Wireless communication systems, which include cellular communication systems, have long been in existence. In a typical wireless communication system, a mobile handset employs the wireless network infrastructure to communicate voice and/or data with other telecommunication devices, such as another mobile handset, a land-based telephone, a computer, and the like. The wireless portion typically covers only the last hop between the wireless network infrastructure and the handset.
Generally speaking, the network infrastructure is built, maintained, and improved by one or more wireless service providers. These wireless service providers derive the bulk of their revenues from usage fees charged to the mobile handset subscribers (e.g., wireless phone users). The revenues may come in the form of a fixed monthly fee. More likely, there is, additionally or alternatively, a usage-based fee charged to the mobile handset subscriber based on the services employed (e.g., Internet access versus voice calls), the resources employed (e.g., faster versus slower access speed), and/or the duration of the communication session.
For customer satisfaction reasons and because these usage-based fees constitute a significant portion of the revenues received by wireless service providers, wireless service providers are motivated to ensure that the proper fee is charged to the subscriber for the service requested. If the charge is higher than what the subscriber expects to pay, customer satisfaction suffers. On the other hand, if a subscriber is able to employ a resource-intensive service (such as videoconferencing, for example) but is not charged accordingly, the wireless service provider loses revenue.
Most subscribers tend to be honest in honoring their contracts with their wireless service providers. For example, most subscribers expect that the charge incurred is proportional to the service utilized, and they would pay when billed. However, there are always some subscribers who, for a variety of reasons, attempt to avoid getting charged for services they actually use.
For example, a dishonest subscriber may manipulate his handset so that the handset would appear to the wireless network infrastructure as if that handset is associated with another subscriber's account. The dishonest subscriber is then able to use the network's services without getting personally charged for the services employed. The other innocent subscriber would then receive a surprisingly large invoice at the end of the billing period. Of course, these unauthorized charges would be disputed by the innocent subscriber, and in a large percentage of cases, the wireless service provider ends up writing off the invoice, receiving nothing for the use of its network infrastructure.
One way to combat the above-mentioned fraud is to use an authentication procedure to authenticate the handset before allowing the communication to take place. With reference to FIG. 1, in a typical GSM (Global System for Mobile Communication) network, an exemplary authentication scenario may involve the use of the Home Location Register/Authentication Center (HLR/AC) 102 to generate an “Authentication Request” using the Shared Secret Data (SSD). The Shared Secret Data (SSD) represents confidential and protected data shared by both the Authentication Center (AC) and the Subscriber Identity Module (SIM) in the handset. The Authentication Request contains a Random Value calculated based on the SSD. As part of the authentication procedure, the HLR/AC also generates a Result (HLR/AC Result) based on the SSD and the Random Value.
The Home Location Register/Authentication Center (HLR/AC) then forwards the Authentication Request (which includes the Random Value) and the HLR/AC Result to the Mobile Switching Center (MSC) 104. The MSC 104 in turn forwards the Authentication Request to the Base Station 106, which broadcasts the Authentication Request to the mobile handset 108. The HLR/AC Result itself is retained in the MSC 104. The mobile handset 108 then takes the Random Value from the Authentication Request and sends it to the Subscriber Identity Module (SIM) 110, which is within the mobile handset.
The SIM 110 then takes the received Random Value and generates its own Result (SIM Result) using its copy of the Shared Secret Data (SSD). The SIM Result is then sent back via the same path to the MSC 104. Note that the SSD never leaves either the HLR/AC 102 or the SIM 110.
The MSC then compares the HLR/AC Result with the SIM Result. If there is a match, then the handset is authenticated and communication can commence. On the other hand, if the HLR/AC Result and the SIM Result fail to match, authentication fails and service is denied.
Other authentication procedures also exist to ensure that the handset is positively identified and matched with the subscriber's account data before communication is authorized. Sophisticated authentication procedures are able to render it almost impossible for a dishonest user to fraudulently use another subscriber's account, thereby limiting the amount of lost revenue suffered by the wireless service provider.
As technology progresses, improvements and changes are made to the handsets to allow the handsets to handle an increasingly sophisticated array of communication services. Videoconferencing, Internet browsing, database access, and interactive gaming are some examples of the services being contemplated. Furthermore, handsets are increasingly configured for expansion and/or update to accommodate new services and/or features. Accordingly, whereas older handsets tend to have their application programs stored in read-only memory (ROM) 112, newer handsets are increasingly storing the application programs in random access memory (RAM) to facilitate re-programmability and/or updating.
As mobile handsets become more programmable, new opportunities exist for fraud. One of the more serious frauds practiced by dishonest subscribers involves reprogramming the software in the handset and duping the network into believing that the subscriber is employing a low-cost service (e.g., voice calls) while that subscriber is in fact employing a premium or higher cost service (e.g., videoconferencing). This is illustrated in FIG. 2 wherein application programs 202, 204, 206, and 208 are now stored in the RAM memory portion of handset 210 instead of in ROM. By hacking into application program 206 and reprogramming the program 206, a dishonest user can practice the aforementioned fraud on the wireless service provider.
A common way of hacking software 206 involves the unauthorized re-programming of the software in the RAM of the mobile handset so that the software no longer correctly identifies to the network infrastructure the service it is actually using. For example, a portion of an application program for facilitating voice calls may be modified to execute videoconferencing code in a manner that does not trigger suspicion. Thus, while the high bandwidth interactive gaming service is used, the dishonest subscriber pays the lower rate associated with the low bandwidth voice calling service.
Note that the aforementioned prior art authentication procedure does nothing to prevent this type of fraud. In this case, the handset is correctly identified as belonging to the subscriber's account. The subscriber is actually paying for a service, albeit a service that is different from the service he is actually using, and in almost all cases, at a lower rate.
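The authentication exchange of FIG. 1 and the gap noted above can be modeled in a few lines; this is an added example, not part of the original text. It assumes HMAC-SHA256 as a stand-in for the unspecified Result computation and a randomly drawn Random Value, and the class names, function names and sample SSD values are hypothetical.

```python
import hashlib
import hmac
import secrets

def compute_result(ssd: bytes, random_value: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the unspecified Result algorithm.
    return hmac.new(ssd, random_value, hashlib.sha256).digest()

class HlrAc:
    """Holds each subscriber's SSD; the SSD never leaves this object."""
    def __init__(self, ssd_by_subscriber):
        self._ssd = dict(ssd_by_subscriber)

    def authentication_request(self, subscriber):
        # Assumption: the Random Value is drawn from a CSPRNG.
        random_value = secrets.token_bytes(16)
        return random_value, compute_result(self._ssd[subscriber], random_value)

class Handset:
    """A SIM (holding its SSD copy) plus reprogrammable application software."""
    def __init__(self, sim_ssd, reported_service, actual_service):
        self._sim_ssd = sim_ssd
        self.reported_service = reported_service  # what the software tells the network
        self.actual_service = actual_service      # what the software really runs

    def sim_result(self, random_value):
        # Only the Random Value enters the SIM; only the SIM Result leaves it.
        return compute_result(self._sim_ssd, random_value)

def msc_authenticate(hlr_ac, subscriber, handset):
    random_value, hlr_result = hlr_ac.authentication_request(subscriber)
    # The HLR/AC Result is retained at the MSC; the handset sees the Random Value only.
    return hmac.compare_digest(hlr_result, handset.sim_result(random_value))

def run_demo():
    ssd = bytes(range(16))     # constructed sample SSD
    other_ssd = bytes(16)      # constructed SSD of a handset posing as the account
    hlr_ac = HlrAc({"subscriber-A": ssd})
    handsets = {
        "honest": Handset(ssd, "voice", "voice"),
        "wrong_ssd": Handset(other_ssd, "voice", "voice"),
        "reprogrammed": Handset(ssd, "voice", "videoconferencing"),
    }
    # Neither service field is an input to the Result, so authentication
    # cannot tell the reprogrammed handset from the honest one.
    return {name: msc_authenticate(hlr_ac, "subscriber-A", h)
            for name, h in handsets.items()}

if __name__ == "__main__":
    print(run_demo())
```

The handset with the wrong SSD is rejected, while the reprogrammed handset authenticates exactly like the honest one, because the Result depends only on the SSD and the Random Value.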