1. Field of the Invention
This invention relates to wireless telecommunication. In particular, the various embodiments of the invention relate to monitoring and tracking wireless communications devices and their activities, the construction and management of applications for performing such functions, the monitoring of activities and data stored in mobile devices, and the transparent exfiltration of collected information from monitored mobile devices using wireless links. The present invention has applications in fields of computer science, electronics, telecommunications, and security.
2. The Related Art
Mobile devices include pagers, mobile phones, and combination devices that include the functionality of mobile phones, pagers, and personal digital assistants (PDAs). These devices allow the exchange of textual information (e.g., using pagers, cell phones, or PDAs) as well as voice and data (e.g., using cell phones and PDAs). Mobile devices have also recently been integrated with useful features such as global positioning system (GPS) access, cameras, and scanners (including scanners able to process radio frequency identification (RFID) and barcodes), and magnetic data storage cards. Wireless communication (“wireless”) allows two or more electronic devices to exchange information without the need for a physical connection (i.e., a wire or cable) between the devices, using radio or microwave transmissions; and devices using wireless communications can be fixed or mobile. Unlike traditional “wired” technologies, wireless communication technologies permit users to operate from any location at which there is sufficient wireless signal power to enable the communication. Fixed wireless devices allow wireless communication from a fixed location to mobile device. Mobile wireless permits communication between several mobile devices; and mobile devices generally communicate using radio-frequency transmissions.
Transmitters send a signal from a wireless communication point-of-presence to a mobile device, while receivers process a signal received at a point-of-presence from a device. A point-of-presence is a collection of one or more transmitters and receivers that can communicate with a mobile device. For example, a fixed point-of-presence can be a communication tower in a cellular telephone network or a wireless local area network connection at a coffee shop. Fixed points-of-presence are typically spaced so that their ranges overlap to allow continuous communication as a device moves amongst various locations. A mobile point-of-presence can be any other mobile device that is not a fixed point of presence. An example of a mobile point of presence is a laptop accepting WiFi connections or a mobile telephone handset accepting WiFi or Bluetooth. As long as a connection can be made between the point-of-presence and the mobile device, information can be sent and received appropriate to the capabilities of the device. But in many environments, such constant contact between a mobile device and a point-of-presence is not possible; because areas exist which are not in range of a point-of-presence, and variances of land or building materials may interfere with the signal. As a result, a mobile device can be out of coverage for a few minutes or hours, and mobile phone calls, wireless internet connections, and access to mobile points of presence may be cut off unexpectedly.
More recently, mobile devices have allowed application programs to be written to manage data communication (and not just voice) to and from the device so that more advanced functionality can be enabled in the device without connecting the mobile device to a computer or other device to download and install the application programs. Such applications can communicate with other devices, such as networked computers and other electronic equipment (including other mobile devices). Examples include the ability to send and receive email; review and process calendar, tasks, contacts, and other personal information manager records; retrieve, display and manage stock data; find and display nearby restaurants or clothing stores; and to receive or send documents and files using a mobile device. Alternatively, these applications rely upon an always-available Internet connection, and communicate using standard Internet techniques and protocols (for example, sockets, UDP (User Datagram Protocol), TCP (Transmission Control Protocol), and HTTP (HyperText Transfer Protocol)). In some cases, applications make use of WAP protocols and associated WAP Gateways to access Internet resources when the device's display resolution or other capabilities are inadequate for full Internet access. Wireless Application Protocol (WAP) is a standard implemented through WAP Gateways which are servers that act as communications bridges between wireless devices and internet services, transferring data between devices and services, and transforming data as required between the various protocols used. Each of these methods relies on the wireless connection being available when needed.
A user's employment of a mobile device, and the data stored within a mobile device, is often of interest to individuals and entities that desire to monitor and/or record the activities of a user or a mobile device. Some examples of such individuals and entities include law enforcement, corporate compliance officers, and security-related organizations. As more and more users use wireless and mobile devices, the need to monitor the usage of these devices grows as well. Monitoring a mobile device includes the collection of performance metrics, recording of keystrokes, data, files, and communications (e.g. voice, SMS (Short Message Service), network), collectively called herein “monitoring results”, in which the mobile device participates. Network management applications monitor device performance in order to identify network and device performance issues. Additional applications of monitoring technologies include the protection of corporate information and ensuring information covered by non-disclosure agreements is not inappropriately distributed. For example, recent high profile securities fraud cases have identified users who have sent details of upcoming mergers and acquisitions to accomplices who use the information for personal profit. Similarly, monitoring technologies provide advantages to law enforcement as the criminal element increasingly uses portable mobile devices to communicate and manage their criminal enterprises.
Mobile device monitoring can be performed using “over the air” (OTA) at the service provider, either stand-alone or by using a software agent in conjunction with network hardware such a telephone switch. Alternatively, mobile devices can be monitored by using a stand-alone agent on the device that communicates with external servers and applications. In some cases, mobile device monitoring can be performed with the full knowledge and cooperation of one of a plurality of mobile device users, the mobile device owner, and the wireless service provider. In other cases, the mobile device user or service provider may not be aware of the monitoring. In these cases, a monitoring application or software agent that monitors a mobile device can be manually installed on a mobile device to collect information about the operation of the mobile device and make said information available for later use. In some cases, this information is stored on the mobile device until it is manually accessed and retrieved. In other cases, the monitoring application delivers the information to a server or network device. In these cases, the installation, information collection, and retrieval of collected information are not performed covertly (i.e. without the knowledge of the party or parties with respect to whom the monitoring, data collection, or control, or any combination thereof, is desired, such as, but not limited to, the device user, the device owner, or the service provider). The use of “signing certificates” to authenticate software prior to installation can make covert installation of monitoring applications problematic. When software is not signed by a trusted authority, the software may not be installed, or the device user may be prompted for permission to install the software. In either case, the monitoring application is not installed covertly as required. Additionally, inspection of the mobile device can detect such a monitoring application and the monitoring application may be disabled by the device user. Alternatively, OTA message traffic may be captured using network hardware such as the telephone switch provided by a service provider. This requires explicit cooperation by the service provider, and provides covert monitoring that is limited to message information passed over the air. As a result, service provider-based monitoring schemes require expensive monitoring equipment, cooperation from the service provider, and are limited as to the types of information they can monitor.
Additional challenges are present when the monitoring results are transmitted from a mobile device. First, many mobile devices are not configured to transmit and receive large amounts of information. In some instances, this is because the mobile device user has not subscribed to an appropriate data service from an information provider. In other instances, the mobile device has limited capabilities. Second, transmitting information often provides indications of mobile device activity (e.g. in the form of activity lights, battery usage, performance degradation). Third, transmitting information wirelessly requires operation in areas of intermittent signal, with automated restart and retransmission of monitoring results if and when a signal becomes available. Fourth, many mobile devices are “pay as you go” or have detailed billing enabled at the service provider. The transmission of monitoring results can quickly use all the credit available on a pre-paid wireless plan, or result in detailed service records describing the transmission on a wireless customer's billing statement. Lastly, stored monitoring results can take up significant storage on a mobile device and the stored materials and the use of this storage can be observed by the device user.
Some devices have a removable identity card. SIMs are part of a removable smart card, and the combination of a SIM and the smart card is commonly referred to as a “SIM card”. SIM cards securely store the service-subscriber key used to identify a subscriber to a given wireless network, and they also support the SIM Application Toolkit (STK), which is a standard of the GSM system that enables the SIM to initiate actions that can be used for various value added services, such as payment authorization for purchases. In GSM 2G networks, the STK is defined in the GSM 11.14 standard. In GSM 3G networks, the USIM Application Toolkit (USAT) is the equivalent of STK, and is defined in standard 3GPP 31.111. Both STK and USIM are referred to herein as “STK” when the context does not require specification of the 2G or 3G versions specifically.
The STK consists of a set of functions programmed into the SIM card that define how the SIM can interact directly with the device (commonly referred to in this context as a “handset”), and/or the network. The STK provides functions that can give commands to the handset, for example: to display a menu and ask for user input, to dial phone numbers, or to control or access other device features, such as GPS receivers and RFID readers. These functions enable the SIM to carry out an interactive exchange between a network application and the end user and to provide or control access to the network. Details of STK capabilities and use are defined in the 3rd Generation Partnership Project (3GPP) Specification of the SIM Application Toolkit (STK) for the Subscriber Identity Module-Mobile Equipment (SIM-ME) interface (also known as the 11.14 specification) and related standards documents.
In addition to the STK, SIM cards can implement additional systems for supporting application programs that run on the SIM card. There are a plurality of systems and standards for such support, including the Open Platform and Java Card standards. Some standards support only one operating system or hardware smart card, others, like the Java Card standard, are supported on a plurality of smart cards under a plurality of operating systems. These systems can provide mechanisms for installing applications programs, selecting applications to execute, and means for the application programs to interact with each other or with the world outside of the smart card they are running on. Thus, the open-ended capabilities of applications installed on smart cards pose a potential security hazard to the smart card and to devices in which the cards are installed, similar to that of other general purpose computing devices.
Although SIM cards originated with GSM devices, the cards have proven so useful that other network types have adopted similar mechanisms. For example, CDMA systems have implemented a SIM-like device called a Removable User Identity Module (R-UIM), and a more advanced version of this called a CDMA Subscriber Identity Module (CSIM), which are cards developed for CDMA handsets that are equivalent to a GSM SIM. The CSIM is physically compatible with GSM SIMs, can fit into existing GSM phones, and is an extension of the GSM standard but is capable of working on both CDMA and GSM networks.
Removable identity modules can designate one or more pieces of software to run when a device is powered on with the identity modules. Removable identity modules thus provide a mechanism for surreptitiously installed software to be installed and then moved between devices.
From the foregoing, it will be appreciated that effective covert monitoring of a mobile device requires the combination of several technologies and techniques that hide, disguise, or otherwise mask at least one aspect of the monitoring processes: the covert identification of the mobile devices to be monitored, the covert installation and control of the monitoring applications, and the covert exfiltration of collected monitoring results. As used herein, “covert exfiltration” refers to a process of moving collected monitoring results from a mobile device while it is under the control of another without their knowledge or awareness. Thus covert exfiltration processes can be those using stealth, surprise, covert, or clandestine means to relay monitoring data. “Collected monitoring results” as used herein includes any or all materials returned from a monitored mobile device to other devices, using either mobile or fixed points-of-presence. Examples of collected monitoring results include one or more of the following: command results, call information and call details, including captured voice, images, message traffic (e.g. text messaging, SMS, email), and related items such as files, documents and materials stored on the monitored mobile device. These materials may include pictures, video clips, PIM information (e.g. calendar, task list, address and telephone book), other application information such as browsing history, and device status information (e.g. device presence, cell towers/wireless transmitters/points-of-presence used, SIM data, device settings, location, profiles, and other device information). Additionally, the capability to covertly utilize a mobile device as a covertly managed camera or microphone provides other unique challenges.
Thus covert monitoring of a mobile device's operation poses the significant technical challenges of hiding or masking the installation and operation of the monitoring application, its command and control sessions, hiding the collected monitoring results until they are exfiltrated, surreptitiously transmitting the results, and managing the billing for the related wireless services. The exemplary illustrative technology herein addresses these and other important needs.