The present invention is directed, in general, to wireless networks and, more specifically, to a system for performing secure over-the-air (OTA) provisioning of cellular phone handsets and other mobile devices.
Reliable predictions indicate that there will be over 300 million cellular telephone customers worldwide by the year 2000. Within the United States, cellular service is offered by cellular service providers, by the regional Bell companies, and by the national long distance operators. The enhanced competition has driven the price of cellular service down to the point where it is affordable to a large segment of the population.
The current generation of cellular phones is used primarily for voice conversations between a subscriber handset (or mobile station) and another party through the wireless network. A smaller number of mobile stations are data devices, such as personal computers (PCs) equipped with cellular/wireless modems. Because the bandwidth for a current generation mobile station is typically limited to a few tens of kilobits per second (Kbps), the applications for the current generation of mobile stations are relatively limited. However, this is expected to change in the next (or third) generation of cellular/wireless technology, sometimes referred to as “3G” wireless/cellular, where a much greater bandwidth will be available to each mobile station (i.e., 125 Kbps or greater). The higher data rates will make Internet applications for mobile stations much more common. For instance, a 3G cell phone (or a PC with a 3G cellular modem) may be used to browse web sites on the Internet, to transmit and receive graphics, to execute streaming audio and/or video applications, and the like. In sum, a much higher percentage of the wireless traffic handled by 3G cellular systems will be Internet protocol (IP) traffic and a lesser percentage will be traditional voice traffic.
In order to make wireless services as convenient and as affordable as possible, wireless service providers frequently sell cellular handsets (or other types of mobile stations) directly to potential subscribers from display booths in supermarkets and department stores. Simple instructions are provided to guide the buyer through the process of activating the cellular handset and signing up for wireless services to become a subscriber. In conventional cellular systems, the handset buyer activates the new handset and begins the provisioning process by dialing “*228xx” on the handset keypad in accordance with the handset instructions. The value of “xx” varies according to the identity of the wireless service provider that sells the handset.
Although initially unprovisioned, the new handset must, of necessity, have certain minimum radio frequency (RF) communication capabilities that enable the handset to become provisioned. Dialing “*228xx” on the handset keypad automatically initiates a special purpose call that connects the handset buyer to an operator. The operator requests certain account information from the buyer, such as personal information, a credit card number, home billing address, and the like. When the account information is collected and the account is set up, the operator instructs the handset buyer to enter several sequences of passwords, code numbers, menu-selected commands, and the like, that enable certain functions in the handset.
This process is frequently referred to as “service provisioning.” Service provisioning may activate in the cellular handset a Number Assignment Module (NAM), which gives the handset a unique phone number for incoming calls and provides a roaming capability by identifying approved wireless carriers. Service provisioning may also activate in the handset a Preferred Roaming List (PRL), which is a list of frequencies/bands owned by each carrier in each geographical region and which may identify preferred and/or prohibited frequencies in each region as well. Service provisioning also activates an authentication code, sometimes referred to as an “A-key,” in the cellular handset. The handset uses the A-key to authenticate the handset when the subscriber attempts to access the wireless network.
The wireless network uses a home location register (HLR) to store the A-key, the phone number, the roaming capability information, and other data related to each handset that has been or is being authenticated and provisioned by the wireless network. The HLR is a permanent database used by the wireless service provider to identify/verify a subscriber and store individual subscriber data related to features and services. The subscriber's wireless service provider uses the HLR data when the subscriber is accessing the wireless network in the subscriber's home coverage area. Other wireless service providers also use the HLR data (typically accessed via wireline telephone networks) when the subscriber roams outside the subscriber's home coverage area.
The conventional provisioning process described above has numerous drawbacks. A human operator must talk the user through the process of pressing keys and verifying screen results. This is time consuming and frequently results in errors, particularly with unsophisticated subscribers. Mistakes may go unnoticed initially and the subscriber may become frustrated that the cellular service does not operate as advertised. When the mistake is finally diagnosed, the provisioning process may need to be at least partially re-performed. The human operator also adds labor costs to the provisioning process.
It would be preferable to automate cellular service provisioning to the greatest extent possible in order to reduce labor costs, eliminate errors, and make the process more user-friendly by minimizing or eliminating subscriber interaction. In particular, it would be far more convenient to perform over-the-air (OTA) cellular service provisioning by accessing a provisioning server from an unprovisioned handset via an Internet connection. In such a scenario, the handset does not place a voice call to an operator, but rather places a “data call” that transmits Internet protocol (IP) packets to, and receives IP packets from, a base station of the wireless network. The 3G systems will make OTA service provisioning of handsets easier and more common.
However, OTA service provisioning of a handset presents serious security problems for the wireless service provider, particularly with respect to fraud. The base station that handles the initial set-up data call from an unprovisioned handset may not store the required provisioning data. Instead, base stations typically access provisioning data from one or more provisioning servers within the wireless service provider's network and which may or may not be accessible by an intranet or by the Internet. Many wireless service providers operate clusters of base stations that are not directly connected to each other, but rather are connected to the local Bell telephone companies and/or to the major long-distance carriers. Without an Internet or intranet connection, each cluster of base stations would require its own provisioning server. Alternatively, a wireless carrier would have to pay the local Bell companies and/or a long distance company additional line fees to connect the base stations to the provisioning server.
Using an Internet connection allows a wireless service provider to consolidate all service provisioning applications and data in a central repository, rather than maintaining at great expense redundant copies of such information among a large number of provisioning servers. However, it is foreseeable that a sophisticated user could use an unprovisioned handset (possibly with some minor modifications) to access a wireless network under the guise of service provisioning and then use the wireless network to access any IP address on the Internet, not just the IP address of the provisioning server. In effect, the user could defraud the wireless service provider by using the unprovisioned handset to surf the Internet for free. The user may also use the same IP connection to commit other kinds of fraud or illegal activities.
This problem exists for several reasons. First, IP addresses of other services are freely known to the public. Second, conventional wireless networks do not provide a method or an apparatus capable of blocking access to unauthorized IP addresses that is triggered by the network's knowledge that the mobile is unprovisioned. Third, even if the network provides the mobile with an IP address to be used for provisioning, the mobile must be trusted to use that IP address only.
Therefore, there is a need in the art for improved systems and methods for performing automatic service provisioning of wireless handsets (and other types of mobile stations). In particular, there is a need in the art for systems and methods for performing secure over-the-air provisioning of wireless devices. More particularly, there is a need for systems and methods that are capable of preventing unauthorized persons from using an unprovisioned handset or other type of mobile station to access any IP service other than the provisioning server.
To address the above-discussed deficiencies of the prior art, it is a primary object of the present invention to provide a security apparatus for use in a wireless network comprising a plurality of base stations capable of communicating with a plurality of mobile stations. The security apparatus prevents unprovisioned mobile stations from accessing an Internet protocol (IP) data network via the wireless network. In an advantageous embodiment of the present invention, the security apparatus comprises a database capable of storing a first server IP address of a first provisioning server associated with the wireless network; and a first controller capable of receiving a first IP data packet transmitted by a first one of the plurality of mobile stations, the first IP data packet comprising a first source IP address and a first destination IP address, wherein the first controller is capable of 1) determining if the first mobile station is provisioned, 2) transmitting the first IP data packet to the IP data network if the first mobile station is provisioned, and 3) if the first mobile station is unprovisioned, one of: a) transmitting the first IP data packet to the IP data network if the first destination IP address matches the first server IP address and b) preventing transmission of the first IP data packet to the IP data network if the first destination IP address does not match the first server IP address.
According to one embodiment of the present invention, the security apparatus is disposed in an interworking function unit capable of transferring data between the wireless network and IP data network coupled to the wireless network.
According to another embodiment of the present invention, the first controller determines whether the first mobile station is provisioned by comparing the first source IP address to a plurality of IP addresses of provisioned mobile stations stored in the database.
According to still another embodiment of the present invention, the first controller determines whether the first mobile station is provisioned by comparing the first source IP address to a plurality of IP addresses of unprovisioned mobile stations stored in the database.
According to yet another embodiment of the present invention, the first controller is capable of comparing the first destination IP address to a plurality of server IP addresses stored in the database.
According to a further embodiment of the present invention, the first controller transmits the first IP data packet to the IP data network if the first destination IP address matches any one of the plurality of server IP addresses.
According to a still further embodiment of the present invention, the first controller prevents transmission of the first IP data packet to the IP data network if the first destination IP address does not match any of the plurality of server IP addresses.
In one embodiment of the present invention, the first controller is further capable of receiving from the IP data network a second IP data packet directed to a second one of the plurality of mobile stations, the second IP data packet comprising a second source IP address and a second destination IP address, wherein the first controller is capable of 1) determining if the second mobile station is provisioned, 2) transmitting the second IP data packet to the second mobile station if the second mobile station is provisioned, and 3) if the second mobile station is unprovisioned, one of: a) transmitting the second IP data packet to the second mobile station if the second source IP address matches the first server IP address and b) preventing transmission of the second IP data packet to the second mobile station if the second source IP address does not match the first server IP address.
In another embodiment of the present invention, the first controller determines whether the second mobile station is provisioned by comparing the second destination IP address to a plurality of IP addresses of provisioned mobile stations stored in the database.
In yet another embodiment of the present invention, the first controller determines whether the second mobile station is provisioned by comparing the second destination IP address to a plurality of IP addresses of unprovisioned mobile stations stored in the database.
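As an added example (not the patent's own code), the two filtering rules of the summary above carried out in Python on constructed sample traffic: the uplink check on a packet sent by a mobile station and the downlink check on a packet directed to a mobile station, with the provisioned-mobile lookup done against a list of provisioned addresses. The addresses, the database layout and the function names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address


@dataclass
class ProvisioningDatabase:
    """Assumed database: provisioning-server addresses plus the addresses
    currently assigned to provisioned mobiles (the 'provisioned list' variant)."""
    server_ips: set[IPv4Address] = field(default_factory=set)
    provisioned_mobiles: set[IPv4Address] = field(default_factory=set)

    def is_provisioned(self, mobile_ip: str) -> bool:
        return ip_address(mobile_ip) in self.provisioned_mobiles

    def is_server(self, addr: str) -> bool:
        # A set of server addresses covers the multi-server embodiment;
        # a single-server database is simply a one-element set.
        return ip_address(addr) in self.server_ips


def filter_uplink(db: ProvisioningDatabase, src: str, dst: str) -> bool:
    """Mobile -> IP data network. True means the packet is forwarded."""
    if db.is_provisioned(src):          # steps 1 and 2: provisioned mobiles pass
        return True
    return db.is_server(dst)            # step 3: unprovisioned, server-only


def filter_downlink(db: ProvisioningDatabase, src: str, dst: str) -> bool:
    """IP data network -> mobile. Source and destination roles are swapped."""
    if db.is_provisioned(dst):
        return True
    return db.is_server(src)


def process(db: ProvisioningDatabase, packets: list) -> list:
    """packets: (direction, src, dst) tuples. Returns 'forward'/'drop' per packet."""
    decisions = []
    for direction, src, dst in packets:
        check = filter_uplink if direction == "up" else filter_downlink
        decisions.append("forward" if check(db, src, dst) else "drop")
    return decisions


# Constructed sample data (documentation address ranges, not real deployments).
SAMPLE_DB = ProvisioningDatabase(
    server_ips={ip_address("10.0.0.5")},
    provisioned_mobiles={ip_address("192.0.2.10")},
)
SAMPLE_PACKETS = [
    ("up", "192.0.2.10", "198.51.100.1"),    # provisioned mobile, any destination
    ("up", "192.0.2.20", "10.0.0.5"),        # unprovisioned -> provisioning server
    ("up", "192.0.2.20", "198.51.100.1"),    # unprovisioned -> other IP address
    ("down", "10.0.0.5", "192.0.2.20"),      # server reply to unprovisioned mobile
    ("down", "198.51.100.1", "192.0.2.20"),  # other host -> unprovisioned mobile
]
```

Running `process(SAMPLE_DB, SAMPLE_PACKETS)` yields forward, forward, drop, forward, drop, which is the behaviour the summary assigns to the first controller.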
The foregoing has outlined rather broadly the features and technical advantages of the present invention so that those skilled in the art may better understand the detailed description of the invention that follows. Additional features and advantages of the invention will be described hereinafter that form the subject of the claims of the invention. Those skilled in the art should appreciate that they may readily use the conception and the specific embodiment disclosed as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. Those skilled in the art should also realize that such equivalent constructions do not depart from the spirit and scope of the invention in its broadest form.
Before undertaking the DETAILED DESCRIPTION OF THE INVENTION, it may be advantageous to set forth definitions of certain words and phrases used throughout this patent document: the terms “include” and “comprise,” as well as derivatives thereof, mean inclusion without limitation; the term “or,” is inclusive, meaning and/or; the phrases “associated with” and “associated therewith,” as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, or the like; and the term “controller” means any device, system or part thereof that controls at least one operation; such a device may be implemented in hardware, firmware or software, or some combination of at least two of the same. It should be noted that the functionality associated with any particular controller may be centralized or distributed, whether locally or remotely. Definitions for certain words and phrases are provided throughout this patent document; those of ordinary skill in the art should understand that in many, if not most instances, such definitions apply to prior, as well as future uses of such defined words and phrases.