Mobile communications devices such as cell phones, smartphones, and PDAs, have advanced well beyond devices that simply carry voice communications. Today's mobile communications devices are frequently used to receive and transmit data as well, including files, email and SMS or text messages. This data may be received through one or more device “entry points,” such as over the cellular network, a data network, WiFi, Bluetooth or others. These device entry points are also known as “network interfaces” because they each provide an interface to a different network. As people rely upon their mobile communications devices to transmit and receive data through these network interfaces, it becomes important to ensure that these network interfaces are secure. Each new network interface corresponds to a different communications protocol, allowing hackers and cyber-terrorists additional ways to discover and exploit vulnerabilities in the different protocols and/or network interfaces.
Since many mobile communications devices are designed to mimic the functionality of traditional desktop and laptop computing platforms, the methods used to protect these traditional platforms are often appropriated for the mobile communications device. However, traditional desktop, laptop and even server computers do not share the same network interface issues found in modern mobile communications devices. This is because traditional platforms typically use a single network interface, such as an Ethernet interface. This network interface typically uses a limited number of communications protocols, such as TCP/IP or other IP-based protocols. As such, protecting that network interface is simply a matter of monitoring the data received by that interface. In other words, unlike a mobile communications device that may have multiple network interfaces, a computer may only be secured at a single network interface.
For those computers that have multiple network interfaces, such as Bluetooth or infrared in addition to Ethernet, present security methods still monitor transmitted and received data, but the data is funneled to single software component tied to the computer's operating system. This component will typically apply what is well-known as the “least common denominator” method to determine if the received data presents any risks or inconsistencies. In essence, however, these prior security methods treat all incoming data as if they are received at the Ethernet interface. More specifically, these prior art security methods treat all data as if they are transmitted using an IP-based communications protocol. Some mobile communications devices mimic this type of security system by monitoring TCP/IP traffic received by the mobile communications device. However, this type of security system ignores the mobile communications device's ability to receive non-TCP/IP traffic. This is illustrated in FIG. 1.
FIG. 1 shows various hardware-implemented network, communications or software-defined interfaces such as infrared transceiver 101, Bluetooth radio 102, WiFi radio 103, USB interface 104, cellular radio receiver 105 including cellular data connection 106 and SMS 107, and near field communication 108. In addition, various software-implemented interfaces, services and communications protocols are shown, including infrared services 111, Bluetooth services including SDP 112, OBEX 113, HFP/HSP 114 and BNEP 115, other network services and applications 116, WAP 122 and WAP services 117, SIM toolkit 118, text messaging 119 and other SMS services 120. Data received utilizing these network interfaces, services and protocols generally travels directly to the operating system subsystem that handles, manages or executes this data. For example, data received by the infrared receiver 101 or data in the form of an infrared communications protocol 131 is managed by the operating system's infrared subsystem 131. Data received by the WiFi radio 103, USB interface 104, Cellular data connection 106, or BNEP 115 is managed by the operating system's networking subsystem 133, where it may be further directed through TCP/IP subsystem 121 to network services and applications 116. FIG. 1 illustrates that various communications pathways a mobile communications device may utilize a variety of network interfaces and communications protocols. However, in prior art mobile communications device security systems, only TCP/IP or other traditional network traffic is monitored and analyzed. In other words, prior art security systems only protect received data traveling through Operating system's networking subsystem TCP/IP subsystem 121 and/or the mobile communications device operating system network subsystem 133. FIG. 1 illustrates that not all data will be transmitted to a mobile communications device using these communications pathways and, as a result, there are a number of vulnerabilities that are ignored by prior art security methods.
FIG. 1 also illustrates that certain communications protocols may be layered. For example, the Bluetooth radio 103 may receive data encoded using the Bluetooth communications protocol stack. As such, the data may be further layered using SDP 112, OBEX 113, HFP/HSP 114, BNEP 115, etc. Not only are prior art systems unable to monitor data received over the non-TCP/IP portions of the Bluetooth network interface, but prior art security systems lack the ability to identify, examine and track lower-level protocol layers for any security threats.
What is therefore needed is a way to monitor all of the different network interfaces and that also tracks all of the protocols used by these network interfaces on a mobile communications device.
Prior art security systems also tend to focus on data as it is received or is stored on the mobile communications device. This does not provide a complete picture of all of the data communications to and from a mobile communications device, and in particular, does not prevent attacks that do not come over TCP/IP and do not utilize the file system before compromising the device. For example, if a mobile communications device receives self-propagating malware such as a worm which uses an exploit to propagate, prior art security systems may not detect the exploit being used to install the malware. After the exploit compromises the system, it can disable any security functionality and be able to install the worm to the file system without hindrance. Further, prior art security systems will not likely prevent the worm from spreading because outbound data transmissions, especially over non TCP/IP networks, are not often monitored. As such, present mobile communications devices are vulnerable to a multitude of attacks, which could not only disrupt daily life, government, and commerce, but also provides a significant vehicle for large-scale cyber-terrorist or criminal attacks.
What is therefore needed is a way to monitor outbound data transmission from a mobile communications device and prevent attacks that compromise the system before passing through the operating system's networking subsystem.