Patent Application
20120262272
Global trade is one of the fastest growing portions of the global economy. More countries than ever are importing and exporting more products than ever before. The vast majority of products are shipped in one or more types of cargo containers. About 90% of the world's trade is transported in cargo containers. Containers include ISO (International Organization of Standardization) containers, shipped by ship or train, and truck containers.
Cargo containers can contain valuable products that are easy targets for thieves. Cargo containers can also contain dangerous products that could be used for evil purposes if allowed to fall into the wrong hands. Terrorists, for example, could use a cargo container to transport explosives, or radiological material in order to attempt to disrupt the economic infrastructure of developed countries. The vulnerability of international shipping has been the focus of a program known as the Container Security Initiative (CSI) that was launched in 2002 by the U.S. Bureau of Customs and Border Protection (CBP).
CSI addresses the security concerns of shipping by focusing on four main areas. The four main areas addressed by CSI include:
Container/cargo monitoring devices are used to monitor various conditions associated with containers or other cargo. Monitoring devices can be reconfigured via various methods including wireless communications. Authentication of individuals desiring to reconfigure a monitoring device provides for more secure transportation of the associated containers. Techniques described herein provide for secure configuration management of monitoring devices associated with containers or other cargo. However, by being field reconfigurable, monitoring devices can be more susceptible to hijackings, theft and/or terrorism. What is needed is a secure way of initiating a reconfiguration of a container/cargo monitoring device in the field.
The ensuing description provides preferred exemplary embodiment(s) only, and is not intended to limit the scope, applicability or configuration of the disclosure. Rather, the ensuing description of the preferred exemplary embodiment(s) will provide those skilled in the art with an enabling description for implementing a preferred exemplary embodiment. It being understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope as set forth in the appended claims.
A monitoring device for monitoring a container or other cargo in accordance with the disclosure includes a key fob interface configured to communicate with a key fob, a wireless interface, a memory storing a serial number list, the serial number list including data indicative of at least one valid serial number associated with one or more key fobs permitted to interact with the monitoring device, and a processing unit coupled to the key fob interface, the wireless interface and the memory. The processing unit is configured to: receive a wakeup signal via the key fob interface, read a serial number from a key fob via the key fob interface, search the serial number list for data indicative of a valid serial number matching the serial number read via the key fob interface, read action data from the key fob via the key fob interface, the action data being indicative of an action to be taken by the processing unit, and in response to the read serial number matching a valid serial number of the serial number list, cause the monitoring device to take an action based on the action data.
A method of operating a monitoring device for monitoring a container or other cargo in accordance with the disclosure includes: storing a serial number list in non-volatile memory, the serial number list including data indicative of at least one valid serial number associated with one or more key fobs permitted to interact with the monitoring device, and receiving a wakeup signal via a key fob interface configured to communicate with a key fob. The method further includes reading a serial number from a key fob via the key fob interface, searching the stored serial number list for data indicative of a valid serial number matching the serial number read via the key fob interface, reading action data from the key fob via the key fob interface, the action data being indicative of an action to be taken by the monitoring, and in response to the read serial number matching a valid serial number of the stored serial number list, causing the monitoring device to take an action based on the action data.
Items and/or techniques described herein may provide one or more of the following capabilities. The key fob includes a unique serial number that the container/cargo monitoring device can query before interacting further with the key fob, e.g., taking any action associated with action data stored on the key fob. Different key fobs can store data associated with different actions to be taken by the monitoring device. The key fobs can be distributed to people in a hierarchical manner such that fewer key fobs, and therefore fewer people, can cause the container/cargo monitoring device to take more crucial actions, such as powering down, for example. The container/cargo monitoring device can store a list of valid and/or invalid serial numbers to determine which key fobs can or cannot cause the container/cargo monitoring device to take action. The list of valid and/or invalid serial numbers can vary, depending on a location of the monitoring device, a time of day, and/or a mode of transportation with which a container or other cargo the container/cargo monitoring device is coupled to is being transported. The serial number list can be changed during transport in response to several factors to add or remove serial numbers from valid and/or invalid lists.
The features, objects, and advantages of embodiments of the disclosure will become more apparent from the detailed description set forth below when taken in conjunction with the drawings. In the drawings, like elements bear like reference labels. Various components of the same type may be distinguished by following the reference label with a dash and a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.
In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of various embodiments. It will be apparent, however, to one skilled in the art that various embodiments may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form.
The ensuing description provides exemplary embodiments only, and is not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the exemplary embodiments will provide those skilled in the art with an enabling description for implementing an exemplary embodiment. It should be understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the disclosed systems and methods as set forth in the appended claims.
Specific details are given in the following description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits, systems, networks, processes, and other components may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail. In other instances, known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.
Also, it is noted that individual embodiments may be described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed, but could have additional steps not included in a figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination can correspond to a return of the function to the calling function or the main function.
Furthermore, embodiments may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine-readable medium. A processor(s) may perform the necessary tasks.
Monitoring devices described herein may be configured in a variety of ways, in a variety of contexts. By being reconfigurable in the field, e.g., when coupled to and monitoring a shipping container or other cargo, actions performed by monitoring devices can be modified to suit the ever changing conditions where the monitoring devices are located. For example, a destination of a monitoring device can be modified, additional sensors can be added to a communications network that the monitoring device is coupled with, etc. Sensors can provide information to the monitoring device, e.g., via wired or wireless communications. The sensor information can include data from a variety of sensors, which can indicate the temperature and/or humidity of a container, whether the container door is or has been opened, whether the container or cargo is experiencing or has experienced a shock, the location of the monitoring device, whether the monitoring device is moving, and more.
Monitoring devices can be reconfigured in the field using a mobile processing unit such as a personal digital assistant (PDA), a laptop computer, a smart phone, etc. However, some locations may be inhospitable to these mobile processing units. For example, if a monitoring device is located in an area with rugged climate or conditions, e.g., in a desert, in a blizzard, in a hurricane, in a war zone, or another inhospitable location, mobile processing units can be susceptible to malfunction.
A wired or wireless key fob device can be used to cause a monitoring device to take certain actions without requiring the use of more complex mobile processing units such as a personal digital assistant, tablet computer or mobile phone. The key fob can be inexpensive and more durable than the more complex mobile processing units.
Examples of monitoring devices in accordance with the disclosure provide a key fob interface for communicating with a key fob. The key fob interface can be a wired or wireless connection. A wired key fob interface can be a two contact interface comprising a ground contact and a data contact configured to contact the “lid” of a key fob such as, for example, an iButton ® (a product of Maxim Integrated Products and Dallas Semiconductor). A wireless key fob interface could be an RFID interface, a smartcard interface, etc.
The key fobs are loaded with a unique serial number. The serial number is unique to a single key fob. The unique fob serial number is usually pre-loaded at the fob manufacturer's factory and is not changeable. The monitoring device stores a list of serial numbers associated with the serial numbers of key fobs. The serial number list of the monitoring device can include serial numbers associated with valid key fobs that are permitted to interact with the monitoring device. The serial number list can also include serial numbers associated with key fobs that are not permitted to interact with the monitoring device. The serial number list can include location information that limits the valid devices to specific locations. For example, a customs official could be issued a key fob that is listed as a valid key fob only when the monitoring device is located in an area controlled by the customs organization, e.g., a border crossing or port of entry. The monitoring device serial number list can be updated from a remote location via a wireless signal, e.g., mobile telephone and/or satellite communications.
The key fobs can also be loaded with data indicative of actions to be taken by the monitoring device after the monitoring device verifies that the key fob is a valid key fob. The actions data can cause the monitoring device to perform various actions as described below. The monitoring device communicates serial numbers and actions taken in response to interactions with the key fob to a remote device management system (DMS). The DMS can determine whether the actions have been caused by a valid key fob based on the data communicated by the monitoring device. The DMS can also update the serial number list on the monitoring device. For example, if a key fob is reported as being lost or stolen, the DMS can communicate a message to the monitoring device that rescinds the serial number of the lost key fob from the valid serial number list.
The monitoring device 110 communicates with a key fob 120. The communication between the monitoring device 110 and the key fob 120 can be wired or wireless. The key fob 120 stores a serial number that is communicated to the monitoring device 110. The monitoring device 110 verifies that the key fob 120 is permitted to interact with the monitoring device 110 by searching a list of serial numbers stored in the monitoring device 110. The DMS server 160 can provide valid and invalid serial numbers to be included in the serial number list via the Internet 150 and/or the satellite system 180 or the mobile telephone system 190. The key fob 120 also stores action data. If the key fob 120 is verified by the monitoring device 110 to be a valid key fob, the action data is read from the key fob 110 by the monitoring device 110 and the monitoring device 110 performs actions associated with the action data.
The DMS server 160 provides an interface with the monitoring device 110 that can be used by a human user or another system, by utilizing, for example, a graphical user interface (GUI) and/or an application programmable interface (API). The DMS server 160 can collect and store information from the monitoring device 110. The data communicated between the DMS server 160 and the monitoring device 110 can be securely communicated in encrypted packets, and the DMS server 160 can provide secure management of the collected data.
One or more of a variety of physical layers may be used to provide the wireless connections between the monitoring device 110 and the satellite or mobile telephone systems 180 and 190 (and optionally the key fob 120). The monitoring device 110 can communicate wirelessly using a protocol stack based on IEEE 802.15.4 standard at 2.4 GHz using all 16 channels available in that standard. Other wireless technologies may be used, including IEEE 802.15.4 at 900 MHz; IEEE 802.11; Bluetooth®; IEEE 802.16; Ultra Wideband (UWB); 433 MHz Industrial, Scientific, and Medical (ISM) Band; cellular; optical; and more, using multiple RF channels (e.g., narrow-band frequency hopping) or a single RF channel.
The mobile DSM 130 can be, for example, a PDA, a cellular telephone, a satellite telephone or a laptop computer. The mobile DSM 130 can use a short range wireless system such as Bluetooth, Zigbee (IEEE 802.15.4), infrared, UWB, and/or WiFi to communicate with the monitoring device 110. In one embodiment, the mobile DSM 130 is an RFID (e.g., ISO/IEC 14443) reader that powers at least a portion of the monitoring device 110 with an inductive power signal. The mobile DSM 130 uses public and/or private keys to authorize and authenticate a communication channel with the monitoring device 110. Once a cryptographically-secure communication channel is configured, communication of commands and data through the communication channel can be performed.
The processing unit 210 is a programmable device, e.g., a central processing unit (CPU), such as those made by Intel® Corporation or AMD®, a microcontroller, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), and/or logic gates etc. The memory 220 includes random access memory (RAM) and/or read-only memory (ROM). The memory 220 stores a computer program product comprising computer-readable, computer-executable software code 225 containing instructions that are configured to, when executed, cause the processing unit 210 to perform various functions described herein. Alternatively, the software 225 may not be directly executable by the processing unit 210 but configured to cause the processing unit 210, e.g., when the instructions are compiled and executed, to perform the functions described. The memory 220 can include persistent storage used to store serial number lists, and/or sensor data received from sensor modules associated with a shipping container or other cargo that the monitoring device is securing.
The sensors 230 can include passive sensors or active sensors. Passive sensors require no power to sense and record a change in a condition and can be analyzed/queried at a later date to determine if the condition has changed. The passive and active sensors could be located inside the monitoring device 110, on the outside of the shipping container, on the inside of the shipping container, and/or attached to the cargo. Active sensors require a power source and detect changes continually or intermittently. Active sensors can be battery powered, powered from the container, powered with a wire from the power supply 250, and/or wirelessly powered using RF fields supplied by a wireless power signal.
The power supply 250 includes one or more batteries. During normal operating conditions, power is supplied, directly or indirectly (e.g., via the processing unit 210) to the various modules of the monitoring device 110 from the power supply 250. The power supply 250 can also include one or more backup batteries as well as an inductive power supply. The inductive power supply is configured to receive a wireless power signal from an external source, such as the mobile DSM 130.
It can also be noted that the monitoring device 110 can include an interface (not shown) to provide a user with information. Such an interface can comprise a liquid-crystal display (LCD), one or more light emitting diodes (LEDs), etc.
The position location module 260 provides a location of the monitoring device 110 to the processing unit 210. The position location module 260 can be a GPS receiver. A GPS receiver is configured to receive signals, via a GPS antenna (not shown), from a plurality of GPS satellites in order to determine the global location of the monitoring device 110. Instead of, or in addition to GPS, other types of navigation systems such as GLONASS (Russia), Galileo, Beidou (China), WiFi assisted location systems, and/or cellular (e.g., GSM, CDMA, TDMA) based location systems can also be used.
The key fob interface 270 can be a wired or wireless interface, depending on the type of key fob 120 that the monitoring device 110 communicates with via the key fob interface 270. Wireless key fob interfaces include RFID, Bluetooth, Zigbee (IEEE 802.15.4), infrared, UWB, and/or WiFi. A wired key fob interface can include three wire leads, a ground, a key fob presence detect wire and a data wire. The key fob presence detect wire can receive a power signal from a capacitive resister of the key fob 120. The power signal wakes up the monitoring device 110 such that the power supply 250 of the monitoring device 110 can supply power to a microchip of the key fob 120. The serial number and action data stored on the key fob 120 is then communicated to the processing unit 210 via the data wire of the key fob interface 270.
The communication interface 340 is configured to support communication between the processing unit 310 of the key fob 120 and the processing unit 210 of the monitoring device 110. The communication interface 340 can be a wired or wireless communication interface. A wireless communication interface 340 can include an antenna and a wireless interface such as one or more local area network or LAN radios. LAN radios of the communication interface 340 can include one or more of WiFi (IEEE 802.11 standards), Bluetooth, or Zigbee (802.15.4). A wired interface can be as simple as an outer surface of a stainless steel (or other metal) can that the processing unit is mounted within, where the can includes a top portion acting as the data contact and the processing unit 310 is mounted on the lower portion of the can that acts as the ground contact.
Different key fobs 120 can be configured to cause the monitoring device 110 to perform different actions. In one embodiment, a command vector stored in the memory 320 indicates to the monitoring device 110 what action or actions are to be taken when a monitoring device 110 encounters a valid key fob 120. Each bit in the command vector is assigned a value of one or zero. A value of one indicates that the action associated with that bit should be performed by the monitoring device 110 if the key fob 120 has been verified as being valid for the monitoring device 110. A value of zero indicates that the action associated with that bit is not to be performed by the monitoring device 110. Table 1 lists an exemplary 32 bit command vector and the associated actions that a key fob 120 can store in the memory 320.
Regardless of how the process 400 is initiated, at block 405, the DMS provides one or more key fobs to a client where each key fob stores a serial number. Upon providing the key fobs 120 to the client the process 400 proceeds to block 410 where the DMS identifies which serial numbers will be valid serial numbers for a given monitoring device. Each monitoring device is assigned an identification number and the valid serial numbers are stored at the DMS in association with the identification number of the monitoring device. Each key fob 120 serial number can be valid for one or more monitoring devices.
If a serial number is to be rescinded from a valid list already stored in a monitoring device, the process 400 proceeds to block 415 where the DMS identifies any serial numbers of key fobs that are to be rescinded from a stored valid list. A key fob serial number can be rescinded if a user of the key fob has lost the key fob, or if the key fob was stolen. Alternatively, the DMS could identify a key fob serial number that has been linked to unusual activity at a monitoring device. Unusual activity could include powering down a monitoring device before a final destination is reached, for example.
The valid or rescinded serial numbers can include data indicative of a range of sequential serial numbers associated with a plurality of key fobs. For example, if the serial numbers are represented by 64 bits, on value of the 60 most significant bits could represent a range of 16 serial numbers.
Upon identifying valid serial numbers at block 410 and or identifying serial numbers to be rescinded at block 415, the process 400 continues at block 420 where the DMS prepares an encrypted list of valid serial numbers to be added to and/or serial numbers to be rescinded from the memory of a monitoring device. The encryption can employ a private/public authentication scheme. The key fobs 120 can store an encrypted version of the serial number and the monitoring device can verify the serial number as being authentic using a public key associated with the key fob 120.
At block 425, the encrypted serial number list is communicated to the monitoring device. The communication can be over one or more wired and/or wireless networks such as the Internet, satellite and/or mobile telephone systems. The encrypted serial number list can be communicated with a checksum that is used to verify the integrity of the serial number list received by the monitoring device. At block 430, the monitoring device receives the encrypted serial number list. At block 435, the monitoring device decrypts and authenticates the received serial number list including valid and/or rescinded serial numbers. Upon authenticating the serial number list, the process 400 continues at block 440 where the monitoring device stores the serial number list into memory such as the memory 220 of
If the authentication performed at block 435 indicates that the serial number list was properly received, the monitoring device sends an acknowledgment (ACK) message to the DMS at block 445, the ACK message indicating that the serial number list was properly received. If the serial number list was not properly received the monitoring device could send a negative acknowledgment (NAK) message to the DMS at the block 445. At block 460, the DMS receives the ACK or NAK message. If an ACK message is received at block 460, the process 400 terminates. If a NAK message is received, the process 400 returns to block 425 to communicate another serial number list from the DMS to the monitoring device.
The process 400 is exemplary only and not limiting. The process 400 can be altered, e.g., by having blocks added, removed, or rearranged. For example, block 410 or block 415 described above for identifying valid serial numbers to add to a monitoring device or identifying serial numbers to rescind from a monitoring device can be omitted. Still other alterations to the process 400 as shown and described are possible.
Upon receiving the wakeup signal, the processing unit 210, at block 510, reads the serial number from the key fob 120. The serial number data stored on the key fob 120 can be encrypted. In addition to reading the serial number at block 510, data related to actions to be taken in response to verifying that the key fob 120 is a valid key fob 120 can also be read from the key fob 120 at block 510. The action data can be a bit field such as the 32 bit vector illustrated in Table 1 above. The action data can also be encrypted.
At block 515, the processing unit 210 searches the serial number list stored in the memory 220. The stored serial number list can include valid serial numbers and/or rescinded serial numbers. The serial numbers can be stored in encrypted form. At decision block 520, the processing unit 210 determines if the serial number read from the key fob 120 is an allowable serial number, as indicated by being in the valid serial number list, and/or not included in a rescinded serial number list. If the processing unit 210 determines that the read serial number is allowable, the process 500-1 continues at block 525 where the processing unit 210 causes the modules of the monitoring device 110 to perform actions as determined by the read serial number and/or the read action vector data. For example, if one or more of the bit fields in the 32 bit command vector of Table 1 is equal to one, the processing unit will cause the monitoring device 110 to take the associated action(s).
In one embodiment, the key fob 120 stores an unencrypted version of the serial number and an encrypted version of the serial number. The processing unit 210 reads the unencrypted serial number and the encrypted serial number at block 510. The processing unit 210 decrypts the encrypted serial number with a key stored in the memory 220 to form a decrypted serial number. The processing unit 210 then compares the decrypted serial number and the unencrypted serial number at block 520 to further verify that the key fob 120 is valid and not a copy or forgery.
Upon taking the actions at block 525, the process 500-1 proceeds to block 530 where the processing unit causes the wireless interface 240 to transmit a reporting message to the DSM. The reporting message can be a result of the action data to be taken at block 525 or, alternatively, to report the key fob serial number to the DSM. For example, if bit number 11 of the command vector of Table 1 is set equal to one, the processing unit 210 will put the monitoring device into sleep mode.
If the processing unit 210 determines that the read serial number is not valid or is included in the rescinded list, the process 500-1 continues at block 530 where the processing unit 210 causes the wireless interface 240 to transmit a message to the DMS. In the case where the serial number was determined to be invalid, the reporting message can include an identification number of the monitoring device 110 and the serial number of the key fob 120. In addition, the reporting message could include states of the sensors 230, the location of the monitoring device 110 as determined by the position location module 260 and other pertinent data. In one embodiment, the message transmitted at block 530 causes an email message to be communicated to the holder of the key fob 120 that awakened the monitoring device 110. In this way, the user of the key fob 120 can be alerted if someone else found and used the key fob 120 to communicate with the monitoring device 110.
The process 500-1 is exemplary only and not limiting. The process 500-1 can be altered, e.g., by having blocks added, removed, or rearranged.
With further reference to
The process 500-2 is exemplary only and not limiting. The process 500-2 can be altered, e.g., by having blocks added, removed, or rearranged.
In the foregoing description, for the purposes of illustration, methods were described in a particular order. It should be appreciated that in alternate embodiments, the methods may be performed in a different order than that described. It should also be appreciated that the methods described above may be performed by hardware components or may be embodied in sequences of machine-readable instructions, which may be used to cause a machine, such as a general-purpose or special-purpose processor or logic circuits programmed with the instructions to perform the methods. These machine-readable instructions may be stored on one or more machine-readable mediums, such as CD-ROMs or other type of optical disks, floppy diskettes, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, flash memory, or other types of machine-readable mediums suitable for storing electronic instructions. Alternatively, the methods may be performed by a combination of hardware and software.
While illustrative and presently preferred embodiments of the disclosed systems, methods, and devices have been described in detail herein, it is to be understood that the inventive concepts may be otherwise variously embodied and employed, and that the appended claims are intended to be construed to include such variations, except as limited by the prior art.
