Telecommunications device security

US 9,049,597 B2
Filed: 08/29/2008
Issued: 06/02/2015
Est. Priority Date: 08/31/2007
Status: Active Grant

First Claim

Patent Images

1. A terminal for use with a cellular or mobile telecommunications network, the terminal comprising:

a trusted component implemented to perform functionality for providing one or more trusted services that each enable access to one or more capabilities according to a corresponding service interface for the trusted service,a terminal platform upon which a normal execution environment and a trusted area are implemented, andan interface controller implemented within the trusted area and communicatively connected to the trusted component via a communications channel, the interface controller operating to intercept all communications being sent to the trusted component requesting access to any of the one or more trusted services according to the corresponding service interfaces and to restrict access to the trusted component for each intercepted communication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A terminal (1) for use with a cellular or mobile telecommunications network (3) includes authentication means (15) such as a SIM, USIM, UICC etc. for authenticating the terminal with the network. The terminal further includes a normal execution environment (30) and a secure execution environment (34). An interface controller (46) is provided in the secure execution environment and intercepts all communications directed to the authentication means to control access to the authentication means by these communications.

Citations

44 Claims

1. A terminal for use with a cellular or mobile telecommunications network, the terminal comprising:
- a trusted component implemented to perform functionality for providing one or more trusted services that each enable access to one or more capabilities according to a corresponding service interface for the trusted service,a terminal platform upon which a normal execution environment and a trusted area are implemented, andan interface controller implemented within the trusted area and communicatively connected to the trusted component via a communications channel, the interface controller operating to intercept all communications being sent to the trusted component requesting access to any of the one or more trusted services according to the corresponding service interfaces and to restrict access to the trusted component for each intercepted communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The terminal of claim 1, wherein the interface controller is operable to control access to each trusted service provided by the trusted component.
  - 3. The terminal of claim 1, wherein the trusted area also provides at least one trusted service.
  - 4. The terminal of claim 3, wherein the interface controller is also operable to intercept all communications directed to the at least one trusted service provided in the trusted area and further operable to control access to each trusted service provided in the trusted area.
  - 5. The terminal of claim 3, wherein the interface controller is operable to redirect communications requesting access to at least one trusted service provided by the trusted component to a corresponding trusted service provided in the trusted area.
  - 6. The terminal of claim 1, wherein the interface controller is operable to redirect communications requesting access to the at least one trusted service provided in the trusted area to a corresponding trusted service provided by the trusted component.
  - 7. The terminal of claim 3, wherein said at least one trusted service provided in the trusted area is functionally equivalent to at least one of the trusted services provided by the trusted component.
  - 8. The terminal of claim 1, wherein the one or more trusted services include performing an authentication of the terminal with the network.
  - 9. The terminal of claim 1, wherein the one or more trusted services include storage of sensitive data.
  - 10. The terminal of claim 1, wherein the trusted area is a secure execution environment implemented on the terminal platform.
  - 11. The terminal of claim 1, wherein a main operating system of the terminal is provided in the normal execution environment.
  - 12. The terminal of claim 11, wherein the operating system provides a gateway to the interface controller.
  - 13. The terminal of claim 12, wherein the operating system is operable to pass communications towards the interface controller.
  - 14. The terminal of claim 12, wherein the gateway is implemented as a virtual interface controller operable to pass communications requesting access to any of the one or more trusted services to the interface controller in the trusted area such that requests for accessing any of the one or more trusted services handled by the interface controller appear to be handled by the gateway.
  - 15. The terminal of claim 14, wherein the virtual interface controller executes in the normal execution environment.
  - 16. The terminal of claim 1, wherein the trusted component is selected from a SIM, a USIM, and a UICC.
  - 17. The terminal of claim 1, wherein the interface controller is operable to establish a secure channel to the one or more trusted services and to route each intercepted communication that is authorized for at least one of the one or more trusted services from the trusted area to each trusted service for which the communication is authorized via the secure channel.
  - 18. The terminal of claim 1, wherein the interface controller is operable to establish a secure channel to the trusted component and to route each intercepted communication that is authorized for at least one of the one or more trusted services from the trusted area to the trusted component via the secure channel.
  - 19. The terminal of claim 1, wherein the interface controller is operable to filter access to the trusted component for each intercepted communication.
  - 20. The terminal of claim 1, wherein the trusted component is removable.
  - 21. The terminal of claim 1, wherein the interface controller is operable to intercept said communications from any one of a plurality of execution environments implemented on the terminal platform.
  - 22. The terminal of claim 1, wherein the interface controller is operable to intercept said communications from any one of a plurality of applications.

23. A method of controlling access in a mobile terminal for use with a cellular or mobile telecommunications network, the method including:
- providing a trusted component in the mobile terminal that is implemented to perform functionality to provide one or more trusted services that each enable access to one or more capabilities according to a corresponding service interface for the trusted service;
  
  implementing an interface controller within a trusted area that is implemented on a terminal platform of the terminal upon which a normal execution environment is implemented;
  
  communicatively connecting the interface controller to the trusted component via a communications channel such that the interface controller operates to intercept all communications being sent to the trusted component requesting access to any of the one or more trusted services according to the corresponding service interfaces; and
  
  restricting access to the trusted component for each intercepted communication.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 24. The method of claim 23, further including controlling access to each trusted service provided by the trusted component for each intercepted communication.
  - 25. The method of claim 23, further including providing at least one trusted service in the trusted area.
  - 26. The method of claim 25, further including intercepting all communications directed to the at least one trusted service provided in the trusted area and controlling access to each trusted service provided in the trusted area.
  - 27. The method of claim 25, further including redirecting communications requesting access to at least one trusted service provided by the trusted component to a corresponding trusted service provided in the trusted area.
  - 28. The method of claim 23, further including redirecting communications requesting access to the at least one trusted service provided in the trusted area to a corresponding trusted service provided by the trusted component.
  - 29. The method of claim 25, wherein said at least one trusted service provided in the trusted area is functionally equivalent to at least one of the trusted services provided by the trusted component.
  - 30. The method of claim 23, wherein the one or more trusted services include performing an authentication of the terminal with the network.
  - 31. The method of claim 23, wherein the one or more trusted services include storage of sensitive data.
  - 32. The method of claim 23, wherein the trusted area is a secure execution environment implemented on the terminal platform.
  - 33. The method of claim 23, wherein a main operating system of the terminal is provided in the normal execution environment.
  - 34. The method of claim 33, further including providing, in the operating system, a gateway to the interface controller.
  - 35. The method of claim 34, further including passing communications towards the interface controller via the gateway.
  - 36. The method of claim 33, wherein the gateway is a virtual interface controller that simulates the interface controller and passes communications requesting access to any of the one or more trusted services to the interface controller in the trusted area such that requests for accessing any of the one or more trusted services handled by the interface controller appear to be handled by the gateway.
  - 37. The method of claim 36, wherein the virtual interface controller executes in the normal execution environment.
  - 38. The method of claim 23, wherein the trusted component is selected from a SIM, a USIM, and a UICC.
  - 39. The method of claim 23, further including establishing a secure channel to the one or more trusted services via the interface controller, and routing each intercepted communication that is authorized for at least one of the one or more trusted services from the trusted area to each trusted service for which the communication is authorized via the secure channel.
  - 40. The method of claim 23, further including establishing a secure channel to the trusted component via the interface controller, and routing each intercepted communication that is authorized for at least one of the one or more trusted services from the trusted area to the trusted component via the secure channel.
  - 41. The method of claim 23, further including filtering access to the trusted component for each intercepted communication.
  - 42. The method of claim 23, wherein the trusted component is removable.
  - 43. The method of claim 23, further including intercepting said communications from any one of a plurality of execution environments implemented on the terminal platform.
  - 44. The method of claim 23, further including intercepting said communications from any one of a plurality of applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vodafone Group PLC
Original Assignee
Vodafone Group PLC
Inventors
Belrose, Caroline, Bone, Nicholas
Primary Examiner(s)
Figueroa, Marisol

Application Number

US12/675,944
Publication Number

US 20110003580A1
Time in Patent Office

2,468 Days
Field of Search

455/410, 455/558
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/53   by executing in a restricte...

G06F 21/6209   to a single file or object,...

G06F 21/77   in smart cards

G06F 21/85   interconnection devices, e....

G06F 2221/2149   Restricted operating enviro...

H04W 12/08   Access security

H04W 12/086   using security domains

Telecommunications device security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Telecommunications device security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links