WO2008001375A2 - Tamper-resistant identification device - Google Patents


Publication number
WO2008001375A2
Authority
WO
WIPO (PCT)
Prior art keywords
identification
housing
service
control unit
housing section
Application number
PCT/IL2007/000793
Other languages
French (fr)
Other versions
WO2008001375A3 (en
Inventor
Ido Roseman
Lior Yehoshua
Avidan Gabai
Michael Librus
Original Assignee
Roseman Engineering Ltd.
Application filed by Roseman Engineering Ltd.


Classifications

    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01V GEOPHYSICS; GRAVITATIONAL MEASUREMENTS; DETECTING MASSES OR OBJECTS; TAGS
    • G01V15/00 Tags attached to, or associated with, an object, in order to enable detection of the object
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/073 Special arrangements for circuits, e.g. for protecting identification code in memory
    • G06K19/07309 Means for preventing undesired reading or writing from or onto record carriers
    • G06K19/07372 Means for preventing undesired reading or writing from or onto record carriers by detecting tampering with the circuit
    • G06K19/07381 Means for preventing undesired reading or writing from or onto record carriers by detecting tampering with the circuit with deactivation or otherwise incapacitation of at least a part of the circuit upon detected tampering

Definitions

  • the present invention relates to identification devices, and, more particularly, to a tamper-resistant identification device.
  • an identification device which provides identification for a specific object. Such a device can be attached to the specific object and serve to identify that particular object for various purposes.
  • the term “item” is used herein to denote such an object for which identification and related services are desired.
  • the term “identification” herein denotes providing information about an item, including, but not limited to properties, attributes, associations, relationships, and so forth.
  • an identification device can be attached to a vehicle (i.e., the "item” is a vehicle) for identifying that vehicle and any of the following associated information: model and serial number; registration information; owner, odometer reading; and financial account information related to that vehicle's operation and maintenance, such as billing/payment account numbers for fueling the vehicle.
  • Certain identification devices provide identification information in electronic form without requiring contact or connection to the identification devices.
  • a "Radio-Frequency Identification” (RFID) device communicates with an external device, herein denoted as a “scanning unit", which can be located at a distance from the RFID device.
  • the scanning unit typically transmits a radio frequency query to the identification device, which receives the query and responds thereto by transmitting a suitable response back to the scanning unit with the desired information.
  • the scanning unit can be coupled to a fueling system and the identification device can be installed on a vehicle (once again, in this example, the "item" is a vehicle) to respond with billing/payment account information for a fueling operation on that vehicle. In this fashion, fueling the vehicle can be expedited and made easier by eliminating the need for traditional payment by cash or payment card; instead of requiring the driver of the vehicle to pay or arrange for billing in a separate step, the billing can be handled automatically by a system connected to the scanning unit, based on billing/payment account information received from the RFID device.
  • Roseman '719 discloses a method and device for providing anti-theft protection for an electrical device installed on a body, such as a vehicle, by fixing to the body an electrical chip having a unique identification number identifying the body, electrically connecting the electrical device to the electrical chip in a manner such that removal of the electrical device from the body automatically interrupts the electrical connection of the electrical device to the electrical chip, and disabling the operation of the electrical device whenever its electrical connection to the chip is interrupted.
  • Dayan discloses an anti-tampering system for an identification ID component, the system consisting of an ID component housing, for attaching to a surface, a structurally weak region in the housing, and an ID component circuit including the ID component, at least a portion of the circuit being disposed substantially within the structurally weak region, such that a force applied to remove the housing from the surface deactivates the ID component circuit.
  • Patent publications relate to tamper-resistant devices and methods: European Patent Application No. 0509567; US Patent Nos. 6,895,509; 6,982,642; and 5,998,867.
  • a tamper-resistant identification device which can be installed on an item without the use of tools (e.g. screws or other fasteners that require holes or penetration in the item) or special installation process (e.g. installation of the ID device at hidden places on the item, such as inner side of a vehicle chassis).
  • a tamper-resistant identification device which can be installed on an outer side of an item.
  • a tamper-resistant identification device which has a high degree of tamper-resistance, both prior to installation as well as after installation.
  • the term “service” herein denotes any services which are rendered to the item which is identified by the identification device.
  • Non-limiting examples include: fueling (the “service”) of a vehicle (the “item”); and delivery (the “service”) of a package (the “item”).
  • the identification device facilitates the service by providing identification information, non-limiting examples of which include: the billing/payment financial account data for fueling a vehicle; and source-destination and billing/payment financial account data for delivering a package.
  • a tamper-resistant identification device for identifying an item to facilitate a service, comprising: an ID element configured for storing identification data; a control unit operative to facilitate the service only in response to receiving the identification data; a housing comprising a first housing section and a second housing section; a coupling electro-magnetic circuit for coupling at least the control unit and the ID element, the electro-magnetic circuit is designed to open in case the first or second housing section are displaced with respect to each other.
  • a tamper-resistant identification method for identifying an item to facilitate a service by an identification device fixed to the item, the method comprising: providing an ID element operable for storing identification data and a control unit operable for facilitating the service only in response to receiving the identification data; housing at least the control unit and the ID element in a housing including at least a first section and a second section, coupling at least the ID element and the control unit by an electro-magnetic circuit that is designed to open in case the first housing section or the second housing section are relatively displaced with respect to each other; and servicing the item by operating the control unit.
  • a method for operating an identification device having a control unit operable for facilitating a service comprising: providing an ID element operable for storing identification data and coupling at least the ID element and the control unit by an electromagnetic circuit that is designed to open in case a first section of the device and a second section of the device, are relatively displaced with respect to each other; switching the device from Inactive Mode to Standby Mode, in response to an activation attempt from an external device; switching the device from Standby Mode to Service Mode, in response to a request from an external device, only if the identification data stored on the ID element is substantially continuously available to the control unit.
  • a method for protecting an identification device having an ID element operable for storing identification data comprising: housing at least a control unit and the ID element in a housing including at least a first section and a second section, and coupling at least the ID element and the control unit by an electro-magnetic circuit that is designed to open in case the first housing section or the second housing section are relatively displaced with respect to each other; and configuring the control unit to perform one of the following in case the electro-magnetic circuit is opened: erasing identification information stored on the ID element; writing over the identification information stored on the ID element; electrically shutting the identification device down; obstructing the identification device from operating at a Service
  • FIGS. 1A and 1B are conceptual block diagrams of identification devices according to embodiments of the present invention.
  • Figure 2A is an isometric external view of a housing of an identification device according to an embodiment of the present invention.
  • Figure 2B is an exploded isometric view of the housing of Figure 2A;
  • Figure 3 is an internal cross-section of the housing of an identification device according to an embodiment of the present invention prior to installation;
  • FIGS. 4A-4B, 5A-5B, 6A-6B and 7A-7B are more detailed diagrams of an identification device according to an embodiment of the present invention.
  • Figure 8 is a transition state-change diagram illustrating the operating modes of an identification device according to an embodiment of the present invention.
  • Figure 9 is a flow diagram of a sequence of operations carried out in accordance with an embodiment of the present invention.
  • Figure 10 is another flow diagram of a sequence of operations carried out in accordance with an embodiment of the present invention.
  • FIG. 1 is a conceptual block diagram of an identification device 101 according to an embodiment of the present invention.
  • Identification device 101 has two logically-distinct and separate components: a control unit, herein denoted as a control/processing/communications unit (CPCU) 103, and an ID element 107. These two components, although logically distinct and separate, are communicatively coupled to each other.
  • the term "communicatively coupled” herein denotes the ability to actively pass data from one to the other, such as for reading and writing.
  • CPCU 103 contains operating parameters module 105 which is configured for storing operating parameters and for reading information data stored on ID element 107 and relating to one or more operation parameters.
  • CPCU may contain resources including, but not limited to: a radio transceiver capable of transmitting and receiving data; an antenna; a real-time clock-calendar; settable timers and watchdog timers; settable counters; analog-digital and digital-analog converters; a data/arithmetic processor, such as a microprocessor or dedicated microcontroller; data storage; data modem; data coder; random number generator; and a cryptographic unit for symmetrical cryptography and/or asymmetrical (public key) cryptography (not illustrated in Fig. 1).
  • ID element 107 contains identification information storage 109, which may include, but is not limited to: information about the item to be identified, such as model number, serial number, date of manufacture, ownership and/or registration number, insurance, and other parameters and attributes; fuel type authorization codes (for vehicles); authorized service codes; and financial identification data and financial information related to the services which are to be facilitated, such as billing/payment account numbers, credit numbers, bank account numbers, transaction limitation codes, service limitation codes.
  • identification information storage 109 is encrypted and/or authenticated, such as by public key signatures.
  • Identification information 109 is initially set up in ID element 107 when identification device 101 is in a "Programming Mode". In this mode, an external device or system programs identification information 109 into ID element 107 via CPCU 103 through interface 127 in a write operation. Identification data supplied by the external device may be encrypted and/or authenticated; CPCU 103 can also apply additional layers of cryptographic protection and/or authentication.
  • identification device 101 provides information including identification information 109 to an external device for facilitating a service.
  • the required information is provided upon request via CPCU 103, which reads identification information 109 from ID element 107 via an interface 127.
  • CPCU 103 is operable for providing the required information only if reading identification information from ID element 107 is successful.
  • CPCU 103 is operable for reading the identification information periodically, e.g. during Standby Mode or Service Mode (see further below). If the reading fails, the information required by the external device for facilitating the service is not provided.
  • the operation of device 101 is shut down.
  • identification information 109 is encrypted and/or authenticated.
  • CPCU 103 can certify that identification information 109 is authentic by validating the digital signature thereof.
  • CPCU 103 can also validate itself to an external scanning device in a similar fashion. This mode of providing identification information is referred to as the "Service Mode", and is discussed additionally below.
  • the active parts of the device itself do not have to be physically damaged during an attempted tampering in order to render the device inoperative (although physical damage may certainly occur).
  • the terms "block”, “erase”, “erasure”, “erasing”, and so forth, as applied to data storage herein denote any blockage or alteration of the data storage to cause permanent, irretrievable loss of the data through means including, but not limited to overwriting of the data, clearing of the data, and initializing the data storage.
  • the process of "erasing" data as defined herein is sometimes referred to as "wiping" data storage, to signify that the erased data is completely non-recoverable from the storage.
  • deactivating identification device 101 can be achieved by interrupting interface 127 and thereby terminating the communicative coupling between CPCU 103 and ID element 107 (e.g. disconnecting the data line/electrical connection between storage 109 and module 105).
  • In an embodiment of the present invention, all sensitive identification data is contained in identification information 109, without which identification device 101 cannot provide any information. In this embodiment, therefore, identification device
  • ID element 107 is deactivated by electrically (or magnetically) causing ID element 107 to block or erase identification information 109.
  • CPCU 103 imposes a predetermined time-out period for reading identification information from ID element 107, such that if ID element 107 does not respond with valid identification information 109 within a predetermined time-out period, CPCU 103 terminates the communicative coupling between CPCU 103 and ID element 107 to deactivate identification device 101.
  • the blockage/erasure of identification information 109 is performed by changing the configuration of switches which provide electrical power to ID element 107 in response to an attempted tampering attack on identification device 101.
  • the erasure of identification information 109 is performed by CPCU 103, such as by a deliberate overwrite of identification information 109 in ID element 107 with meaningless data (e.g., all zeros) via interface 127.
  • control unit CPCU 103 to be able to facilitate a service to the identified item if and only if both of the following conditions are met:
    • CPCU 103 is communicatively coupled to ID element 107; and
    • ID element 107 contains valid identification information 109 related to the
  • CPCU 103 is not able to facilitate the service, and identification device 101 is said to be "deactivated”.
  • CPCU 103 and ID element 107 are active devices, and in an embodiment of the present invention receive electrical power for operation independently of each other. In this manner, it is possible for ID element 107 to receive electrical power at the same time as CPCU 103 is not receiving full power.
  • Figure 1 shows an embodiment of the present invention whereby this separate power is supplied by a single voltage source 111, and whereby the independent supply of power is governed by a switch 117 to CPCU 103 and switches 119 and 121 to ID element 107.
  • optional diodes 113 and 115 further guarantee the electrical independence of CPCU 103 and ID element 107.
  • CPCU 103 always receives some power, even when switch 117 is open. This minimal power keeps CPCU 103 in a low power-consumption listening state, and allows CPCU 103 to activate switch 117 electronically when necessary for full operation (switch 117 can be implemented with an electronic device, such as a power switching transistor or other power control component).
  • the low power-consumption listening state is used in the Inactive Mode to detect activation attempts from external devices that seek to communicate with an available identification device, after which the identification device switches into the Standby Mode, as discussed in more detail below. For example, in the low power-consumption listening state, CPCU 103 "listens" for query input from a remote RFID scanner. When a remote scanner interrogates identification device 101, CPCU 103 (in the low power-consumption listening state) detects the interrogation and automatically activates switch 117 to provide full power for responding to the query with data processing and transmitting operations.
  • when switches 117, 119 and 121 are closed and ID element 107 is receiving power, the identification device is in "Standby Mode", "Programming Mode" or "Service Mode", as discussed in further detail below.
  • Figure 1A illustrates an embodiment of the present invention whereby there is a multiplicity of switches in series for supplying power. In this case, two switches, switches 119 and 121, are illustrated to show the series concept. In other embodiments, more than two switches are used. These switches are normally closed, so that electrical power is continuously supplied to ID element 107. (In Figure 1A, switches 119 and 121 are shown as open for clarity.) Switches 119 and 121 are proximity switches, several embodiments of which are discussed below with respect to Figs.
  • Switches 119 and 121 are designed to open in response to tampering attempts (this would be discussed in detail with respect to Figs. 2A-2B). In the absence of tampering, switches 119 and 121 are closed so that power is normally applied to ID element 107.
  • ID element 107 is a volatile memory device capable of storing data only so long as electrical power is applied. In this embodiment, when electrical power is disconnected, all data is lost.
  • when proximity switch 119 detects attempted tampering, proximity switch 119 opens and removes electrical power from ID element 107, thereby erasing identification information 109.
  • identification device 101 requires identification information 109 for functioning, and is thereby disabled and deactivated by the tampering.
  • an optional resistor 125 bleeds off any stored charge in ID element 107 to assure rapid data loss.
  • resistor 125 has a high value of resistance to minimize power drain. With a suitable value of resistor 125, data loss can be fast, while still allowing suitably-long battery life.
  • Figure 1A illustrates proximity switches 119 and 121 as being of the SPST configuration.
  • proximity switches are of the SPDT configuration, with one throw connected to ground such that the power input to ID element 107 is grounded when any proximity switch detects tampering, causing immediate erasure of identification information 109. In this particular embodiment, therefore, resistor 125 is unnecessary and is not used.
  • the SPDT proximity switch configuration is also discussed and illustrated below in the case of the magnetic reed proximity switch (Figure 5A and Figure 5B).
  • identification information 109 is erased by turning electrical power on to a specific hardware input of ID element 107, instead of turning power off.
  • the electrical circuitry was illustrated as separated from the control unit 109. It should be understood by anyone skilled in the art that the electrical circuitry could be integrated with the control unit 109, e.g. on the same PCB (Printed Circuit Board). It should also be understood that the ID element 107 could be powered via the control unit 109. This is illustrated in Fig. 1B. According to the embodiment illustrated in Fig. 1B, physical disconnection of the electrical connection between the control unit 109 and the ID component 107 will block reading of information data stored on the ID element by the control unit 109.
  • control unit includes additional components which were not illustrated in Fig. 1A for ease of understanding.
  • One such component is an antenna, which is also housed within the housing (e.g. surrounding the battery and the PCB that carries the circuitry of the control unit).
  • FIG 2A is an isometric external view of the housing of an identification device according to an embodiment of the present invention.
  • a lateral housing section 201 surrounds the internal components of the identification device from all directions to the side, and a top housing section 203 covers the internal components from the top (optionally carrying e.g. the logo of the service company).
  • top housing section 203 is irremovably fastened to lateral housing section 201.
  • An underside area 202 is fitted with an adhesive layer 207 for attaching to the item which is to be identified by the identification device, so that when affixed to the item, the internal components of the identification device are not accessible from any direction. Part of an adhesive layer 207 is visible in Figure 2A. Another adhesive layer is visible in Figure 2B, as discussed below.
  • a removable protective film 204 protects the adhesive layers until the time of being affixed to the item.
  • Figure 2B is an exploded isometric view of the housing of Figure 2A, but with top housing section 203 removed and not shown.
  • the housing includes two physically distinct and separate sections that have no direct inherent mechanical or structural connection between them.
  • one such section is lateral housing section 201, and the other such section is a bottom housing section 205, which is shown in the exploded view of Figure 2B in a lowered position for clarity.
  • Adhesive layer 207 is in the shape of a ring, and bonds lateral housing section 201 to the surface of the item which is identified by the identification device.
  • an adhesive layer 209 is in the shape of a solid circle, and bonds bottom housing section 205 to the surface of the item.
  • housing sections 201 and 205 are supported by the adhesive layer 207 (and in case each section has its own layer, also by layer 209) together with the protective film 204.
  • the first section 201 and second section 205 are loosely supported by each other, e.g. by one or more stems extending from either section (or both), thereby providing loose physical connections between sections 201 and 205. The relative displacement (movement) of sections 201 and 205 with respect to each other is thus avoided during manufacture, storage, shipment, distribution and installation of the device.
  • the housing of the identification device has a predetermined surface for affixing to the identified item.
  • Figure 2A and Figure 2B illustrate an embodiment where the predetermined surface is the bottom, and the bottom is flat, for installation on an item that has a substantially plane surface.
  • the housing of the identification device has a curved bottom (conformal bottom), for installation on an item that has a correspondingly curved surface.
  • the housing of the identification device has a bottom that has a saddle-shaped curve.
  • the housing of the identification device is sealed so that there are no seams or joints accessible when the device is affixed to the item.
  • the housing is sealed in a manner defined in safety regulations and standards governing specific services and areas.
  • the housing which contains a battery is sealed and authorized for fueling services.
  • the terms “install”, “installing”, “installation”, and the like with regard to identification devices are herein intended to denote the complete process of setting up an identification device for use.
  • the terms “affix” and “affixing”, and the like with respect to identification devices are herein intended to denote the more limited act of physically attaching an identification device to an item that is to be identified.
  • the terms “activate”, “activating”, “activation”, and the like with respect to identification devices are herein intended to denote the more limited act of enabling an identification device that is affixed to a particular item for facilitating services related to that item.
  • installation implies both an affixing and an activation.
  • the attachment method is essentially limited to the use of a prepared adhesive layer.
  • adhesive layer herein denotes without limitation all configurations of adhesive layers intended to bond one object to another, including, but not limited to: homogeneous layers of adhesive materials; and heterogeneous layers, an outer surface of which has adhesive properties.
  • homogeneous adhesive layers include contact cements and the like.
  • heterogeneous adhesive layers include adhesive tapes and foams, particularly such tapes and foams both sides of which are adhesive.
  • identification device 101 has two logically-distinct and separate components: CPCU 103 and ID element 107.
  • CPCU 103 and ID element 107 are also physically distinct and separate, with no direct inherent mechanical or structural connection between them, and are connected only by an electro-magnetic circuit component.
  • Elements 103 and 107 are disposed within the housing according to the two physically-separate housing sections as detailed above.
  • CPCU 103 is attached to lateral housing section 201
  • ID element 107 is attached to bottom housing 205.
  • CPCU 103 and ID element 107 are physically-connected (such as integrated into the same physical chip). Even though integrated together, however, CPCU 103 and ID element 107 may still feature separate power connections according to previous embodiments as described.
  • identification device 101 (both CPCU 103 and ID element 107) is attached to bottom housing section 205. In that embodiment, a portion of the electrical circuit is accommodated in housing section 201. According to another embodiment of the invention, both CPCU 103 and ID element 107 are accommodated in housing section 201 and a portion of the electrical circuit is accommodated in housing section 205.
  • identification devices according to the present invention possess greater flexibility than those of the prior art, because there is no requirement that any component parts except for the electro-magnetic circuit coupling the ID element 107 with the CPCU 103 be physically damaged by attempted tampering.
  • all the circuitry is placed as far away as possible from the sides of the housing, such as on bottom housing section 205, to afford the maximum protection against tampering.
  • Figure 3 is an internal cross-section of the housing of an identification device according to an embodiment of the present invention prior to installation.
  • Lateral housing section 201 is seen in cross-section, and bottom housing section 205 is seen from directly above.
  • the protruding tab of protective film 204 is shown.
  • Spacers that maintain proper alignment of lateral housing section 201 and bottom housing section 205 prior to installation extend from section 201 or 205 or both. These are shown in Figure 3 as a spacer 313, a spacer 315, a spacer 317, and a spacer 319. It should be understood that the spacers do not form part of both sections. According to an embodiment of the invention, all spacers form part of housing section 201. The spacers thus provide loose support for housing section 205.
  • lateral housing section 201 and bottom housing section 205 are bonded to the surface of the item to be identified.
  • the spacers are merely repositioned into a different location within the housing, where they no longer maintain the relative spacing of lateral housing section 201 and bottom housing section 205.
  • These are non-limiting examples only; other configurations of spacers and alignment devices are also possible.
  • a set of proximity switches include proximity switch 119, proximity switch 120, proximity switch 121, and a proximity switch 122.
  • Proximity switch 119 and proximity switch 121 are shown schematically in Figure 1. According to an embodiment of the invention, only one or two switches are provided.
  • the switches are implemented on a PCB housed by section 201 and the ID element that is housed by section 205 is connected by an electrical cord to the PCB. It should be understood that the invention is not limited by the number of switches and the number of spacers. Specifically, the invention can be implemented with one or two switches (elements 119 and 121 shown in Figure 1A), without any spacer.
  • the design of the identification device is susceptible to tampering.
  • the control unit has to be interfered with, and the housing has to be opened.
  • the device is fixed to the item (e.g. a car)
  • tampering requires separation of the housing from the item.
  • the first and second housing sections will be displaced with respect to each other, and as a result, the electro-magnetic connection between the ID element and the control unit will be opened.
  • the structure of the housing is designed to encourage a removal attempt to be performed by pulling the housing in a direction that will cause the proximity switch (e.g. switch 119, 121 illustrated in Figures 1A and 1B) to open in response to a relatively weak force (e.g. a force caused by a hand pulling the housing away from the item, or by a thin blade of a knife).
  • the electronic circuit is cutoff in response to a tampering attempt, even when separation of one of the housing sections (or both) from the item is not accomplished.
  • the identification device and method of the present invention are not aimed at providing foolproof tampering resistance. It may be possible to separate the housing from the item without providing relative displacement of the housing sections (e.g. by using a suitable solvent for dissolving the adhesive). However, such an attempt requires special knowledge and equipment, and also time.
  • ID element and the control unit are coupled by an electro-magnetic circuit.
  • this circuit is a double cord circuit.
  • This double cord circuit is opened (e.g. one of the cords is torn) in response to a tampering attempt.
  • Figure 4A is a diagram of a closed contact proximity switch according to a first proximity switch embodiment of the present invention, shown in proper operating position.
  • Figure 4A shows proximity switch 119 implemented as a separable leaf switch having a leaf 401 and a separate leaf 403, such that one of the leaves is attached to lateral housing section 201 and the other of the leaves is attached to bottom housing section 205.
  • lateral housing section 201 is in proper position relative to bottom housing section 205, and switch 119 is therefore closed for delivering electrical power to ID element 107.
  • Figure 4B is a diagram of the open proximity switch of Figure 4A after undergoing a relative displacement due to tampering. Referring briefly to Figure 3, it is seen that the distance between lateral housing section 201 and bottom housing section 205 has increased because of tampering, and thus contact between leaf 401 and leaf 403 has been broken, corresponding to an opening of proximity switch 119.
  • Figure 5A is a diagram of a closed magnetic reed proximity switch according to a second proximity switch embodiment of the present invention, shown in proper operating position.
  • Figure 5A shows a proximity switch implemented as a magnetic reed switch having a glass envelope 501, a first ferromagnetic reed 503, a second ferromagnetic reed 505, and a non-ferromagnetic reed 507 connected to ground.
  • a small bar magnet 509 is attached to lateral housing section 201 and glass envelope 501 is attached to bottom housing section 205.
  • In FIG. 5A, lateral housing section 201 is in proper position relative to bottom housing section 205, and magnet 509 is held in proper proximity to the reed switch such that the concentrated magnetic flux passing through ferromagnetic reed 503 and ferromagnetic reed 505 causes them to attract and make contact.
  • the reed switch delivers electrical power to ID element 107.
  • Figure 5B is a diagram of the open magnetic reed proximity switch of Figure 5A after undergoing a relative displacement due to tampering.
  • Figure 6A is a diagram of a closed magnetic Hall Effect proximity switch according to a third proximity switch embodiment of the present invention, shown in proper operating position.
  • Figure 6A shows proximity switch 119 implemented as a Hall Effect device (a Hall Effect transistor) 601 in proximity to a small magnet 603.
  • magnet 603 is attached to lateral housing section 201 and Hall Effect device 601 is attached to bottom housing section 205.
  • lateral housing section 201 is in proper position relative to bottom housing section 205, and magnet 603 is held in proper proximity to Hall Effect device 601 such that switch 119 is closed for delivering power to ID element 107.
  • Figure 6B is a diagram of the open Hall Effect proximity switch of Figure 6A after undergoing a relative displacement due to tampering.
  • the reduced magnetic flux in the area of Hall Effect device 601 is such that switch 119 is open, thereby deactivating the identification device.
  • FIG 7A is a diagram of a closed double-magnet proximity switch according to a fourth proximity switch embodiment of the present invention, shown in proper operating position.
  • switch 119 is similar to the leaf switch of Figure 4A, having a leaf 701 and a leaf 703. In this case, however, the closure of switch 119 is effected by the mutual repulsion of a magnet 705 attached to leaf 703 and a magnet 707.
  • Figure 7B is a diagram of the open proximity switch of Figure 7A after undergoing a relative displacement due to tampering.
  • proximity switch embodiments include a "weak cord", which herein denotes a conducting wire loosely fitted into a connector, such that the connection is broken if the wire is pulled.
  • Proximity switches as disclosed herein are specific instances of the general class of proximity sensors.
  • Proximity sensors include devices for both discrete and continuous position detecting. According to the present invention, tampering attempts may be detected by sensing changes in the position of lateral housing section 201 relative to that of bottom housing section 205.
  • the term "relative displacement" herein denotes any change in the position of one housing section and another housing section.
  • CPCU 103 (Figure 1) monitors proximity sensors reporting on the position of lateral housing section 201 relative to that of bottom housing section 205, and detects when a predetermined threshold is exceeded. Such an event is construed as an attempted tampering, and CPCU 103 then deactivates identification device 101 by erasing identification information 109 (e.g. by performing a write operation on ID element 107 via interface 127) or by erasing operating parameters stored on element 105.
  • the required identification data is stored only on the control unit (e.g. on module 105 shown in Fig. 1), with no identification data being stored in the ID element.
  • This embodiment (hereinafter denoted as "the 'electrical element' embodiment") will now be described with reference to the embodiment of the invention illustrated in Fig. 1A:
  • element 107 (shown in Fig. 1) need not include any memory (element 109) and is merely an electrical element which is connected in series to the control unit 103.
  • the interface 127 is an electro-magnetic circuit that connects the control unit with the electrical element, or is actually the electrical element 107.
  • Non-limiting examples for such a circuit are an electric double cord, a contact switch, any of the proximity sensors which were described above and below (e.g. illustrated in Figs 4A-4B, 5A-5B, 6A-6B and 7A-7B) and the like.
  • a spring or any other suitable pressed element is placed between the first and second housing sections (elements 201 and 205 in Fig. 2A).
  • the spring is pressed between the housing sections as long as they are coupled together within the sealed housing. If the first and second housing sections are displaced, the spring is released and electrical disconnection occurs.
  • a tampering attempt with the device will result in a relative displacement of the two sections of the housing (elements 201 and 205 shown in Fig. 2A).
  • the electrical element is disconnected from the control unit, and in response, the operation of the control unit is shut down, e.g. by erasing the identification information stored e.g. on module 105 (Figure 1).
  • embodiments of the present invention also provide for the placing, within the housing, of means which create a condition of unstable equilibrium between the two sections.
  • a condition of unstable equilibrium implies that at the equilibrium point there are no displacing forces, but a small displacement from the equilibrium point induces larger displacing forces.
  • a condition of unstable equilibrium can be accomplished by an arrangement of springs, magnets, and the like, and is well-known for making g-force shock indicators. In this particular application, however, it is not shock or g-force that is to be detected, but rather a relative displacement between lateral housing section 201 and bottom housing section 205.
  • FIG. 8 is a transition state-change diagram illustrating the operating modes of an identification device according to an embodiment of the present invention for the non-limiting application of facilitating fueling service for a vehicle.
  • a non-limiting sequence of operations is illustrated in Fig. 8, in which:
  • Immediately after a manufacturing procedure 801, the identification device is not yet initialized and is thus in an "Inactive Mode" 803.
  • CPCU 103 is initialized with operating parameters 105 (Figure 1), after which the identification device goes into an "Initialized Mode".
  • the identification device is still not activated yet, because identification information 109 (Figure 1) is still blank.
  • the initialization mode need not be a separate mode and initialization could be performed either during manufacturing or during programming (see further below).
  • the identification device is affixed onto a vehicle and the vehicle is driven into an appropriate fueling station in an operation 809. For non-vehicular applications, the device is simply affixed onto the identified item, which is then taken to an appropriate service location.
  • When the identification device detects that an external data device, such as a remote scanner, is issuing interrogation requests, the identification device goes into a "Programming Mode" 811, wherein CPCU 103 (Figure 1) can accept identification information 109 from the external data device for writing to ID element 107.
  • the identification device goes into a "Service Mode" 815, wherein CPCU 103 reads identification 109 from ID element 107 to respond to the external data device to facilitate service.
  • Activation programming is the process of storing the appropriate identification information 109, as previously detailed, in ID element 107 (Figure 1).
  • the identification device facilitates fueling of the identified vehicle as previously described.
  • the identification device goes into a "Standby Mode" 819, wherein CPCU 103 goes into a low power-consumption "listening" state to detect requests from an external data device.
  • the identification device detects the presence of a remote scanner interrogation and re-enters Service Mode 815.
  • the identified item and the affixed identification device are simply taken to a service location and then taken away from the service location.
  • In normal operation, from this time onward, the identification device goes only from Service Mode 815 to Standby Mode 819, and vice versa. If, however, tampering 823 is attempted, the identification device goes into a "Shutdown Mode" 825, as described in detail herein. In Shutdown Mode 825, the identification device is deactivated and cannot facilitate any services. Normally, tampering 823 will render the identification device useless, and if not stolen, would typically be discarded and replaced in an operation 827.
  • the identification device may simply have undergone a reversion to initialized mode 807 and require driving back to the station for reprogramming in a procedure 829 (or, for non-vehicular applications, taken back to a service location).
  • a return to programming mode 811 is allowed under such circumstances; in an alternative embodiment, however, programming mode 811 can be performed only once, in which case the device would be discarded and replaced in procedure 827.
  • the identifying device cannot go into Programming Mode until being affixed onto the identifying item.
  • a non-limiting means of preventing programming prior to being affixed is to detect the presence of a spacer, such as spacer 313 (Figure 3), to determine that affixing to the item has not yet been done, and use this information to prevent the identification device from going into the Programming Mode.
  • An identification device is usable in conjunction with a data network in order to facilitate service.
  • Network communication is implemented e.g. via an antenna, also housed in the device (not shown in Fig. 1A).
  • Direct network connection often simplifies facilitating service.
  • the identification device can be connected "on-line" to a data network, and can provide articles of data including, but not limited to: identification device serial number; item identification number; financial identification data; billing/payment account number; credit number; bank account number; service specifications; service limitation code; an authorized service code; and transaction limitation code.
  • the data also includes, but is not limited to: service limitation code; an authorized service code; and transaction limitation code.
  • for vehicles, this also includes, but is not limited to: vehicle identification number; vehicle registration number; and fuel type authorization code.
  • FIG. 9 is a flow diagram of a sequence of operations 900 carried out in accordance with an embodiment of the present invention:
  • operation 920 providing an ID element operable for storing identification data and coupling at least the ID element and the electrical unit by an electromagnetic circuit that is designed to open in case a first section of the device, housing at least the control unit or a second section of the device, housing at least the ID element, is relatively displaced with respect to each other;
  • operation 940 Switching the device from Standby Mode to Service Mode, in response to a request from an external device, only if said identification data stored on the ID element is substantially continuously available to the control unit, and providing the device with on-line access to the network and registering the device in the network, thereby enabling the service.
  • Figure 10 is another flow diagram of a sequence of operations 1000 carried out in accordance with an embodiment of the present invention:
  • operation 1010 providing an ID element operable for storing identification data
  • operation 1020 providing a control unit operable for facilitating the service only in response to receiving said identification data
  • the device could be fixed on the outer side of the item. This is highly advantageous as e.g. installation of identification devices in the inner side of a vehicle chassis is demanding and costly.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • General Life Sciences & Earth Sciences (AREA)
  • Geophysics (AREA)
  • Lock And Its Accessories (AREA)
  • Burglar Alarm Systems (AREA)
  • Storage Device Security (AREA)

Abstract

According to an embodiment of the invention, there is provided a tamper-resistant identification device (101) and a method thereof for identifying an item to facilitate a service, the device comprising an ID element (107) configured for storing identification data; a control unit (103) operative to facilitate the service only in response to receiving said identification data; a housing comprising a first housing section (201) and a second housing section (205); and a coupling electro-magnetic circuit (119) for coupling at least the control unit and the ID element, said electro-magnetic circuit being designed to open in case the first or second housing section are displaced with respect to each other.

Description

TAMPER-RESISTANT IDENTIFICATION DEVICE
FIELD OF THE INVENTION
The present invention relates to identification devices, and, more particularly, to a tamper-resistant identification device.
BACKGROUND OF THE INVENTION
It is often desirable to have a device which provides identification for a specific object. Such a device can be attached to the specific object and serve to identify that particular object for various purposes. The term "item" is used herein to denote such an object for which identification and related services are desired. The term "identification" herein denotes providing information about an item, including, but not limited to properties, attributes, associations, relationships, and so forth. As a non-limiting example, an identification device can be attached to a vehicle (i.e., the "item" is a vehicle) for identifying that vehicle and any of the following associated information: model and serial number; registration information; owner, odometer reading; and financial account information related to that vehicle's operation and maintenance, such as billing/payment account numbers for fueling the vehicle. Certain identification devices provide identification information in electronic form without requiring contact or connection to the identification devices. For example, a "Radio-Frequency Identification" (RFID) device communicates with an external device, herein denoted as a "scanning unit", which can be located at a distance from the RFID device. The scanning unit typically transmits a radio frequency query to the identification device, which receives the query and responds thereto by transmitting a suitable response back to the scanning unit with the desired information. 
In a non-limiting application of such an identification device and such a scanning unit, the scanning unit can be coupled to a fueling system and the identification device can be installed on a vehicle (once again, in this example, the "item" is a vehicle) to respond with billing/payment account information for a fueling operation on that vehicle. In this fashion, fueling the vehicle can be expedited and made easier by eliminating the need for traditional payment by cash or payment card; instead of requiring the driver of the vehicle to pay or arrange for billing in a separate step, the billing can be handled automatically by a system connected to the scanning unit, based on billing/payment account information received from the RFID device.
Problems entailed by such a system, however, include those of tampering and theft of the identification device. Possible attacks include, but are not limited to: tampering with the device to obtain confidential identification information, such as financial data, billing/payment account numbers, and so forth; tampering with the device to substitute fraudulent identification information, such as false or fictitious ownership or fraudulent billing/payment account numbers, and so forth; and theft of an identification to impersonate someone else.
A prior art device which is responsive to the issue of theft is disclosed in U.S. Patent 6,900,719 to Roseman (hereinafter referred to as "Roseman '719"). Roseman '719 discloses a method and device for providing anti-theft protection for an electrical device installed on a body, such as a vehicle, by fixing to the body an electrical chip having a unique identification number identifying the body, electrically connecting the electrical device to the electrical chip in a manner such that removal of the electrical device from the body automatically interrupts the electrical connection of the electrical device to the electrical chip, and disabling the operation of the electrical device whenever its electrical connection to the chip is interrupted.
Another prior art means of protection against such tampering includes designing the identification device in such a manner that tampering will destroy the device or render the device inoperative. An example of such prior art is disclosed in the international patent application WO 03/069536 of Dayan, et al. (hereinafter referred to as "Dayan"). Dayan discloses an anti-tampering system for an identification ID component, the system consisting of an ID component housing, for attaching to a surface, a structurally weak region in the housing, and an ID component circuit including the ID component, at least a portion of the circuit being disposed substantially within the structurally weak region, such that a force applied to remove the housing from the surface deactivates the ID component circuit.
The following Patent publications relate to tamper-resistant devices and methods: European Patent Application No. 0509567; US Patent Nos. 6,895,509; 6,982,642; and 5,998,867.
There is thus a recognized need for, and it would be highly advantageous to have, a tamper-resistant identification device which can be installed on an item without the use of tools (e.g. screws or other fasteners that require holes or penetration in the item) or a special installation process (e.g. installation of the ID device at hidden places on the item, such as the inner side of a vehicle chassis). There is a further need in the art for a tamper-resistant identification device which can be installed on an outer side of an item. There is also a need in the art for a tamper-resistant identification device which has a high degree of tamper-resistance, both prior to installation as well as after installation. There is a need for an identification device that provides high level tamper-resistance, independently of the integrity of the installation personnel. There is a need in the art for reducing expensive working time and other costs involved in installation of ID devices in items (e.g. vehicles). These goals are met by the present invention.
SUMMARY OF THE INVENTION
It is an objective of the present invention to provide a tamper-resistant identification device and method for facilitating services, which may be securely installed in an efficient manner (e.g. quick, cost-effective, clean, reliable) while offering a strong degree of protection against tampering, especially against removal from the item on which the installation was made. It is also an objective of the present invention to provide a tamper-resistant identification device and method that provides a superior degree of protection against attempted removal from the item on which the installation was made.
The term "services" herein denotes any services which are rendered to the item which is identified by the identification device. Non-limiting examples include: fueling (the "service") of a vehicle (the "item"); and delivery (the "service") of a package ("the item"). The identification device facilitates the service by providing identification information, non-limiting examples of which include: the billing/payment financial account data for fueling a vehicle; and source-destination and billing/payment financial account data for delivering a package.
According to an embodiment of the invention there is provided a tamper-resistant identification device for identifying an item to facilitate a service, comprising: an ID element configured for storing identification data; a control unit operative to facilitate the service only in response to receiving the identification data; a housing comprising a first housing section and a second housing section; a coupling electro-magnetic circuit for coupling at least the control unit and the ID element, the electro-magnetic circuit being designed to open in case the first or second housing section are displaced with respect to each other.
According to another embodiment of the invention, there is provided a tamper-resistant identification method for identifying an item to facilitate a service by an identification device fixed to the item, the method comprising: providing an ID element operable for storing identification data and a control unit operable for facilitating the service only in response to receiving the identification data; housing at least the control unit and the ID element in a housing including at least a first section and a second section, coupling at least the ID element and the control unit by an electro-magnetic circuit that is designed to open in case the first housing section or the second housing section are relatively displaced with respect to each other; and servicing the item by operating the control unit.
According to yet another embodiment of the invention, there is provided a method for operating an identification device having a control unit operable for facilitating a service, the method comprising: providing an ID element operable for storing identification data and coupling at least the ID element and the control unit by an electromagnetic circuit that is designed to open in case a first section of the device and a second section of the device, are relatively displaced with respect to each other; switching the device from Inactive Mode to Standby Mode, in response to an activation attempt from an external device; switching the device from Standby Mode to Service Mode, in response to a request from an external device, only if the identification data stored on the ID element is substantially continuously available to the control unit.
According to yet another embodiment of the invention, there is provided a method for protecting an identification device having an ID element operable for storing identification data, the method comprising: housing at least a control unit and the ID element in a housing including at least a first section and a second section, and coupling at least the ID element and the control unit by an electro-magnetic circuit that is designed to open in case the first housing section or the second housing section are relatively displaced with respect to each other; and configuring the control unit to perform one of the following in case the electro-magnetic circuit is opened: erasing identification information stored on the ID element; writing over the identification information stored on the ID element; electrically shutting the identification device down; obstructing the identification device from operating at a Service Mode; and obstructing network communication.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to understand the present invention and to see how it may be carried out in practice, a preferred embodiment will now be described, by way of non-limiting example only, with reference to the accompanying drawings, wherein:
Figures 1A and 1B are conceptual block diagrams of identification devices according to embodiments of the present invention;
Figure 2A is an isometric external view of a housing of an identification device according to an embodiment of the present invention;
Figure 2B is an exploded isometric view of the housing of Figure 2A;
Figure 3 is an internal cross-section of the housing of an identification device according to an embodiment of the present invention prior to installation;
Figures 4A-4B, 5A-5B, 6A-6B and 7A-7B are more detailed diagrams of an identification device according to an embodiment of the present invention;
Figure 8 is a transition state-change diagram illustrating the operating modes of an identification device according to an embodiment of the present invention;
Figure 9 is a flow diagram of a sequence of operations carried out in accordance with an embodiment of the present invention; and
Figure 10 is another flow diagram of a sequence of operations carried out in accordance with an embodiment of the present invention.
DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS
The principles and operation of a tamper-resistant identification device according to embodiments of the present invention may be understood with reference to the drawings and the accompanying description.
Functional Block Organization and Operation
Figure 1 is a conceptual block diagram of an identification device 101 according to an embodiment of the present invention. Identification device 101 has two logically-distinct and separate components: a control unit, herein denoted as a control/processing/communications unit (CPCU) 103, and an ID element 107. These two components, although logically distinct and separate, are communicatively coupled to each other. The term "communicatively coupled" herein denotes the ability to actively pass data from one to the other, such as for reading and writing. In an embodiment of the present invention, CPCU 103 contains operating parameters module 105 which is configured for storing operating parameters and for reading information data stored on ID element 107 and relating to one or more operation parameters. These parameters may include, but are not limited to, model and serial number of the identification device, and cryptographic public keys for authentication and validation operations. In an embodiment of the present invention, CPCU may contain resources including, but not limited to: a radio transceiver capable of transmitting and receiving data; an antenna; a real-time clock-calendar; settable timers and watchdog timers; settable counters; analog-digital and digital-analog converters; a data/arithmetic processor, such as a microprocessor or dedicated microcontroller; data storage; data modem; data coder; random number generator; and a cryptographic unit for symmetrical cryptography and/or asymmetrical (public key) cryptography (not illustrated in Fig. 1).
In an embodiment of the present invention, ID element 107 contains identification information storage 109, which may include, but is not limited to: information about the item to be identified, such as model number, serial number, date of manufacture, ownership and/or registration number, insurance, and other parameters and attributes; fuel type authorization codes (for vehicles); authorized service codes; and financial identification data and financial information related to the services which are to be facilitated, such as billing/payment account numbers, credit numbers, bank account numbers, transaction limitation codes, service limitation codes. In an embodiment of the present invention, identification information storage 109 is encrypted and/or authenticated, such as by public key signatures.
Setup and Programming
According to an embodiment of the present invention, identification information 109 is initially set up in ID element 107 when identification device 101 is in a "Programming Mode". In this mode, an external device or system programs identification information 109 into ID element 107 via CPCU 103 through interface 127 in a write operation. Identification data supplied by the external device may be encrypted and/or authenticated; CPCU 103 can also apply additional layers of cryptographic protection and/or authentication.
Identification Operation
According to an embodiment of the invention, in operation, identification device 101 provides information including identification information 109 to an external device for facilitating a service. The required information is provided upon request via CPCU 103, which reads identification information 109 from ID element 107 via an interface 127. CPCU 103 is operable for providing the required information only if reading identification information from ID element 107 is successful. CPCU 103 is operable for reading the identification information e.g. in a periodic manner, e.g. during Standby Mode, or Service Mode (see further below). If the reading fails, the information required by the external device for facilitating the service is not provided. According to an embodiment of the invention, when reading from the ID element 107 fails for a predetermined period of time, the operation of device 101 is shut down.
For higher levels of security, as noted above, identification information 109 is encrypted and/or authenticated. In such a case, CPCU 103 can certify that identification information 109 is authentic by validating the digital signature thereof. CPCU 103 can also validate itself to an external scanning device in a similar fashion. This mode of providing identification information is referred to as the "Service Mode", and is discussed additionally below.
Protection against Tampering
According to embodiments of the present invention, therefore, the active parts of the device itself do not have to be physically damaged during an attempted tampering in order to render the device inoperative (although physical damage may certainly occur). According to embodiments of the present invention, it is sufficient for the sensitive or critical data within the device to be blocked or erased in order to deactivate the identification device, and this can be done electrically (or magnetically) in a variety of ways. The terms "block", "erase", "erasure", "erasing", and so forth, as applied to data storage herein denote any blockage or alteration of the data storage to cause permanent, irretrievable loss of the data through means including, but not limited to overwriting of the data, clearing of the data, and initializing the data storage. The process of "erasing" data as defined herein is sometimes referred to as "wiping" data storage, to signify that the erased data is completely non-recoverable from the storage.
In an embodiment of the present invention, deactivating identification device 101 can be achieved by interrupting interface 127 and thereby terminating the communicative coupling between CPCU 103 and ID element 107 (e.g. disconnecting the data line/electrical connection between storage 109 and module 105).
In an embodiment of the present invention, all sensitive identification data is contained in identification information 109, without which identification device 101 cannot provide any information. In this embodiment, therefore, identification device 101 is deactivated by electrically (or magnetically) causing ID element 107 to block or erase identification information 109.
In an embodiment of the present invention, CPCU 103 imposes a predetermined time-out period for reading identification information from ID element 107, such that if ID element 107 does not respond with valid identification information 109 within a predetermined time-out period, CPCU 103 terminates the communicative coupling between CPCU 103 and ID element 107 to deactivate identification device 101.
In an embodiment of the present invention, the blockage/erasure of identification information 109 is performed by changing the configuration of switches which provide electrical power to ID element 107 in response to an attempted tampering attack on identification device 101. In another embodiment of the present invention, the erasure of identification information 109 is performed by CPCU 103, such as by a deliberate overwrite of identification information 109 in ID element 107 with meaningless data (e.g., all zeros) via interface 127.
The present invention provides for control unit CPCU 103 to be able to facilitate a service to the identified item if and only if both of the following conditions are met:
■ CPCU 103 is communicatively coupled to ID element 107; and
■ ID element 107 contains valid identification information 109 related to the identified item.
If either or both of the above conditions are not met, then CPCU 103 is not able to facilitate the service, and identification device 101 is said to be "deactivated".
Electrical Power Switching Configuration
CPCU 103 and ID element 107 are active devices, and in an embodiment of the present invention receive electrical power for operation independently of each other. In this manner, it is possible for ID element 107 to receive electrical power at the same time as CPCU 103 is not receiving full power. Figure 1 shows an embodiment of the present invention whereby this separate power is supplied by a single voltage source 111, and whereby the independent supply of power is governed by a switch 117 to CPCU 103 and switches 119 and 121 to ID element 107. In this embodiment, optional diodes 113 and 115 further guarantee the electrical independence of CPCU 103 and ID element 107.
In an embodiment of the present invention, CPCU 103 always receives some power, even when switch 117 is open. This minimal power keeps CPCU 103 in a low power-consumption listening state, and allows CPCU 103 to activate switch 117 electronically when necessary for full operation (switch 117 can be implemented with an electronic device, such as a power switching transistor or other power control component). The low power-consumption listening state is used in the Inactive Mode to detect activation attempts from external devices that seek to communicate with an available identification device, after which the identification device switches into the Standby Mode, as discussed in more detail below. For example, in the low power-consumption listening state, CPCU 103 "listens" for query input from a remote RFID scanner. When a remote scanner interrogates identification device 101, CPCU 103 (in the low power-consumption listening state) detects the interrogation and automatically activates switch 117 to provide full power for responding to the query with data processing and transmitting operations.
According to embodiments of the invention, when switches 117, 119 and 121 are closed and ID element 107 is receiving power, the identification device is either in "Standby Mode", "Programming Mode" or "Service Mode", as discussed in further detail below. Figure 1A illustrates an embodiment of the present invention whereby there is a multiplicity of switches in series for supplying power. In this case, two switches, switches 119 and 121, are illustrated to show the series concept. In other embodiments, more than two switches are used. These switches are normally closed, so that electrical power is continuously supplied to ID element 107. (In Figure 1A, switches 119 and 121 are shown as open for clarity.) Switches 119 and 121 are proximity switches, several embodiments of which are discussed below with respect to Figs. 4A-4B, 5A-5B, 6A-6B and 7A-7B. Switches 119 and 121 are designed to open in response to tampering attempts (this is discussed in detail with respect to Figs. 2A-2B). In the absence of tampering, switches 119 and 121 are closed so that power is normally applied to ID element 107. In an embodiment of the present invention, ID element 107 is a volatile memory device capable of storing data only so long as electrical power is applied. In this embodiment, when electrical power is disconnected, all data is lost. As a non-limiting example for this embodiment, when proximity switch 119 detects attempted tampering, proximity switch 119 opens and removes electrical power from ID element 107, thereby erasing identification information 109. As noted, identification device 101 requires identification information 109 for functioning, and is thereby disabled and deactivated by the tampering. In the embodiment shown in Figure 1A, an optional resistor 125 bleeds off any stored charge in ID element 107 to assure rapid data loss. It is noted that resistor 125 has a high value of resistance to minimize power drain.
With a suitable value of resistor 125, data loss can be fast, while still allowing suitably-long battery life. It is noted that Figure 1A illustrates proximity switches 119 and 121 as being of the SPST configuration. In another embodiment of the present invention, proximity switches are of the SPDT configuration, with one throw connected to ground such that the power input to ID element 107 is grounded when any proximity switch detects tampering, causing immediate erasure of identification information 109. In this particular embodiment, therefore, resistor 125 is unnecessary and is not used. The SPDT proximity switch configuration is also discussed and illustrated below in the case of the magnetic reed proximity switch (Figure 5A and Figure 5B).
Many other variations in the configuration are possible to accomplish the same result of blocking communication between units 103 and 107, and/or erasing identification information 109. As previously mentioned, erasure can be accomplished by software- (or firmware-) executed command from CPCU 103. In another embodiment of the present invention, for example, identification information 109 is erased by turning electrical power on to a specific hardware input of ID element 107, instead of turning power off. For illustration purposes, the electrical circuitry was illustrated as separated from the control unit 109. It should be understood to anyone skilled in the art that the electrical circuitry could be integrated with the control unit 109 e.g. on the same PCB (Printed Circuit Board). It should also be understood that the ID element 107 could be powered via the control unit 109. This is illustrated in Fig. 1B. According to the embodiment illustrated in Fig. 1B, physical disconnection of the electrical connection between the control unit 109 and the ID component 107 will block reading of information data stored on the ID element by the control unit 109.
It should be understood that the control unit includes additional components which were not illustrated in Fig. 1A for ease of understanding. One such component is an antenna, which is also housed within the housing (e.g. surrounding the battery and the PCB that carries the circuitry of the control unit).
Physical Housing Configurations
Figure 2A is an isometric external view of the housing of an identification device according to an embodiment of the present invention. A lateral housing section 201 surrounds the internal components of the identification device from all directions to the side, and a top housing section 203 covers the internal components from the top (optionally carrying e.g. the logo of the service company). In an embodiment of the present invention, top housing section 203 is irremovably fastened to lateral housing section 201. An underside area 202 is fitted with an adhesive layer 207 for attaching to the item which is to be identified by the identification device, so that when affixed to the item, the internal components of the identification device are not accessible from any direction. Part of an adhesive layer 207 is visible in Figure 2A. Another adhesive layer is visible in Figure 2B, as discussed below. A removable protective film 204 protects the adhesive layers until the time of being affixed to the item.
Housing Configurations for Tampering Detection
Figure 2B is an exploded isometric view of the housing of Figure 2A, but with top housing section 203 removed and not shown. As described previously, in an embodiment of the present invention, the housing includes two physically distinct and separate sections that have no direct inherent mechanical or structural connection between them. In Figure 2B it is seen that one such section is lateral housing section 201, and the other such section is a bottom housing section 205, which is shown in the exploded view of Figure 2B in a lowered position for clarity. Adhesive layer 207 is in the shape of a ring, and bonds lateral housing section 201 to the surface of the item which is identified by the identification device. Likewise, an adhesive layer 209 is in the shape of a solid circle, and bonds bottom housing section 205 to the surface of the item. It is readily seen that the position of lateral housing section 201 relative to that of bottom housing section 205 is fixed when the housing is affixed to an item via adhesive layer 207 and adhesive layer 209. As previously noted, a section of the housing, bottom housing section 205, is not externally accessible after being affixed onto the item.
According to an embodiment of the invention, housing sections 201 and 205 are supported by the adhesive layer 207 (and in case each section has its own layer, also by layer 209) together with the protective film 204. According to an embodiment of the invention, the first section 201 and second section 205 are loosely supported by each other, e.g. by one or more stems extending from either section (or both), thereby providing loose physical connections between sections 201 and 205. The relative displacement (movement) of sections 201 and 205 with respect to each other is thus avoided during manufacture, storage, shipment, distribution and installation of the device.
In embodiments of the present invention, the housing of the identification device has a predetermined surface for affixing to the identified item. Figure 2A and Figure 2B illustrate an embodiment where the predetermined surface is the bottom, and the bottom is flat, for installation on an item that has a substantially plane surface. In another embodiment of the present invention, the housing of the identification device has a curved bottom (conformal bottom), for installation on an item that has a correspondingly curved surface. In a still further embodiment of the present invention, the housing of the identification device has a bottom that has a saddle-shaped curve.
In an embodiment of the present invention, the housing of the identification device is sealed so that there are no seams or joints accessible when the device is affixed to the item. According to another embodiment of the invention, the housing is sealed in a manner defined in safety regulations and standards governing specific services and areas. For example, the housing, which contains a battery, is sealed and authorized for fueling services.
The terms "install", "installing", "installation", and the like with regard to identification devices are herein intended to denote the complete process of setting up an identification device for use. In contrast, the terms "affix" and "affixing", and the like with respect to identification devices are herein intended to denote the more limited act of physically attaching an identification device to an item that is to be identified. The terms "activate", "activating", "activation", and the like with respect to identification devices are herein intended to denote the more limited act of enabling an identification device that is affixed to a particular item for facilitating services related to that item. In this regard, "installation" implies both an affixing and an activation.
The attachment method is essentially limited to the use of a prepared adhesive layer. The term "adhesive layer" herein denotes without limitation all configurations of adhesive layers intended to bond one object to another, including, but not limited to: homogeneous layers of adhesive materials; and heterogeneous layers, an outer surface of which has adhesive properties. Non-limiting examples of homogeneous adhesive layers include contact cements and the like. Non-limiting examples of heterogeneous adhesive layers include adhesive tapes and foams, particularly such tapes and foams both sides of which are adhesive.
Disposition of internal Components within the Housing
As previously noted, in an embodiment of the present invention, identification device 101 (e.g. as illustrated in Figure 1A) has two logically-distinct and separate components: CPCU 103 and ID element 107. CPCU 103 and ID element 107 are also physically distinct and separate, with no direct inherent mechanical or structural connection between them, and are connected only by an electro-magnetic circuit component. Elements 103 and 107 are disposed within the housing according to the two physically-separate housing sections as detailed above. In a non-limiting example, CPCU 103 is attached to lateral housing section 201, and ID element 107 is attached to bottom housing 205.
According to yet a further embodiment of the present invention, however, CPCU 103 and ID element 107, while logically distinct, are physically-connected (such as integrated into the same physical chip). Even though integrated together, however, CPCU 103 and ID element 107 may still feature separate power connections according to previous embodiments as described. In a non-limiting example, identification device 101 (both CPCU 103 and ID element 107) is attached to bottom housing section 205. In that embodiment, a portion of the electrical circuit is accommodated in housing section 201. According to another embodiment of the invention, both CPCU 103 and ID element 107 are accommodated in housing section 201 and a portion of the electrical circuit is accommodated in housing section 205.
It is thus seen that identification devices according to the present invention possess greater flexibility than those of the prior art, because there is no requirement that any component parts except for the electro-magnetic circuit coupling the ID element 107 with the CPCU 103 be physically damaged by attempted tampering. In an embodiment of the present invention all the circuitry is placed as far away as possible from the sides of the housing, such as on bottom housing section 205, to afford the maximum protection against tampering.
Installation and Tamper Detection
Figure 3 is an internal cross-section of the housing of an identification device according to an embodiment of the present invention prior to installation. Lateral housing section 201 is seen in cross-section, and bottom housing section 205 is seen from directly above. The protruding tab of protective film 204 is shown. Spacers that maintain proper alignment of lateral housing section 201 and bottom housing section 205 prior to installation extend from section 201 or 205 or both. These are shown in Figure 3 as a spacer 313, a spacer 315, a spacer 317, and a spacer 319. It should be understood that the spacers do not form part of both sections. According to an embodiment of the invention, all spacers form part of housing section 201. The spacers thus provide loose support for housing section 205.
Once the adhesive affixing to the item has been accomplished, lateral housing section 201 and bottom housing section 205 are bonded to the surface of the item to be identified. According to an embodiment of the present invention, the spacers are merely repositioned into a different location within the housing, where they no longer maintain the relative spacing of lateral housing section 201 and bottom housing section 205. These are non-limiting examples only; other configurations of spacers and alignment devices are also possible. Also shown in Figure 3 is a set of proximity switches. These include proximity switch 119, proximity switch 120, proximity switch 121, and a proximity switch 122. Proximity switch 119 and proximity switch 121 are shown schematically in Figure 1. According to an embodiment of the invention, only one or two switches are provided. According to an embodiment of the invention, only two spacers are provided. According to another embodiment of the invention, no spacers are provided. According to another embodiment of the invention, not shown in Fig. 3, the switches are implemented on a PCB housed by section 201 and the ID element that is housed by section 205 is connected by an electrical cord to the PCB. It should be understood that the invention is not limited by the number of switches and the number of spacers. Specifically, the invention can be implemented with one or two switches (elements 119 and 121 shown in Figure 1A), without any spacer.
The design of the identification device, as described above, is susceptible to tampering. In order to tamper with the operation of the identification device, the control unit has to be interfered with, and the housing has to be opened. As the device is fixed to the item (e.g. a car), tampering requires separation of the housing from the item. During separation, the first and second housing sections will be displaced with respect to each other, and as a result, the electro-magnetic connection between the ID element and the control unit will be opened. According to the embodiment of the invention illustrated in Figures 2A and 2B, the structure of the housing is designed to encourage a removal attempt to be performed by pulling the housing in a direction that will cause the proximity switch (e.g. switch 119, 121 illustrated in Figures 1A and 1B) to open in response to a relatively weak force (e.g. a force caused by a hand pulling the housing away from the item, or by a thin blade of a knife). This increases sensitivity of the device to tampering. According to an embodiment of the invention, the electronic circuit is cut off in response to a tampering attempt, even when separation of one of the housing sections (or both) from the item is not accomplished.
It should be understood that the identification device and method of the present invention are not aimed at providing foolproof tampering resistance. It may be possible to separate the housing from the item without providing relative displacement of the housing sections (e.g. by using a suitable solvent for dissolving the adhesive). However, such an attempt requires special knowledge and equipment, and also time.
Proximity Switch Embodiments
As described before, the ID element and the control unit (elements 107 and 103 shown in Fig. 1A) are coupled by an electro-magnetic circuit. According to an embodiment of the invention, this circuit is a double cord circuit. This double cord circuit is opened (e.g. one of the cords is torn) in response to a tampering attempt.
The following embodiments of the present invention are presented as non-limiting examples of proximity switch 119 (Figure 1), except for the switch shown in Figure 5A and Figure 5B, which is an implementation of a switch in the SPDT configuration.
Figure 4A is a diagram of a closed contact proximity switch according to a first proximity switch embodiment of the present invention, shown in proper operating position. Figure 4A shows proximity switch 119 implemented as a separable leaf switch having a leaf 401 and a separate leaf 403, such that one of the leaves is attached to lateral housing section 201 and the other of the leaves is attached to bottom housing section 205. In Figure 4A, lateral housing section 201 is in proper position relative to bottom housing section 205, and switch 119 is therefore closed for delivering electrical power to ID element 107. Figure 4B is a diagram of the open proximity switch of Figure 4A after undergoing a relative displacement due to tampering. Referring briefly to Figure 3, it is seen that the distance between lateral housing section 201 and bottom housing section 205 has increased because of tampering, and thus contact between leaf 401 and leaf 403 has been broken, corresponding to an opening of proximity switch 119.
Figure 5A is a diagram of a closed magnetic reed proximity switch according to a second proximity switch embodiment of the present invention, shown in proper operating position. Figure 5A shows a proximity switch implemented as a magnetic reed switch having a glass envelope 501, a first ferromagnetic reed 503, a second ferromagnetic leaf 505, and a non-ferromagnetic reed 507 connected to ground. In a non-limiting example of this embodiment, a small bar magnet 509 is attached to lateral housing section 201 and glass envelope 501 is attached to bottom housing section 205. In Figure 5A, lateral housing section 201 is in proper position relative to bottom housing section 205, and magnet 509 is held in proper proximity to the reed switch such that the concentrated magnetic flux passing through ferromagnetic reed 503 and ferromagnetic reed 505 causes them to attract and make contact. In this closed position, the reed switch delivers electrical power to ID element 107. Figure 5B is a diagram of the open magnetic reed proximity switch of Figure 5A after undergoing a relative displacement due to tampering. The reduced magnetic flux in the area of the switch is insufficient to cause reed 503 and 505 to make contact, so reed 503 instead makes contact with non-ferromagnetic reed 507, which is connected to the ground. As previously discussed, when used in the circuit of Figure 1 this immediately causes loss of identification information 109.
Figure 6A is a diagram of a closed magnetic Hall Effect proximity switch according to a third proximity switch embodiment of the present invention, shown in proper operating position. Figure 6A shows proximity switch 119 implemented as a Hall Effect device (a Hall Effect transistor) 601 in proximity to a small magnet 603. In a non-limiting example of this embodiment, magnet 603 is attached to lateral housing section 201 and Hall Effect device 601 is attached to bottom housing section 205. In Figure 6A, lateral housing section 201 is in proper position relative to bottom housing section 205, and magnet 603 is held in proper proximity to Hall Effect device 601 such that switch 119 is closed for delivering power to ID element 107. Figure 6B is a diagram of the open Hall Effect proximity switch of Figure 6A after undergoing a relative displacement due to tampering. The reduced magnetic flux in the area of Hall Effect device 601 is such that switch 119 is open, thereby deactivating the identification device.
Figure 7A is a diagram of a closed double-magnet proximity switch according to a fourth proximity switch embodiment of the present invention, shown in proper operating position. Here switch 119 is similar to the leaf switch of Figure 4A, having a leaf 701 and a leaf 703. In this case, however, the closure of switch 119 is effected by the mutual repulsion of a magnet 705 attached to leaf 703 and a magnet 707. Figure 7B is a diagram of the open proximity switch of Figure 7A after undergoing a relative displacement due to tampering.
One of the advantages of this double magnet proximity switch is that static magnetic repulsion is typically unstable, and this configuration by itself would tend to push lateral housing section 201 and bottom housing section 205 out of alignment. Thus, if adhesive layer 207 or adhesive layer 209 (Figure 2B) were neutralized or removed by tampering, the mutual repulsion of the double magnet configuration would tend to accelerate and amplify the displacement, thereby increasing the certainty of deactivating the identification device, as discussed below for the use of means for introducing unstable equilibrium.
Other proximity switch embodiments include a "weak cord", which herein denotes a conducting wire loosely fitted into a connector, such that the connection is broken if the wire is pulled.
Other Proximity Sensor Configurations
Proximity switches as disclosed herein are specific instances of the general class of proximity sensors. Proximity sensors include devices for both discrete and continuous position detecting. According to the present invention, tampering attempts may be detected by sensing changes in the position of lateral housing section 201 relative to that of bottom housing section 205. The term "relative displacement" herein denotes any change in the position of one housing section and another housing section.
Many variations on proximity sensors are possible. In an embodiment of the present invention, CPCU 103 (Figure 1) monitors proximity sensors reporting on the position of lateral housing section 201 relative to that of bottom housing section 205, and detects when a predetermined threshold is exceeded. Such an event is construed as an attempted tampering, and CPCU 103 then deactivates identification device 101 by erasing identification information 109 (e.g. by performing a write operation on ID element 107 via interface 127) or by erasing operating parameters stored on element 105.
According to another embodiment of the invention, the required identification data is stored only on the control unit (e.g. on module 105 shown in Fig. 1), with no identification data being stored in the ID element. This embodiment (hereinafter denoted as "the 'electrical element' embodiment") will now be described with reference to the embodiment of the invention illustrated in Fig. 1A. According to the 'electrical element' embodiment, element 107 (shown in Fig. 1) need not include any memory (element 109) and is merely an electrical element which is connected in series to the control unit 103. According to the 'electrical element' embodiment, the interface 127 is an electro-magnetic circuit that connects the control unit with the electrical element, or is actually the electrical element 107. Non-limiting examples of such a circuit are an electric double cord, a contact switch, any of the proximity sensors which were described above and below (e.g. illustrated in Figs. 4A-4B, 5A-5B, 6A-6B and 7A-7B) and the like.
Optionally, a spring or any other suitable pressed element is placed between the first and second housing sections (elements 201 and 205 in Fig. 2A). The spring is pressed between the housing sections as long as they are coupled together within the sealed housing. If the first and second housing sections are displaced, the spring is released and electrical disconnection occurs.
According to the 'electrical element' embodiment, a tampering attempt with the device will result in a relative displacement of the two sections of the housing (elements 201 and 205 shown in Fig. 2A). In turn, the electrical element is disconnected from the control unit, and in response, the operation of the control unit is shut down e.g. by erasing the identification information stored e.g. on module 105 (Figure 1).
Enhancing Internal Displacement Due to Tampering with Unstable Equilibrium
It is desirable to enhance the tendency of lateral housing section 201 and bottom housing section 205 to become relatively displaced when there is tampering, because doing so increases the sensitivity of the identification device to attempted tampering.
Taking note of the fact that in normal operation it is only the adhesive bonding of the independent housing sections to the item that maintains the relative position of the housing sections, embodiments of the present invention also provide for the placing, within the housing, of means which create a condition of unstable equilibrium between the two sections. A condition of unstable equilibrium implies that at the equilibrium point there are no displacing forces, but a small displacement from the equilibrium point induces larger displacing forces.
It is therefore beneficial to introduce components into the housing which create a condition of unstable equilibrium between lateral housing section 201 and bottom housing section 205, such that at their proper relative position, there is no relative force between them, but that even a small relative displacement induces a force to increase that displacement. A condition of unstable equilibrium can be accomplished by an arrangement of springs, magnets, and the like, and is well-known for making g-force shock indicators. In this particular application, however, it is not shock or g-force that is to be detected, but rather a relative displacement between lateral housing section 201 and bottom housing section 205.
Operational Modes and Mode Transitions
Figure 8 is a transition state-change diagram illustrating the operating modes of an identification device according to an embodiment of the present invention for the non-limiting application of facilitating fueling service for a vehicle. For non-vehicular applications, there are corresponding procedures that do not involve the particular properties associated with vehicles (such as "driving", "fueling station"). A non-limiting sequence of operations is illustrated in Fig. 8, in which:
Immediately after a manufacturing procedure 801, the identification device is not yet initialized and is thus in an "Inactive Mode" 803.
In an optional factory initialization procedure 805, CPCU 103 is initialized with operating parameters 105 (Figure 1), after which the identification device goes into an "Initialized Mode". The identification device is still not activated yet, because identification information 109 (Figure 1) is still blank. The initialization mode need not be a separate mode and initialization could be performed either during manufacturing or during programming (see further below).
The identification device is affixed onto a vehicle and the vehicle is driven into an appropriate fueling station in an operation 809. For non-vehicular applications, the device is simply affixed onto the identified item, which is then taken to an appropriate service location.
When the identification device detects that an external data device, such as a remote scanner, is issuing interrogation requests, the identification device goes into a "Programming Mode" 811, wherein CPCU 103 (Figure 1) can accept identification information 109 from the external data device for writing to ID element 107.
In the non-limiting example of Fig. 8, after an activation programming operation 813, the identification device goes into a "Service Mode" 815, wherein CPCU 103 reads identification 109 from ID element 107 to respond to the external data device to facilitate service. Activation programming is the process of storing the appropriate identification information 109, as previously detailed, in ID element 107 (Figure 1).
In Service Mode 815, the identification device facilitates fueling of the identified vehicle as previously described. When the vehicle is driven out of the station in an operation 817, the identification device goes into a "Standby Mode" 819, wherein CPCU 103 goes into a low power-consumption "listening" state to detect requests from an external data device. Later, if the vehicle is again driven into the station in an operation 821, the identification device detects the presence of a remote scanner interrogation and re-enters Service Mode 815. For non-vehicular applications, the identified item and the affixed identification device are simply taken to a service location and then taken away from the service location. In normal operation, from this time onward, the identification device goes only from Service Mode 815 to Standby Mode 819, and vice versa.
If, however, tampering 823 is attempted, the identification device goes into a "Shutdown Mode" 825, as described in detail herein. In Shutdown Mode 825, the identification device is deactivated and cannot facilitate any services. Normally, tampering 823 will render the identification device useless, and if not stolen, would typically be discarded and replaced in an operation 827.
In some cases, however, if the identification device was subjected only to shock or mishandling that may have caused a transient interruption of power to ID element 107, the identification device may simply have undergone a reversion to initialized mode 807 and require driving back to the station for reprogramming in a procedure 829 (or, for non-vehicular applications, taken back to a service location). In an embodiment of the present invention, a return to programming mode 811 is allowed under such circumstances; in an alternative embodiment, however, programming mode 811 can be performed only once, in which case the device would be discarded and replaced in procedure 827.
In an embodiment of the present invention, the identifying device cannot go into Programming Mode until being affixed onto the identifying item. This would prevent programming an unaffixed identifying device, which would then be vulnerable to theft without tampering or deactivation, and would be subject to fraudulent usage. A non-limiting means of preventing programming prior to being affixed is to detect the presence of a spacer, such as spacer 313 (Figure 3) to determine that affixing to the item has not yet been done, and use this information to prevent the identification device from going into the Programming Mode.
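The mode transitions of Fig. 8, including the spacer check and the program-once alternative, can be modelled as a small event-driven state machine. The following C sketch is an added illustration and is not part of the patent text; the event names, the Device structure and the function names are assumptions, and erasing the identification data on tampering is one of the shutdown responses the claims list.

```c
#include <stdbool.h>
#include <stdio.h>

/* Modes named in the description of Fig. 8. */
typedef enum { MODE_INACTIVE, MODE_INITIALIZED, MODE_PROGRAMMING,
               MODE_SERVICE, MODE_STANDBY, MODE_SHUTDOWN } DevMode;

/* Event names are assumptions made for this sketch. */
typedef enum {
    EV_FACTORY_INIT,   /* initialization procedure 805 */
    EV_INTERROGATION,  /* external data device detected (809, 821) */
    EV_ID_WRITTEN,     /* activation programming 813 completed */
    EV_SCANNER_LOST,   /* item leaves the service location (817) */
    EV_TAMPER,         /* tampering 823 */
    EV_ID_POWER_LOSS   /* transient power interruption to the ID element */
} Event;

typedef struct {
    DevMode mode;
    bool spacer_present;  /* spacer still fitted: device not yet affixed */
    bool program_once;    /* alternative embodiment: programmed only once */
    bool was_programmed;
    bool id_valid;        /* identification information is stored */
} Device;

Device device_new(bool spacer_present, bool program_once)
{
    return (Device){ MODE_INACTIVE, spacer_present, program_once, false, false };
}

DevMode device_step(Device *d, Event ev)
{
    if (d->mode == MODE_SHUTDOWN) return d->mode;   /* terminal mode */
    if (ev == EV_TAMPER) {                /* honoured from every mode */
        d->id_valid = false;              /* erasure: one listed response */
        return d->mode = MODE_SHUTDOWN;
    }
    if (ev == EV_ID_POWER_LOSS && d->mode != MODE_INACTIVE) {
        d->id_valid = false;              /* must be reprogrammed */
        return d->mode = MODE_INITIALIZED;
    }
    if (d->mode == MODE_INACTIVE && ev == EV_FACTORY_INIT) {
        d->mode = MODE_INITIALIZED;
    } else if (d->mode == MODE_INITIALIZED && ev == EV_INTERROGATION) {
        /* No programming while unaffixed, nor a second programming in
           the program-once embodiment. */
        if (!d->spacer_present && !(d->program_once && d->was_programmed))
            d->mode = MODE_PROGRAMMING;
    } else if (d->mode == MODE_PROGRAMMING && ev == EV_ID_WRITTEN) {
        d->id_valid = d->was_programmed = true;
        d->mode = MODE_SERVICE;
    } else if (d->mode == MODE_SERVICE && ev == EV_SCANNER_LOST) {
        d->mode = MODE_STANDBY;
    } else if (d->mode == MODE_STANDBY && ev == EV_INTERROGATION && d->id_valid) {
        d->mode = MODE_SERVICE;
    }
    return d->mode;
}

/* Feed a sequence of events and return the final mode. */
DevMode run_events(Device *d, const Event *evs, int n)
{
    for (int i = 0; i < n; i++) device_step(d, evs[i]);
    return d->mode;
}

int main(void)
{
    Device d = device_new(false, false);
    const Event life[] = { EV_FACTORY_INIT, EV_INTERROGATION, EV_ID_WRITTEN,
                           EV_SCANNER_LOST, EV_INTERROGATION, EV_TAMPER };
    printf("final mode: %d\n", run_events(&d, life, 6));
    return 0;
}
```

In this model a program-once device that loses power to the ID element stays in Initialized Mode and ignores further interrogation, which corresponds to the discard-and-replace outcome of procedure 827.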
Network Usage
An identification device according to an embodiment of the present invention is usable in conjunction with a data network in order to facilitate service. Network communication is implemented e.g. via an antenna, also housed in the device (not shown in Fig. 1A). Direct network connection often simplifies facilitating service. While in Service Mode, the identification device can be connected "on-line" to a data network, and can provide articles of data including, but not limited to: identification device serial number; item identification number; financial identification data; billing/payment account number; credit number; bank account number; service specifications; service limitation code; an authorized service code; and transaction limitation code. For vehicles, this also includes, but is not limited to: vehicle identification number; vehicle registration number; and fuel type authorization code.
Figure 9 is a flow diagram of a sequence of operations 900 carried out in accordance with an embodiment of the present invention:
In operation 920: providing an ID element operable for storing identification data and coupling at least the ID element and the electrical unit by an electromagnetic circuit that is designed to open in case a first section of the device, housing at least the control unit or a second section of the device, housing at least the ID element, is relatively displaced with respect to each other;
In operation 930: Switching the device from Inactive Mode to Standby Mode, in response to an activation attempt from an external device.
In operation 940: Switching the device from Standby Mode to Service Mode, in response to a request from an external device, only if said identification data stored on the ID element is substantially continuously available to the control unit, and providing the device with on-line access to the network and registering the device in the network, thereby enabling the service.
Figure 10 is another flow diagram of a sequence of operations 1000 carried out in accordance with an embodiment of the present invention:
In operation 1010: providing an ID element operable for storing identification data;
In operation 1020: providing a control unit operable for facilitating the service only in response to receiving said identification data;
In operation 1030: housing at least the control unit and the ID element in a housing including at least a first housing section and a second housing section, coupling at least the ID element and the control unit by an electro-magnetic circuit that is designed to open in case the first housing section and the second housing section are relatively displaced with respect to each other, and fixing the structure to the item by an adhesive layer;
In operation 1040: Servicing the item by operating the control unit.
Based on the high level of protection provided by the device and method of the present invention, the device could be fixed on the outer side of the item. This is highly advantageous as e.g. installation of identification devices in the inner side of a vehicle chassis is demanding and costly.
While the invention has been described with respect to a limited number of embodiments, it will be appreciated that many variations, modifications and other applications of the invention may be made.

Claims

CLAIMS:
1. A tamper-resistant identification device for identifying an item to facilitate a service, comprising: an ID element configured for storing identification data; a control unit operative to facilitate the service only in response to receiving said identification data; a housing comprising a first housing section and a second housing section; a coupling electro-magnetic circuit for coupling at least the control unit and the ID element, said electro-magnetic circuit is designed to open in case the first or second housing section are displaced with respect to each other.
2. The identification device of Claim 1, wherein said control unit is powered by a battery contained within said housing.
3. The identification device of Claim 2, wherein said ID element is directly powered by said battery or is powered via said control unit.
4. The tamper-resistant identification device according to Claim 1 further comprising an adhesive layer for affixing a predetermined surface of said housing to the item.
5. The identification device of Claim 4, wherein said adhesive layer comprises one of the following: a single adhesive layer that affixes both said first housing section and said second housing section; a first adhesive layer and a second adhesive layer, wherein said first adhesive layer and said second adhesive layer are distinct and independent of each other, wherein said first adhesive layer affixes said first housing section to the item, and wherein said second adhesive layer affixes said second housing section to the item.
6. The identification device of Claim 1, wherein said predetermined surface of said housing is a plane surface or a curved surface.
7. The identification device of Claim 1, wherein said identification data is indicative of at least one of the following: identification device serial number; a cryptographic key; financial identification data; financial information related to the service; a billing/payment account number; a credit number; a bank account number; a transaction limitation code; an authorized service code; and a service limitation code.
8. The identification device of Claim 1, wherein the item is a vehicle and the service is a fueling service, and said identification data is indicative of at least one of the following: a vehicle identification number; a vehicle registration number; and a fuel type authorization code.
9. The identification device of Claim 1 further operative to be in a mode selected from the group consisting of: an Inactive Mode, wherein said control unit includes a low power-consumption listening state for detecting activation attempt from external device, and is further operable, in response thereto, for switching to Standby Mode; a Programming Mode, wherein said control unit is operative to receive identification information from an external data device, for writing into said ID element; a Standby Mode, wherein said control unit is operative for detecting a request from an external service device and in response thereto, switching to Service Mode; a Service Mode, wherein said control unit is operative to read said identification information from said ID element and respond to an external service device to facilitate the service.
10. The identification device of Claim 1, wherein the control unit is further operable for periodical reading of the identification data from the ID element, and in case the reading fails for a predetermined period of time, shutting down operation of the device.
11. The device according to Claim 10 wherein said shutting down includes one of the following: erasing of said identification data from the ID element; erasing of information stored on the control unit; electrical shutting down of the control unit.
12. The device according to Claim 9 wherein upon responding to the external service device, the identification device is provided with on-line access to a data network.
13. The device according to Claim 1 wherein said first and second housing sections have at least one contact point therebetween.
14. The identification device of Claim 1, wherein said electro-magnetic circuit comprises at least one component selected from the group consisting of: a weak cord; a separable leaf switch; a magnetic reed switch; a Hall Effect device; a spring and a magnet.
15. The identification device of Claim 1, wherein said second housing section is contained at least partly within said first housing section and is not externally accessible when said housing is affixed to the item.
16. The identification device of Claim 1, wherein disposition of internal components within the housing is in accordance with one of the following: the first housing section is adapted for housing at least the control unit and the second housing section is adapted for housing at least the ID element; the second housing section is adapted for housing at least the control unit and the ID element and the first housing section is adapted for housing at least a portion of the coupling electro-magnetic circuit; the second housing section is adapted for housing at least the control unit and the first housing section is adapted for housing at least the ID element; the first housing section is adapted for housing at least the control unit and the ID element and the second housing section is adapted for housing at least a portion of the coupling electro-magnetic circuit.
17. A tamper-resistant identification method for identifying an item to facilitate a service by an identification device fixed to the item, the method comprising: providing an ID element operable for storing identification data and a control unit operable for facilitating the service only in response to receiving said identification data; housing at least the control unit and the ID element in a housing including at least a first section and a second section, coupling at least the ID element and the control unit by an electro-magnetic circuit that is designed to open in case the first housing section or the second housing section are relatively displaced with respect to each other; and servicing the item by operating the control unit.
18. The identification method of Claim 17, wherein said identification data is indicative of at least one of the following: identification device serial number; a cryptographic key; financial identification data; financial information related to the service; a billing/payment account number; a credit account number; a bank account number; a transaction limitation code; an authorized service code; and a service limitation code.
19. The identification method according to Claim 17, further comprising: periodically reading the identification data from the ID element, and in case the reading fails for a predetermined period of time, shutting down operation of the control unit.
20. A method for operating an identification device having a control unit operable for facilitating a service, the method comprising: providing an ID element operable for storing identification data and coupling at least the ID element and the control unit by an electro-magnetic circuit that is designed to open in case a first section of the device and a second section of the device, are relatively displaced with respect to each other; switching the device from Inactive Mode to Standby Mode, in response to an activation attempt from an external device; switching the device from Standby Mode to Service Mode, in response to a request from an external device, only if said identification data stored on the ID element is substantially continuously available to the control unit.
21. A method according to Claim 20 wherein the service is facilitated in a communication network, the method further comprising: in Service Mode, providing the device with on-line access to the network.
22. A method according to Claim 21 further comprising: registering the device in the network by programming the ID element with at least one data item from the following group of data items: identification device serial number; item identification number; financial identification data; financial information related to the service; credit number; bank account number; billing/payment account number; service specifications; service limitation code; transaction limitation code.
23. The method of Claim 20, wherein the item is a vehicle and the service is a fueling service, the method further comprising sending over the data network at least one article of data selected from the group consisting of: a vehicle identification number; a vehicle registration number; and a fuel type authorization code.
24. A method for protecting an identification device having an ID element operable for storing identification data, the method comprising: housing at least a control unit and the ID element in a housing including at least a first section and a second section, and coupling at least the ID element and the control unit by an electro-magnetic circuit that is designed to open in case the first housing section or the second housing section are relatively displaced with respect to each other; and configuring the control unit to perform one of the following in case said electro-magnetic circuit is opened: erasing identification information stored on said ID element; writing over the identification information stored on said ID element; electrically shutting the identification device down; obstructing the identification device from operating at a Service Mode; and obstructing network communication.
PCT/IL2007/000793 2006-06-29 2007-06-28 Tamper-resistant identification device WO2008001375A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US81707806P 2006-06-29 2006-06-29
US60/817,078 2006-06-29

Publications (2)

Publication Number Publication Date
WO2008001375A2 true WO2008001375A2 (en) 2008-01-03
WO2008001375A3 WO2008001375A3 (en) 2008-07-03

Family

ID=38698413

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2007/000793 WO2008001375A2 (en) 2006-06-29 2007-06-28 Tamper-resistant identification device

Country Status (1)

Country Link
WO (1) WO2008001375A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010130857A1 (en) * 2009-05-12 2010-11-18 Carlos Fontes Vila Bluetooth-controlled access and presence control system comprising the biometric reading of parts of the hand
ES2352621A1 (en) * 2009-05-12 2011-02-22 Carlos Fontes Vila System of control of access and presence for biometric reading of the fingerprint with control by bluetooth. (Machine-translation by Google Translate, not legally binding)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0283376A1 (en) * 1987-03-05 1988-09-21 FICHET-BAUCHE Société dite: Magnetically controlled detector of the movement of a mobile part with respect to a fixed part for the opening of an enclosure
GB2262015A (en) * 1991-11-27 1993-06-02 Us Energy Non-contact tamper sensing by electronic means
FR2727226A1 (en) * 1994-11-17 1996-05-24 Schlumberger Ind Sa Security device holding information within electronic IC memory
WO2003069536A2 (en) * 2002-02-17 2003-08-21 Orpak Industries (1983) Ltd. Id component anti-tampering system

Also Published As

Publication number Publication date
WO2008001375A3 (en) 2008-07-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07766824

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

NENP Non-entry into the national phase in:

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 07766824

Country of ref document: EP

Kind code of ref document: A2