FIELD OF INVENTION

The invention relates to an aerosol generating device. In particular, the invention relates to an aerosol generating device with a biometric reader.

BACKGROUND TO THE INVENTION

There is a demand for aerosol generating devices which have improved safety features in order to prevent unwanted users, such as children or thieves, from using the device. Biometric readers have been used as a way of providing user authentication for aerosol generating devices; however, there is a need to protect highly sensitive personal biometric data from attacks. Additionally, aerosol generating devices tend to be limited in size and processing power, and are generally low cost devices. There is therefore a need to protect personal biometric data in a way which is suitable for aerosol generating devices. It is an object of the present invention to address these demands.

SUMMARY OF INVENTION

According to an aspect of the invention, there is provided an aerosol generating device configured to generate an aerosol for inhalation by a user, comprising: a biometric reader configured to acquire biometric data from a user; a memory configured to store encrypted biometric data; a sensor configured to measure a physical characteristic of the aerosol generating device; and a controller configured to generate an encryption key based on the measured physical characteristic and decrypt the stored biometric data using the encryption key; wherein the controller is configured to enable or disable an operation of the aerosol generating device based on a comparison between the biometric data acquired by the biometric reader and the decrypted biometric data.

In this way, the safety of the device is improved because an operation of the device can be disabled unless a verified user’s biometric data is received by the biometric reader. Preferably, the operation is the generation of an aerosol. It is considered that the operation could be any other operation of the aerosol generating device, such as the use of a wireless payment interface to conduct wireless payments. The memory is configured to store encrypted biometric data so that, without the encryption key, an attacker can only obtain encrypted data from the memory. The encryption key is generated based on a measured characteristic of the aerosol generating device. Therefore, an attacker can only obtain the encryption key if they are in physical possession of the aerosol generating device and thus able to perform a measurement to obtain the encryption key. This provides a degree of protection because many attacks are carried out remotely, for example through a wireless interface of the aerosol generating device. Individualised electronics unique to each unit of the aerosol generating device, such as individualised processing chips, can significantly increase the cost of the aerosol generating device. Preferably, the measured physical characteristic varies between individual units of the aerosol generating device due to, for example, natural manufacturing variations. Generating the encryption key based on such a physical characteristic avoids the need for specialised electronics unique to each individual unit of the aerosol generating device.

In one example embodiment, the sensor may comprise an LED configured to illuminate a portion of the aerosol generating device and a photodiode configured to measure the light reflected from the illuminated portion. The illuminated portion may comprise a unique surface which may reflect light to the photodiode with a unique pattern and/or intensity. The biometric reader may comprise a fingerprint sensor, a voice recognition unit, an iris scanner, or any other biometric reader known in the art.

Preferably, the sensor is configured to measure one or more electrical components of the aerosol generating device, and the measured physical characteristic is an electrical property of the one or more electrical components. The one or more electrical components may include one or more resistors, capacitors, or any other electrical component. The one or more components may form or partially form a circuit. The electrical property may be resistance, impedance, resonance, or any other electrical property. The electrical property may be measured individually for the one or more components, or collectively in terms of a circuit formed by the one or more components. Generally, electrical properties of electronic components have a manufacturing tolerance, such as resistance values which typically have tolerances of 10% or 20%. By generating the encryption key based on an electrical property of electrical components, the encryption key can be unique to each unit of the aerosol generating device without providing any expensive specialised electronics.

Preferably, the controller comprises at least one of the one or more electrical components. In this way, the biometric data can be further secured from attacks because physical attacks using an electric probe in communication with the controller can interfere with the measurement performed by the sensor. This prevents the correct key from being generated while the controller is being probed by an attacker. Preferably, the electrical property is resistance, or is related to resistance.

Preferably, the sensor is configured to measure a physical characteristic of one or more components of the aerosol generating device which are provided behind a tamper proof seal configured to inhibit access to an internal component of the aerosol generating device. In this way, the one or more components can be destroyed or otherwise altered by the tamper proof seal when an attacker attempts to gain access to an internal component of the aerosol generating device. The alteration of the components prevents the correct encryption key from being generated based on the measurement of the one or more components. Therefore, an attacker attempting to tamper with the device may permanently prevent the correct encryption key from being generated. In one example, the tamper proof seal may comprise a liquid configured to alter an optical or electrical property of the one or more components when the seal is broken. In another example, tamper proof seal may comprise the one or more components, such that the one or more components must be disturbed, altered or destroyed in order to gain access to an internal component of the device. Preferably, the internal component is the controller or the memory, so that the controller or memory cannot be accessed, for example, by an electrical probe, while the one or more components are undisturbed. In one example, the one or more components may be glued to the controller, the memory, or any or all data lines which connect the controller and the memory.

Preferably, the sensor and the controller are configured to measure the physical characteristic and to generate the encryption key based on the measured physical characteristic, respectively, each time the comparison is performed. In this way, the encryption key does not need to be stored in memory permanently, but instead can be re-generated before each use of the encryption key. This further protects the user’s biometric data because the encryption key cannot be retrieved from the memory during an attack.

Preferably, the controller is configured to store the encryption key in the memory and to delete the encryption key from the memory after use of the encryption key. The encryption key may be temporarily stored in the memory in order to perform the decryption of the received biometric data. By deleting the stored encryption key from memory after each use of the encryption key, the encryption key cannot be obtained from the memory during an attack carried out when the device is not in use.

Preferably, the controller is configured to either delete the decrypted biometric data from the memory or re-encrypt the decrypted biometric data after use of the decrypted biometric data. In this way, the user’s unencrypted biometric data is not permanently stored on the device.

Preferably, the encryption key is generated using analogue-to-digital conversion of the measured physical characteristic. In this way, an analogue measurement can be converted into a number which can be used to generate an encryption key. The analogue-to-digital conversion may be performed using any analogue- to-digital converter known in the art.

According to a second aspect of the invention, there is provided a method of operating an aerosol generating device to enable an operation of the aerosol generating device, comprising the steps of: acquiring biometric data from a user; measuring a physical characteristic of the aerosol generating device; generating an encryption key based on the measured physical characteristic; decrypting biometric data stored in a memory of the aerosol generating device using the generated encryption key; comparing the acquired biometric data with the decrypted biometric data; and enabling or disabling an operation of the aerosol generating device based on the comparison.

According to a third aspect of the invention, there is provided a non-transitory computer readable medium comprising executable instructions that, when executed by a processor on an aerosol generating device, cause the aerosol generating device to perform steps comprising: acquiring biometric data from a user; measuring a physical characteristic of the aerosol generating device; generating an encryption key based on the measured physical characteristic; decrypting biometric data stored in a memory of the aerosol generating device using the generated encryption key; comparing the acquired biometric data with the decrypted biometric data; and enabling or disabling an operation of the aerosol generating device based on the comparison.

According to the first aspect of the invention, there is provided an aerosol generating device configured to generate an aerosol for inhalation by a user, comprising: a biometric reader configured to acquire biometric data from a user; a sensor configured to measure a physical characteristic of the aerosol generating device; and a controller configured to generate an encryption key based on the measured physical characteristic and encrypt the acquired biometric data using the encryption key.

BREIF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention are now described, by way of example, with reference to the drawings, in which:

Figure 1 is a cross-sectional schematic diagram of an aerosol generating device in an embodiment of the invention; Figure 2 is a schematic block diagram of a control system of an aerosol generating device in an embodiment of the invention;

Figure 3 is a flowchart showing a control sequence for a registration of user biometric data in an embodiment of the invention;

Figures 4A is a flowchart showing a control sequence for generating an aerosol in an embodiment of the invention; and

Figures 4B is a flowchart showing a control sequence for generating an aerosol in an embodiment of the invention.

DETAILED DESCRIPTION OF THE DRAWINGS

Figure 1 is a cross-sectional schematic diagram of an aerosol generating device or an electronic cigarette according to an embodiment of the invention. An aerosol generating device 100 is provided and comprises a housing 102 configured to house the internal components of the aerosol generating device 100. A reservoir 104 is provided for storing an aerosol generating fluid. A wick 106 is provided in fluid connection with the reservoir 104 and is configured to draw fluid from the reservoir 104 by capillary action. An electrically resistive coil 108 is provided wrapped around the wick 106 and is configured to generate heat when an electric current is passed through the coil 108. The heat generated by the coil 108 can vaporise aerosol generating liquid absorbed by the wick 106. An air inlet 110 is provided on the housing 102 and is in fluid connection with a mouthpiece 112 via an internal air channel (A) to enable a user to draw air through the air inlet 110 via the mouthpiece 112. The wick 106 and the coil 108 are provided within the air channel (A) which enables the user to inhale air through the mouthpiece 112 to carry the generated aerosol to the user. A variety of alternative techniques may be provided for generating an aerosol including techniques that heat, rather than bum, a solid or semi-solid aerosol generating substrate.

A fingerprint sensor 114 is provided on the outer surface of the housing 102 for acquiring biometric fingerprint data from a user. A button 116 is also provided on the outer surface of the housing 102 to receive an input from the user to control an operation of the aerosol generating device 100. A controller 118 is provided internally to the housing 102 for controlling the operations of the device, such as the operation of the coil 108 or the encryption of biometric data acquired by the fingerprint sensor 114. The controller 118 comprises one or more processors configured to execute instructions, and may additionally comprise random access memory, or RAM. A first resistor 120 and a second resistor 122 are provided in electric communication with a resistance sensor 124 and the controller 118 via data lines 126, thus forming a circuit 128. The resistance sensor 124 is configured to determine the resistance of the circuit 128. The aerosol generating device 100 further comprises a battery (not shown) for providing power to the electrical components of the aerosol generating device 100.

The housing 102 may comprise any suitable material known in the art, such as plastic or metal. The reservoir 104 may be a refillable reservoir configured to be refilled via a screw cap or perforable member. Alternatively, the reservoir may be configured as a removable reservoir which is removable via an openable chamber configured to receive the removable reservoir. The removable reservoir could be disposable or refillable. The wick 106 may comprise yam, ceramic, wool, or any other suitable material known in the art. The coil 108 may alternatively be configured as an electrically resistive plate wrapped around the wick 106. The coil 108 may be replaced with any other kind of heater, such as convective heater or a laser heater, as is known in the art. The skilled person would appreciate that the reservoir 104, the wick 106 and the coil 108 may be replaced with any other apparatus used to generate an aerosol from an aerosol generating substance. For example, the reservoir 104, the wick 106 and the coil 108 may be replaced with an oven configured to receive and heat a stick of tobacco-containing material to generate an aerosol.

In an alternative embodiment, the fingerprint sensor 114 may be configured as any other kind of biometric reader configured to acquire biometric data from a user, such as an iris scanner or a voice recognition unit. Any other input device may be used alternatively or in addition to the button 116 in order to receive an input from the user. For example, the button 116 may be used in conjunction with a puff sensor configured to detect a user-generated airflow through the air channel (A). In a further embodiment, the button 116 may be replaced with a touch screen interface. In an alternative embodiment, the button 116 may not be provided. Instead, the user input may be received and relayed to the controller 118 via the fingerprint sensor 114 alone.

The circuit 128 may include other electrical components, such as capacitors or inductors, alternatively or in addition to the first resistor 120 and the second resistor 122. In an alternative embodiment, the resistance sensor 124 may be configured to measure an alternative electrical property of the circuit 128, such as impedance or resonance. Alternatively, the resistance sensor 124 may be configured to measure the resistance of a single electrical component, or only the first resistor 120. The resistance sensor 124 may comprise any suitable resistance sensor as is known in the art, such as an ohmmeter. Alternatively, the resistance sensor may determine or calculate the resistance of the circuit 128 by measuring a property of the circuit 128 which is dependent on the resistance.

Figure 2 is a schematic block diagram of a control system of the aerosol generating device 100. The controller 118 is in electric communication with the other electronic components of the device, i.e. the electric components shown in Figure 2, via power or data lines. A memory 130 is provided as a chip housed internally to the housing 102 for storing instructions and encrypted biometric data. An LED 132 is provided on an external surface of the housing 102 for indicating to the user a status of the device, such as that the battery charge is low or that the generation of an aerosol is enabled. An analogue-to-digital converter 134 is provided internally to the housing 102 for converting an analogue resistance measured by the resistance sensor 124 into a digital number. Any other output device may be used alternatively or in addition to the LED 132 for providing feedback to the user. In one example, a vibration unit may be provided in order to provide haptic feedback to a user. The analogue-to- digital converter 134 may be any kind of analogue-to-digital converter as is known in the art. In a further embodiment, the aerosol generating device 100 may comprise a wireless communication interface, such as a Bluetooth interface, for communicating wirelessly with a user electronic device.

The controller 118 is configured to disable the generation of an aerosol by preventing the provision of power from the battery to the coil 108 unless the fingerprint sensor 114 receives biometric data from an authenticated user. The provision of power to the coil 108 may be enabled or disabled using a switch provided on a power line which is controlled by the controller 118. In order to determine whether or not received biometric data matches authentic biometric data belonging to the authenticated user, the user’s authenticated biometric data must be stored in some way for a comparison or verification to be performed. A user’s biometric data is sensitive information, and therefore must be protected from malicious attackers. The controller 118 is configured to protect the user’s biometric data using encryption.

Encryption is a well-known method of protecting sensitive data, and can be carried out using standard encryption algorithms. One method of encryption involves the use of an encryption key which can be generated using a standard algorithm based on a random or pseudo-random number. The encryption key is used in standard algorithms to convert sensitive data into encrypted data which contains no useful information if taken alone. If an attacker obtains the encrypted data, in general it requires significant computational resources to recover the original sensitive data from the encrypted data without the encryption key. On the other hand, the user can easily re-obtain the sensitive data using an identical encryption key and a corresponding standard decryption algorithm, as is known in the art. There is thus a need to prevent the encryption key from being obtained by an attacker.

The aerosol generating device 100 uses the resistances of the first resistor 120 and the second resistor 122 in order to generate a random number which can be turned into an encryption key by a standard algorithm. To a certain degree of accuracy, the true resistance of two resistors which are denoted to have the same resistance value will generally vary due to minute differences in each resistor which occur during manufacturing. The resistance sensor 124 is configured to measure the resistance of the circuit 128 to sufficient accuracy so that the encryption key can safely be considered to be unique to each unit of the aerosol generating device 100. Thus, a unique encryption key can be generated based on the resistance of the circuit 128 which includes first resistor 120 and the second resistor 122, which cannot be determined by an attacker unless they are also in possession of the aerosol generating device 100 to perform a measurement. In general, it is important that the encryption key is unique to each aerosol generating device so that an attacker cannot infer the encryption key of a first aerosol generating device using a second aerosol generating device.

Advantageously, the resistance sensor 124 is configured to measure the resistance of the circuit 128, which includes the controller 118. This provides an additional degree of protection in the case where an attacker does manage to obtain a user’s aerosol generating device 100. An attacker may attempt to use an electrical probe in connection with the controller 118 or any of the data lines 126, in order to try and steal the encryption key after it has been generated. However, if the resistance sensor 124 performs a measurement while an electrical probe is in contact with the circuit 128, the resistance sensor 124 may measure a different value of resistance for the circuit 128 due to the electrical probe. The encryption key generation algorithm will therefore generate a different, and therefore useless, encryption key, because the number from which it was generated is also different. Thus, even if the aerosol generating device 100 is obtained by an attacker, the user’s biometric data may still be protected.

In a further embodiment, the first resistor 120 or the second resistor 122 may be glued or sealed over the data lines 126 or the controller 118. This further protects against tampering, because the first resistor 120 or the second resistor 122 must be altered, destroyed, or otherwise disturbed in order to gain access the data lines 126 or the controller 118 with a probe. Disturbing the first resistor 120 or the second resistor 122 may change their electrical properties enough such that the resistance sensor 124 measures a different value of resistance for the circuit 128, thereby preventing the correct encryption key from being generated. In this way, the first resistor 120 and the second resistor 122 can form a tamper proof seal which permanently alters the electrical properties of the circuit 128 when the seal is broken.

In an alternative embodiment, the tamper proof seal may comprise a protective casing which contains the controller 118 and the memory 130. The resistance sensor 124 may be configured to measure the resistance of the protective casing. In this case, breaking open the protective casing may permanently alter the resistance of the casing, thereby preventing the correct encryption key from being generated.

The user is required to perform a registration so that their biometric data can be considered as authentic biometric data by the controller 118. In the embodiment of Figure 1 , the user’s biometric data is fingerprint data. This may be carried out during the first use of the aerosol generating device 100 or at the point of purchase. Alternatively, this may be carried out in conjunction with a user electronic device, such as a smartphone, which enables the aerosol generating device 100 to be registered to an online user account. The aerosol generating device 100 may communicate with the smartphone using a wireless communications interface, and the registration of the user’s biometric data may be carried out as part of the registration of the aerosol generating device 100 to the online user account.

Figure 3 is a flowchart showing a control sequence for a registration of user biometric data in an embodiment of the invention.

The registration process begins at step 302. The user may press a finger or thumb against the fingerprint sensor 114, which may optically scan the fingerprint to acquire biometric fingerprint data relating to the fingerprint.

At step 304, the fingerprint sensor acquires the user’s fingerprint data. The acquired fingerprint data may be stored temporarily in the controller 118, for example in a random access memory, or RAM, of the controller 118. Alternatively, the acquired fingerprint data may be stored temporarily in a RAM of the fingerprint sensor 114, or stored temporarily in the memory 130. Typically, biometric data comprises a few dozen to a few hundred numbers for behavioural biometrics or larger sets of numbers for physiological biometrics.

At step 306, the resistance sensor 124 measures the resistance of the circuit 128 and obtains a resistance value. The resistance sensor 124 is configured to measure the resistance of the circuit 128 to a specific degree of accuracy. The degree of accuracy is sufficiently high so that the manufacturing tolerances of the first resistor 120 and the second resistor 122 provide a measurement of resistance which can safely considered to be unique in comparison to other units of the aerosol generating device 100. The degree of accuracy is sufficiently low, however, so that the measurement of the resistance is consistently reproducible. For example, the degree of accuracy may be selected so that the same value of resistance can be obtained when the measurement is performed at a wide range of ambient temperatures. The degree of accuracy may be, for example, 0.1 % or 0.05%, or may take even more accurate values. The value of resistance may be sent to the analogue-to-digital converter 134 via the controller 118.

At step 308, the analogue-to-digital converter 134 receives the measured resistance and converts the measured resistance into a number, using any analogue-to-digital conversion scheme known in the art. The analogue-to-digital converter 134 sends the number to the controller 118.

At step 310, the controller 118 receives the number and uses a known encryption key generation algorithm to generate an encryption key based on the number. The encryption key generation algorithm is configured to produce the same encryption key each time it receives the same number.

At step 312, the fingerprint data is encrypted using the encryption key and a standard encryption algorithm.

At step 314, the encryption key is erased from any permanent or temporary memory in which it may have been stored. At this step, any copies of the unencrypted fingerprint data may also be erased from all permanent or temporary memory storage of the aerosol generating device 100.

At step 316, the encrypted fingerprint data is stored in the memory 130. The encrypted fingerprint data can then be retrieved from the memory 130 for decryption each time the user authentication must be performed.

In some embodiments, the registration process of Figure 3 may be repeated for additional fingerprints of the user.

Operation of the aerosol generating device 100 in use to generate an aerosol will now be described with reference to Figures 4A and 4B. Figures 4A and 4B are a flowchart showing a control sequence for generating an aerosol in an embodiment of the invention.

At step 402, the user touches the fingerprint sensor 114 to indicate to the controller 118 that they intend to generate an aerosol, or start ‘vaping’. The aerosol generating device 100 may be ‘woken up’ from a low power state when the fingerprint sensor 114 detects a fingerprint.

At step 404, the fingerprint sensor 114 acquires fingerprint data from the user. The acquired fingerprint data is to be compared, in a later step, with the stored fingerprint data which is saved in the memory 130 from the registration process of Figure 3, after the stored fingerprint data has been decrypted. The acquired fingerprint data may be sent to the controller 118.

Steps 406 to 410 correspond to steps 306 to 310 of Figure 3 to re-generate the encryption key based on the measured resistance of the circuit 128.

At step 412, the stored fingerprint data is decrypted using the encryption key generated at step 410 and a standard decryption algorithm. The decrypted fingerprint data may be stored temporarily in the memory 130 or in a RAM of the controller 118, in order to perform a comparison at a later step. At step 414, the encryption key is erased from any memory from which it is stored to prevent an attacker from retrieving the key from memory.

At step 416, the controller 118 performs a comparison between the decrypted fingerprint data and the acquired fingerprint data which was acquired at step 404. If the user has registered multiple fingerprints, the acquired fingerprint data may be compared in turn to each of the registered fingerprints. If the controller 118 does not determine a match, the controller 118 proceeds to step 418. In practice, a match may not be determined because: an authentic user has submitted a finger to the fingerprint sensor 114 which has not been registered; an authentic user has not positioned their finger correctly over the fingerprint sensor 114; an inauthentic user has provided unregistered fingerprint data to the fingerprint sensor 114; or an attacker has interfered with the circuit 128, thereby causing the resistance sensor 124 to measure a different value of resistance. In this latter case, the encryption key, which is generated based on the different value of resistance, will be a different encryption key to the key with which the registered fingerprint data was encrypted in the registration process of Figure 3. In general, if encrypted data is decrypted using a different key to that with which it was encrypted, the decrypted data will be unintelligible. Thus, alteration of the circuit 128 by an attacker can permanently change the resistance of the circuit 128, thereby preventing the correct encryption key from being generated.

At step 418, the presence of an error may be indicated using the LED 132 to indicate to the user that authentic fingerprint data was not received at step 404. The controller 118 may send a control signal to the LED 132 to instruct the LED 132 to flash with a particular colour or frequency. In an alternative embodiment, additional indication of an error may be provided, for example using a vibration unit. The control sequence proceeds in Figure 4B.

At step 420, the decrypted fingerprint data is erased from any memory on which it is stored to prevent an attacker from stealing the decrypted fingerprint data from memory. Alternatively, the decrypted fingerprint data may be re-encrypted at this step. At step 422, the controller 118 may return to step 402 and be in an inactive state until the user touches the fingerprint sensor 114 to begin the verification process again.

Returning to step 416, alternatively the controller 118 may determine a match between the fingerprint data received at step 404 and the decrypted fingerprint data. Thus, the controller 118 can determine that the user is an authentic user of the aerosol generating device. In this case, the controller 118 proceeds to step 424.

At step 424, the controller 118 enables the generation of an aerosol. While the generation of an aerosol is enabled, a user can provide an input which is received by the controller 118 and, in response, the controller 118 instructs the battery to provide a current through the coil 108. In some embodiments, the generation of an aerosol may be enabled for a predetermined time period, such as 5 minutes, during which the user can press the button 116, or any other input device, to provide an input to trigger the powering of the coil 108. Once the predetermined time period has lapsed, the user may be required to re-perform the authentication of steps 402 to 424, in order to re-enable the generation of an aerosol. In other embodiments, the generation of an aerosol may not be enabled for a predetermined time period. In this case, the user may simply continue to hold their finger against the fingerprint sensor 114, and the controller 118 may be configured to interpret an extended touch of the fingerprint sensor 114 as an input signal to power the coil 108. In such cases, the authentication process of Figures 4A and 4B may be repeated on each vaping instance, or ‘puff’. When the generation of an aerosol is not enabled, the controller 118 does not instruct the battery to provide power to the coil 118 when a user input is received.

At step 426, the controller 118 receives an input signal, which may be received from the button 116 or the fingerprint sensor 114, as described above.

At step 428, the controller 118 instructs the battery to provide power to the coil 108. The powered coil 108 generates heat, which vaporises the aerosol generating fluid absorbed by the wick 106. The user can then inhale through the mouthpiece 112. This draws air through the air inlet 110 via the air channel (A), thus carrying the generated aerosol to the user for inhalation.

The presence of an error has been indicated at step 418, however the LED 132 may be used to indicate the status of any other steps as appropriate. For example, the controller 118 may instruct the LED 132 to indicate that the generation of an aerosol has been enabled, after step 424.

The steps described in Figures 4A and 4B describe the verification of a user in order to enable the generation of an aerosol. However, it is considered that in other embodiments an operation alternative to the generation of an aerosol may be enabled. For example, the aerosol generating device 100 may be configured to conduct wireless payment systems using, in one example, a near field communication, or NFC, chip. In such embodiments, the verification process of Figures 4A and 4B may be used to enable the operation of the NFC chip to conduct wireless payments.