1. Field of the Invention
The present invention relates to security for a mobile or personal communications device, and more particularly to security for a mobile or personal communications device that is assigned and broadcasts an identification code.
2. Description of Related Art
Personal communications generally and mobile telephony in particular have become important tools in our society. Unfortunately, the widespread popularity of mobile telephones has created opportunities for thieves to steal mobile telephones, and to "clone" legitimate mobile telephones from the stolen telephones for stealing carrier services. Carrier service theft is the unauthorized billing of calls to a legitimate subscriber. Mobile telephone theft and especially carrier service theft have grown to the point where they now have a serious economic impact. Carrier service theft in the United States is costing service providers approximately $480 million per year, although more recent estimates put losses as high as one billion dollars. New York Times, Oct. 19, 1995, p. A13. Theft of service is naturally more of a concern to service providers than to telephone manufacturers, but service providers play a critical role in marketing mobile telephones. These providers would prefer to promote mobile telephones that are difficult to use in cloning because they have a strong interest in reducing the number of cloned mobile telephones that can be used to steal carrier services. End users too would prefer to own mobile telephones that thieves will not steal because they are not easily used to clone legitimate mobile telephones.
The FCC requires that every mobile telephone be identified by an Electronic Serial Number ("ESN"). The ESN is encoded as a 32-bit number, the high-order eight bits of which are a manufacturer's code, the low-order 18 bits are uniquely assigned to a mobile station, and the remaining bits are unassigned. ESN security is included in various standards jointly adopted by the Electronics Industries Association and the Telecommunications Industries Association, e.g. EIA/TIA IS54B, IS55, IS85 and IS136. See, e.g., EIA/TIA, Interim Standard: Cellular System Dual-Mode Mobile Station--Base Station Compatibility Standard, IS-54-B, April 1992. The ESN is programmed by the manufacturer, and is not readily susceptible to field modification for security purposes. Under the IS54B standard, for example, the ESN may not be stored in re-programmable memory or in any socketed device. Beyond that restriction, how the manufacturer is to protect against field modification is not specified by the EIA/TIA standards.
The ESN is used in conjunction with a mobile identification number, or MIN, to identify a subscriber of a legally owned mobile telephone. The MIN is essentially the telephone number of the mobile station, and is programmed into the mobile telephone by a service provider when service is established. The MIN encodes seven digits as a 24-bit number named MIN1 and a three-digit area code as a 10-bit number named MIN2. During registration, which is the process of identifying a subscriber of a legally owned mobile telephone while the telephone is put into service, an ESN-secured mobile telephone openly broadcasts its MIN and its ESN.
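The ESN and MIN field layouts described above, written out as a small encoder/decoder. This is an added example, not text or code from the patent: the ESN split (8-bit manufacturer code, 18-bit serial, 6 unassigned bits) follows the description, while the digit-to-field rule used for MIN1/MIN2 (zero digits counted as ten, each three-digit group stored as its value minus 111, the fourth digit as a 4-bit field) is the EIA-553/IS-54 convention and goes beyond what the text states.

```python
import re

def esn_fields(esn: int) -> dict:
    """Split a 32-bit ESN into the fields named in the IS-54-B description."""
    if not 0 <= esn < (1 << 32):
        raise ValueError("ESN must be a 32-bit value")
    return {
        "manufacturer": esn >> 24,          # high-order 8 bits
        "unassigned": (esn >> 18) & 0x3F,   # middle 6 bits, unassigned
        "serial": esn & 0x3FFFF,            # low-order 18 bits
    }

def _three_digits_to_field(digits: str) -> int:
    # Assumed EIA-553/IS-54 rule: zero counts as ten, then 100*d1 + 10*d2 + d3 - 111.
    d = [10 if c == "0" else int(c) for c in digits]
    return 100 * d[0] + 10 * d[1] + d[2] - 111

def _field_to_three_digits(field: int) -> str:
    v = field + 111                 # back to 100*d1 + 10*d2 + d3 with digits in 1..10
    d3 = (v - 1) % 10 + 1
    v = (v - d3) // 10
    d2 = (v - 1) % 10 + 1
    d1 = (v - d2) // 10
    return "".join("0" if d == 10 else str(d) for d in (d1, d2, d3))

def encode_min(directory_number: str) -> tuple:
    """10-digit NPA-NXX-XXXX -> (MIN2, MIN1) as 10-bit and 24-bit integers."""
    digits = re.sub(r"\D", "", directory_number)
    if len(digits) != 10:
        raise ValueError("expected a 10-digit directory number")
    npa, nxx, thousands, last3 = digits[:3], digits[3:6], digits[6], digits[7:]
    d4 = 10 if thousands == "0" else int(thousands)   # 4-bit field, zero as ten
    min1 = (_three_digits_to_field(nxx) << 14) | (d4 << 10) | _three_digits_to_field(last3)
    min2 = _three_digits_to_field(npa)
    return min2, min1

def decode_min(min2: int, min1: int) -> str:
    """Inverse of encode_min: recover the ten dialled digits."""
    d4 = (min1 >> 10) & 0xF
    return (_field_to_three_digits(min2)
            + _field_to_three_digits(min1 >> 14)
            + ("0" if d4 == 10 else str(d4))
            + _field_to_three_digits(min1 & 0x3FF))

def registration_fields(directory_number: str, esn: int) -> dict:
    """What an ESN-secured mobile station reveals in the clear at registration."""
    min2, min1 = encode_min(directory_number)
    return {"MIN2": min2, "MIN1": min1, "ESN": esn, **esn_fields(esn)}
```

The sample values used in the test are constructed, not real identifiers.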
Even though the MIN is easily changeable, a mobile telephone is secure if its ESN is not vulnerable to field modification. In the event of theft, service to that telephone may be discontinued once the legal owner reports its loss to the service provider. However, when a mobile telephone design does not adequately protect the unit's ESN against modification, the stolen telephone, just like a legally purchased one, can be used to steal service. Mobile phone theft and cloning occur despite the use of ESN security because thieves have developed techniques for defeating it. The first step in cloning a legitimate mobile telephone to a stolen mobile telephone is to collect valid pairs of MIN and ESN numbers, which is typically done by listening to mobile stations registering with base stations. The next step in cloning is to program a legitimate MIN and ESN pair into a stolen or legally acquired mobile telephone.
Techniques for programming a legitimate MIN and ESN pair into a stolen or legally acquired mobile telephone are well known by thieves. Manufacturing requirements have in the past caused manufacturers to put the ESN in a memory device that can be selectively erased and programmed. In certain older mobile telephones, the MIN and ESN may be changed through the normal service port. In other mobile telephones, the MIN and ESN may be changed by access to the circuit board, which requires opening the case. These modifications may need to be performed each time the MIN/ESN pair is changed, although some units permit modifications to their controller code so that MIN and ESN numbers subsequently can be changed simply by entering them on the telephone keypad. Thieves learn of these techniques by compromising manufacturers' security measures, or by a repetitive trial-and-error process of attempted modification known as hacking.
An illustrative implementation for the IS-54B standard is the NEC IS-54 dual mode cellular telephone base band processing solution available from NEC Electronics, Inc. of Mountain View, California. The block diagram of the NEC IS-54 solution is shown in FIG. 1. The NEC IS-54 solution consists of four chips, an IF interface 120, a digital interface 130, a base band processor 140 (a digital signal processor, or DSP), and an audio CODEC 150. Additional components needed to implement a cellular telephone 100 include an antenna 102, an antenna switch 104, a receive amplifier 106, a transmit amplifier 108, an IF/RF unit 110, a speaker 152, a microphone 154, a microcontroller 160 (a host controller), and an ESN ROM 170. Switch 104 directs signals from the antenna 102 to the receive amplifier 106 in receive mode, and from the transmit amplifier 108 to the antenna 102 in transmit mode. The IF/RF unit 110 provides an oscillator and modulation/demodulation functions. The IF interface 120 provides analog-to-digital and digital-to-analog conversion functions. The digital interface 130 provides TDMA control, WBD voice control, and clock signals. The base band processor 140 provides equalization, channel and speech CODEC functions, AMPS audio processing, AMPS SAT processing, and AMPS WBD MODEM processing. These functions require a great deal of bit processing but only modest "intelligence." CODEC 150 provides audio coding and decoding functions. Protocol control, high level system control, message assembly, and security functions of the mobile telephone 100 are handled by the microcontroller 160, which is connected to the digital interface 130 and the base band processor 140. An ESN memory 170, typically a read-only memory ("ROM"), containing the ESN is connected to the microcontroller 160. Flash EEPROM and mask ROM are suitable for use as ESN memory, but mask ROM is rarely used because it forces manufacturers to serialize their mobile telephones during manufacture.
A JTAG port 180 is coupled to various circuits of the mobile telephone 100, including the digital interface 130, the base band processor 140, and the microcontroller 160.
Generally, a mobile telephone is most vulnerable to cloning through the interfaces between the chips of the mobile telephone chip set. The least vulnerable of these component interfaces are on the RF side of the cellular telephone 100, viz. the interfaces at the IF/RF unit 110 and the IF interface 120, because the data on those interfaces is so intricately coded. Perhaps the most vulnerable of the interfaces is that between the processor carrying out the security functions and the memory device in which the ESN is stored. For example, in the cellular telephone 100 of FIG. 1, the ESN is stored in ESN ROM 170. If the ESN ROM 170 can be removed, then the ESN can be changed.
In another approach to cloning, the ESN memory component is not physically removed from the mobile telephone, but instead logic circuitry is attached at the interface of the memory component to override its behavior. For example, in FIG. 1, a logic circuit may be connected to interconnects between the ESN ROM 170 and the microcontroller 160 which manages the ESN. Similarly, logic may be inserted at the interface between a host controller and a DSP to modify the commands from the host controller that cause the ESN to be transmitted to the base station. For example, in FIG. 1, a logic circuit may be connected to interconnects between the microcontroller 160, which manages the ESN, and the base band processor 140.
ESN security at the ESN memory--host controller interface may be improved by encrypting the stored ESN. In one approach, an external dumb but nonvolatile memory device such as EPROM, EEPROM or Flash memory stores the encrypted ESN. Such memory is readily available in standard form, and advantageously at low cost. A variety of coding schemes and coding keys may be used. Once selected, the coding scheme and coding key are fixed, and provide effective security so long as the coding method is not compromised. However, the fixed nature of the coding scheme affords a thief time to break the coding, and even an encryption scheme that is extremely difficult to break by technical means can be violated by compromising individuals. Still, some deterrence is achieved because cloning is made more difficult.
The JTAG interface of the controller and DSP, which is the communications port for the DSP's debugger, is also a vulnerable point. For example, in FIG. 1, the JTAG functions of the base band processor 140 and the microcontroller 160 are accessible through the JTAG terminal 180. Although the debugger does not permit disassembly or other interrogation of instruction memory, the debugger may be used to set breakpoints in the controller's code and examine the contents of registers and memory to determine whether the ESN resides for any length of time in a particular location in one of the DSP's registers or in data memory. Typically, the ESN will reside in a register at some time. Once the register location is determined, the thief sets a particular breakpoint to allow modification of the ESN.
Another technique for providing mobile telephone security is authentication, as discussed in TIA/EIA Telecommunications Systems Bulletin: Recommended Minimum Procedures for Validation of Authentication of IS-54-B Mobile Stations, TSB46, March 1993. When a base station demands authentication of a mobile station, the mobile station broadcasts a number that is computed from the ESN, the MIN, and some secret data that is shared between the mobile station and the service provider's network. Unfortunately, the authentication procedure has not yet been widely implemented because of complexity and cost issues. To support authentication, the base station must know the secret data of the mobile station. This knowledge must be widely shared on carrier networks, which complicates the implementation of those networks.
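The authentication exchange described above, simulated with both sides' messages so that the effect on cloning is visible: a registration that presents a valid MIN/ESN pair but lacks the shared secret is rejected, as is a replay of an earlier response. This is an added example, not code from the patent or from any TIA standard; HMAC-SHA256 stands in for the standard's own computation, and the subscriber identifiers and secret are constructed values.

```python
import hashlib
import hmac
import os

def auth_response(secret: bytes, min2: int, min1: int, esn: int, challenge: bytes) -> bytes:
    """Mobile side: a number derived from the MIN, the ESN and the shared secret.
    HMAC-SHA256 is an assumed stand-in for the standard's own algorithm."""
    msg = challenge + min2.to_bytes(2, "big") + min1.to_bytes(3, "big") + esn.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

class NetworkAuthenticator:
    """Service-provider side: knows each subscriber's secret, keyed by (MIN2, MIN1, ESN)."""

    def __init__(self, subscribers: dict):
        self._secrets = subscribers
        self._pending = {}

    def challenge(self, min2: int, min1: int, esn: int) -> bytes:
        c = os.urandom(8)   # fresh per attempt, so a captured response cannot be replayed
        self._pending[(min2, min1, esn)] = c
        return c

    def verify(self, min2: int, min1: int, esn: int, response: bytes) -> bool:
        key = (min2, min1, esn)
        c = self._pending.pop(key, None)      # each challenge is usable exactly once
        secret = self._secrets.get(key)
        if c is None or secret is None:
            return False
        expected = auth_response(secret, min2, min1, esn, c)
        return hmac.compare_digest(expected, response)

# Constructed sample subscriber: (MIN2, MIN1, ESN) and its shared secret; not real identifiers.
SUBSCRIBER = (304, 7275643, 0x8A012345)
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def demo() -> tuple:
    """Returns (genuine accepted, replay accepted, no-secret accepted)."""
    net = NetworkAuthenticator({SUBSCRIBER: SECRET})
    c = net.challenge(*SUBSCRIBER)
    resp = auth_response(SECRET, *SUBSCRIBER, c)
    genuine = net.verify(*SUBSCRIBER, resp)
    replayed = net.verify(*SUBSCRIBER, resp)        # same response again, no fresh challenge
    c2 = net.challenge(*SUBSCRIBER)
    # A handset holding only the over-the-air MIN/ESN pair has no secret to compute with.
    no_secret = net.verify(*SUBSCRIBER, auth_response(b"", *SUBSCRIBER, c2))
    return genuine, replayed, no_secret
```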
A further motivation for manufacturers to improve ESN security is recently promulgated FCC regulation 22.919, which requires of any mobile telephone certified in the future that it not be possible to change the ESN. TIA/CTIA is presently attempting to soften this restriction and allow manufacturers to change the ESN, but some fairly stringent restrictions seem likely to remain.
Accordingly, a need exists for low cost, improved methods and apparatus to prevent or deter cloning.