MANAGEMENT OF MOBILE STATION
FIELD
The invention relates generally to the management of memory content of a mobile device and particularly to a secure erasure of information stored in the device.
BACKGROUND
Many modern electronic devices include a diversity of data processing features and quite a large amount of memory for storing a user's files. It is also more and more common to store confidential information and documents in equipment used as mobile stations. It is important to develop solutions for hindering the misuse of information stored in mobile stations when, for instance, the mobile station is stolen or lost.
Most mobile communication systems apply replaceable smart cards, which comprise a subscriber's identification application and, e.g. in the GSM system, are often called SIM (subscriber identity module) cards. A SIM card is provided with an IMSI (International Mobile Subscriber Identity) code identifying the SIM card. In the mobile network, an MSISDN (Mobile Subscriber Integrated Services Digital Network Number) number represents the corresponding SIM card IMS) code. Open Mobile Alliance Device Management (OMA DM) specification introduces erasure of data on a mobile station/device by using a lock/wipe command for locking a specified device. However, the command uses the MSISDN number of the SIM card when directing the command to the device, whereby simple removal of the SIM card makes the device unreachable.
SUMMARY
It is an object of the invention to provide an improved solution for a secure erasure of information stored in the memory of a mobile device. The invention relates to a mobile device, a device management system for managing mobile devices, a method, and a computer program product as disclosed in the independent claims.
Some preferred embodiments of the invention are disclosed in the dependent claims.
The invention provides an improved way of action in situations where a mobile device is lost or stolen. DRAWINGS
The invention will now be described in more detail in connection with preferred embodiments and with reference to the attached drawings, in which Figure 1 shows an embodiment of a method,
Figure 2 shows another embodiment of a method, Figure 3 shows another embodiment of a method Figure 4 shows another embodiment of a method, Figure 5 shows another embodiment of a method, and Figure 6 shows an embodiment of an arrangement.
DESCRIPTION OF EMBODIMENTS
Next, embodiments of the invention are explained with reference to the OMA DM system and GSM (Global System for Mobile Communication) and UMTS (Universal Mobile Telecommunications System) radio systems. The invention is, however, not limited to those systems but may be implemented in any corresponding system providing the needed functionality.
In OMA DM, device management takes place by communication between a server and a client. A plurality of data transportation methods between the server and the client may be supported, such as wireline or wireless meth- ods. OMA DM server may support functionalities, such as device configuration, device setup, device monitoring, software provisioning, phone lock-down, phone erasure, battery drain, phone disabling, and custom administrative application development, for instance.
The communication protocol is a request-response protocol. Before the communication, proper validation between the server and client needs to be provided. A communication session, such as a device management session, may be initiated by the server using any available method, for instance WAP_Push of SMS. In some circumstances, the communication session may also be initiated by the client device. In that case, session is initiated without WAP-PUSH notification message from the server. When the communication has been established, a sequence of messages may be exchanged to complete a given device management task.
Figure 1 shows an embodiment of a method. The method presumes that the information relating to a mobile device has been stored in a server managing the device. The stored information may include a mobile device identity, such as the International Mobile Equipment Identity (IMEI) of the GSM or UMTS system, for instance. The server may also store status information of the mobile device, that is, information whether the mobile station is normally in use or whether it has been lost/stolen. When a mobile device is taken into use for the first time and a subscriber module, such as a SIM card is inserted into the phone, the phone may store a subscriber module identity, such as an IMSI (International Mobile Subscriber Identity) number of the GSM/UMTS SIM card into the memory of the phone as an allowed identity of the phone. Storing of the IMSI may, of course, also be done by other means, such as using the device management services offered by the OMA DM system. More than one SIM identities may then also be stored in the memory of the device as allowable SIM identities for the device.
In 102, 104, the mobile device checks whether the SIM identity of the current SIM in the phone equals one of the stored SIM identities. The method steps 102, 104 may be carried out at each startup of the device, for instance. Thus, every time the mobile device is started, the device may check whether the IMSI of the card is the same as previously.
If the check indicates that the SIM has not been changed, that is, the SIM identity is the same as stored in the device the last time before the shutdown of the device, no further action needs to be carried out in the device and the method proceeds to an end.
If, however, the check indicates that the current IMSI is different than the stored one, the device prepares a message to be sent to a server managing the device indicating that a change of the SIM has occurred in the device.
In another embodiment, the device stores more than one allowable subscriber module identity and the server is notified only if the new identity is not in the list of the allowable identities. In such a case, the subscriber module may change from an allowable identity to another allowable identity and no message will then be sent.
In the GSM system, when a device is turned on, the device sends its IMSI number to the network in a so-called IMSI attach procedure. In response to the IMSI, the network replies by providing a temporary identifier TMSI (Temporary Mobile Subscriber Identity), which may be used later in mobile originated/terminating communication as a subscriber module identity. In an embodiment, the device sends an SMS (Short Message System) message to an MSISDN number of an OMA DM server. The SMS message includes the MSISDN number representing the new SIM card inserted into the device and the unique hardware identifier code (IMEI code of the de- vice). The SMS message may have a form where the mobile device MSISDN is in the header field of the SMS signalling message and the IMEI code of the device is in the body of the message.
In addition to these, there may be a further indication in the body of the SMS message indicating that the message relates to a changed SIM in a mobile device. The message may be sent automatically and unnoticed by the user of the device. The server may then carry out checks relating to the IMEI code received in the SMS message.
Step 108 in Figure 1 illustrates the next step from the mobile device's perspective. In a first embodiment, there may be no action. That is, the server may notice that the mobile station has not been reported as stolen and no further action is needed. Alternatively, although there is no indication at the server that the device was lost/stolen, the server may acknowledge the message received from the device and the device may restrain from further actions in this respect. However, if the check at the server indicates that the mobile device is lost/stolen and should be barred from further use, the server may start an OMA DM device management session and subsequently send an OMA DM lock/wipe command. In 110, the mobile device may erase data on the device. The erasure may include erasure of all data or at least user data, such as ad- dress information, files and emails, for instance.
The erasure of the memory content may be arranged by applying one or more data erasure, data destruction, or disk purging methods in order to delete the data and achieve the desired security level. The selected erasure algorithm is thus used for destroying stored data, such as different files and a file structure, from the memory of the device. According to an embodiment, the original data are deleted and the storage areas are overwritten by a specific value (e.g. only zeros or a specific bit pattern) or random data. The memory overwriting may be carried out many times in order to further raise the security level. The memory overwriting may also be implemented only partially, e.g. for every n:th memory sector. These methods may also be combined to achieve a multistep and secure data deletion in such a manner that it is impossible to restore the data from the memory of the apparatus.
It should also be noted that data storage areas to be erased, such as folders or directories allocated to a user, may be predefined in the mobile station. Alternatively, storage areas to be erased are not limited but all addressable memory locations are overwritten several times.
Figure 2 shows the method from the perspective of a network element, such as an OMA DM server, for instance. As mentioned in conjunction with Figure 1, the method presumes that information relating to a mobile de- vice has been stored into a server managing the device. The stored information may include a mobile device identity, such as International Mobile Equipment Identity (IMEI) of the GSM or UMTS system, for instance.
In 202, the server may receive an SMS message from a device that has detected a SIM card change. The SMS message may have a format hav- ing an MSISDN number in the header of the message and an IMEI code of the device in the body of the message, for instance. Instead of an SMS message, the information that the SIM card has been changed may also be conveyed to the server by some other known means.
In 204, the mobile device data may be updated at the server or at an associated database. The MSISDN number received in the SMS may be associated with an existing IMEI received in the message and stored in the database.
In 206, 208 the server may check, on the basis of the received IMEI code, if the device has been reported as lost or stolen. Such information may have been stored on the server if the user of the device has informed the server maintenance responsible of such an incident. If the server is operated by an information technology (IT) department of a company, for instance, an employee that has lost his/her mobile device may indicate so to the IT department, which may mark the device as lost/stolen in the database. If the device carrying the IMEI code in question is indicated as lost/stolen, the server may send a WAP_PUSH (WAP, Wireless Access Protocol) message and start an OMA DM session with the device for erasure of data content on the device. The server may initiate the OMA DM session by using the mobile device MSISDN number from the received SMS message. Figure 3 shows another embodiment of a method. Three nodes have been illustrated, a mobile device (denoted as client/user), the device management server and a database (DB) operated by the server. Physically, the database may be in the server or may be connected to the server via a communication network.
At first, the client device detects that the SIM card has been changed in the device. Upon this, the device generates a notification SMS, which may identify the user (SIM card), the client device (IMEI) and also provides authentication information (device credentials) that may be used in authenticating the device at the server. The server retrieves the client device credentials from the database, and compares these to the credentials received from the mobile device. If these match, the server may conclude that the client device is authorized to communicate with the server.
The server may store into the database the authentication parameter of the client device (nextnonce) that the server shall use in order to get a right to communicate with the client device. The server may then check the status of the client device from the database. The status information may either indicate that the device is lost/stolen or not. Figures 4 and 5 show two embodiments of operation when the device has been identified as lost/stolen.
In Figure 4, when the server has concluded that the device is lost/stolen, it uses the MSISDN number received from the network to initiate an OMA DM session by sending a WAP_PUSH message. Subsequently, an OMA DM session "Device Wipe" is carried out to erase the memory contents of the device. The OMA DM session may use Internet Protocol (IP) for communication. Figure 5 shows another embodiment, where the authentication information (nextnonce) received in the embodiment of Figure 3 is applied to the MD5 (Message-Digest algorithm 5) hash cryptography algorithm, for instance. The client device performs the same operation and compares the results calculated by it and received from the server. If they match, the client device concludes that the server is authenticated to communicate with it. The same authentication mechanism may be carried out in the OMA DM session shown in Figure 4.
The Erase Notification may include a service indication tag, as specified in the Open Mobile Alliance WAP specification, which is used to route the message to a correct application in the client device. Finally, the client de- vice may notify the server with an SMS message of a successful erasure of data.
Figure 6 shows an embodiment of the apparatuses and the arrangement of the total system. The arrangement includes a server 300, which may manage a plurality of mobile devices 310, 312, and 320. The server may be an OMA DM server, for instance. The mobile devices may be mobile phones, portable computers or PDA's (Personal Digital Assistant), for instance. The server may include a user interface 302 allowing user controlled device management. The controller 304 may control the operation of the user interface, as well as some other functionality on the server. The controller may consist of a general-purpose processor, wherein the functionality needed by the invention is implemented by means of software, for instance.
Other units shown in Figure 3 include a transmitter-receiver unit 308 for implementing data transfer between the server and the mobile devices. Technologies such as GSM, WCDMA, Infrared, WAP_Push, or SMS may be applied for this purpose. The database 306 may store an equipment register including IMEI codes of the devices and the associated status information of the device. Each device may be associated with status information, such as "normal" or "stolen/lost" . The controller may thus include software code portions for executing the following tasks, for instance, when loaded and run on a computer. To initiate the operation, the server may receive an SMS relating to a situation where a mobile device has detected that a SIM module has been changed in the device. Indication of the change may be carried out in a plurality of ways. According to an embodiment, the MSISDN number of the SIM module and the IMEI code of the device are positioned in a certain way in the SMS message, such as the former in the header and the latter in the body of the message, for instance.
Upon reception of the SMS message, or some corresponding mes- sage, the controller may initiate a check into the database of the status of the IMEI code. This check, and the whole procedure may be carried out automatically by the server, or may include some user interaction.
If the check indicates that the device has not been lost/stolen, no further action is necessarily needed from the server. In this case, the mobile device receives no acknowledgement to its message and may continue its normal operation. The server may, however, store the received MSISDN num- ber such that if the device is later reported as stolen, the server may initiate an OMA DM session to lock/wipe the device. Alternatively, to acknowledge the message received from the mobile device, the server may initiate an empty OMA DM session including only the authentication steps but no further actions. If the check shows that the device has been reported as lost/stolen, the controller may initiate the generation of an OMA DM session for carrying out lock/wipe of the device. In this session, all the data or at least the user data will be erased from the device and the device may be locked thereafter.
The mobile device 320 includes a user interface 322. The user inter- face is not, however, applied in the context of the present invention, because the device management operations, such as sending of an SMS message and are carrying out the device lock/wipe operations, may be carried out so that the user does not notice their occurrence.
The device also includes a database 326 or memory. The memory may store one or more allowable SIM module identities for the device and user data such as emails and user files, for instance. Each time the device is switched on, or at some other suitable moment of operation, the controller may read the identity of the SIM module inserted into the device and compare the identity to the one or more allowable identities. If the SIM module identity is in the list of allowable identities, no further action is needed. If, however, the current SIM identity is not among the allowable SIM modules, the controller will generate, unnoticed by the user of the device, an SMS message identifying the device and the SIM card. The database may also store the MSISDN number of the server 300 where the SMS is to be sent. The SMS may be sent such that the SMS is not stored into the memory of the device such that the user of the device will not become aware of the SMS transmission in the case the mobile device has been lost/stolen.
The transmitter/receiver unit 328 of the mobile device 320 may then send the SMS message to the server and wait for further action from the server.
If no action is received from the server, the mobile device may try to resend the message immediately or at the next restart of the device, for instance. In another embodiment, the mobile device may conclude that no action means that the device has not been reported as lost/stolen. In these cases the device may interpret the situation to be acceptable and will not carry out further actions in this respect. In another embodiment, if the device was not lost/stolen, the server may initiate an OMA DM session to acknowledge to the mobile device the receipt of the SMS message and inform the device that the device is not lost/stolen. If, however, the check at the server indicates that the device is lost/stolen, the server may initiate an OMA DM lock/wipe session to make the mobile device unusable. Upon such a session, the mobile device will erase at least partly the data content from the memory of the device, and after erasure of data the device may be locked. The invention may be implemented by means of a computer program code to be executed in the control units 304, 324 and/or as a hardware implementation.
It is obvious to a person skilled in the art that as technology advances, the basic idea of the invention may be implemented in various ways. The invention and the embodiments thereof are thus not restricted to the above examples but may vary within the scope of the claims. Different features may thus be left out, processed, or replaced by equivalent ones.