Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
METHODS OF REMOTELY IDENTIFYING, SUPPRESSING AND/OR DISABLING WIRELESS DEVICES OF INTEREST
Document Type and Number:
WIPO Patent Application WO/2007/016641
Kind Code:
A2
Abstract:
Techniques for causing a wireless device in some prescribed operational area to respond on demand to a suitably designed interrogator and thereby expose its presence and identifying information while minimizing the required power and collateral interference outside of the predefined operational area. Having established the presence of the wireless device, the interrogator can subsequently establish it as friend or foe and proceed to either quarantine, disable, filter for access or elicit continuous transmission from the device for purposes of location while allowing friendly devices to continue to function normally in the same operational area or similarly prevent said friendly devices from becoming the source of constant false alarms. The methods described herein can be extended to interrogating a wireless device to discover its location, the encryption keys it is using, or interrogating the network to discover the actual dialing number of the wireless device.

Inventors:
HAVERTY JAMES D (US)
Application Number:
PCT/US2006/030159
Publication Date:
February 08, 2007
Filing Date:
August 01, 2006
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
COMHOUSE WIRELESS LP (US)
HAVERTY JAMES D (US)
International Classes:
H04K3/00
Foreign References:
US20030143943A1
US6195529B1
US6654589B1
US20030021418A1
US20050138433A1
Attorney, Agent or Firm:
NELSON, Gordon, E. (P.o. Box 782Rowley, MA, US)
Download PDF:
Claims:
i. A method ot suppressing a given beacon so that a wireless device cannot interact with the given beacon, the given beacon and the wireless device obeying a wireless communication standard and the method comprising the steps of: determining a characteristic of the signal produced by the given beacon, the characteristic being required by the standard for interaction between the wireless device and the given beacon; and generating an interference signal that is specifically adapted to the characteristic and that interferes with the characteristic at the wireless device such that the wireless device cannot interact with the given beacon.

2. The method set forth in claim 1 wherein: in the step of generating the interference signal, the interference signal is limited to the channel upon which the given beacon is operating.

3. The method set forth in claim 2 wherein: the interference signal is a noise signal that is limited to the channel and is stronger at the wireless device than the signal in the channel.

4. The method set forth in claim 1 wherein: in the step of generating the interference signal, the interference signal's power is determined by the power of the given beacon at the wireless device.

5. The method set forth in claim 1 wherein: the interference signal defines an operational area surrounding the wireless device wherein the interference signal interferes with the characteristic such that the wireless device cannot interact with the given beacon.

6. The method set forth in claim 1 wherein: the characteristic is a part of the signal that contains information which the wireless device requires to interact with the given beacon; and in the step of generating the interference signal, the interference signal is generated such that the interference signal interferes with the part of the signal from

the given beacon and thereby prevents the wireless device from interacting with the given beacon.

7. The method set forth in claim 6 wherein: the given beacon generates the part of the signal at discrete times; and in the step of generating the interference signal, the interference signal is generated at times that are determined by the times at which the part of the signal is generated by the given beacon.

8. The method set forth in claim 6 wherein: the part of the signal is a pilot signal which the wireless device uses to synchronize itself with the given beacon; and the interference signal interferes with the pilot signal such that the wireless device cannot use the pilot signal to synchronize itself with the given beacon.

9. The method set forth in claim 8 wherein: the given beacon generates the information in the pilot signal which the wireless device uses to synchronize itself with the given beacon at first discrete times; and in the step of generating the interference signal, the interference signal is generated at second discrete times such that the wireless device synchronizes itself with the interference signal instead of the pilot signal.

10. The method set forth in claim 8 wherein: the signal produced by the given beacon includes symbols representing data carried by the signal and a quality indicator for the data; the wireless device discards the data as indicated by the quality indicator; the wireless device synchronizes itself with the pilot signal to read the symbols; and in the step of generating the interference signal, the interference signal is generated at discrete times such that the wireless device erroneously reads certain of the symbols with the result that the quality indicator indicates that the data should be discarded.

11. The method set forth in claim 6 wherein: the signal produced by the given beacon includes symbols representing data carried by the signal and a quality indicator for the data; the wireless device discards the data as indicated by the quality indicator; and in the step of generating the interference signal, the interference signal is generated at times such that certain of the symbols are corrupted with the result that the quality indicator indicates that the data should be discarded.

12. The method set forth in claim 6 wherein: the characteristic is a signaling channel that carries signaling information; and the interference signal disrupts the signaling information.

13. The method set forth in claim 1 further comprising the step of: providing a baiting beacon with which the wireless device may interact instead of the given beacon.

14. The method set forth in claim 13 wherein the method further includes the step of: detecting timing differences between the baiting beacon and the given beacon; and in the step of generating the interference signal, the timing differences are used in generating the interference signal.

15. The method set forth in claim 13 wherein: the interference signal defines an operational area surrounding the wireless device wherein the interference signal interferes with the characteristic such that the wireless device cannot interact with the given beacon; the power of the baiting beacon is such that the wireless device will not interact with the baiting beacon outside the operational area.

16. The method set forth in claim 14 wherein: the standard requires that a beacon authenticate itself to the wireless device and that a wireless device not interact with a beacon that does not authenticate itself; and

the baiting beacon does not authenticate itself to the wireless device, whereby the wireless device is disabled in the operational area.

17. The method set forth in claim 13 wherein: the baiting beacon is different from the given beacon at least in that the baiting beacon specifies a different registration area from that specified by the given beacon; the only beacon with which the wireless device can interact in the operational area is the baiting beacon, whereby the wireless device is forced to reregister with the baiting beacon.

18. The method set forth in claim 17 wherein: the baiting beacon is further different from the given beacon in that the baiting beacon provides the wireless device with parameters which maximize the conspicuousness of the wireless device in the operational area.

19. The method set forth in claim 18 wherein: the baiting beacon is otherwise a clone of the given beacon.

20. The method set forth in claim 13 wherein: the baiting beacon operates on a channel which is different from the channel on which the given beacon operates.

21. The method set forth in claim 1 wherein: there is a plurality of the given beacons; in the step of generating the interference signal, an interference signal is generated for each of the given beacons, the interference signals defining an operational area surrounding the wireless device in which the wireless device cannot interact with any of the given beacons.

22. The method set forth in claim 21 further comprising the step of: providing a baiting beacon in the operational area with which the wireless device may interact instead of the given beacon.

23. The method set forth in claim 22 wherein:

in the step of providing the baiting beacon, the power of the baiting beacon is such that the wireless device will not interact with the baiting beacon outside the operational area.

24. The method set forth in claim 22 wherein: in the step of providing the baiting beacon, a baiting beacon is provided for each of the given beacons.

25. The method set forth in claim 24 wherein: in the step of providing the baiting beacon, a baiting beacon that is provided for a given beacon differs from the given beacon in that the baiting beacon specifies a different registration area from that specified by the given beacon.

26. The method set forth in claim 25 wherein: the baiting beacon that is provided for a given beacon further differs from the given beacon in that the baiting beacon provides the wireless device with parameters which maximize the conspicuousness of the wireless device in the operational area.

27. The method set forth in claim 26 wherein: the baiting beacon is otherwise a clone of the given beacon.

28. The method set forth in claim 25 wherein: a baiting beacon operates on a channel which is different from any of the channels on which the given beacons operate.

29. The method set forth in claim 13 further comprising the step of: causing the baiting beacon to interact with the wireless device when the wireless device reregisters with the baiting beacon.

30. The method set forth in claim 29 wherein: the baiting beacon interacts with the wireless device such that the baiting beacon obtains information from the wireless device, the wireless device responding during the interaction as specified in the standard.

31. The method set forth in claim 30 wherein: the information is identification information for the wireless device.

32. The method set forth in claim 30 wherein. the identification information includes temporary identification information that is temporarily assigned to the wireless device and permanent identification information that is permanently assigned to the wireless device; and in the step of causing the baiting beacon to interact, the baiting beacon fails to respond when the wireless device provides the temporary identification information, the failure to respond causing the wireless device to respond by providing the permanent identification information.

33. The method set forth in claim 30 further comprising the steps of: using the identification information to query a data base; and performing a further interaction between the baiting beacon and the wireless device based on the query result.

34. The method set forth in claim 33 wherein: in the step of performing the further interaction, the further interaction is disabling the wireless device.

35. The method set forth in claim 29 wherein: the baiting beacon interacts with the wireless device such that the baiting beacon disables the wireless device.

36. The method set forth in claim 35 wherein: the baiting beacon disables the wireless device by using a disablement command specified in the wireless communication standard.

37. The method set forth in claim 35 wherein the baiting beacon disables the wireless device by performing the further step of:

herding the wireless device to a channel wherein the only beacon the wireless device can interact with is a baiting beacon that neither provides incoming calls to the wireless device nor responds to outgoing calls from the wireless device.

38. The method set forth in claim 35 wherein: the wireless device has a cipher key and identification information that is in phase with the cipher key and the baiting beacon disables the wireless device by performing the step of : changing the cipher key in the wireless device so that it is out of phase with the wireless device's identification.

39. The method set forth in claim 38 wherein the baiting beacon disables the wireless device by performing the step of: using the challenge which the baiting beacon employs in authenticating the wireless device to change the wireless device's cipher key.

40. The method set forth in claim 38 wherein the baiting bacon reenables the wireless device by performing the step of: restoring the change so that the identification information is again in phase with the cipher key.

41. The method set forth in claim 35 wherein the wireless communication standard specifies that a wireless device will not interact with a beacon unless the beacon has authenticated itself to the wireless device; the wireless device is able to interact with one or more given beacons; and the baiting beacon disables the wireless device by performing the further steps for each of the given beacons of: overriding the given beacon; and thereupon failing to authenticate itself to the wireless device, whereby the wireless device no longer interacts with any of the given beacons.

42. The method set forth in claim 13 wherein:

the baiting beacon interacts with the wireless device by performing a network operation in place of the wireless device.

43. The method set forth in claim 42 wherein: the network has caller identifier functionality; the network operation is making a call from the wireless device to a destination; and the network uses the caller identifier functionality to supply the telephone number of the wireless device to the destination.

44. The method set forth in claim 29 further comprising the step of: providing a further baiting beacon on a different channel; and the baiting beacon interacts with the wireless device such that the wireless device switches to the further baiting beacon's channel.

45. The method set forth in claim 44 wherein: the wireless device is the only wireless device operating on the further baiting beacon's channel, whereby the wireless device is more easily located.

46. Apparatus for suppressing a given beacon so that a wireless device cannot interact with the given beacon, the given beacon and the wireless device obeying a wireless communication standard and the apparatus comprising: an analyzer that determines a characteristic of the signal produced by the given beacon that is required by the standard for interaction between the wireless device and the given beacon; and a signal generator that generates a signal that is specifically adapted to the characteristic and that interferes with the characteristic at the wireless device such that the wireless device cannot interact with the given beacon.

47. A method employed in a baiting beacon of performing a given interaction with a wireless device that is monitoring the baiting beacon, the method comprising the steps of:

during authentication of the wireless device to the baiting beacon, refusing to respond to temporary identification information that temporarily identifies the wireless device, thereby causing the wireless device to provide permanent identification information that permanently identifies the wireless device to the baiting beacon; querying a database associated with the baiting beacon with the provided permanent identification information; and performing the given interaction with the wireless device only if the result of the query indicates that given interaction may be performed.

48. The method set forth in claim 47 wherein: the given interaction disables the wireless device.

49. A method employed in a baiting beacon being monitored by a wireless device of locating the wireless device, the method comprising the steps of: requesting a report from the wireless device of the signal strength of signals from a plurality of beacons at known locations in the wireless device; for each beacon of the plurality, using the beacon's signal strength at the wireless device to determine the distance of the wireless device from the beacon; and using the determined distances to determine the location of the wireless device.

50. The method set forth in claim 49 further comprising the step of: obtaining sector orientation and aperture information for each beacon of the plurality, the sector orientation and aperture information being employed in the step of using the beacon's signal strength to refine the determination of the distance of the wireless device from the beacon.

51. A method of employing a baiting beacon to obtain the telephone number of a wireless device which is monitoring the baiting beacon, the wireless device interacting with a network which has caller identification capability and the method comprising the steps of:

using the baiting beacon to obtain identification information for the wireless device from the wireless device; using the identification information in the baiting beacon to set up a call to a destination device that has access to the network's caller identification capability; and obtaining the telephone number of the wireless device from the destination device.

52. A method of employing a GSM baiting beacon to interact with a UMTS wireless device comprising the steps of: establishing a relationship between the signal of the GSM baiting beacon and the signal at the UMTS wireless device of any UMTS beacons such that the UMTS wireless device falls back to GSM and attempts to register with the GSM baiting beacon; and in the GSM beacon, responding to the registration attempt by interacting with the UMTS wireless device.

53. The method set forth in claim 52 wherein: the step of establishing the relationship includes the step of interfering with the UMTS beacons.

54. A method of employing a baiting beacon to obtain permanent identification information for a wireless device that is monitoring the baiting beacon, the method comprising the steps of: requesting identification information from the wireless device; and when the wireless device returns temporary information, failing to respond further, the wireless device responding to the failure of the baiting beacon to respond further by returning permanent identification information.

55. A method of employing a baiting beacon to disable a wireless device that is monitoring the baiting beacon, the wireless communication standard under which the wireless device operates specifying that that a wireless device will not interact with a beacon unless the beacon has authenticated itself to the wireless device, the wireless device being potentially able to interact with one or more given beacons other than the baiting beacon, and

the method comprising the steps performed by the baiting beacon for each of the given beacons of: overriding the given beacon; and thereupon failing to authenticate itself to the wireless device, whereby the wireless device no longer interacts with any of the given beacons.

56. A method of moving a given wireless device that is monitoring a given beacon to a different channel, the method comprising the steps of: using a first baiting beacon to override the given beacon such that the given wireless device monitors the first baiting beacon instead of the given beacon in an operational area that surrounds the given wireless device; establishing a second baiting beacon on the different channel, the second baiting beacon acting in the operational area to override any beacons operating on the different channel; and using the first baiting beacon to command the wireless device to operate on the different channel.

57. A method of disabling a wireless device comprising the steps of: determining an area that potentially contains the wireless device; and irradiating the area with sufficient energy to trip the wireless device's protection circuitry.

58. A method of employing a baiting beacon to disable a wireless device of a type wherein identification information and a cipher key must be in phase in order for the wireless device to interact with the wireless network, the method comprising the steps of: enticing the wireless device to register with the baiting beacon; and employing the baiting beacon to change the cipher key in the wireless device so that the identification information is out of phase with the wireless device's cipher key.

59. The method of employing a baiting beacon set forth in claim 58 further comprising the step of:

employing the baiting beacon to reenable the wireless device by restoring the change so that the identification information is again in phase with the cipher key.

Description:

TITLE OF THE APPLICATION

Methods of Remotely Identifying, Suppressing and/or Disabling Wireless Devices of Interest

CROSS-REFERENCE TO RELATED APPLICATIONS

The present patent application claims priority from the following U.S. provisional patent applications:

• 60/704,808, Haverty, Methods of remotely identifying, suppressing, and or disabling wireless devices of interest, filed 8/2/2005;

• 60/712,704, Haverty, Methods of surgical wireless device access filtering and threat suppression using signal timing, filed 8/29/05; and

• 60/717,131, Haverty, Methods of power consumption minimization as applied to the remote interrogation and/or suppression of wireless devices, filed 9/14/2005.

Each of these applications is incorporated by reference into the present patent application in its entirety and for all purposes.

STATEMENTREGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

Not applicable.

REFERENCE TO A SEQUENCE LISTING

Not applicable.

BACKGROUND OF THE INVENTION

1. Field of the invention

The invention relates to the methods of controlling a transceiver to remotely interrogate wireless devices on demand in some prescribed operational area so as to identify the presence of said device, whether it is friend or foe, and subsequently disabling the device based on its disposition or enticing it to transmit to facilitate its location.

2. Description of related art

The widespread use of wireless devices in criminal and terrorist activities has made it desirable for law enforcement officials to be able to identify and subsequently suppress, ring, locate, or when necessary even disable clandestine wireless devices. Such devices may be concealed in containers or on persons, may be connected to detonators or other activators, or may be being used for purposes of terrorism, unauthorized intelligence collection. In some cases, the wireless device may even have been inadvertently enabled in a secure environment by legitimate subscribers. Law enforcement officials further need to be able to identify and quarantine wireless devices in emergency situations or in situations where use of wireless devices is prohibited, such as prisons, hospitals or baggage screening areas and to determine the identifying information of a wireless device prior to locating and intercepting the wireless device and collecting either voice or data from the wireless device.

Wireless devices operate as described in wireless communications standards such as CDMA, GSM, or UTMS. All of these standards prescribe specific conditions under which a wireless device registers for service with a providing system. Examples of such conditions include: upon power up of the wireless device; after some prescribed period of time determined by system parameters regularly broadcast by beacons contained in cell towers belonging to the providing system; or when movement of a wireless device requires re-registration. Re-registration is required when a wireless device moves from its current registration area to another registration area so as to facilitate the orderly routing of all incoming calls. Once a wireless device has registered or reregistered itself with a beacon, it begins interacting with the beacon. Until the wireless device again reregisters itself, it will interact with no other beacon. A wireless device is said to be monitoring the beacon it is currently interacting with.

The wireless standards further prescribe that a wireless device register (or re-register) with the system when the wireless device detects a beacon in its registration area that is "better" than the beacon the wireless device is currently monitoring. The "better" beacon has either greater signal strength or better quality compared to the beacon which the wireless device is currently monitoring. The wireless device obtains the thresholds for making such determinations from parameter settings in the beacon currently being monitored. For example, all beacons broadcast one or more messages that include parameters for determining when a wireless device monitoring the beacon is to register with the "better" beacon.

Enticing a wireless device to register with a baiting beacon

The key to dealing with wireless devices that pose a security risk in an area of interest to the law enforcement personnel (termed herein an operational area) is to entice such a device to reregister with a baiting beacon that is under the control of the law enforcement personnel. A baiting beacon is a counterfeit beacon, i.e., a beacon that appears to the wireless device to belong to the network with which the wireless device interacts but is in fact not one of the network's beacons. A known method for making a wireless device register with a baiting beacon is to generate a baiting beacon that is like one in the current registration area but differs from it in two respects:

• it has a power level which is greater than the power level of the strongest beacon that is detected in the operational area by more than the strongest beacon's threshold amount; and

• it has broadcast settings that indicate that it is in a different registration area.

In response to this combination of greater power and different registration area, the wireless devices in the operational area will automatically re-register with the baiting beacon.

The technique of proffering a baiting beacon has been further refined in prior art to include a directional antenna so as to focus the baiting beacon's signal in a direction (where a wireless device of interest is presumed to be located). Directional focusing the baiting beacon both reduces both the required power consumption and the amount

of interference with wireless devices that are not of interest. Such interference is termed in the following collateral interference. The obvious limitations of this technique are that it presumes some knowledge of where a device of interest is located and that it limits but does not eliminate collateral interference: any wireless device that is located within the directional beam will be affected, even if the device is outside the operational area.

Merely offering a baiting beacon whose signal in the operational area is stronger than that of any other beacon in the operational area has the intrinsic and fundamental limitation that collateral interference cannot be limited to the operational area. Because the baiting beacon's signal must be greater than that of the strongest beacon in the operational area, and that in turn means that the signal will reach far beyond the operational area. Merely offering a stronger baiting beacon further means that the minimum power level for the beacon must be a level which is just above the threshold of the strongest legitimate beacon in the operational area. The need for such high power levels makes it difficult to design portable baiting beacons that are both light in weight and have sufficient power to operate in close proximity to a legitimate beacon. Finally, the parameters received by the wireless devices from the legitimate beacon dictate how long the wireless device must detect the stronger signal before attempting to reregister, and that in turn determines how quickly a wireless device can be made to register with the baiting beacon.

Once a wireless device has been enticed to register with a baiting beacon, the wireless device can be interrogated. Many interrogation techniques can be derived directly from a reading of the cellular standards. However, in the case of GSM or UMTS wireless devices only the International Standard Mobile Identifier (IMSI), the Temporary Mobile Identifier (TMSI) and the equipment electronic serial number (IMEI) can be queried. The actual dialed number of the wireless device, known in the art as the Mobile Identification Number (MIN) is not stored in the wireless device but instead is stored in the network and hence cannot be queried using these standard interrogation techniques.

Also known are techniques for temporarily disabling a wireless device once interrogated. In the case of the GSM standard, this includes issuing an authentication rejection which tells the subscriber identity module (SIM) chip embedded in the wireless device to prohibit all incoming and outgoing calls or hijacking the wireless device and issuing an artificial IMSI detach. The IMSI detach tells the network that the wireless device is powering down. The network responds to the message by ceasing to route incoming calls to the wireless device. The effect of the authentication rejection on the SIM is reversed when the wireless device is power cycled. The effect of the IMSI detach is reversed when the wireless device is power cycled or it spontaneously reregisters with the network. Once a wireless device is disabled as described using these techniques, there are no ways of reversing these effects at the baiting beacon. Instead, action by either the network or the user of the wireless device is required. Disablement by way of the authentication rejection further alerts the user to the fact that the wireless device has been disabled.

The prior art solutions for GSM enumerated in the foregoing do not lend themselves to the UMTS standard, which includes measures to thwart such attacks. For example, in UMTS, the wireless device authenticates the beacon it is monitoring, and consequently, a baiting beacon operating according to the UMTS standard must be able to authenticate itself to the wireless device.

Problems not solved by known techniques of enticing wireless devices to reregister with a baiting beacon include: limiting or eliminating collateral interference and false alarms in some operational area; minimizing the power required for the baiting beacon; minimizing the time required for the baiting beacon to elicit a registration; and distinguishing wireless devices that are permitted in the operational area from those that are not permitted there.

Problems not solved by known techniques of querying enticed wireless devices include: disabling a wireless device without alerting the subscriber, re-enabling a wireless device from the baiting beacon; determining the telephone number of the wireless device; and immunity of UMTS wireless devices to some of the techniques. It is an object of the inventions disclosed herein to solve these and other problems related to remotely interrogating, identifying, and disabling wireless devices and

thereby to provide improved techniques for remote interrogation, identification, and disablement of wireless devices.

SUMMARY OF THE INVENTION

The object of the invention is attained first by a method of suppressing a given beacon in a wireless communication system so that a wireless device cannot interact with the given beacon. The wireless device and the given beacon obey a wireless communication standard and the steps of the method include:

• Determining a characteristic of the signal produced by the given beacon. The characteristic is one which is required by the standard for interaction between the wireless device and the given beacon; and

• generating an interference signal that is specifically adapted to the characteristic and that interferes with the characteristic at the wireless device such that the wireless device cannot interact with the given beacon.

The interference signal may be limited to the channel upon which the given beacon is operating. The signal may be white noise in the channel and its power may be determined by the power of the given beacon at the wireless device.. The interference signal defines an operational area around the wireless device. In the operational area, the interference signal interferes with the characteristic such that the wireless device cannot interact with the given beacon.

The characteristic may be a part of the signal from the given beacon that contains information which the wireless device requires to interact with the given beacon. In the step of generating the interference signal, the interference signal is generated such that the interference signal interferes with the part of the signal that contains the information and in that way prevents the wireless device from interacting with the given beacon. The interference signal may be generated at times that are determined by the times at which the part of the signal are generated by the given beacon. The part of the signal may be a pilot signal which the wireless device requires to synchronize itself with the given beacon or it may be a part of the signal that includes symbols that represent data. The integrity of the data may by protected by a quality indicator and the interference signal may be generated at times such that certain of the symbols are corrupted and the quality indicator indicates that the wireless device should discard the data.

The method may further include the step of providing a baiting beacon with which the wireless device may interact instead of the given beacon. The power of the baiting beacon is such that the wireless device will not interact with the baiting beacon outside the operational area. The method may additionally include the step of detecting timing differences between the baiting beacon and the given beacon. The timing differences are used in generating the interference signal. The baiting beacon differs from the given beacon in that the baiting beacon operates on a channel which is different from the channel upon which the given beacon operates and in that the baiting beacon provides parameters to the wireless device which maximize the conspicuousness of the wireless device in the operational area.

The method further includes the step of causing the baiting beacon to interact with the wireless device when the wireless device re-registers with the baiting beacon. The baiting beacon may interact with the wireless device to obtain information from the wireless device, to disable the wireless device, to herd the wireless device to another channel, or to perform a network operation in place of the wireless device. The physical location of the wireless device may be determined as a result of the interaction between the baiting beacon and the wireless device.

In another aspect, the invention is apparatus for suppressing a given beacon so that a wireless device cannot interact with it. The apparatus includes an analyzer and a signal generator. The analyzer determines a characteristic of the signal produced by the given beacon that is required by the standard for interaction between the wireless device and the given beacon. The signal generator generates a signal that is specifically adapted to the characteristic and that interferes with the characteristic at the given wireless device such that the wireless device cannot interact with the given beacon.

Other aspects of the invention include methods employed in a baiting beacon of interacting with a wireless device. The methods include:

• obtaining the wireless device's permanent identification from the wireless device and using the permanent identification to query a database to determine whether the baiting beacon is to perform an interaction with the wireless device.

• requesting a report from the wireless device of the signal strength of a number of beacons at known locations, using the signal strength to compute the distance from the wireless device to each beacon, and using the distance to locate the wireless device.

• using the wireless device's identification information to set up a call to a destination which has caller ID and then obtaining the telephone number for the wireless device from the destination.

• overriding any UMTS beacons with a GSM beacon, which forces the UMTS wireless devices to register with the GSM baiting beacon, and then interacting with the UMTS wireless device.

• In a wireless system that is operating under a standard which requires that a wireless device not interact with a beacon unless the beacon has authenticated itself with the wireless device, performing the steps in a baiting beacon for a number of beacons of overriding the beacon and thereupon failing to authenticate itself to the wireless device, with the result that the wireless device no longer interacts with any of the number of beacons.

• Using a first baiting beacon to override a given beacon with regard to a wireless device, establishing a second baiting beacon on a different channel that overrides any beacons operating on the given channel, and using the first beacon to command the wireless device to operate on the different channel.

• Using a baiting beacon to disable a wireless device by enticing the wireless device to register with the baiting beacon and then employing the baiting beacon to render the wireless device's identification information and cipher key out of phase with one another.

Other objects and advantages will be apparent to those skilled in the arts to which this invention pertains, upon perusal of the following Detailed Description and drawings, wherein:

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 - shows one embodiment of an interrogation system including an interrogation transceiver and a lookup database to detect heretofore unknown wireless devices in some predefined operational area.

FIG. 2 - shows one embodiment of the interrogation transceiver.

FIG.3 - shows a typical registration operation of a wireless device.

FIG. 4 - describes the functionality of registration areas and the general baiting process.

FIG. 5a - shows a spectral representation of a conventional baiting technique.

FIG. 5b - shows a new method for forcing a wireless device to register using minimal ( power and minimum response time while having minimal collateral interference.

FIG. 5c - shows a method of locating a wireless device as part of the interrogation process.

FIG 6 - shows an example of extending the suppression technique to multiple baiting beacons.

FIG. 7 - shows a simplified representation of a CDMA forward channel signal.

FIG. 8 - shows an example of using commercially available test signal generation equipment and the associated beacon settings that are used to bait a CDMA wireless device.

FIG. 9 - shows methodologies for creating and placing both baiting beacons and interferers.

FIG. 10a — shows examples (non-exhaustive) of surgical CDMA interfering signals which minimize power consumption and conspicuity.

FIG. 10b — shows specific example refinements of surgical CDMA interfering signals which minimize power consumption and conspicuity.

FIG. 1 I—shows methods for herding of a CDMA wireless device.

FIG. 12 — shows examples (non-exhaustive) of surgical GSM interfering signals which minimize power consumption and conspicuity.

FIG. 13 - shows an example of using commercially available test signal generation equipment and the associated beacon settings that are used to bait a GSM wireless device.

FIG. 14 - shows GSM wireless device interrogation methods.

FIG. 15 - shows a method of hijacking a GSM wireless device so as to co-opt the network to provide the MTN of the wireless device.

FIG. 16 - shows GSM wireless device herding methods.

FIG 17 - shows a method whereby a GSM wireless device can be selectively disabled and re-enabled.

FIG 18 - shows a method for disabling any or all UMTS wireless devices. DETAILED DESCRIPTION OF THE INVENTION

Certain Definitions:

Cellular - Wireless communication in any of the generally accepted bands allocated for individual commercial subscriber based voice or data communications.

PCS - Personal Communications Systems (synonymous with 'cellular' for purposes of this invention)

Handset - A mobile device used by a subscriber for voice communication and is a particular type of wireless device. This term is often used interchangeably with wireless device.

Wireless Device - any device be it a mobile wireless device, a portable data assistant or pager that operates on any cellular, PCS or similar system that nominally provides for voice and data communications.

Standards - The governing technical standards describing the operation of certain cellular or other wireless systems.

CDMA (CDMA 2000) - Code Division Multiplexed Access as governed by the TIA IS-95 and IS-2000 standards.

GSM - Global System for Mobile Communications - ETSI standard describing a second generation system for mobile wireless communications.

UMTS - Universal Mobile Telephone System - ETSI standard describing a third generation system for mobile wireless communications.

Collateral Wireless Devices - Any wireless device operating outside of the operational area or approved wireless devices operating in the operational area.

Beacon - A generic term used for the signal broadcast by a cell tower that continuously provides cell tower and system level information as well as timing so as to aid a wireless device in gaining access to a wireless network.

Operational Area - A predefined area in which all wireless devices will be affected by the interrogator.

IMSI - International Mobile Standard Identifier - A unique identifier that is either associated with a specific subscriber or a wireless device used thereby.

TMSI - Temporary Mobile Standard Identifier - A temporary identification number used as local shorthand while the wireless device is operational in a system.

Registration Area - A contiguous geographic region encompassing some number of cell towers. A wireless device will reregister with the cellular network each time it enters a new registration zone so as to facilitate the routing of incoming calls.

MIN - Mobile Identification Number - for purposes of describing this invention, this is synonymous with the "dialed" phone number of a wireless device as opposed to the subscriber identity codes such as IMSI or TMSI. In some standards the MIN and IMSI are de facto synonymous but the term MIN is used when it necessary to refer to specifically the dialed number without regard to standard.

CRC - Cyclic Redundancy Check - A collection of bits that is appended to a packet of data which is used to detect if one or more bits in said packet was erroneously received.

Forward Channel - transmission in the direction from the beacon to the wireless device.

General principles of the techniques for baiting, interrogating, and/or disabling wireless devices

While the detailed techniques described herein are specific to the standards under which a wireless device may be operating, the specific techniques for the various standards all share the same core operational premises. These will be described in turn for baiting, interrogation, and disablement. The device which carries out the baiting, interrogation, and disablement operations is called in the following an interrogation system. A preferred embodiment of the interrogation system is shown FIG. 1. The interrogation system consists of a transceiver (101) that is capable of acting as both a baiting beacon and a wireless device. A functional block diagram of the transceiver is shown in FIG. 2. In a preferred embodiment, the interrogation system is made by configuring testing equipment for wireless networks such as the WideFire™ testing equipment manufactured by ComHouse Wireless LP of Chelmsford, MA, USA. The transceiver first scans the environment in search of beacons (102) that can be detected in some operational area (105). It then transmits some number of interfering signals (103) that are tailored to the signals (102) from the beacons in both strength and bandwidth so as to blind all of the wireless devices present in operational area (105) to the beacons. From the point of view of the wireless device, operational area 105 is determined by the effect of the interference signal on the wireless device. Operational area (105) is shown in FIG. 1 as a circle having some radius from transceiver (101). Other geometries may be obtained by manipulating the placement or orientation of the transceiver or by using directional antennas. By controlling the level of interfering signals (103), it is possible to control the effective radius of operational area (105) from perhaps a few yards (such as container security or baggage screening) to several thousand yards (such as locating wireless devices in a disaster area). The transceiver then proffers a baiting beacon (104) paired with a receiver (not shown) that will entice all wireless devices within some smaller radius (up to and including the whole of the operational area to register (105). By controlling the signal level of baiting beacon (104), it is possible to precisely control the proximity in which wireless devices will attempt to register. When a wireless device registers it can be subsequently interrogated (106) and checked against a friend or foe data base (107). Wireless devices that are not on an approved list can subsequently be acted upon as selected by the operator of the

interrogation system. Actions can range from raising an alarm to automatically disabling a wireless device (108). The information in data base (107) enables the system to allow pre-approved subscribers or classes of subscribers to operate unmolested in the operational area while unapproved devices are disabled. An important feature of this technique is that it is not necessary to precisely know the location of the wireless device being acted upon. An example is a prison situation where only the ability to disable a wireless device is required. Data base (107) in this example indicates that the prison staff may carry wireless devices on their persons but that any other wireless device is forbidden and consequently may be disabled (109). If it is desired to know the location of a wireless device, then the interrogation system can force the wireless device to transmit in a quiescent part of the spectrum. The transmissions can then be used to locate the wireless device. An even simpler technique for locating the wireless device is to force it to ring. Further still the wireless device can be interrogated to derive or otherwise facilitate the discovery of secondary information such as encryption keys and/or sequences or the dialed number (known in the art as the Mobile Identification Number - MIN).

A preferred embodiment of a transceiver that implements the interrogation system is shown in FIG. 2. The transceiver consists of a receiver subsystem (201) and a generation subsystem (202). The generation subsystem is synchronized to the receiver subsystem through the use of the baiting beacon feedback (203). The signal broadcast by the baiting beacon includes specially encoded parameters that distinguish it from other beacons but do not affect the behavior of wireless devices. One such parameter is the addition of a message that is not prescribed in the standard that the baiting beacon is obeying. The baiting beacon is turned on at some low power and then the receiver subsystem scans the environment. The receiver automatically detects the baiting beacon as well as all of the relevant beacons in the operational area. The receiver notes the timing differences (204) between each relevant beacon and the baiting beacon with sub-microsecond precision. The receiver then passes the timing for the relevant beacon differences to the generator along with the parameters (205) needed to clone the relevant beacon. The generator then clones the relevant beacon and uses the differential timing information to produce the interference signals (103) that suppress the relevant beacon.

Because the timing used to generate the interference signals (103) is based on the difference in timing between the baiting beacon and the beacon to be suppressed, there is no need to take any timing relationships between the receiver and generator into account when generating the interference signals. This completely decouples the receiver and generator and makes it unnecessary to calibrate timing relationships between the receiver and generator.

The high degree of timing precision with which the interference signals (103) can be generated for a relevant beacon makes it possible to suppress the relevant beacon by means of attacks on critical sections of the signaling waveforms produced by the relevant beacon. Among the advantages of being able to attack a critical section of the signal as opposed to the entire signal is a substantial reduction in the average power needed to suppress the beacon. Often, the average power required to attack a critical section of the signaling waveform is several orders of magnitude less than the average power required to attack the entire waveform. This power reduction is particularly relevant with regard to beacons that operate according to standards such as CDMA which are intrinsically resistant to jamming attacks based on noise alone.

A transceiver that may be used to implement baiting beacons and interference signals is the ComHouse Wireless Network Subscriber Test (NST), which may be purchased from ComHouse Wireless LP, 221 Chelmsford St., Chelmsford, MA 01824. The unit is a software defined radio capable of testing both wireless devices and base stations using the GSM and CDMA standards. NST can interrogate wireless devices by acting as a beacon and can scan cellular environments so as to identify and analyze beacons, and can generate multiple simultaneous signals which can be used as interference signals. The interference signals may be customized to surgically attack or manipulate cellular signals with sub-microsecond precision. The unit can also make and receive outgoing and incoming phone calls.

Baiting Overview

When being used to establish a baiting beacon, the interrogation system scans the cellular environment (102) and identifies all of the viable beacons in some defined operational environment. It then clones one or more of the beacons with certain

important deviations to create bating beacons while simultaneously generating interfering signals that blind the wireless device to the aforementioned legitimate beacons and thereby forces the wireless device to search for and register with the proffered baiting beacons (103, 104). The baiting beacon is chosen such that it is not on a legitimate channel in the operational or surrounding areas. This makes it possible to distinguish wireless devices that are in the operational area from those legitimately operating outside of the operational area. This is ensured by controlling the power of the baiting beacon such that it is not detectable outside of the operational area by collateral wireless devices. This further eliminates the need for directional antennas to control collateral interference and achieves a solution having the minimal transmitted power and thereby power consumption.

Typical operation of wireless devices

The novelty of this approach to baiting is better understood from a general description of the typical operation of most wireless devices as illustrated in FIG. 3. Upon power up, the wireless device will scan prescribed bands looking for beacons (301). If one or more beacons are identified the wireless device will chose the best beacon (be it for quality, signal strength or compatibility) and attempt a registration (302). The purpose of registration is to indicate to the wireless network that the wireless device is on and therefore able to accept incoming calls or connections. As part of registration, the wireless device identifies a set of neighbor beacons taken from either its own measurements or from a list broadcast by one or more of the beacons (303). The wireless device then enters an idle state where it continues to monitor the beacon on which it is registered for pages from the network that indicate incoming calls or connections (304).

Cellular networks employ the notion of a registration area (referred to variously in the particular standards as a location area or registration zone) as illustrated in FIG. 4. The use of a registration area frees a wireless device from being tethered to the original registration (401) beacon and thereby creates more fluidity for the wireless device to roam. Specifically, a registration area is defined by a set of beacons distributed over some geographic area. All of the beacons in the set have a common identifying code for the registration area embedded in their signals. All pages

intended for a wireless device are then dispatched simultaneously to all beacons (towers) belonging to the set of beacons that define the registration area in which the wireless device is currently registered (402). As long as the beacon currently being monitored by the wireless device is one of the set of beacons that defines the registration area the wireless device is currently registered in, the beacon need not be the one that the wireless device originally registered with. The wireless device can thus instead itself determine which beacon to monitor in registration area (403).

Wireless devices can also initiate registration. An example is timed registration, in which a wireless device will automatically reregister with a beacon in the registration area at some periodic interval which is defined by a parameter that is provided to the wireless device by the beacon. However the registration interval is strictly at the discretion of the wireless network and can be both arbitrary and highly variable with periods of tens of minutes or more being typical. Therefore a technique of simply waiting for a wireless device to spontaneously register with a baiting beacon is not viable. Furthermore an interrogation system that worked in this fashion would have to monitor one or more reverse channels associated with each beacon in the operational area. Without the use of highly specific directional antennas or location technology, it is extremely difficult to distinguishing reverse channel message from clandestine wireless devices from those from collateral devices.

Baiting to Force Re-registration

As described in the overview, the standards prescribe that a wireless device will reregister when it senses that it has entered a new registration area. More specifically when a new beacon is detected from a different registration area that is sufficiently stronger than any beacon in the current registration area, the wireless device will attempt to re-register in the new area (404). A newly-appearing beacon which is enough stronger than an existing beacon that the wireless device attempts to register with it is said to override the existing beacon. In order to keep the wireless device from flip-flopping between registrations when in an area that is on a border between two registration areas, the standards provide for a hysteresis parameter that the beacon broadcasts to the wireless device and indicates to the wireless device how much stronger the new signal must be than any signal which the wireless device is

receiving from beacons in the wireless device's current registration area. The hysteresis parameter generally requires that the new beacon signals be many times greater (typical is a factor of 4 to 10) than beacon signals from the current registration are before the newly-appearing beacon overrides the beacon with which the wireless device is currently registered.

A known method of forcing re-registration with a baiting beacon is to make the baiting beacon by cloning a beacon in the registration area, modifying the baiting beacon's registration area identifier, and then provide the baiting beacon with enough signal power to satisfy the hysteresis parameter with regard to the most powerful beacon in the operational (405). The high signal power required to satisfy the hysteresis parameter has two undesirable side effects: the power required to produce the signal and the amount of collateral interference caused by the signal (406) outside the operational area. FIG. 5 presents a spectral representation of the known technique of using a single stronger beacon to bait the wireless devices and contrasts the known technique with the technique disclosed herein for baiting a phone to register in terms of power consumption, time to respond, the inconspicuousness of the attack, and collateral interference.

FIG. 5a shows the known technique. The baiting beacon has a signal strength greater than that of strongest legitimate beacon by the hysteresis setting broadcast in the strongest beacon (501). The hysteresis setting typically requires that the baiting beacon be 4 to 10 times stronger than the strongest beacon in the wireless device's registration area.

FIG 5b shows the technique disclosed herein for surgically suppressing all relevant beacons (502) and then proffering a much lower powered beacon in some quiescent portion of the spectrum (503), preferably but not necessarily using a channel identified as a neighbor of a relevant beacon. Use of a neighbor channel is likely to speed the registration process because it prevents the wireless device from having to rescan the entire spectrum in search of new beacons. Suppressing all of the relevant beacons also prevents the wireless device from simply moving to monitor an unsuppressed beacon in the same registration area. It furthermore decreases the time it takes to force a wireless device to register because when a wireless device is cut off

trom its networκ, me wireless device immediately begins searching for new beacons. By contrast, when a baiting beacon is used without suppression, the baiting beacon must be detected for some period of time (perhaps 10s of seconds) as determined by a parameter provided by the relevant beacon the wireless device is monitoring before the wireless device will accept the baiting beacon as viable and attempt to register with it.

Another important refinement of the technique is that the interrogation apparatus automatically adjusts the individual baiting beacon and interference signals to both limit interference with and false alarms from collateral wireless devices. Specifically the power level and bandwidth of an interfering signal which is intended to suppress a relevant beacon may be limited to only that needed to suppress the relevant beacon (504) within the operational area. With all of the relevant beacons thus suppressed, the baiting beacon's power level is adjusted to the minimum required for a wireless device that is within the operational area to respond to the baiting beacon. (505). Power consumption, collateral interference, and false alarms from collateral devices can be further minimized by placing the operational area within a containment housing such as might be used for screening baggage for active handsets that may be used as detonators.

Often wireless devices are programmed to only respond to particular beacons as determined by the service provider. Furthermore the cellular spectrum is normally divided into sub-bands. An extension of this technique is thus to provide a baiting beacon corresponding to each relevant beacon belonging to the service provider as shown in FIG 6. However it is not necessary to do so simultaneously. Instead, a single baiting beacon can be move from one sub-band to another, dwelling in each sub-band for a period that will permit detection of wireless devices that are using the sub-band in the operational area. Detecting all the wireless devices in the operational area will of course take longer when done this way than when done with a baiting beacon corresponding to each relevant beacon.

Interrogation. Herding and Location.

The interrogation system includes a receiver (201) that is paired with the baiting beacon that detects the wireless device as it attempts to register with the baiting beacon (202). The interrogation process also makes use of a data base to store identifying information to create a friend or foe list (107). This makes it possible to filter legitimate subscribers from as yet detected wireless devices that may be of interest and subsequently allow access to the legitimate network of friendly wireless devices (109). This makes it further possible for legitimate subscribers to keep wireless devices on their persons even while in the operational area without provoking false alarms.

Wireless devices that are enticed to register with the baiting beacon can be subsequently interrogated to determine whether they are friend or foe (104). The interrogator uses the paired baiting beacon and receiver to interact with the wireless device as it attempts to register so as to elicit identifying information such as the mobile identification number (i.e., the wireless device number), the international mobile subscriber identity IMSI, the temporary mobile subscriber identity TMSI or the serial number. The concept can be extended further to entice the wireless device to transmit continuously and possibly be sequestered on a unique channel so as to facilitate its location. A further extension of the concept is to use the neighbor beacon list obtained from the relevant beacons on the initial scan to find a quiescent channel. The baiting beacon then forces the wireless device of interest to move to this channel and to transmit on demand. In some situations it may even be desirable to force the wireless device to ring.

Once the baiting beacon is interacting with a wireless device, it is also possible for the interrogation system to compute approximate location of the wireless device, as shown in FIG. 5c. Specifically the standards specify that a wireless device continually scan all of its neighbors (507) while it is actively communicating with the current serving tower and to insert regular measurement reports on the absolute signal strength of the beacons as received by the wireless device. This information is then passed on to the network for purposes of determining when a phone should be handed off to another tower. If the wireless device is indicating to the network that it can sense a tower with much better signal strength and/or quality, the network will direct the wireless device to move to said tower. This is known in the art as Mobile Assisted

Hand-Off (or Hand-Over) - MAHO. The wireless device of course offers these reports to the interrogation system's baiting beacon (508). If a user of the interrogation system knows the location of the neighboring towers (presumably from a previous survey), it is possible to derive, or as a minimum narrow, the position of the wireless device based on these power measurements as shown in FIG. 5c. During the period in which the wireless device is collecting data for a measurement report, the interference signals are turned off so that the wireless device can detect the relevant beacons and the baiting beacon is given a signal strength sufficient to prevent the wireless device from monitoring another beacon. Specifically the received power implies a distance to the tower (509). Therefore if a circle is drawn around each tower, the circle having a radius which is a function of the detected signal strength reported by the wireless device, the wireless device will be located at or near the intersection of the circles. The location technique may be further refined by using sector orientation and aperture information from the surrounding legitimate beacons. For example, a tower survey is likely to include not just the frequency channel settings and the position of the tower but also the orientation and aperture (beam width) of the sectors mounted thereupon (e.g., pointing with respect to true north and aperture in degrees - typically 120 degrees out of 360 for a three sector tower). The location of the wireless device is therefore refined by overlaying on a map the projections of the sectors that can be heard by the wireless device with the intersection of said being the presumed area in which the device is transmitting.

Disablement

Wireless devices that are deemed to be foes can subsequently be quarantined or temporarily disabled. All standards provide for dealing with a malfunctioning wireless device by having the beacons in the registration area issue a command to the wireless device to which the wireless device responds by disabling itself until it is power cycled. The baiting beacon can use this command to disable wireless devices in the operational area.

In other cases, wireless devices can be disabled by irradiating them with large signal levels in the frequency band in which such devices are known to operate and thereby tripping protection circuitry that can only be reset by power cycling. The technique is further refined by either matching the bandwidth of the interferer to the operational

bandwidth of the device so as to concentrate the energy and then sweeping this energy across the operational band over time or detecting the frequencies on which the cellular or paging systems are operating in the operational area and concentrating the energy in those channels. This technique is particularly useful for disabling strictly passive wireless devices such as one-way pagers that cannot be interrogated. Furthermore collateral interference is controlled by controlling the tripping signal power so that only devices within the operational area will be affected. One example is baggage screening where the apparatus operates in close proximity to the wireless device. Collateral interference may be further limited by the use of either radio- opaque containers or directional antennas.

Determination of the MIN

In the case of wireless devices that operate according to the GSM standard the interrogation system can hijack the device and make a phone call on the network and use the network's caller ID functionality to detect the calling number of the wireless device.

Standard-specific Methods

CDMA and CDMA 2000

CDMA is governed by two standards: CDMA (TIA/EIA IS-95 A/B) and CDMA 2000 (TIA/EIA IS-2000). These standards are hereby incorporated by reference into the present patent application. The two standards are indistinguishable for purposes of the present discussion except where the baiting beacon is required to be specific to the standard. Both are therefore collectively referred to as CDMA. A preferred embodiment of the interrogation system deals with IS-2000 beacons and wireless devices by suppressing all IS-2000 beacons and forcing IS-2000 wireless devices to fall back to an IS-95 baiting beacon. This simplifies the complexity of the interrogation system. Other embodiments of the interrogation system may, however, use both types of beacons simultaneously if there are features in the IS-2000 beacon that can improve the detection and/or location of wireless devices.

CDMA signals use a direct sequence spread spectrum modulation technique to allow multiple beacons and wireless devices to simultaneously share RP spectrum. The signal for each wireless device is distinguished by modulating the signal with a unique orthogonal time coded sequence. A simplified representation is shown in FIG. 7. The times used for the time sequences are synchronized directly to the Global Positioning System (GPS). The synchronization permits sub-microsecond time coding.

The signal produced by the CDMA beacon operating on the forward link includes a pilot (701) and sync channel (702) and some number of paging and traffic channels (703) all operating on the same frequency channel but distinguished by different code sequences as shown in FIG. 7. When the wireless device powers up, the wireless device searches a set of programmed RF operational band(s) for the pilot channel of a beacon. The wireless device will then use the pilot channel to acquire the sync channel. Using the information in the sync channel, the wireless device synchronizes itself to the timing of the beacon and then extracts a set of messages, known in the art as "overhead" messages, that the beacon repeatedly broadcasts on the first paging channel. These messages are used by the wireless device to identify the network on which the beacon is operating as well as to receive parameters for the behavior of the wireless device when interacting with the network from the beacon. The parameters include how to formulate access probes to gain access to the network.

An important feature of the forward CDMA channel is that all of its code channels are based on the pilot code channel, which is in turn expressly locked to GPS. Consequently, in order to employ any given code channel, the wireless device must necessarily synchronize to the pilot. Furthermore, several beacons can share a CDMA channel simultaneously (704). Each of the beacons synchronizes to a different part of the pilot (specified by the pilot PN offset for the beacon).

Baiting and Suppression

Creating baiting beacons

As a first step in suppressing the relevant beacons in the operational area, receiver subsystem (201) of the interrogation system will perform a scan of the environment in the operational area and analyze the relevant beacons. Receiver subsystem (201) then sets up the generation subsystem (203) so that it generates a baiting beacon at some signal level on some frequency channel with some pilot PN offset. The baiting beacon's parameters will normally be set to make it a clone of the most conspicuous existing beacon. The baiting beacon will be slightly modified so that it appears to be in a different registration area from that of the beacon the baiting beacon was cloned from. There may also be other parameter settings in the baiting beacon that maximize the conspicuousness of any wireless devices that register on the baiting beacon. The baiting beacon also has some additional feature which enables the interrogation system's receiver to recognize the baiting beacon as such. Examples of such features are:

• including a special code in a message which the standard requires the beacon to transmit. The special code may be either unexpected or impossible on the networks seen in the operational area; or

• introducing a nonstandard or obsolete message. Because the message is non standard or obsolete, it is ignored by the wireless devices.

After the baiting beacon has been set up, the receiver repeats the scan. This time, it picks up the relevant beacons as well as the baiting beacon. The receiver then computes the timing differences between the baiting beacon and the relevant beacons using any available signal processing techniques for doing so - such as direct or indirect signal cross-correlation and subsequent demodulation.

FIG. 8 shows an example of using WideFire® Dragon series test equipment to create a baiting beacon. A description of WideFire Dragon series test equipment could be found in July, 2006 at comh . com/products/products . asp . The baiting beacon is created from a clone of an existing beacon (801) with a few modifications such changing the registration area (802) and then set to be on a desired channel (803) at a signal level that is set such that it can only be detected in the operational area (804). Other parameters can be set to increase the conspicuousness of the registering wireless device. For example, the parameters that specify the duration and signal

strength of an access probe from a wireless device to the beacon can be selected to maximize the duration and signal strength (805).

FIG. 9 shows two possibilities for the placement and nature of interfering signals and baiting beacons. As shown at 901, the interfering signals can be produced by artificial beacons having a different pilot PN offset from the PN offset of the relevant beacons. This arrangement baits the wireless devices on all of the frequency channels used by the relevant beacons simultaneously (901). However this method is inferior to that proposed in the interrogation system because the receiver must monitor all of the back channels associated with the beacons to detect registration attempts. Making a receiver that does this is much more complex and expensive than making a receiver that only modifies the forward channels. Instead, the interrogation system uses interference signals to force all the wireless devices in the operational area to register on a single baiting beacon operating on a single frequency channel (902).

A preferred location for a beacon in the spectrum is on the lowest unused pilot PN offset on what is the generally the first channel in the particular network that is scanned by the wireless device in the particular network. If the first channel to be scanned is occupied by an existing legitimate beacon then the baiting beacon can transmit at a level such that it acts as both an interferer with regard to the legitimate beacon and a baiting beacon (903). Operating on the first channel to be scanned minimizes the time the wireless device requires to register with the baiting beacon, but other channels could be used as well.

In some cases the interrogation system will choose to bait on an unused channel so as to eliminate any co-channel interference intrinsic to CDMA and thereby simplify the process of subsequently locating a wireless device that is operating on the unused channel by using techniques such as direction finding, angle of arrival or time difference arrival (904). Specifically the CDMA standard provides for configuring a beacon such that a wireless device that attempts to register with a beacon in the wireless device's registration area signal is redirected to another beacon for registration. In this technique, the interrogation system provides two baiting beacons - a first baiting beacon for baiting devices in the operational area and a second baiting beacon that operates in a quiescent portion of the spectrum. The first baiting beacon

redirects the wireless device to the second baiting beacon. In one embodiment of the interrogation system, how the baiting beacons are placed is up the user of the interrogation system. If the user does not specify the placement, the interrogation system provides a default placement for the baiting beacons.

It may be necessary to generate several baiting beacons simultaneously to address cases where a particular wireless device is programmed with a preset list known in the art as the preferred roaming list (PRL). Some scenarios may call for a cloned baiting beacon corresponding to each wireless service provider whose beacons are is detected in the operational area and one or more additional baiting beacons that are designed to be as general as possible to snare wireless devices that are completely foreign to the operational area. This problem is addressed by simply introducing one or more additional baiting beacons that operate on the same frequency channel but have different pilot PN offsets. This minimizes the multiple frequency channel monitoring problem by placing all the beacons on the same frequency channel (905). Another possibility previously described is to duplex the beacon across the provider sub-bands.

Interfering signals

Any class of interference signals will work to cause a wireless device to reregister with a baiting beacon as long as the interference signals prevent the wireless device from detecting the signal of a relevant beacon. This is shown at (1001) in FIG. 10a. Examples of interference signals that will work are simple white noise or a modified CDMA signal that uses illegal code sequences. CDMA signals are, however, inherently resistant to jamming. Because this is so an indiscriminant jamming signal such as white noise centered upon the same frequency and having the same bandwidth as a relevant beacon that is to be suppressed must have a signal strength in the operational area that is on the order of 100 times the signal strength of the relevant beacon in the operational area. The signal strength necessary for indiscriminate jamming is a particular problem when legitimate beacons are operating at high power and in close proximity to the operational area.

The interrogation system is able to generate interference signals that require no more power to suppress a relevant beacon in an operational area than the power of the relevant beacon's signal in the operational area. The interrogation system achieves

this by limiting the bandwidth of the interfering signals to that of the relevant beacon and attacking only critical sections of the waveform within the bandwidth (FIG 5). , By limiting the attack to only critical sections of the waveform, the interrogation system minimizes the transmit on-time of the interfering signal and thus significantly reduces the average power required to suppress the relevant beacon. Matching the bandwidth and power level of the interfering signals to the bandwidth and power levels of the relevant beacons also hides the interfering signals within the waveform produced by the relevant beacons, making the interfering signals hard to detect. Where it is necessary to hide the interrogating system so that its location cannot be detected and countermeasures cannot be employed against it, the transmit on-time may be randomized.

FIG. 10a shows several different examples of the types of interfering signals that may be used by the interrogation system to suppress CDMA beacons. Because the interrogation system is precisely synchronized to the relevant CDMA beacon (FIG. 2) it is possible to perform a direct attack on the relevant beacon's pilot signal by proffering an interfering pilot signal with false delays that are either slightly advanced or slightly retarded with respect to the relevant beacon's pilot signal but still close enough to the timing of the relevant beacon's pilot signal for the wireless device to lock onto the false pilot signal rather than onto the relevant beacon's pilot signal (1002, 1003, 1004). Because the timing from the pilot signal is used by the wireless device to interpret the remaining portions of the signal from the relevant beacon, a wireless device that is locked onto the false pilot signal cannot interpret any of the signal from the relevant beacon. The interfering pilot signal thus forces the wireless device to lose contact with its network, and that in turn forces the wireless device to reregister with the baiting beacon. This has the distinct advantage that the interfering pilots need only be slightly larger in signal strength than the legitimate pilots as received by the wireless device (1002, 1003, 1004) instead of the previously mentioned 100 fold increase in signal level required by a non synchronized white noise attack (1001).

Another possible attack, expressed in FIG. 10b, is to recognize that all CDMA channels (such as the sync channel) use cyclic redundancy checks (CRCs) and convolutional encoding (1005) to deal with errors in the data represented by the

signal. A CRC indicates whether data in a portion of the signal termed a CRC checking span is valid. Associated with the convolution encoding process is data interleaving. Cellular interference tends to occur in bursts instead of being uniformly spread over time. The purpose of data interleaving is to shuffle the data symbols prior to transmission so that when they are subsequently deinterleaved at the receiver, any bursts of errors introduced in the transmission channel will tend to be distributed over time instead of occurring in contiguous bursts. The intent of interleaving is to improve the performance of the deconvolution process (an example of which is the Viterbi algorithm) (1006) that is well understood in the art to perform best when errors are more or less uniformly distributed over time instead of occurring in sets of contiguous symbols. However, the deconvolution process diminishes rather than improves the demodulation performance when errors occur in contiguous bursts in the pre-deconvolved data, as it makes it more likely that the trellis path decoding will forsake the expected traceback path in favor of a competing traceback path and thus cause the receiver to completely corrupt the decoded signal (1007).

Contiguous bursts of errors in the deconvoluted data can be produced by attacking the pre-deinterleaved symbol sequence at seemingly disparate but in fact deliberate places that are matched to the interleaving process (1008). The attack introduces errors into the post-interleaved symbol sequence at the locations that are related by the interleaving process such that when they are subsequently deinterleaved by the receiver, the errors occur in contiguous bursts (1009). Selection of particular interleaved candidate symbol sets is not generally important and therefore this technique lends itself to randomization of the attack within any given frame, which further disguises the attacking signal. Moreover, not every frame of the beacon's signal need be attacked. Instead merely successfully attacking a single frame within the total CRC checking span (1010) is generally sufficient to force the intended CRC error. Because this is the case, frames can be randomly selected for attack. In the former instance, this leads to a further reduction of on-time and therefore required power and in the latter instance, further reduces the conspicuousness of the attack.

Symbols in the sync code channel can be directly attacked by generating interfering symbols that are coded to that channel. Another possibility is to attack the symbols indirectly by corrupting portions of the pilot signal (1011) upon which the sync code

channel is synchronized for the duration of the symbol that is being attacked. As a result of the attack on the sync code channel, the synchronization required to correctly read the symbol is disturbed and the wireless device reads the symbol incorrectly. Either form of attack causes enough post deconvolution bit errors that the CRC for the checking span to which the packet belongs to indicate that the packet is bad and thereby cause the wireless device to drop or otherwise ignore the packet and any message to which the packet belongs. Again, only a relatively small number of post- interleaved symbols on a reduced subset of frames need be attacked, and the power requirements for the interrogation system are correspondingly small.

Obtaining identification information from the wireless device

In the interrogation system, a receiver is paired with each bating beacon. The receiver looks for registration bursts from wireless devices. In the CDMA standard, these registration bursts are termed access probes (FIGs. 1 and 2). Many properties of a wireless device's access probe are controlled by parameters which the wireless device receives from the beacon it is monitoring. Every access probe contains information that identifies the wireless device making the access probe. Proper parameter settings in the beacon can force the wireless device to provide identifying information that uniquely identifies the wireless device. Examples of information that uniquely identifies the wireless devise are the device's IMSI or ESN.

Since no single access probe from a wireless device contains all of the access information which may be retrieved from an access code, the interrogation system uses a two or perhaps three pass process in which the wireless device is forced to reregister itself with a number of baiting beacons, each one having parameters that require the wireless device to return a different part of the information in the access probe to that baiting beacon. More specifically, each baiting beacon broadcasts an access parameters message which indicates the identifiers for the wireless device which that baiting beacon desires to receive from the wireless device. In other embodiments, each wireless device may be expressly interrogated as it is detected by the baiting beacon to gain the identification information.

Herding Wireless Devices

The interrogation system can use messages from the baiting beacon to a wireless device to cause the wireless device to operate on an otherwise unused channel. The technique of causing the wireless device to operate on the unused channel is termed herding. Herding is shown in FIG. 11. If the herded wireless device is the only wireless device operating on the unused channel, location of the herded wireless device from the signal it broadcasts becomes dramatically easier. A CDMA wireless device can baited as described previously (1101) and then subsequently herded to attempt access on yet another baiting beacon supplied by the interrogation system. This is done by having the first baiting beacon provide channel assignment parameters in either the sync message or the neighbor list messages (1102). Once the access probe of a wireless device that is to be herded is detected in the first baiting beacon, the interrogating system responds to the access probe with a message on the forward paging channel that indicates that the wireless device is to operate on the herding channel. As soon as the message has been set, the first baiting beacon lowers its power to prevent any additional wireless devices from being baited and redirected to the herding channel. At this point the wireless device is the only wireless device in the herding channel and can be interrogated at leisure by the baiting beacon on the herding channel.

The herding beacon can modify the parameters it provides to the herded wireless device so that the herded wireless device can be trapped in a continuous registration mode on the herding channel. In this mode, the wireless device will broadcast continuously without further interaction between the baiting beacon and the wireless device.. Where continuous broadcasting by the wireless device is undesirable, the baiting beacon may send paging messages to the herded wireless device to elicit additional transmissions from it. The more transmissions the herded wireless device sends, the easier it is to locate it. Herding can also be used to disable the herded wireless device. To do this, the baiting beacon for the herding channel prevents the herded wireless device from either placing outgoing calls or receiving incoming calls.

The baiting beacon for the herding channel can also use a herded wireless device to measure the strengths of the pilot signals from the relevant beacons. This can be done by means of a message from the baiting beacon requesting a pilot strength measurement or by listening for an automatic pilot measurement report message

which the CDMA standard requires the wireless device to send to the beacon that the wireless device is monitoring. As will be described in detail below, the pilot strength measurements can be used to locate the wireless device.

Disablement

As already mentioned, the interrogation system may use data base (107) to determine whether a wireless device is to be disabled. Once it is determined that a wireless device is to be disabled, there are a number of disablement techniques available. One such technique is using maintenance features provided in the CDMA standards can be used by a baiting beacon to disable a wireless device. The CDMA standard provides that when the network detects a malfunctioning wireless device, the beacon being monitored by the wireless device may send a lock until power cycled command which locks the wireless device and thereby disables it until the wireless device is power cycled. Another such technique is to herd the wireless device onto a channel whose baiting beacon does not respond to calls from the wireless device, calls to the wireless device, or both.

GSM, GPRS and EDGE.

In the following, GSM, GPRS and EDGE are collectively referred to as GSM and are governed by the ETSI standards body. The GSM, GPRS, and EDGE standards may be found at http://www.etsi.org. All of these standards are hereby incorporated by reference into the present patent application. GPRS and EDGE are considered to be enhanced modes of the GSM standard and hence it is only necessary to consider GSM with the understanding that wireless devices capable of these modes must necessarily operate as a superset of GSM.

Suppression and Baiting

At a high level, the methods described for CDMA are applicable to the GSM. Specifically with respect to baiting, all of the relevant beacons are suppressed and a lower level baiting beacon is proffered and thereby enjoys all of the same benefits described for CDMA (i.e., minimization of power through surgical attack and minimization of collateral interference). The most important differences between the

methods used with GSM and those used with CDMA are the parameters that must be set in the baiting beacon and the specific techniques used in beacon suppression.

FIG. 12 provides examples of interfering signals that may be used in GSM. The GSM beacon waveform operates on a single 200 kHz channel that does not frequency hop. The beacon's signal is divided into frames that are in turn divided into 8 slots. A slot is approximately 5.8 uS (1201) and a frame in turn is approximately 4.6 mS. (1202). 51 frames are grouped together to form what is known in the standard as the 51-multiframe that has the specific structure shown in (1203). The beacon necessarily operates on slot 0 (1204) of each frame with other types of channels (not important to the interrogation system) possibly operating on the remaining slots. The standard dictates that all unused slots within all frames will carry dummy bursts so that the beacon is guaranteed to be transmitting in every slot of every frame (i.e., so the beacon is constantly on). This makes it easier for the wireless device to monitor the beacon.

The remaining description is concerned with slot 0. The first two frames carry the frequency correction channel (FCCH) and the synchronization channel (SCH) (1205). The information carried in the FCCH channel permits the wireless device to correct any frequency error it may have relative to the base station. The information carried in the SCH channel permits the wireless device to determine the precise timing of the frame and its slots. The beacon repeats the FCCH and SCH frames every 10 frames within the 51-multiframe. The next 4 frames in the 51-multiframe carry the Broadcast Control Channel (BCCH) (1206) which carries the system information for the beacon as well as the parameters which the wireless device must use to access the beacon. The remaining channels are grouped into blocks of 4 frames each and constitute collectively what is known as the common control channels (CCCH). Depending on how the beacon is configured, these channels are subdivided into sets of paging and/or access grant channels (1207).

Each slot (1201) contains a burst having the structure shown at (1208). The burst consists of a training sequence (referred to in the standard as the TSC) and payload data on either side. The standard provides for 8 distinct (orthogonal) TSCs and the TSC persists for approximately 50 uS out of the total 580 uS for the burst. The

purpose of the training sequence is to enable the receiver, be it the wireless device or the base station, to synchronize to each and every burst so as to demodulate the associated payload data. The TSC thus represents a fundamental weakness in the GSM signaling. If the TSC is sufficiently modified, the receiver cannot recover the payload data. Ways of attacking the TSC include but are not limited to:

• using white noise to jam the portion of the slot containing the TSC;

• offering a delayed version of the TSC to give the wireless device false timing, which in turn causes the wireless device to misinterpret the payload data in the slot; or

• overriding a specific expected TSC pattern with another pattern so that the wireless device ignores the burst altogether.

All of these attacks operate only on the TSC and consequently, the transmitter for the interfering signal need be on only for the portion of the frame that contains the TSC. Which of these or similar attacks on the TSC or other portions of the frame are employed will depend on the situation in which the attack is being made. The TSC attack might further be limited to only the bursts contained in the BCCH and SCH frames or perhaps even only to the SCH bursts. In the latter case, the transmitter for the interfering signal need be on for only 1 mS out of each second the beacon signal is transmitted, giving the attack on the TSC an average power efficiency which is better by a factor of 1000 than the power efficiency of a conventional jamming attack on the beacon signal. Such a conventional jamming attach is shown at (1209).

As with CDMA, the interrogation system will generate baiting beacons for an operational area by automatically cloning the relevant beacons in the operational area, but will also permit the user to edit the parameters which the baiting beacons provide to the wireless devices. The user may also specify the form of the interfering signal. For example, the user may specify the number of times the interfering signal will be transmitting per frame as well as the periodicity of the transmission. An example is shown in FIG 13 using WideFire Technology. Like the example presented in FIG. 8 for CDMA, the example of FIG. 13 shows example parameter settings for a baiting

beacon at (1301 and 1302) which maximize the conspicuousness of any subsequent registration attempt by a wireless device.

Interrogation, Herding and Location

Identifying wireless devices in the operational area

FIG. 14 shows the interrogation process for GSM wireless devices. In the interrogation system, a receiver is paired with the baiting beacon. The receiver looks for channel request bursts. The GSM standard terms the request bursts random access channel burst (RACH) (1401). The wireless device transmits the RACH burst to request a temporary dedicated control channel from the beacon. Parameters passed on the control channel will determine the subsequent interaction between the wireless device and the beacon. The form of the RACH to which a particular beacon responds is controlled by parameter settings in the beacon. The RACH further contains a transaction type field that indicates the kind of transaction which the wireless device wishes to perform with the beacon. The transaction types include location update; answer to a page; call origination; and emergency call.

In order for the interrogation system to identify a wireless device in the operational area, the receiver paired with the baiting beacon must detect the RACH burst. Then the baiting beacon must respond to the RACH by assigning the wireless device a temporary dedicated control channel (1402). The wireless device will then use the control channel to provide identification information to the receiver.

If the wireless device is performing a registration, otherwise known in the standard as a location update, it will generate a RACH burst in which the transaction type field indicates that the wireless device wishes to register with the beacon. After the subsequent allocation of a temporary channel by the baiting beacon, the wireless device will then burst a location update request (1403) in which is embedded either the wireless device's TMSI or its IMSI. Nominally the wireless device will attempt a location update using its TMSI. However the standard provides for the case where the TMSI currently assigned to a wireless device is not in the system data base of the service provider with which it is attempting to gain access. In this case, the TMSI is unrecognized by the system and hence the location update is ignored. The wireless

device will subsequently retry access using its IMSI (1404). In the interrogation system, the baiting beacon ignores all TMSI based attempts at location update, forcing the wireless to retry using its IMSI. This in turn makes it possible to pair the device's TMSI with its IMSI. The standard also provides for expressly interrogating the wireless device using an identity request message as well. In the identity request message, the wireless device is queried for its IMSI, TMSI, IMEI or IMEISV (1405). .

Forcing the wireless device to produce its IMSI in addition to its TMSI also makes it possible to uniquely identify the device to friend or foe data base 107. The TMSI is ephemeral and is consequently not used to identify the wireless device in data base 107.

Acquiring the MIN of the GSM phone

In some cases it is desirable to acquire the MIN (telephone number) of the wireless device. This information is, however, stored in the wireless network, not in the wireless device itself. A baiting beacon can retrieve the MIN for a wireless device whose TMSI or IMSI is known by "hijacking" the wireless device. This is shown in FIG. 15. The baiting beacon uses the wireless device's TMSI or IMSI to place an outgoing call to a telephone number prescribed by the interrogation system (1501). When the call is placed to the telephone number, the interrogation system uses the wireless network's caller ID function to determine the MIN of the wireless device (1502). The hijacking works because of two characteristics of a GSM network:

• the GSM network typically only authenticates a wireless device during location update.

• the GSM network permits a device in the network to request an unencrypted channel.

Thus, once the wireless device has registered with the baiting beacon, the baiting beacon can use an unencrypted channel (1501) to make the call to the telephone number belonging to the interrogation system be it another phone wherein the phone number is shown on the display or; .the interrogation system outfitted with a GSM

subscriber identity module (SIM) that is behaving like a legitimate phone and is registered with the network to receive incoming calls.. The SIM allows the interrogation system to behave as a legitimate subscriber in the GSM network. As such, the interrogation system can accept the call that it made for the wireless device. Having accepted the call, the interrogation system can extract the caller ID information for the wireless device from the call.

Herding

The interrogation system may also herd a wireless device to an unused channel. In GSM, the use of temporary dedicated control channels makes it possible to force wireless devices to operate on any specified channel and time slot therein. FIG. 16 demonstrates the process. The baiting beacon pages the wireless device that is to be herded, using either the TMSI or IMSI. When the wireless device responds with a RACH whose transaction type indicates an answer to a page, the interrogation system responds to the RACH by providing a channel assignment response that specifies the herding channel. The herded wireless device will remain on the herding channel as long as it receives SACCH frames indicating that the herded wireless device is still connected to the network. The interrogation system can herd as many wireless devices simultaneously as it has baiting beacons and separate frequency channels. For example an interrogation system with 8 baiting beacons capable of operating on 8 separate frequency channels can herd up to 63 phones simultaneously if each beacon uses all 8 slots within all 8 channels (64 less 1 to account for beacon generation).

Disablement

There are a number of methods available to disable a GSM phone. Techniques that can be derived from a direct reading of the standards include:

• Hijacking a wireless device and issuing an IMSI detach that tells the network that the wireless device is powering down. This will cause the network to stop routing incoming calls to the network. The technique only suppresses incoming calls but will not prevent a subscriber from placing a call.

• Issuing an authentication rejection to force the wireless device to invalidate the SIM placed therein until the wireless device is power cycled.

• Hijacking a wireless device and deliberately cloning it on the network.

FIG. 17 demonstrates a different methodology. Generally, when a GSM beacon responds to a location update from a wireless device, it provides the wireless device with a new TMSI and a new cipher key. The baiting beacon, however, foregoes the TMSI reallocation that is normally part of the location update process. As a result, the TMSI for the wireless device and the wireless device's cipher key are now effectively out of phase.

When a wireless device's cipher key is out of phase with its TMSI and attempts to initiate a call, the network will generally not re-authenticate the wireless device. Instead the network will presume that because the wireless device's TMSI has not changed, the wireless device is still using the cipher key that it received with the TMSI. Because the cipher key the wireless device is using does not match its TMSI, the wireless device will not be able to complete the cipher mode sequence in the call setup (1701). The network responds to the failure to get past the cipher mode sequence by dropping the call. The same thing happens when an attempt is made to call the wireless device. The wireless device is consequently effectively cut off from the network. The wireless device will remain cut off from the network until such time as the network chooses to re-authenticate the wireless device. After re-authentication, the TMSI and the cipher key will again be in phase. The period of time during which the TMSI and the cipher key are out of phase depends on the interval between re- authentications which is specified in the network configuration. Typical intervals range from 10 minutes to an hour. If sustained denial of service is desired, the interrogation system can again put the TMSI and the cipher key out of phase each time the network re-authenticates.

Another aspect of this technique is that the wireless device can be restored to the network at any time by putting the TMSI and the cipher key back in phase. This can be done by re-interrogating the wireless device with the random challenge that was used for the legitimate authentication, as this will restore the original key state and therefore put the cipher key back in phase with the currently established TMSI (1702).

Another important feature of this technique is that the user does not know that the wireless device is cut off from the network.

UMTS

The UMTS standard is the next generation successor to the GSM standard. The UMTS standard has introduced safeguards that are expressly designed to thwart baiting beacons that exploit shortcomings in the earlier GSM design. Among the safeguards is that the UMTS beacon must correctly authenticate itself to the wireless device. If the beacon fails to authenticate correctly, the handset will mark the beacon as suspect and thereafter refrain from interacting with it. In order to distinguish between situations in which authentication fails because the beacon cannot respond, for example, because the call is dropped and situations in which the beacon does respond but does not do so correctly, the wireless device marks the beacon as suspect only if it has received a response from the beacon that is correct as to form but not as to content. The response is correct if beacon has presented fully formed valid messages having valid CRCs.

The interaction between a wireless device to which the UMTS beacon must authenticate itself and the beacon begins when the UMTS beacon receives either the TMSI or the IMSI of the wireless device. Consequently, the requirement that a UMTS beacon authenticate itself to the wireless device does not prevent discovery of both the TMSI and the IMSI of the wireless device. One way of doing this is the "ignore TMSI" method described above for GSM. Another way of doing this is to suppress all UMTS beacons using the techniques described for CDMA and then provided a GSM baiting beacon. This forces the wireless device to fall back to GSM and the "ignore TMSI" or conventional interrogation methods are again available..

The interrogation system further takes advantage of UMTS' requirement that the beacon authenticate itself to the wireless device to disable individual or entire classes of wireless devices. The method is shown in FIG. 18. The interrogator suppresses all but one of the legitimate beacons using any of the previously described techniques for CDMA (1801) and overrides the remaining beacon (1802). This ensures that the wireless device will be listening on that beacon (1803). The wireless device is then paged (1804) using either the TMSI or IMSI that was presumably derived using the

interrogation methodology previously described. This is possible because paging messages in UMTS are not subject to integrity checking. The wireless device responds with a RACH for a channel and interrogator obliges (1805, 1806). The wireless device offers either its TMSI or IMSI (1807) and the baiting beacon attempts authentication in a fashion which is guaranteed to fail (1808). In response to the failure of the authentication, the wireless device marks that beacon as no longer viable and ignores the beacon from that point on. This process is repeated for all of the UMTS beacons that are detected in the operational area (1809). The wireless device is now ignoring all of the UMTS beacons in the operational area and has thereby disabled itself.

Conclusion

The foregoing Detailed Description has set forth to those skilled in the relevant technologies how to make and use the inventions disclosed herein and has further disclosed the best mode known to the inventor of making and using the inventions. The Detailed Description has described the inventions in general terms and has also set forth how the inventions are implemented in wireless systems that operate according to the CDMA, GSM, and UMTS standards. It will be immediately apparent to those skilled in the relevant technologies that the principles of the invention can be employed to make interference signals and baiting beacons in any present or future digital wireless communication system and to enable baiting beacons to obtain identification information from wireless devices, to disable wireless devices, to perform operations in the wireless communication system for the wireless devices, to locate wireless devices, and to herd wireless devices to specified channels in any present or future digital wireless communication system. Since that is the case, the Detailed Description is to be regarded as being in all respects exemplary and not restrictive, and the breadth of the invention disclosed here in is to be determined not from the Detailed Description, but rather from the claims as interpreted with the full breadth permitted by the patent laws.

CLAIMS