1. Field
This disclosure generally relates to the field of communication devices. More particularly, the disclosure relates to security for communication devices.
2. General Background
Communication devices may include mobile devices, set top boxes, cable modems, and the like. For illustrative purposes, an example utilizing a mobile device is discussed. However, the security issues addressed herein may be pertinent to other types of communication devices.
Many mobile devices are locked to accept only a particular kind of Subscriber Identity Module (“SIM”) card. A mobile device may be locked to accept only SIM cards from a particular network. Accordingly, an unlock password is needed to unlock a particular mobile device so that the mobile device accepts other SIM cards that do not meet the specific lock criteria.
The process of locking a mobile device to a particular network begins during manufacturing at a factory. A factory server application generates unlock passwords for each of the mobile devices. Subsequently, the factory server application sends the unlock passwords to a plurality of device provision stations. Further, at each of the device provision stations, one or more devices may be connected for provisioning to receive a password message. The factory server application also uploads the unlock passwords to a centralized password processing center (“PPC”). The PPC is the primary repository for a mobile device's attributes, e.g., subsidy locks, unlock passwords, and a unique device identifier. Further, the PPC is the primary mechanism that a service center utilizes to retrieve an unlock password to place a mobile device in a state in which the mobile device may be repaired or unlocked so that the mobile device may be operated on the network of a different carrier.
Some current configurations do not protect the unlock passwords within the factory server application, the device provision stations, or the PPC. As a result, the unlock passwords for mobile devices are generated, stored, and distributed in an insecure manner. Accordingly, attackers have obtained unauthorized access to the unlock passwords.