The present invention generally relates to mobile devices such as mobile telephones. More particularly, this invention relates to security systems and methods for mobile devices and other communication devices.
Current technology provides for communications between a plethora of devices via a variety of communication media. For example, computers routinely communicate via the Internet. Mobile devices such as mobile telephones and personal digital assistants (PDAs) are used to communicate with a variety of devices via wireless, analog, digital and other means. Mobile devices may be used, for example, to communicate with other mobile units, computer systems and networks, analog telephone systems and other devices.
The connectivity and functionality of mobile devices provide a broad venue for multimedia, multifunctional use. For example, a mobile telephone is commonly used to communicate with other mobile (wireless) telephones and analog telephones; to download and run game packs; to download and play music; to download and view video; to perform commercial transactions (m-commerce) such as buying and selling products using electronic payment methods; as cameras; to transmit all variety of data and information to other devices; and to run applications such as calendaring and address applications, electronic wallet software, and more.
Innate to the functionality of a mobile telephone, however, is the significant opportunity for intentional security breaches, with significant adverse effects. For example, identity theft (theft of personal information used for fraudulent and criminal purposes) is currently one of the fastest growing crimes, with an estimated associated cost of $1.5 billion annually.
Software piracy (illegal theft or copying of software) is currently estimated to result in annual losses of around $13 billion. Statistically, one in every three software applications will be pirated. Content theft, such as the theft and redistribution of movies or music, results in losses of $3 billion in theft of analog content alone. Theft of digital content is estimated at 350,000 illegal copies of movies alone per day. Further to the tangible losses, the intangible considerations are enormous. For example, device manufacturers may face potential liability for security breaches; potential exclusion from market segments; and damage to investor and business relationships.
Such breaches are accomplished via various means and via various hardware, software, and communications components and channels. For example, simple measures taken to exploit vulnerabilities include packet forging or spoofing at the network level. Other means range from stealth diagnostics, sniffers, hijacking sessions, and back door attacks to self-replicating code. For any single hardware component, software component, or communication link currently in use today, there are at least one—if not many—means to compromise the device, the code, the associated information, or a combination of the same.
Such attack models include, for example, modem misuse, identity theft, and digital rights management (DRM) violations. In devices relying on modems for communication, a user may inadvertently download an application containing malicious code. The code executes, reconfiguring the memory management units (MMUs), which, in turn, permits the code to take control of the hardware components for its own purposes.
In the attack model of identity theft, a user's private information such as a private key, user name, and password is extracted from their mobile telephone. The information is then used to pass secure authentication systems, permitting misuse. For example, stolen information may be used to electronically gain access to a credit account and complete buying transactions charged against the account.
The attack model for digital rights management, or violations of transactions that involve downloading multimedia content such as music, requesting a license to use the content, authenticating the request, and purchasing the license, is frequently employed to defraud the owner of the intellectual property interests in the content. For example, after securing a license for use of an MP3 file on a single device, the licensee may “superdistribute” the file to multiple devices without renegotiating the license, thus mulcting significant use without payment of licensing fees or royalties to the content owner.
Furthermore, attempts to address security issues have, in the past, resulted in new adverse issues. Software solutions still have high potential for security holes. Software solutions are also very difficult to validate. Debugging operations and security are orthogonal concepts. Physical separation between trusted and non-trusted (vulnerable) components offers some protection. For example, hardware components such as microchip sets—such as those used in PC platforms—may have embedded, immutable security modules. Such “secure domains”, however, are virtually impossible to increase without hardware changes. Thus, wholesale purchasers of such manufactured devices may settle for the features and functionality initially provided in the chip by the manufacturer. This is not a viable solution for chip manufacturers and other providers that provide a product line to vendors. Vendors may have the ability to access the embedded operating system and other code to enable compatibility and functionality between the chip and the vendor's hardware. Such access, however, may be misused to infiltrate the system and controvert its intended purpose. A prevalent example of this is mobile telephones. The manufacturers may forego embedded security options to permit vendors access to the chip and other components for customization purposes. After customization and sale to a retailer or customer (user) of the device, any number of parties may gain unauthorized access to various components of the mobile telephone with catastrophic results. For example, the dynamic environment in which a mobile telephone operates permits the download of third party applications to mobile telephones. An attack may be carried out in the form of such a download, whereafter the application gains control of the power amplifier and the radio frequency communications between the host (mobile telephone) and other mobile telephones in the same city, potentially resulting in paralysis of an entire communication network within a given geographical region.
As can be seen, there is a need to secure all aspects related to the use of mobile devices. In particular, it is desirable to provide economical security systems and methods for mobile devices and for such systems and methods to permit authorized access to hardware and software components yet prevent security breaches.