The invention relates to a system for preventing electronic memory manipulation, and in particular, to methods and apparatuses for preventing unauthorized manipulation of desirably secure memory contents in an electronic device.
The invention disclosed herein relates to any electronic device whose memory contents are to be maintained in a secure or preferably unaltered state. Such a requirement may be necessitated by security reasons, such as preventing fraudulent manipulation of a cellular telephone memory, or for the purposes maintaining the integrity of electronic device operation in critical applications such as aircraft control or medical instrument operation. As disclosed and described herein, exemplary aspects of the invention are set out in the context of a system and method for securing one or more electronic memories within a cellular telephone. Also described herein is a system that permits access to, and manipulation of, one or more electronic memories in an electronic device, by use of a data transfer device that undergoes an authentication process before being permitted to access an electronic memory. The latter system also is described in the context of a cellular telephone application. Even though exemplary embodiments of the invention disclosed herein are described in the context of a secure cellular telephone memory and a means for securely accessing and altering memory contents in a cellular telephone, it will be readily appreciated by those skilled in the art that systems in accordance with the invention can be applied to any electronic system having one or more memories whose contents are to remain unaltered, or whose memories are to be accessed only by authorized means. Consequently, the scope of the invention is not intended to be limited by the exemplary embodiments set out herein, but rather by the claims appended hereto and equivalents thereof.
In the United States, losses due to cellular telephone fraud were projected at 600 million dollars in 1995. In response, manufacturers, service providers, the Federal Communications Commission (FCC) and industry trade groups have been investigating a number of techniques for combating such fraud. A majority of cellular telephone fraud carried out in the U.S. involves some form of memory manipulation to alter a cellular telephone's electronic serial number (ESN) which a cellular telephone must provide to establish communication. Consequently one fraud prevention technique, under consideration as a ruling by the FCC, is to require cellular telephone manufacturers to make all microprocessor code and the ESN unalterable. Some background on basic cellular communications is provided below to assist in illustrating the cellular telecommunications operating environment and associated problems that are addressed by systems incorporating the present invention.
A simplified layout of a cellular communications system is depicted in FIG. 1. Mobile telephones M1-M10 communicate with the fixed part of a public switched network by transmitting radio signals to, and receiving radio signals from, cellular base stations B1-B10. The cellular base stations B1-B10 are, in turn, connected to the public switched network via a Mobile Switching Center (MSC). Each base station B1-B10 transmits signals within a corresponding area, or "cell" C1-C10. As depicted in FIG. 1, an idealized arrangement of base stations are organized so that the cells substantially cover an area in which mobile telephone communication ordinarily occurs (e.g., a metropolitan area), with a minimum amount of overlap.
When a user activates a mobile telephone within a cell, the mobile telephone transmits a signal indicating the mobile telephone's presence to the cell's base station. The mobile telephone transmits the signal, which may include its ESN, in a designated set-up chamnel that is continuously monitored by each base station. When the base station receives the mobile telephone's signal, it registers the mobile telephone's presence within the cell. This process can be :repeated periodically so that the mobile telephone is appropriately registered in the event that it moves into another cell.
When a mobile telephone number is dialed, a telephone company central office recognizes the number as a mobile telephone and forwards the call to the MSC. The MSC sends a paging message to certain base stations based on the dialed mobile telephone number and current registration information. One or more of the base stations transmits a page on its set-up channel. The dialed mobile telephone recognizes its identification on the set-up channel, and responds to the base station page. The mobile telephone also follows an instruction to tune to an assigned voice channel and then initiates ringing. When a mobile user terminates a communication, a signaling tone is transmitted to the base station, and both sides release the voice channel.
In the aforedescribed operation, mobile telephones are not connected permanently to a fixed network but instead, communicate through a so-called "air interface" with a base station. This, of course, provides the flexibility of cellular communication systems, since a user can readily transport a mobile telephone without the restriction of being physically linked to a communication system. This same feature, however, also creates difficulties with respect to securing information transmitted over cellular telephone systems.
For example, in ordinary wired telephone systems, a central office exchange can identify a particular subscriber to be billed for use of a telephone set by the communication line to which it is physically attached. Thus, fraudulent use of a subscriber's account typically requires that a physical connection be made to the subscriber's line. This presents a risk of discovery to a would-be fraudulent user.
Cellular telecommunication systems, on the other hand, pose no such connection problem for the would-be fraudulent user since these systems communicate over an air interface. Absent protection schemes, fraudulent users can use another subscriber's account by accessing the subscriber's electronic serial number (ESN) which is transmitted by the mobile telephone to the network at various times for establishing and maintaining communications.
In establishing a standard cellular connection, two identification codes are transmitted by a mobile telephone to the system. These are the Mobile Identification Number (MIN) and the ESN. The MIN identifies a subscriber, while the ESN identifies the actual hardware being used by the subscriber. Accordingly, it is expected that the MIN corresponding to a particular ESN can, due to subscribers purchasing new equipment, change over time. The MIN is a 34-bit binary number derived from a 10-digit directory telephone number, while the ESN is a 32-bit binary number that uniquely identifies a mobile telephone. The ESN is typically set by the mobile telephone manufacturer.
A conventional authentication method utilized in setting up communications in, for example, the Advanced Mobile Phone System (AMPS), is illustrated by the flowchart depicted in FIG. 2. Accord'ing to this method, a base station receives both an ESN and a MIN from the mobile telephone at block 200. These identification codes are designated ESN.sub.m and MIN.sub.m to indicate that they are received from the mobile telephone. Next, at block 202 the base station retrieves an ESN.sub.sys which corresponds to MIN.sub.m from a system memory. ESN.sub.sys is then compared with ESN.sub.m at block 204. If the two serial numbers are the same, the flow proceeds to block 206 and system access is permitted. Otherwise, system access is denied at block 208.
One drawback to this system is that it is relatively simple for a fraudulent user to assemble valid MIN/ESN combinations by eavesdropping on the air interface or from other sources. Since accesses according to this conventional system are presumed valid if the MIN and ESN received from the mobile telephone correspond with those stored in system memory, all of the necessary information for fraudulent access can be obtained by electronic eavesdropping.
In systems operating under the European GSM standard (Global System for Mobile Communication), the American TIA/EIA/IS-136 standard and the Japanese Personal Digital Cellular standard radio communication systems, fraud resulting from eavesdropping is prevented by using a challenge-response method. According to the challenge-response method, each mobile telephone is associated with a unique secret key that is stored both in the mobile telephone and in a database in the network. An algorithm, which is unique to the system, is stored in each mobile telephone and in desired network nodes. When a call is set up, authentication is requested whereby the network sends a challenge (random number) to the mobile telephone. Based on the received challenge and the stored secret key, the mobile telephone calculates a response using the algorithm and transmits the response to the network. Simultaneously, the network calculates an "expected" response based on the same challenge and network-stored secret key. The network then receives the mobile telephone's calculated response and compares the mobile telephone's calculated response with the network's calculated response. If a mismatch occurs, appropriate actions will take place, e.g., access is denied or a warning flag is set. A method for carrying out an authentication check between a base station and a mobile telephone in a mobile radio system is set out in U.S. Pat. No. 5,282,250 to P. Dent et al.
In a conventional analog system, such as AMPS, most fraud is perpetrated by fraudulent users who "clone" valid subscribers by acquiring valid MIN/ESN pairs and using the pairs to reprogram a cellular telephone. In more sophisticated cloning arrangements, a cellular telephone's software is reprogrammed with so that it can use several MIN/ESN pairs in a practice called "tumbling." A cellular telephone programmed with a tumbling routine randomly scrolls through and selects a MIN/ESN pair to initiate a call. As the fraud is identified by the service provider or subscriber, the MIN/ESN pairs are invalidated. When an invalid MIN/ESN pair is encountered when attempting to make a call, the tumbling routine simply cancels that MIN/ESN pair and continues scrolling until a valid MIN/ESN pair is found. After all of the MIN/ESN pairs programmed into the cellular telephone are invalidated, the telephone user typically returns to the cloner to have a new set of MIN/ESN pairs programmed into the cellular telephone.
Most cellular fraud involves some degree of memory manipulation. This is described in reference to FIG. 3 which depicts a block diagram of a conventional cellular telephone memory and processor arrangement. A controller 300 communicates with a ROM or flash program memory 320, an EEPROM 310, and a random access memory (RAM) 330, using a memory bus 308. The program memory 320 is a non-volatile read/write memory theat is used to store the majority of code used for general operation of the cellular telephone. The EEPROM 310 is used to store the MIN/ESN pair 314 and 316, and user profile information 312 (e.g., speed dialing numbers) and the RAM is used for read/write scratchpad memory. Cloners have been known to monitor messaging between the memories and the controller 300 to gather information that is used to bypass or modify information stored in the flash memory 320 or the EEPROM 310.
The most common method of telephone fraud has been the illegitimate use of test commands, which commands are intended for telephone servicing and repair, to change the ESN. However, more recently produced telephones are resistant to such tampering and have effectively eliminated this avenue of attack. Consequently, cloners have resorted to more sophisticated modes of attack.
One such technique involves removing the original EEPROM 310 containing the ESN 314 and replacing it. Following its removal, the EEPROM is studied to decipher its contents. The deciphered contents are then used to program a replacement EEPROM with a misappropriated ESN/MIN pair from a valid user's account. This technique may be attractive to the cloner if he or she only wants to change one ESN at one time. But the technique is labor intensive and poorly skilled cloners may damage printed circuits if not extremely careful.
A large step in cloning sophistication involves analyzing a telephone's microprocessor program code and rewriting one or more sections of the code to transmit a fraudulent identity (ESN/MIN pair) to a cellular base station. This often involves reverse engineering portions of the telephone hardware design, and requires significant understanding of imbedded software design. The obvious advantage of this method, however, is that once the modification is complete, the telephone can be reprogrammed with a new identity as often as desired.
The most sophisticated attacks combine alterations of the cellular telephone's microprocessor code as described above, in combination with hardware modification. One example of this technique uses a so-called "shadow memory" to avoid detection by conventional memory validation routines which only execute during the boot-up process when the cellular telephone is first turned on. The boot-up process is carried out pursuant to a small portion of boot code 304 contained in the controller 300 (see FIG. 3) The boot-up process configures the cellular telephone into an in-service condition and sets a program counter in the microprocessor 301 to an appropriate location in the flash memory 320. When the process is complete, the controller 300 may illuminate an LED 318 (or other equivalent signal) indicating to a user that the telephone is in service. A cloner can monitor a connection 306 between the controller 300 and the LED 318 to subvert the execution of normal operating code in the flash memory 320 as described in more detail as follows.
The flash memory 320 contained in a typical modern cellular telephone has an addressable capacity of 512K. A cloner may remove the flash memory 320, and replace it with a 1024K shadow memory 322 after copying the contents of the original flash memory 320 into the first 512K of the 1024K shadow memory 322. During boot-up, any accesses to program memory are successfully directed in the first 512K of the flash memory 320. The cloner may then monitor a signal available in the telephone which indicates the boot process is complete (such as the LED signal 306) in order to switch all future program memory accesses to the shadow memory 322. Thereafter the cellular telephone operates in accordance with instructions found in the shadow memory 322 which memory can be programmed to contain tumbling routine code and corresponding MIN/ESN pairs.
Because most cellular fraud is based on some degree of memory manipulation, the Federal Communications Commission (FCC) is presently considering a solution directed to this aspect of cellular telephone fraud. The solution is incorporated in a proposed FCC Rule designated .sctn. 22.219. As presently written, .sctn. 22.919 prohibits a mobile telephone's operating software from being alterable; requires an ESN to be factory set and incapable of being altered, transferred, removed or manipulated in any manner; and requires the mobile transmitter to become inoperable if any party, including a manufacturer, attempts to remove, tamper with or change the ESN, the system logic, or firmware of the cellular telephone.
From a consumer's standpoint, the present ability of a manufacturer or its factory authorized service representatives to program cellular telephones makes it easy to replace cellular telephones that are not operating properly. For example, if a subscriber's cellular telephone is not operating properly, the subscriber can obtain a new unit from a factory authorized representative and have it programmed to contain the same electronic "personality" of the old unit. The electronic personality of a cellular telephone includes not only the ESN, but also the user profile and a substantial amount of information programmed into the unit by the subscriber such as personal and/or business telephone numbers. Repair/replacement programs and the technology to make quick and easy ESN and other memory changes to cellular telephones have been developed at the insistence of cellular service providers who do not want their subscribers to be inconvenienced by defective terminals.
Under FCC .sctn. 22.919 a subscriber in the situation described above will still be able to obtain a new mobile unit if their old unit is defective. However, because a new, fixed ESN will be associated with the new unit, the new ESN information will have to be communicated to the cellular carrier who will have to program it into their database. This can result in a lengthy period of time during which the subscriber will not have service. The subscriber will also have to reprogram their cellular telephone with any personal or business telephone numbers. A much more significant problem with .sctn. 22.919 is the adverse impact it will have on the ability of cellular service providers to furnish their subscribers with system upgrades by programming or re-programming of their cellular telephones.
The practical impact .sctn. 22.919 may have on the cellular industry's ability to upgrade systems is demonstrated as follows. The use of a digital control channel as specified, for example, in the TIA/EIA/IS-136 standard, enables cellular carriers to offer new extended services such as a short messaging service. If carriers, manufacturers or authorized agents are allowed to make changes to the software and/or firmware of a cellular telephone, such services can be made available to subscribers quickly and efficiently through software upgrades of the terminals. Under .sctn. 22.919 (in its present form), neither a manufacturer, a manufacturer's authorized service representative nor a cellular carrier will be able to make such software changes. The only way a carrier will be able to offer a subscriber a system enhancement will be to require the subscriber to purchase a new cellular telephone.
To ameliorate the impact of .sctn. 22.919 on subscribers as well as on the manufacturing community, the FCC stated that the rule would be applicable to cellular telephones for which applications for initial type acceptance were filed after Jan. 1, 1995. In effect, the FCC has grandfathered the 20 million cellular telephones currently in operation as well as the millions of cellular telephones placed in service after Jan. 1, 1995, based upon applications for type acceptance filed prior to Jan. 1, 1995. The fact that there are so many cellular units already in the marketplace whose electronic information can be manipulated for illegal purposes suggests that .sctn. 22.919 will have very little impact on the fraud problem. Those entities who commit fraud by illegally tampering with ESNs can continue to do so by using the millions of terminals that are not subject to the .sctn. 22.919 restrictions.
As can be appreciated from the foregoing, provision of a cellular telephone having a secure memory is highly desirable. At present there appear to be no solutions for retrofitting cellular telephones to make them resistant to tampering. In addition there appear to be no methods or apparatuses for providing updates to electronic device memories in such a way that only authorized access is ensured.