The present invention is directed, in general, to wireless networks and, more specifically, to a system for performing secure over-the-air (OTA) provisioning of cellular phone handsets and other mobile devices.
Reliable predictions indicate that there will be over 300 million cellular telephone customers worldwide by the year 2000. Within the United States, cellular service is offered by cellular service providers, by the regional Bell companies, and by the national long distance operators. The enhanced competition has driven the price of cellular service down to the point where it is affordable to a large segment of the population.
The current generation of cellular phones is used primarily for voice conversations between a subscriber handset (or mobile station) and another party through the wireless network. A smaller number of mobile stations are data devices, such as personal computers (PCs) equipped with cellular/wireless modems. Because the bandwidth for a current generation mobile station is typically limited to a few tens of kilobits per second (Kbps), the applications for the current generation of mobile stations are relatively limited. However, this is expected to change in the next (or third) generation of cellular/wireless technology, sometimes referred to as “3G” wireless/cellular, where a much greater bandwidth will be available to each mobile station (i.e., 125 Kbps or greater). The higher data rates will make Internet applications for mobile stations much more common. For instance, a 3G cell phone (or a PC with a 3G cellular modem) may be used to browse web sites on the Internet, to transmit and receive graphics, to execute streaming audio and/or video applications, and the like. In sum, a much higher percentage of the wireless traffic handled by 3G cellular systems will be Internet protocol (IP) traffic and a lesser percentage will be traditional voice traffic.
In order to make wireless services as convenient and as affordable as possible, wireless service providers frequently sell cellular handsets (or other types of mobile stations) directly to potential subscribers from display booths in supermarkets and department stores. Simple instructions are provided to guide the buyer through the process of activating the cellular handset and signing up for wireless services to become a subscriber. In conventional cellular systems, the handset buyer activates the new handset and begins the provisioning process by dialing “*228xx” on the handset keypad in accordance with the handset instructions. The value of “xx” varies according to the identity of the wireless service provider that sells the handset.
Although initially unprovisioned, the new handset must, of necessity, have certain minimum radio frequency (RF) communication capabilities that enable the handset to become provisioned. Dialing “*228xx” on the handset keypad automatically initiates a special purpose call that connects the handset buyer to an operator. The operator requests certain account information from the buyer, such as personal information, a credit card number, home billing address, and the like. When the account information is collected and the account is set up, the operator instructs the handset buyer to enter several sequences of passwords, code numbers, menu-selected commands, and the like, that enable certain functions in the handset.
This process is frequently referred to as “service provisioning.” Service provisioning may activate in the cellular handset a Number Assignment Module (NAM), which gives the handset a unique phone number for incoming calls and provides a roaming capability by identifying approved wireless carriers. Service provisioning may also activate in the handset a Preferred Roaming List (PRL), which is a list of frequencies/bands owned by each carrier in each geographical region and which may identify preferred and/or prohibited frequencies in each region as well. Service provisioning also activates an authentication code, sometimes referred to as an “A-key,” in the cellular handset. The handset uses the A-key to authenticate the handset when the subscriber attempts to access the wireless network.
The wireless network uses a home location register (HLR) to store the A-key, the phone number, the roaming capability information, and other data related to each handset that has been or is being authenticated and provisioned by the wireless network. The HLR is a permanent database used by the wireless service provider to identify/verify a subscriber and store individual subscriber data related to features and services. The subscriber's wireless service provider uses the HLR data when the subscriber is accessing the wireless network in the subscriber's home coverage area. Other wireless service providers also use the HLR data (typically accessed via wireline telephone networks) when the subscriber roams outside the subscriber's home coverage area.
The conventional provisioning process described above has numerous drawbacks. A human operator must talk the user through the process of pressing keys and verifying screen results. This is time consuming and frequently results in errors, particularly with unsophisticated subscribers. Mistakes may go unnoticed initially and the subscriber may become frustrated that the cellular service does not operate as advertised. When the mistake is finally diagnosed, the provisioning process may need to be at least partially re-performed. The human operator also adds labor costs to the provisioning process.
It would be preferable to automate cellular service provisioning to the greatest extent possible in order to reduce labor costs, eliminate errors, and make the process more user-friendly by minimizing or eliminating subscriber interaction. In particular, it would be far more convenient to perform over-the-air (OTA) cellular service provisioning by accessing a provisioning server from an unprovisioned handset via an Internet connection. In such a scenario, the handset does not place a voice call to an operator, but rather places a “data call” that transmits Internet protocol (IP) packets to, and receives IP packets from, a base station of the wireless network. The 3G systems will make OTA service provisioning of handsets easier and more common.
However, OTA service provisioning of a handset presents serious security problems for the wireless service provider, particularly with respect to fraud. The base station that handles the initial set-up data call from an unprovisioned handset may not store the required provisioning data. Instead, base stations typically access provisioning data from one or more provisioning servers within the wireless service provider's network and which may or may not be accessible by an intranet or by the Internet. Many wireless service providers operate clusters of base stations that are not directly connected to each other, but rather are connected to the local Bell telephone companies and/or to the major long-distance carriers. Without an Internet or intranet connection, each cluster of base stations would require its own provisioning server. Alternatively, a wireless carrier would have to pay the local Bell companies and/or a long distance company additional line fees to connect the base stations to the provisioning server.
Using an Internet connection allows a wireless service provider to consolidate all service provisioning applications and data in a central repository, rather than maintaining at great expense redundant copies of such information among a large number of provisioning servers. However, it is foreseeable that a sophisticated user could use an unprovisioned handset (possibly with some minor modifications) to access a wireless network under the guise of service provisioning and then use the wireless network to access any IP address on the Internet, not just the IP address of the provisioning server. In effect, the user could defraud the wireless service provider by using the unprovisioned handset to surf the Internet for free. The user may also use the same IP connection to commit other kinds of fraud or illegal activities.
This problem exists for several reasons. First, IP addresses of other services are freely known to the public. Second, conventional wireless networks do not provide a method or an apparatus capable of blocking access to unauthorized IP addresses that is triggered by the network's knowledge that the mobile is unprovisioned. Third, even if the network provides the mobile with an IP address to be used for provisioning, the mobile must be trusted to use that IP address only.
Therefore, there is a need in the art for improved systems and methods for performing automatic service provisioning of wireless handsets (and other types of mobile stations). In particular, there is a need in the art for systems and methods for performing secure over-the-air provisioning of wireless devices. More particularly, there is a need for systems and methods that are capable of preventing unauthorized persons from using an unprovisioned handset or other type of mobile station to access any IP service other than the provisioning server.
To address the above-discussed deficiencies of the prior art, it is a primary object of the present invention to provide, for use in association with a wireless network comprising a plurality of base stations capable of communicating with a plurality of mobile stations, an interworking function unit capable of transferring data between the wireless network and an Internet protocol (IP) data network coupled to the wireless network. According to an advantageous embodiment of the present invention, the interworking function unit comprises a protocol conversion controller capable of receiving from the wireless network a first plurality of data packets, wherein the first plurality of data packets are generated by a first one of the plurality of mobile stations and are formatted according to a first protocol associated with the wireless network, and converting the first plurality of data packets to a plurality of IP data packets formatted according to an Internet protocol associated with the IP data network. The interworking function unit further comprises a first security controller for preventing unprovisioned mobile stations from accessing the IP data network through the wireless network, wherein the first security controller is capable of receiving at least one of the plurality of IP data packets and replacing an original IP packet header of the at least one IP data packet with a replacement IP packet header comprising an IP address of a selected one of at least one provisioning server coupled to the IP data network and controlled by an operator of the wireless network.
According to one embodiment of the present invention, the interworking function unit further comprises a second security controller capable of determining that the first mobile station is unprovisioned.
According to another embodiment of the present invention, the second security controller is disposed in the protocol conversion controller.
According to still another embodiment of the present invention, the second security controller is disposed in the first security controller.
According to yet another embodiment of the present invention, the second security controller determines that the first mobile station is unprovisioned according to a value of a provisioned bit associated with at least one of the first plurality of data packets.
According to a further embodiment of the present invention, the first security controller selects the at least one provisioning server by selecting the IP address in the replacement IP packet header according to a load spreading algorithm.
According to a still further embodiment of the present invention, the interworking function unit further comprises a memory associated with the first security controller capable of storing load statistics associated with the at least one provisioning server.
According to a yet further embodiment of the present invention, the first security controller selects a least busy one of the at least one provisioning server according to the load statistics.
One job of the IWF (normally) is to assign an IP address to a handset when the handset places a data call. In accordance with the principles of the present invention, after the second security controller determines that the handset is unprovisioned, the IP address can be assigned from a special pool of addresses allocated only to unprovisioned handsets. Then, in future routing operations, the IWF may route IP packets bearing the special IP addresses only to controlled destinations. In other words, packets generated by provisioned handsets may be distinguished from packets generated by unprovisioned handsets simply by looking at the previously assigned IP address.
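The following Python model is an added illustration, not code from this patent document or from any product implementing it. It combines the two mechanisms described above: the second security controller (deciding that a handset is unprovisioned, here from the provisioned bit or from the source address belonging to the special pool), the first security controller (replacing the destination of the packet header with the address of the least-busy provisioning server chosen from stored load statistics), and the special address pool assigned at data-call setup. The server addresses, pool ranges, the session-count load statistic and all class and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List


@dataclass
class IPPacket:
    """Minimal IP packet model: header fields plus the 'provisioned bit'
    the wireless side attaches to packets it hands to the IWF (assumed layout)."""
    src: IPv4Address
    dst: IPv4Address
    provisioned: bool
    payload: bytes


class InterworkingFunction:
    """Toy IWF (assumed structure for illustration, not the patent's implementation)."""

    def __init__(self, servers: Iterable[IPv4Address],
                 unprovisioned_pool: IPv4Network, general_pool: IPv4Network):
        self.servers: List[IPv4Address] = list(servers)
        # Memory holding load statistics: open provisioning sessions per server.
        self.load: Dict[IPv4Address, int] = {s: 0 for s in self.servers}
        self.unprovisioned_net = unprovisioned_pool
        self._unprov_hosts = unprovisioned_pool.hosts()
        self._general_hosts = general_pool.hosts()
        # Server pinned to each unprovisioned handset address (constructed bookkeeping).
        self.sessions: Dict[IPv4Address, IPv4Address] = {}

    def assign_address(self, provisioned: bool) -> IPv4Address:
        """Address assignment at data-call setup, from the pool matching the handset's state."""
        return next(self._general_hosts if provisioned else self._unprov_hosts)

    def is_unprovisioned(self, pkt: IPPacket) -> bool:
        """Second security controller: provisioned bit, or source address in the special pool.
        The pool check is decided by the network, so a handset cannot talk its way out of it."""
        return (not pkt.provisioned) or pkt.src in self.unprovisioned_net

    def select_server(self) -> IPv4Address:
        """Load spreading: the server with the fewest open sessions (first one on a tie)."""
        return min(self.servers, key=lambda s: self.load[s])

    def process(self, pkt: IPPacket) -> IPPacket:
        """First security controller: return the packet as forwarded towards the IP network."""
        if not self.is_unprovisioned(pkt):
            return pkt  # provisioned handset: header left untouched
        server = self.sessions.get(pkt.src)
        if server is None:
            server = self.select_server()
            self.sessions[pkt.src] = server
            self.load[server] += 1
        # Replace the original header's destination with the provisioning server's address.
        return IPPacket(src=pkt.src, dst=server, provisioned=pkt.provisioned, payload=pkt.payload)

    def end_session(self, handset: IPv4Address) -> None:
        """Provisioning finished: release the server's load slot."""
        server = self.sessions.pop(handset, None)
        if server is not None:
            self.load[server] -= 1


def demo() -> dict:
    """Constructed scenario: two unprovisioned handsets, one provisioned, two servers."""
    iwf = InterworkingFunction(
        servers=[IPv4Address("10.1.0.1"), IPv4Address("10.1.0.2")],
        unprovisioned_pool=IPv4Network("10.255.0.0/24"),
        general_pool=IPv4Network("10.10.0.0/24"),
    )
    a = iwf.assign_address(provisioned=False)   # 10.255.0.1
    b = iwf.assign_address(provisioned=False)   # 10.255.0.2
    c = iwf.assign_address(provisioned=True)    # 10.10.0.1
    outside = IPv4Address("203.0.113.5")         # arbitrary Internet address (TEST-NET-3)
    out_a = iwf.process(IPPacket(a, outside, False, b"GET /provision"))
    out_b = iwf.process(IPPacket(b, outside, False, b"GET /provision"))
    out_c = iwf.process(IPPacket(c, outside, True, b"GET /index.html"))
    # Handset a claims to be provisioned but holds a special-pool address: still redirected.
    claimed = iwf.process(IPPacket(a, outside, True, b"GET /index.html"))
    return {"a": out_a, "b": out_b, "c": out_c, "claimed": claimed,
            "load": {str(k): v for k, v in iwf.load.items()}}


if __name__ == "__main__":
    result = demo()
    for name in ("a", "b", "c", "claimed"):
        p = result[name]
        print(f"{name}: {p.src} -> {p.dst} (provisioned bit={p.provisioned})")
    print("load:", result["load"])
```

Two points the model makes concrete: the rewrite happens in the IWF, so an unprovisioned handset reaches the provisioning server whatever destination it wrote into its own header, which removes the need to trust the mobile noted as the third reason above; and the load-spreading choice is made once per handset session and released afterwards, so the stored load statistics stay meaningful as sessions come and go.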
The foregoing has outlined rather broadly the features and technical advantages of the present invention so that those skilled in the art may better understand the detailed description of the invention that follows. Additional features and advantages of the invention will be described hereinafter that form the subject of the claims of the invention. Those skilled in the art should appreciate that they may readily use the conception and the specific embodiment disclosed as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. Those skilled in the art should also realize that such equivalent constructions do not depart from the spirit and scope of the invention in its broadest form.
Before undertaking the DETAILED DESCRIPTION, it may be advantageous to set forth definitions of certain words and phrases used throughout this patent document: the terms “include” and “comprise,” as well as derivatives thereof, mean inclusion without limitation; the term “or” is inclusive, meaning and/or; the phrases “associated with” and “associated therewith,” as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, or the like; and the term “controller” means any device, system or part thereof that controls at least one operation; such a device may be implemented in hardware, firmware or software, or some combination of at least two of the same. It should be noted that the functionality associated with any particular controller may be centralized or distributed, whether locally or remotely. Definitions for certain words and phrases are provided throughout this patent document; those of ordinary skill in the art should understand that in many, if not most instances, such definitions apply to prior as well as future uses of such defined words and phrases.