AUTOMATIC SECURITY ACTION INVOCATION FOR MOBILE COMMUNICATIONS DEVICE

US 20120210389A1
Filed: 02/28/2012
Published: 08/16/2012
Est. Priority Date: 05/18/2006
Status: Active Grant

First Claim

Patent Images

1. A server for providing security on at least one mobile communications device, the server being configured to communicate with a plurality of mobile communications devices over a wireless network, the server comprising:

a processor;

a communications subsystem connected to the processor for exchanging signals with the wireless network and with the processor; and

a security module for sending policy messages to one or more of the devices in the plurality of mobile communications devices at intervals, the policy messages including instructions for execution by the one or more of the devices to enforce or terminate a data protection policy, the policy messages to enforce a data protection policy comprising instructions for execution by the one or more of the devices to perform a security action comprising erasing or encrypting at least some of the data on a storage element if a subsequent policy message to enforce a data protection policy is not received within a duration from the time at which a previous policy message is received.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, there is provided a mobile communications device comprising: a processor; a communications subsystem operable to exchange signals with a wireless network; a storage element having application modules and data stored thereon, the data comprising at least user application data associated with the application modules and service data including data for establishing communications with the wireless network; and a security module operable to detect policy messages received by the device, and to perform a security action if a first policy message to enforce a first data protection policy is received and a subsequent policy message to enforce a second data protection policy is not received within a predetermined duration from the time at which the first policy message is received; wherein the security action comprises erasing or encrypting at least some of the data on the storage element.

16 Citations

25 Claims

1. A server for providing security on at least one mobile communications device, the server being configured to communicate with a plurality of mobile communications devices over a wireless network, the server comprising:
- a processor;
  
  a communications subsystem connected to the processor for exchanging signals with the wireless network and with the processor; and
  
  a security module for sending policy messages to one or more of the devices in the plurality of mobile communications devices at intervals, the policy messages including instructions for execution by the one or more of the devices to enforce or terminate a data protection policy, the policy messages to enforce a data protection policy comprising instructions for execution by the one or more of the devices to perform a security action comprising erasing or encrypting at least some of the data on a storage element if a subsequent policy message to enforce a data protection policy is not received within a duration from the time at which a previous policy message is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The server of claim 1, wherein each policy message to enforce a data protection policy is one of:
    - (i) a message to initiate a data protection policy, the message including the data protection policy to be enforced;
      
      (ii) a message to maintain an existing data protection policy, the message including the data protection policy or a confirmation that the existing policy is to be enforced;
      
      (iii) a message to modify an existing data protection policy, the message including the modified data protection policy;
      
      or (iv) a message to terminate an existing data protection policy.
  - 3. The server of claim 1, wherein the duration is equal to the length of the interval between sending policy messages.
  - 4. The server of claim 1, wherein the intervals at which the policy messages are sent is configurable.
  - 5. The server of claim 1, wherein the policy messages are sent globally to all mobile communications devices associated with the server.
  - 6. The server of claim 1, wherein the policy messages are sent to groups or classes of mobile communications devices associated with the server.
  - 7. The server of claim 1, wherein the policy messages are sent to one or more individual mobile communications devices associated with the server.
  - 8. The server of claim 1, wherein the policy messages comprise instructions for execution by the one or more of the devices to perform:
    - monitoring, to detect if a first policy message is received by the mobile communications device;
      
      if the first policy message is received, determining if the first policy message specifies a data protection policy is to be enforced; and
      
      if the policy message specifies a data protection policy is to be enforced, initiating a data protection timer for a first duration; and
      
      monitoring, after a data protection timer has been initiated, to detect if a second policy message is received by the mobile communications device;
      
      if a second policy message is received within the first duration of data protection timer, determining if the second policy message specifies a data protection policy is to be enforced;
      
      if the second policy message specifies a data protection policy is to be enforced, resetting the data protection timer to a second duration;
      
      if the second policy message does not specify a data protection policy is be enforced, terminating the data protection policy; and
      
      if a second policy message is not received within the first duration of data protection timer, performing the security action.
  - 9. The server of claim 7, wherein the policy messages comprise instructions for execution by the one or more of the devices to perform monitoring, after a data protection timer has been initiated, to detect for a powering-off of the mobile communications device, and if a powering-off is detected, setting an auto-on time corresponding to the time remaining on the data protection timer, and if the mobile communications device is powered-off at the auto-on time, powering-on the mobile communications device and performing the security action.
  - 10. The server of claim 7, wherein the policy messages comprise instructions for execution by the one or more of the devices to perform monitoring, after a data protection timer has been initiated, to determine if a battery level falls below a threshold, and if the battery power falls below the threshold, performing the security action.
  - 11. The server of claim 7, wherein the policy messages comprise instructions for execution by the one or more of the devices to perform monitoring to detect for a locked state of the mobile communications device, initiating a lockout data protection timer for a duration upon detection of the locked state, and monitoring, after the lockout data protection timer has been initiated, to detect if a password shared by the user and the mobile communications device is entered through the user input device within the duration of the lockout data protection timer, if entry of the password is detected within the duration, terminating the lockout data protection timer, and if entry of the password is not detected within the duration, performing the security action.
  - 12. The server of claim 1, wherein the policy messages comprise instructions for execution by the one or more of the devices to perform:
    - monitoring to detect if a delayed data protection initiate command is received by the mobile communications device, and if a delayed data protection initiate command is received, initiating a delayed data protection timer for a first duration provided in the delayed data protection initiate command; and
      
      monitoring, after the delayed data protection timer has been initiated, to detect for;
      
      (i) entry of a password shared by the user and the mobile communications device through the user input device within the first duration of the delayed data protection timer;
      
      (ii) receipt by the mobile communications device of a terminate command;
      
      or (iii) receipt by the mobile communications device of a delay command;
      
      if entry of the password or receipt of the terminate command is detected within the first duration, terminating the delayed data protection timer;
      
      if receipt of a delay command is detected within the first duration, resetting the delayed data protection timer for a second duration provided in the delay command; and
      
      if entry of the password, receipt of the terminate command, or receipt of a delay command is not detected within the first duration, performing the security action.
  - 13. The server of claim 12, wherein the first duration of the delayed data protection timer is a first absolute time duration relative to a time that the delayed data protection timer is initiated, and wherein the second duration of the delayed data protection timer is a second absolute time duration relative to a time that the delayed data protection timer is initiated.
  - 14. The server of claim 12, wherein the second duration of the delayed data protection timer ends after the first duration thereby extending the duration of the delayed data protection timer, or the second duration of the delayed data protection timer ends prior to the first duration thereby shortening the duration of the delayed data protection timer.
  - 15. The server of claim 1, wherein the security action comprises erasing at least some of the data on the storage element and overwriting the portions of the storage element where the erased data was located.
  - 16. The server of claim 1, wherein the security action comprises encrypting at least some of the data on the storage element.

17. A method for providing security on at least one mobile communications device, the method comprising:
- generating policy messages including instructions for execution by the one or more of the devices to enforce or terminate a data protection policy, the policy messages to enforce a data protection policy comprising instructions for execution by the one or more of the devices to perform a security action comprising erasing or encrypting at least some of the data on a storage element if a subsequent policy message to enforce a data protection policy is not received within a duration from the time at which a previous policy message is received; and
  
  sending the policy messages from a server over a wireless network to one or more of the devices in the plurality of mobile communications devices at intervals.
- View Dependent Claims (18, 19, 20, 21, 22, 24)
- - 18. The method of claim 17, wherein each policy message to enforce a data protection policy is one of:
    - (i) a message to initiate a data protection policy, the message including the data protection policy to be enforced;
      
      (ii) a message to maintain an existing data protection policy, the message including the data protection policy or a confirmation that the existing policy is to be enforced;
      
      (iii) a message to modify an existing data protection policy, the message including the modified data protection policy;
      
      or (iv) a message to terminate an existing data protection policy.
  - 19. The method of claim 17, wherein the duration is equal to the length of the interval between sending policy messages.
  - 20. The method of claim 17, wherein the intervals at which the policy messages are sent is configurable.
  - 21. The method of claim 17, wherein the policy messages are sent globally to all mobile communications devices associated with the server.
  - 22. The method of claim 17, wherein the policy messages are sent to groups or classes of mobile communications devices associated with the server.
  - 24. The method of claim 17, wherein the policy messages are sent to one or more individual mobile communications devices associated with the server.

25. A computer-readable medium having computer-readable instructions stored thereon that when executed cause a processor to execute a method, the method comprising:
- generating policy messages including instructions for execution by the one or more of the devices to enforce or terminate a data protection policy, the policy messages to enforce a data protection policy comprising instructions for execution by the one or more of the devices to perform a security action comprising erasing or encrypting at least some of the data on a storage element if a subsequent policy message to enforce a data protection policy is not received within a duration from the time at which a previous policy message is received; and
  
  sending the policy messages from a server over a wireless network to one or more of the devices in the plurality of mobile communications devices at intervals.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blackberry Limited
Original Assignee
Blackberry Limited
Inventors
Brown, Michael S., Adams, Neil, Fyke, Steven, Little, Herbert

Granted Patent

US 8,667,306 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/6218   to a system of files or obj...

G06F 21/88   Detecting or preventing the...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 2209/80   Wireless network architectu...

H04L 63/102   Entity profiles

H04L 9/00   Cryptographic mechanisms or...

H04W 12/02   Protecting privacy or anony...

H04W 12/08   Access security

H04W 12/082   using revocation of authori...

H04W 12/12   Detection or prevention of ...

H04W 12/61   Time-dependent

H04W 8/02   Processing of mobility data...

H04W 8/245   from a network towards a te...

AUTOMATIC SECURITY ACTION INVOCATION FOR MOBILE COMMUNICATIONS DEVICE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATIC SECURITY ACTION INVOCATION FOR MOBILE COMMUNICATIONS DEVICE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links