmits the destruction result of the flash memory to the management server 1 through the network.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a remote destruction system for a storage device included in an information processing apparatus.

  Information processing devices such as personal computers, tablets, smartphones, and mobile devices are indispensable as the infrastructure of today's information society. Technology that stores and uses information on the Internet cloud has become available as a matter of course with the development of communication technology, but the WiFi (registered trademark) environment, relay stations, and other infrastructure are congested and communication is impossible. It may be necessary to use it in the environment. Therefore, as long as information is stored in a storage device included in the information processing apparatus, it can be used at any time without being influenced by the use environment.

  In such a situation, even if these information processing devices are stolen or lost, if the owner's ID and password set in advance are not correctly entered even if the information processing device is started, the information inside the information device Information security measures have been taken, such as operation locks and information access locks to prevent access. This corresponds to a service called remote lock or Omakase Lock (registered trademark) provided by NTT DOCOMO.

  In addition, if a predetermined function such as remote initialization is registered in advance in the information processing apparatus by remote control and a password or the like as execution permission information is set, the execution of the predetermined function is transmitted to the information processing apparatus as a remote command. Functions such as sending, resetting the information processing device, initializing stored information, and initializing information on the memory card are provided, and provided as a service that can be reassured by the user in case of emergency. This corresponds to a service called remote initialization provided by NTT DOCOMO.

  Further, the means for solving the abstract of Patent Document 1 includes: “One or more relay base stations in which the information security system 1 of the portable terminal device is connected to the portable terminal device 7 via radio wave communication means”. 6, an authentication device 4 that performs personal authentication processing for identifying whether or not the user is an owner, and a management device 5 that generates a remote operation packet for performing information security processing of the mobile terminal device 7. When an information integrity request for the terminal device 7 is made, personal authentication processing is performed by the authentication device 4, and when this personal authentication matches, a remote operation packet is generated by the management device 5 and carried from the relay base station 6. It is transmitted to the terminal device 7, the remote operation packet is received by the portable terminal device 7, and a predetermined information maintenance process corresponding to this is performed. "

JP 2006-303817 A

  However, in order to protect the information stored in the information processing device, if the operation lock function is enabled by remote operation or the initialization function from remote is not set in advance, those functions are executed. For example, when a password for execution is not set, there is a problem that those functions cannot be used.

  In addition, if the password is set to be executed by a third party, it may not be executed because the specified password is different from the actual password even if the function is enabled. Under such circumstances, there is a growing need for preventing information stored in the information processing device from being accessed by unauthorized third parties when the information processing device is stolen or lost. It has become.

  Therefore, an object of the present invention is to correctly detect whether or not the target storage device is destroyed after instructing the destruction of the storage device included in the information processing apparatus.

In order to solve the above-described problem, a remote destruction system for a storage device according to the present invention includes a management device that is communicably connected to a network, can communicate with the management device via the network, A first device comprising a remote control means for controlling the storage device according to a command from the management device; a second device comprising a command means capable of communicating with the management device via the network and for giving a command to the management device; Is provided. The command means of the second device instructs the management device to destroy the storage device provided in the first device, and the management device instructs the first device to destroy the storage device provided in the first device. The remote control means of the first device determines the destruction result after destroying the storage device included in the first device, and transmits the destruction result of the storage device to the management device via the network.
Other means will be described in the embodiment for carrying out the invention.

  According to the present invention, it is possible to correctly detect whether or not the target storage device has been destroyed after instructing the destruction of the storage device included in the information processing apparatus.

It is a schematic block diagram which shows the remote destruction system in 1st Embodiment. It is a block diagram of a registration terminal and a management server. It is a block diagram of a smart phone and a customer terminal. It is a figure which shows the structure of a user database and a destruction information database. It is a figure which shows an initial registration dialog. It is a sequence diagram which shows the operation | movement of initial registration. It is a figure which shows a destruction command dialog. It is a sequence diagram which shows operation | movement of a destruction command. It is a figure which shows the example of execution result of a destruction command. It is a flowchart which shows the SIM monitoring process by a smart phone. It is a sequence diagram which shows the memory | storage device destruction operation | movement at the time of SIM replacement | exchange. It is a schematic block diagram which shows the remote destruction system in 2nd Embodiment. It is a block diagram of a death management server and a death information monitoring server. It is a block diagram of NAS. It is a figure which shows the structure of a user database and a destruction information database. It is a sequence diagram which shows destruction operation | movement at the time of death.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the drawings.
FIG. 1 is a schematic configuration diagram showing a remote destruction system S in the first embodiment.
The remote destruction system S of 1st Embodiment is for destroying the flash memory (memory | storage device) which this smart phone 3 has at the time of theft and loss of the smart phone 3 which a user owns by remote control.

The remote destruction system S includes a registration terminal 5 and a management server 1. The management server 1 can communicate with the customer terminal 4 and can communicate with the smartphone 3 via the router 21 and the base station 22.
The smartphone 3 (first device) can communicate with the management server 1 via a network, and includes a storage device and remote control means for controlling the storage device according to a command from the management server 1.
The registration terminal 5 (second device) is configured by, for example, a personal computer or a tablet, and has a function of inputting information of a user who uses the service when using the service of the remote destruction system S and transmitting it to the management server 1. Have. The registration terminal 5 is communicable with the management server 1 via a network, and includes a command unit that commands the management server 1. Details of the registration terminal 5 will be described with reference to FIG.
The customer terminal 4 is, for example, a notebook personal computer, and has a function of receiving information notified to other than the smartphone 3 owned by the user. Details of the customer terminal 4 will be described with reference to FIG.
The management server 1 (management device) is communicably connected to a network, and has a CPU (Central Processing Unit), a memory such as a ROM (Read Only Memory) and a RAM (Random Access Memory), a communication function, a display function, and an HDD (Hard). It is a general information processing apparatus including an auxiliary storage device such as a disk drive. Details of the management server 1 will be described later with reference to FIG.

The base station 22 is connected to a mobile phone exchange (not shown) connected to a core network (not shown) of a fixed telephone network by wire or wirelessly. The router 21 is connected to any line of the Internet by wire or wireless.
The management server 1 can communicate with the user's smartphone 3 via the core network, the mobile phone exchange, and the base station 22 or via the Internet and the router 21.

FIG. 2A is a configuration diagram of the registration terminal 5.
The registration terminal 5 includes a CPU 51, a RAM 52, a ROM 53, a display 54, a communication unit 55, and an HDD 56 that stores remote control software 561. The registration terminal 5 is connected to an input / output device such as a mouse 57 and a keyboard 59 and a reading device 58 for reading biometric information such as fingerprints, irises and veins.
The CPU 51 reads and executes a BIOS (Basic Input / Output System) stored in the ROM 53 and remote control software 561 stored in the HDD 56. The RAM 52 is a volatile storage device, and is used for the CPU 51 to temporarily store various programs and data. The HDD 56 is a nonvolatile auxiliary storage device, and preferably stores programs, large-capacity data, and the like.
The communication unit 55 is, for example, a NIC (Network Interface Controller), and transmits and receives information and commands to and from the management server 1 and the like via a network.
The display 54 is configured by, for example, a liquid crystal panel, and is a display device that displays a program operation screen, an execution result, and the like to a user who operates the registration terminal 5.
The remote control software 561 (command means) is a software program for setting the user's smartphone 3 to be remotely controllable to the management server 1 and giving a command to the management server 1.

FIG. 2B is a configuration diagram of the management server 1.
The management server 1 includes a CPU 11, a RAM 12, a ROM 13, a display 14, a communication unit 15, and an HDD 16 that stores a user database 161 and a destruction information database 162. In each figure, the database is abbreviated as “DB”. The CPU 11, RAM 12, ROM 13, display 14, and communication unit 15 have the same functions as the CPU 51, RAM 52, ROM 53, display 54, and communication unit 55 provided in the registration terminal 5.
The user database 161 stores information related to the user of the remote destruction system S. Details of the user database 161 will be described later with reference to FIG.
The destruction information database 162 stores information on storage devices destroyed by the remote destruction system S. Details of the destruction information database 162 will be described with reference to FIG.

FIG. 3A is a configuration diagram of the smartphone 3.
The smartphone 3 includes a CPU 31, a RAM 32, a ROM 33, a touch panel display 34, a flash memory 36 (storage device) that stores a remote control tool 361, a WiFi communication unit 35, and a 3G communication unit 37.
The CPU 31, RAM 32, and ROM 33 included in the smartphone 3 have the same functions as the CPU 51, RAM 52, and ROM 53 included in the registration terminal 5. The touch panel display 34 has a display function for displaying various kinds of information and an input function for detecting a position where a finger or a touch pen is touched.
The WiFi communication unit 35 communicates with the management server 1 via the router 21, and the 3G communication unit 37 communicates with the management server 1 via the base station 22 and the carrier network.
The remote control tool 361 (remote control means) is a software program executed by the CPU 31 and embodies a function of destroying the flash memory 36 in response to a destruction command from the management server 1.

FIG. 3B is a configuration diagram of the customer terminal 4.
The customer terminal 4 includes a CPU 41, a RAM 42, a ROM 43, a display 44, a communication unit 45, and an HDD 46 that stores an e-mail program 461. The CPU 41, RAM 42, ROM 43, display 44, and communication unit 45 have the same functions as the CPU 51, RAM 52, ROM 53, display 54, and communication unit 55 provided in the registration terminal 5.
The electronic mail program 461 causes the CPU 41 to receive and transmit mail related to the user's account.

FIG. 4A is a diagram showing the configuration of the user database 161.
The user database 161 includes a user identification information column, an authentication information column, and a notification destination column, and further stores a plurality of information columns composed of combinations of a registration flag, terminal identification information, and storage device identification information. The user database 161 is a database that stores information related to the user of the remote destruction system S.

The user identification information is unique information in the remote destruction system S and is generated by the management server 1. User identification information is information generated without duplication by combining letters and numbers. The user identification information may be information generated without duplication such as a serial number, for example, input from a registration terminal and determined so as not to overlap with information registered on the received management server 1 side. It may be done.
The authentication information is biometric information, and is used to authenticate whether the user of the remote destruction system S is an authorized user of a desired service. This authentication information is read from the user's fingerprint or iris by the reading device 58. However, the present invention is not limited to this, and the authentication information is not limited as long as it is information that can identify the user, such as a password.

The notification destination is an email address to which the management server 1 of the remote destruction system S notifies the destruction result. Information on whether or not the storage device of the user's smartphone 3 has been destroyed is transmitted to the email address of the notification destination.
The registration flag defines a remote control operation for the registered terminal. When the registration flag is “0”, the terminal is not registered or the operation for the terminal is invalid. When the registration flag is “1”, the management server 1 operates to immediately destroy the storage device of the terminal. When the registration flag is “2”, the management server 1 operates so as to destroy the storage device of the terminal after the user dies.
The terminal identification information is information for identifying a registered terminal. The management server 1 remotely controls registered terminals based on this terminal identification information.
The storage device identification information is information for identifying a storage device included in a registered terminal, and is, for example, a serial number of the storage device.

FIG. 4B is a diagram showing the configuration of the destruction information database 162.
The destruction information database 162 includes terminal identification information, remote control information, destruction command issue date / time, destruction command reception date / time, destruction command execution date / time, execution phase, execution result, storage device identification information, storage device activation frequency, terminal activation frequency, etc. Storing. The destruction information database 162 stores the result of the destruction instruction of the storage device.

The terminal identification information is information for identifying a registered terminal.
The remote control information is information indicating the type of destruction command. For example, when the remote control information is “9999”, the command is an instruction to destroy the terminal immediately. When the remote control information is “1111”, it is a command to destroy the storage device of the terminal after the user dies.
The destruction command issue date and time is the date and time when the user issued a destruction command to the management server 1. The destruction command reception date and time is the date and time when the registered terminal receives the destruction command. The destruction command execution date and time is the date and time when the registered terminal executes the destruction command.

The execution phase indicates a phase related to execution of the destruction command. When the execution phase is “0”, it is before the start of the destruction command. When “1”, the destruction command is issued to the terminal. When “2”, the destruction command is received by the registered terminal. When “3”, the destruction command is executed by the terminal. When “8”, the destruction is suspended by the terminal, and when “9”, the destruction command is canceled.
The storage device identification information is information for uniquely identifying the destroyed storage device, for example, a serial number of the storage device. Whether the target storage device could be destroyed by comparing the storage device identification information in the destruction information database 162 and the storage device identification information in the user database 161, or whether the storage device provided in the terminal was replaced. It can be determined whether or not.
The number of activations of the storage device is the total number of times that the destroyed storage device has been activated after shipment from the factory. For example, in a solid state drive (SSD) or HDD, self-monitoring, analysis and reporting technology (SMA. RT) can be read from the storage device, but acquisition of the number of activations of the storage device is performed by S.T. M.M. A. R. It is not limited to T. The number of terminal activations is the total number of times this terminal has been activated after shipment from the factory, and is counted up each time the terminal firmware or OS is activated and stored in a flash memory or the like built in the terminal. By comparing the number of times the storage device is activated and the number of times the terminal is activated, it is possible to determine whether or not the storage device has been activated by being connected to another terminal other than this terminal.

<Initial setting phase>
In the initial setting phase, the user registers information about the user who wants to use the remote control execution service and registers an information processing apparatus that wants to perform remote control so that it can communicate with the management server 1. Further, the user sets the remote control tool 361 for executing a command received from the management server 1. The initial setting phase is executed when the CPU 51 of the registration terminal 5 executes the remote control software 561.

FIG. 5A shows an initial registration dialog 61. The initial registration dialog 61 is displayed on the display 54 when the CPU 51 of the registration terminal 5 executes the remote control software 561.
In the initial registration dialog 61, a user identification information text box 611, a notification address text box 612, a terminal identification information text box 613, and a terminal identification information text box 614 are displayed, respectively, and an OK button 615 and a cancel button 616 are also displayed. Is done.

The user identification information text box 611 is a text box in which user identification information is displayed. The notification address text box 612 is a text box for inputting a notification e-mail address of the destruction result. Terminal identification information text boxes 613 and 614 are text boxes for inputting terminal identification information.
The user appropriately inputs the user identification information, the e-mail address for notification of the destruction result, and the terminal identification information, and then clicks an OK button 615. As a result, the biometric information is read by the reader 58, and a transition is made to an initial registration dialog 62 described later. When the user clicks a cancel button 616, a series of terminal registration operations are canceled and the process ends.

FIG. 5B is a diagram showing the initial registration dialog 62. The initial registration dialog 62 is displayed on the display 54 when the CPU 51 of the registration terminal 5 executes the remote control software 561.
The initial registration dialog 62 displays “Fingerprint reading by the authentication device is completed”, and further displays an initial registration button 621 and a cancel button 622. When the user clicks the initial registration button 621, the terminal is registered. When the user clicks a cancel button 622, a series of terminal registration operations are canceled and the process ends.

FIG. 6 is a sequence diagram showing an initial registration operation.
First, the registration terminal 5 displays a menu (not shown) of the remote execution control service for the user to apply for the remote control execution service (sequence Q10).
When the user selects “initial registration” from the menu, registration terminal 5 transmits an initial registration request to management server 1 (sequence Q11).
When management server 1 receives the initial registration request, user identification information is generated and stored in user database 161, and this user identification information is transmitted to registration terminal 5 (sequence Q12). Note that the user identification information may be determined so as not to overlap with information registered on the management server 1 side after being input from the registration terminal.

The registration terminal 5 displays the user identification information received by the initial registration dialog 61 (see FIG. 5A) and waits for input of the terminal identification information and the user information. The person in charge inputs user information such as an email address for receiving a notification and terminal identification information for designating the smartphone 3 to the registration terminal 5. The initial registration dialog 61 may be configured so that the user's name, address, and telephone number can be input.
Thereafter, authentication information for identifying whether the user is an authorized user of the desired service is input by the reading device 58 (sequence Q13). When the authentication information is input to the registration terminal 5, an initial registration dialog 62 shown in FIG. 5B is displayed on the display 54 of the registration terminal 5.

  The terminal identification information is different for each terminal so that a user can identify a plurality of terminals. For example, the terminal model name or model number may be used, and when a plurality of information processing apparatuses subject to remote execution control are registered. As long as the user can distinguish, it is not limited to the above.

  Registration terminal 5 transmits the input information (authentication information, terminal identification information) and user identification information received from management server 1 to management server 1 (sequence Q14). The management server 1 stores the authentication information and the terminal identification information in the user database 161 in association with the received user identification information (sequence Q15), and the remote control tool 361 and the remote control tool 361 refer to when starting up The activation information file including the user identification information and terminal identification information to be generated is generated (sequence Q16).

The management server 1 notifies the smartphone 3 newly registered as a terminal of the URL (Uniform Resource Locator) of the generated activation information file (sequence Q17). Thereafter, the user performs initial registration in the smartphone 3.
The user downloads the remote control tool 361 and the activation information file from the management server 1 based on the URL notified to the smartphone 3 (sequence Q18). The user installs the remote control tool 361 on the target smartphone 3 to be remotely controlled (sequence Q19). When the installation is completed, the remote control tool 361 is activated. The CPU 31 reads the user identification information and the terminal identification information from the activation information file by the remote control tool 361 and executes a process for storing them in the flash memory 36.

  CPU 31 executes a process of storing the ID of SIM (Subscriber Identity Module Card) 371 in flash memory 36 by remote control tool 361 (sequence Q20). The CPU 31 further executes processing for obtaining a serial number from the storage device (sequence Q21) and processing for transmitting a registration completion signal to the management server 1 (sequence Q22). Along with transmission of this registration completion signal, the serial number of the storage device is also transmitted to the management server 1.

  When the management server 1 receives the registration completion signal, the management server 1 sets the registration flag corresponding to the terminal identification information associated with the user identification information in the user database 161 to “1”, and enables the immediate destruction process. . Note that if the registration flag is “0” and is not registered or invalid, the management server 1 does not accept a destruction command. The management server 1 further registers the serial number of the storage device in the user database 161.

  Thereafter, the remote control tool 361 is executed by the CPU 31 every time the smartphone 3 is powered on. Although the remote control tool 361 is installed in the smartphone 3 in the first embodiment, a configuration in which the remote control tool 361 is incorporated in the firmware of the smartphone 3 in advance may be used. In addition, as long as the same function can be realized, the present invention is not limited to software implementation means, and may be realized by combining hardware and software.

<< Destruction Command Phase >>
The destruction command phase is an operation in which the user issues a command to destroy the storage device of the smartphone 3 (information processing device) by remote execution control when the smartphone 3 is stolen or lost. Say. The destruction command phase is executed when the CPU 51 of the registration terminal 5 executes the remote control software 561. Since the storage device of the smartphone 3 is destroyed, personal information and trade secrets stored in the storage device cannot be read, and thus leakage of personal information and trade secrets can be suppressed.
When the smartphone 3 is stolen or lost, the user delivers the smartphone 3 to the police and tries to find and collect it. However, when there is no discovery contact from the police and it is determined that it is not found and the search is abandoned, a destruction instruction is transmitted to the smartphone 3 in order to prevent leakage of information stored in the smartphone 3.

FIG. 7A shows the destruction command dialog 63. The destruction instruction dialog 63 is displayed on the display 54 when the CPU 51 of the registration terminal 5 executes the remote control software 561.
In the destruction command dialog 63, a user identification information text box 631 and a terminal identification information text box 632 are displayed, and an OK button 633 and a cancel button 634 are further displayed.
The user identification information text box 631 is a text box for inputting user identification information. The terminal identification information text box 632 is a text box for inputting terminal identification information.
The user clicks an OK button 633 after appropriately inputting user identification information and terminal identification information. As a result, the biometric information is read by the reader 58, and a transition is made to a destruction command dialog 64 described later. When the user clicks a cancel button 634, a series of destruction command operations are canceled and the process ends.

FIG. 7B is a diagram showing the destruction command dialog 64. The destruction instruction dialog 64 is displayed on the display 54 when the CPU 51 of the registration terminal 5 executes the remote control software 561.
In the destruction command dialog 64, “Fingerprint reading by the authentication device is completed” is displayed, and an OK button 641 and a cancel button 642 are further displayed. When the user clicks the OK button 641, a transition is made to the destruction command dialog 65. When the user clicks the cancel button 642, a series of destruction command operations are canceled and the process is terminated.

FIG. 7C is a diagram showing the destruction command dialog 65. The destruction instruction dialog 65 is displayed on the display 54 when the CPU 51 of the registration terminal 5 executes the remote control software 561.
In the destruction command dialog 65, a one-time password text box 651 and a re-input text box 652 are displayed, respectively, and a destruction command button 653 and a cancel button 654 are further displayed.
The one-time password text box 651 is a text box that displays a one-time password. The re-input text box 652 is a text box for re-inputting the one-time password.
The user re-enters the one-time password in the re-entry text box 652, and then clicks the destruction command button 653. As a result, the destruction command related to the storage device of the designated terminal is executed. When the user clicks a cancel button 654, a series of destruction command operations are canceled and the process ends.

FIG. 8 is a sequence diagram showing the operation of the destruction command.
First, the registration terminal 5 displays a menu (not shown) of the remote execution control service in order for the user to apply for the remote control execution service (sequence Q30).
When the user selects “destruction command” from the menu, the registration terminal 5 acquires user identification information by the destruction command dialog 63, acquires authentication information from the reading device 58, and displays the destruction command dialog 64. Then, the destruction instruction, the user identification information and the authentication information are transmitted to the management server 1 (sequence Q31). Authentication information is not limited to fingerprint authentication, but if it is obtained by biometric authentication such as iris authentication or finger vein authentication, it can be confirmed that the user is a legitimate user, and the password is stored by the user. The effect of preventing spoofing is also high.

  The management server 1 searches the user database 161 to check whether the received user identification information and authentication information have been registered (sequence Q32). Here, since the user identification information and the authentication information are already registered in the user database 161, the management server 1 acquires the terminal identification information from the user database 161 and generates a one-time password that is valid for a predetermined time. The one-time password and terminal identification information are transmitted to registration terminal 5 (sequence Q33).

  Here, when the user identification information and the authentication information are not registered in the user database 161, or when the user identification information and the authentication information are registered but do not match (not shown), the one-time password is used. Is not generated, and the management server 1 transmits error information to the registration terminal 5. The registration terminal 5 displays this error information on the display 54. When a predetermined number of consecutive errors have occurred, the management server 1 cannot accept processing relating to user identification information in which an error has occurred over a predetermined period. As a result, it is possible to prevent a user who does not have proper authority from issuing a destruction command illegally.

  After the sequence Q33, the registration terminal 5 displays the one-time password by the destruction command dialog 65 and waits for input (sequence Q34). The user re-enters the same password as the displayed one-time password in re-entry text box 652 (sequence Q35). Registered terminal 5 transmits the input password and terminal identification information to management server 1 (sequence Q36).

  When the one-time password received from the registration terminal 5 matches the one-time password generated within a predetermined time, the management server 1 records the current date and time in the destruction information database 162 as the destruction command issue date and waits for destruction. (Sequence Q37). Note that if a predetermined time has elapsed after generating the one-time password, the management server 1 does not enter the phase of waiting for destruction even if the one-time password is received from the registration terminal 5. As a result, it is possible to suppress an illegal destruction command due to leakage of the one-time password.

  In order to avoid execution of a destruction command due to incorrect selection of terminal identification information, before selecting a destruction command from the menu, the remote control tool 361 is executed on the terminal to be excluded from the destruction command, It may be configured to be temporarily excluded from the destruction target by transmitting the terminal identification information that is not the destruction target and the one-time password displayed on the registration terminal 5. In this case, the management server 1 that has received the terminal identification information of the terminal selected for destruction by the registered terminal 5 confirms that the terminal identification information has been specified to be excluded. Returns error information.

<< Destruction command execution phase >>
In the destruction command execution phase, the management server 1 registers terminal identification information indicating the terminal that executes the destruction command as a password for accessing the destruction information database 162, and associates and registers the destruction command code. The destruction instruction code indicates the timing of executing the destruction, and indicates whether the user wants to destroy immediately or destroys after the death of the user.
When smartphone 3 is connected to the network, a data link with management server 1 is established (sequence Q40). The CPU 31 of the smartphone 3 uses the remote control tool 361 to access the destruction information database 162 of the management server 1 every predetermined time including when the power is turned on. The CPU 31 of the smartphone 3 transmits terminal identification information to the management server 1 by executing the remote control tool 361. The management server 1 searches whether the received terminal identification information is stored in the destruction information database 162. Here, since the terminal identification information of the smartphone 3 is registered in the destruction information database 162, the destruction instruction code and the terminal identification information are transmitted to the smartphone 3 (sequence Q41), and the date and time when the destruction instruction code is received is indicated in the destruction information database. 162.

When the CPU 31 of the smartphone 3 receives the destruction instruction code by executing the remote control tool 361, the CPU 31 checks whether the registration completion signal has been received. If the registration completion signal has been received, check the destruction command code. Here, since the destruction instruction code is immediate destruction, the CPU 31 of the smartphone 3 acquires the identification information and activation count information of the storage device (flash memory 36) (sequence Q42) and executes the destruction of the storage device (flash memory 36). (Sequence Q43). This makes it impossible to access information stored in the flash memory 36.
The CPU 31 of the smartphone 3 transmits the execution result of the destruction process and information on the storage device to the management server 1 (sequence Q44), and the management server 1 notifies the execution result of the destruction process to the person by mail (sequence). Q45). Thereby, the CPU 41 of the customer terminal 4 can confirm the result of the destruction process by executing the e-mail program 461.

  There are various methods for destroying the storage device, such as destroying it in a hardware unreadable state, or erasing data with software. It is not limited. The flash memory can be destroyed in a short time by adding a booster circuit and applying a high voltage to the memory chip. Also, in HDDs, the magnetic information is erased by heating above the Curie temperature, and the platter rotation speed is controlled so that the head does not float up. By doing so, it can be destroyed in a short time. According to such a method for instantaneously destroying the storage device of the terminal, the safety of information leakage is further enhanced as compared with data erasure by software or the like.

Although the state recorded in the execution phase of the destruction information database 162 indicates “command issuance” of “1”, the power supply of the smartphone 3 is switched between the management server 1 and the smartphone 3 within a predetermined period. A case where a data link cannot be established is considered.
For example, if the smartphone 3 to be destroyed is in a power-off state, the destruction command cannot be acquired from the management server 1 or received via the base station 22. This smartphone 3 is in a situation where the power is not turned on or radio waves do not reach. The base station 22 notifies the management server 1 of this information. The management server 1 records this information as log information in the destruction information database 162.

Thereafter, when the smartphone 3 is powered on, the remote control tool 361 is automatically activated. The smartphone 3 receives the destruction command at the timing of accessing the destruction information database 162 of the management server 1 or the communication timing via the base station 22 and transmits the execution result to the management server 1.
In this case, the management server 1 stores the date and time information of execution completion in the destruction information database 162 and the destination of the registered terminal 5 requested to be destroyed and the customer terminal 4 registered in the notification destination notified to the user when execution is completed. Notify by e-mail.
In addition, when the smartphone 3 cannot acquire the destruction command (when it does not shift to command reception), the destruction command may be canceled because the remote control service cannot be executed within a predetermined period. As a result, it is possible to interrupt the service when it is in the middle of the destruction command when the predetermined period is exceeded, and to correctly inform the user that it is difficult to provide the destruction service.

FIGS. 9A and 9B are diagrams illustrating examples of execution results of the destruction command.
The received mail window 66 shown in FIG. 9A describes the result of destroying the registered storage device. The received mail window 66 is displayed on the display 44 of the customer terminal 4.
In the received mail window 66, the identification information of the storage device at the time of registration and the identification information of the storage device at the time of destruction are described so as to be comparable. Here, the identification information of the storage device at the time of registration and the identification information of the storage device at the time of destruction are the same, and the storage device intended by the user can be destroyed.
The received mail window 66 further describes that the number of activations of the storage device and the number of activations of the smartphone 3 can be compared. Here, the number of activations of the storage device and the number of activations of the smartphone 3 are the same, and it can be confirmed that the storage device (flash memory 36) is not connected to any device other than the smartphone 3.

In the received mail window 67 shown in FIG. 9B, the result of destruction of the storage device different from that at the time of registration is described.
In the received mail window 66, the identification information of the storage device at the time of registration and the identification information of the storage device at the time of destruction are described so as to be comparable. Here, the identification information of the storage device at the time of registration is different from the identification information of the storage device at the time of destruction, indicating that a storage device different from the one intended by the user has been destroyed.
The received mail window 66 further describes that the number of activations of the storage device and the number of activations of the smartphone 3 can be compared. Here, since the storage devices are replaced, the number of activations of the storage device is different from the number of activations of the smartphone 3.

  In some cases, after the storage device of the terminal is removed, the storage device is copied by being connected to another terminal, and is connected to the original terminal again. Also in this case, information stored in the storage device leaks. In the received mail window 66 of the first embodiment, the number of activations of the storage device and the number of activations of the smartphone 3 are described so as to be comparable. This makes it possible to detect that the storage device has been connected to another terminal and started up.

<< When SIM is removed or changed >>
It is conceivable that the smartphone 3 is stolen and the theft person removes or changes the SIM of the smartphone 3. At this time, communication with the carrier network cannot be performed, and therefore there is a possibility that the destruction instruction of the management server 1 cannot be received. In this case, the smartphone 3 may destroy the storage device itself, triggered by removal or change of the SIM.

FIG. 10 is a flowchart showing SIM monitoring processing by the smartphone 3.
When the power of the smartphone 3 is turned on, the remote control tool 361 is activated and the SIM monitoring process is started.
If the CPU 31 of the smartphone 3 determines that the ID of the SIM 371 has not been stored (step S10 → No), it stores this ID in the flash memory 36 (step S11). The SIM 371 stored here is referred to as a regular SIM 371.
The CPU 31 compares the stored regular SIM 371 ID with the current SIM 371 ID to determine the SIM change (step S12).

If the SIM has been removed or changed, the CPU 31 displays a message prompting the user to install the SIM 371 that was originally mounted, and starts a monitoring timer to count down for a predetermined time (step S13). Even if the power is turned on again after the power is turned off in order to attach the regular SIM 371, the monitoring timer is continuously counted. Only when a regular SIM 371 is mounted, the monitoring timer is initialized. Thereby, the avoidance operation state due to the time reset of the regular SIM 371 monitoring by repeatedly turning on and off the information processing apparatus does not occur.
If the predetermined time has elapsed (step S14 → Yes), the CPU 31 acquires information such as the serial number and the number of activations of the flash memory 36 as a storage device (step S15), and destroys the flash memory 36 (step S15). Step S16). The CPU 31 further transmits the execution result to the management server 1 via the WiFi communication unit 35 (step S17), and ends the process of FIG.

FIG. 11 is a sequence diagram showing the storage device destruction operation when the SIM 371 is replaced.
After the smartphone 3 is stolen by an unauthorized user, the SIM 371 is replaced (sequence Q50). When the power of the smartphone 3 is turned on, the remote control tool 361 is activated to detect a change in the SIM 371 (sequence Q51), and executes a countdown for a predetermined time (sequence Q52).
When a predetermined time elapses with the regular SIM 371 not attached (sequence Q61), the smartphone 3 acquires information on the flash memory 36 as a storage device (sequence Q62), and then executes destruction of the flash memory 36 ( Sequence Q63).
Thereafter, the smartphone 3 transmits the execution result of destruction of the flash memory 36 to the management server 1 (sequence Q64). Management server 1 transmits the execution result to customer terminal 4 by transmitting the execution result to the notification destination mail address (sequence Q65). When the user activates the e-mail program 461 of the customer terminal 4 and receives the execution result e-mail, the execution result is notified to the user (sequence Q66).

  In addition, when a user changes registration to another SIM as a regular SIM 371, a destruction hold instruction is transmitted to the smartphone 3 through the registration information change menu, and after the smartphone 3 reads and updates the ID of the new SIM, The update completion may be transmitted to the management server 1. At this time, the management server 1 returns the execution phase of the destruction information database 162 to the state before the destruction suspension by receiving the update completion.

<< Second Embodiment >>
In the first embodiment, when a user performs user registration of the remote execution control service and wants to execute destruction, a target information processing apparatus is specified and a destruction instruction is executed. In the second embodiment, the storage device can be destroyed under a predetermined condition set in advance by the user. Specifically, when the user dies, the user wants to destroy all the storage devices included in the information processing device by the remote execution control service of the registered information processing device.
Here, a mode in which a network-connected storage device called NAS (Network Attached Storage) is destroyed after the user dies will be described.

FIG. 12 is a schematic configuration diagram showing a remote destruction system S in the second embodiment. The same elements as those in the remote destruction system S shown in FIG.
The remote destruction system S of the second embodiment includes a NAS 9 instead of the smartphone 3 of the first embodiment, and further includes a death management server 7 and a death information monitoring server 8.
The death management server 7 is, for example, a privately-linked service of an administrative organization, corresponds to the My Portal / My Government of the My Number system, and is a server that manages the life / death information of users.
The death information monitoring server 8 (second device) is a server that monitors whether or not the death information of the user is registered in the death management server 7. When the death information monitoring server 8 acquires the death information of the owner of the NAS 9 from the portal site of the My Number system, the death information monitoring server 8 instructs the management server 1 to destroy the storage device included in the NAS 9.
The NAS 9 (first device) is an external storage device that is directly connected to a network and can be accessed via a network from a computer, a smartphone, or the like.

FIG. 13A is a configuration diagram of the death management server 7.
The death management server 7 includes a CPU 71, a RAM 72, a ROM 73, a display 74, a communication unit 75, and an HDD 76 that stores a life / death database 77. The CPU 71, RAM 72, ROM 73, display 74, and communication unit 75 have the same functions as the CPU 51, RAM 52, ROM 53, display 54, and communication unit 55 provided in the registration terminal 5.
The life / death database 77 is a database for storing life / death information of each user. Based on the user's death report, life / death information of the user is registered in the life / death database 77.

FIG. 13B is a configuration diagram of the death information monitoring server 8.
The death information monitoring server 8 includes a CPU 81, a RAM 82, a ROM 83, a display 84, a communication unit 85, an HDD 86 that stores a registration monitoring program 87 and a monitoring subject database 88. The CPU 81, RAM 82, ROM 83, display 84, and communication unit 85 have the same functions as the CPU 51, RAM 52, ROM 53, display 54, and communication unit 55 provided in the registration terminal 5.
The CPU 81 accesses the death management server 7 by executing the registration monitoring program 87 and monitors the presence / absence of the death information of the user.
The monitoring target person database 88 is a database for storing a target person who monitors the presence or absence of death information.

FIG. 14 is a configuration diagram of the NAS 9.
The NAS 9 includes a CPU 91, a RAM 92, a ROM 93, a communication unit 95, an HDD 96, a flash memory 97 in which an HDD management program 971 and a remote control program 972 are stored. The CPU 91, RAM 92, ROM 93, and communication unit 95 have the same functions as the CPU 51, RAM 52, ROM 53, and communication unit 55 provided in the registration terminal 5.
The HDD 96 is a non-volatile storage device that stores data and programs.
The HDD management program 971 is executed by the CPU 91 to embody a function that makes the HDD 96 accessible from an external device via a network.
The remote control program 972 is executed by the CPU 91 and embodies a function of destroying the flash memory 36 in response to a destruction command from the management server 1.

  As in the first embodiment, the user performs initial setting in the initial setting phase, registers user identification information, authentication information, terminal identification information, and the like in the management server 1. The terminal identification information is stored in the information processing terminal. Is memorized.

FIG. 15A is a diagram showing the configuration of the user database 161A.
The user database 161A has a configuration similar to that of the user database 161 (see FIG. 4A) of the first embodiment, and further includes a survivor notification destination column. The survivor notification address stores the mail address of the user's survivor. In the initial setting phase, the user inputs the survivor's email address in addition to the user's email address, and the survivor's email address is stored in the survivor notification address field.

  After the initial setting, in the destruction command phase, the user operates the registration terminal 5 to set the registration flag, which is a condition for executing the destruction command, to “destruction after death”. If it is set to destruction after death, it is executed for the information processing apparatus designated by the death information of the user.

FIG. 15B is a diagram showing the configuration of the destruction information database 162A.
The destruction information database 162A is configured in the same manner as the destruction information database 162 (see FIG. 4B) of the first embodiment.
Here, since it is a destruction command for the HDD 96 of the NAS 9, “Taro NAS — 54321” is stored in the terminal identification information. Since this HDD 96 is destroyed when the user dies, “9999” is stored in the remote control information.

<< Collecting and monitoring user information >>
FIG. 16 is a sequence diagram showing a destructive operation at the time of death.
Here, the registration flag associated with the terminal identification information registered in the user database 161A is set to “9999” indicating destruction after death.
When the bereaved family submits the death notice of the user to My Portal / My Government (sequence Q70), the life / death information 77 of the user is registered in the life / death database 77 of the death management server 7 related to My Portal / My Government. (Sequence Q70).
Death management server 7 notifies death information monitoring server 8 of the fact of the user's death (sequence Q71). The death information monitoring server 8 accesses the my portal / my government in a predetermined cycle (for example, every day) and monitors the death information of the user.

Death information monitoring server 8 notifies the death of the user to management server 1 (sequence Q72). In the death information monitoring server 8, address information of the management server 1 and login information to the management server 1 are registered.
The management server 1 specifies a terminal (storage device) to be destroyed when the user dies (sequence Q73), and thereafter proceeds to the destruction command execution phase.

<< Destruction command execution phase >>
Management server 1 transmits a destruction command and terminal identification information to NAS 9 (sequence Q74). When the CPU 91 of the NAS 9 receives the destruction instruction code by executing the remote control program 972, it confirms whether the registration completion signal has been received. If the registration completion signal has been received, check the destruction command code. Here, since the destruction command code is destruction at the time of death, the CPU 91 of the NAS 9 acquires the identification information and the activation count information of the storage device (HDD 96) (sequence Q75), and executes the destruction of the storage device (HDD 96) (sequence Q76). ). This makes it impossible to access information stored in the HDD 96.

The CPU 91 of the NAS 9 transmits the execution result of the destruction process and the storage device information to the management server 1 (sequence Q77), and the management server 1 notifies the execution result of the destruction process to the bereaved family by mail (sequence Q78). ). As a result, the bereaved family can confirm the result of the destruction process.
(Modification)
The present invention is not limited to the above-described embodiment, and can be modified without departing from the spirit of the present invention. For example, there are the following (a) to (d).
(A) The present invention is not limited to smartphones and NAS, but also targets stationary computers such as desktop personal computers and portable personal computers such as notebook personal computers. Further, it may be a mobile device such as a tablet or a mobile phone that is smaller than a personal computer.

(B) The smartphone 3 may have a function of displaying information on the addressee after the destruction process. Thereby, the destination of the smartphone 3 can be known in the destruction processing of the smartphone 3, and in the case of loss, the user can be relieved by collecting the destroyed terminal. The delivery destination of the smartphone 3 may be a remote control execution service provider, for example.

(C) In the first embodiment, the smartphone 3 acquires and confirms the presence / absence of information on the destruction command in the management server 1. However, the present invention is not limited to this, and the management server 1 may transmit a destruction command by wired communication or wireless communication, and the smartphone 3 may receive the relay command via the relay station or the base station 22. When the smartphone 3 receives the terminal identification information and the destruction command, the date and time information when the destruction command is received is transmitted to the management server 1 to destroy the flash memory 36 included in the smartphone 3. When the flash memory 36 becomes unreadable, the smartphone 3 transmits the execution result to the management server 1, and the management server 1 notifies the execution result to the mail address of the person. The user can know the time, execution time, and execution result when the smartphone 3 receives the command from the notification mail from the management server 1, and whether or not the flash memory 36 of the designated smartphone 3 is surely destroyed. I can know.

(D) When the NAS is configured with a plurality of HDDs by mirroring or the like, the removal of the HDDs may be monitored. As a result, if the HDD is removed and the information is copied to another HDD and then returned to the NAS, the NAS information is copied to the other when all the HDDs constituting the NAS are destroyed. The possibility of being able to know by notification mail.

S Remote Destruction System 1 Management Server 161 User Database 162 Destruction Information Database 21 Router 22 Base Station 3 Smartphone 35 WiFi Communication Unit 36 Flash Memory 361 Remote Control Tool 37 3G Communication Unit 371 SIM
4 Customer terminal 461 E-mail program 5 Registration terminal 561 Remote control software 7 Death management server 77 Life / death database 8 Death information monitoring server 87 Registration monitoring program 88 Monitored person database 9 NAS
96 HDD
972 Remote control program

Claims (9)

A management device communicably connected to the network;
A first device that is communicable with the management device via the network, and includes a storage device, and remote control means for controlling the storage device according to a command from the management device;
A second device that is communicable with the management device via the network and comprises command means for commanding the management device;
A remote destruction system comprising:
The command means of the second device commands the management device to destroy the storage device provided in the first device,
The management device instructs the first device to destroy the storage device included in the first device;
The remote control means of the first device determines the destruction result after destroying the storage device included in the first device, and transmits the destruction result of the storage device to the management device via the network.
A remote destruction system for storage devices. The management device further transmits a result of destruction of the storage device included in the first device to an email address of the owner of the first device.
The remote destruction system for a storage device according to claim 1. When the management device receives the same one-time password from the command device of the second device after transmitting the one-time password to the command device of the second device, the management device receives the same one-time password from the command device of the second device. To accept and execute
The remote destruction system for a storage device according to claim 2. When the second device acquires the death information of the owner of the first device from the portal site of the My Number system, it instructs the management device to destroy the storage device provided in the first device.
The remote destruction system for a storage device according to claim 1. The management device further transmits a result of destruction of the storage device included in the first device to a mail address of a bereaved family of the owner of the first device.
The remote destruction system for a storage device according to claim 4. The remote control unit of the first device monitors whether or not the storage device included in the first device is replaced,
After destroying the storage device included in the first device, the destruction result of the storage device and the presence or absence of replacement are transmitted to the management device.
The remote destruction system for a storage device according to claim 1. The remote control unit of the first device monitors the presence or absence of replacement based on the identification information of the storage device included in the first device.
The remote destruction system for a storage device according to claim 6. The remote control unit of the first device monitors the presence / absence of replacement of the storage device included in the first device based on the startup number information of the first device and the startup number information of the storage device included in the first device.
The remote destruction system for a storage device according to claim 6. A management device communicably connected to the network;
A first device that is communicable with the management device via the network, and includes a storage device, and remote control means for controlling the storage device according to a command from the management device;
A second device that is communicable with the management device via the network and comprises command means for commanding the management device;
A remote destruction method executed by a remote destruction system comprising:
The command means of the second device commands the management device to destroy the storage device provided in the first device;
The management device instructs the first device to destroy the storage device included in the first device;
The remote control means of the first device determines the destruction result after destroying the storage device included in the first device, and transmits the destruction result of the storage device to the management device via the network;
A method for remotely destroying a storage device, comprising:

Images