IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re Patent of: Nehushtan et al.
U.S. Patent No.: 9,642,002
Attorney Docket No.: 50095-0122IP1
Issue Date: May 2, 2017
Appl. Serial No.: 14/591,947
Filing Date: January 8, 2015
Title: CELLULAR DEVICE SECURITY APPARATUS AND METHOD

DECLARATION OF DR. PATRICK G. TRAYNOR

APPLE 1003

Declaration of Dr. Patrick G. Traynor
APPLE-1003

TABLE OF CONTENTS

I. ASSIGNMENT
II. QUALIFICATIONS
III. SUMMARY OF CONCLUSIONS FORMED
IV. LEVEL OF ORDINARY SKILL IN THE ART
V. LEGAL PRINCIPLES
  A. Claim Interpretation
  B. Priority
  C. Anticipation
  D. Obviousness
VI. MATERIALS CONSIDERED
VII. TECHNOLOGY OVERVIEW
  A. Device Access Control
  B. Device-Unique Credentials
  C. Remote Administration Systems
VIII. OVERVIEW OF THE ’002 PATENT
  A. Specification
  B. Claims
  C. Prosecution History
IX. INTERPRETATION OF THE ’002 PATENT CLAIMS
X. SUMMARY OF RELEVANT PRIOR ART
  A. Overview of Shahbazi
  B. Overview of Fam
  C. Overview of Geiger
  D. Overview of Shirai
XI. ANALYSIS OF SHAHBAZI
  A. The Shahbazi Combination
  B. Analysis of Claims 1-29
    1. Claim 1
    2. Elements of Claims 5 and 24
    3. Claims 2-4
    4. Claims 6-15 and 21
    5. Elements of Claims 16-20, 22, 23, 25-29
XII. ANALYSIS OF FAM AND GEIGER
  A. The Combination of Fam and Geiger
  B. Analysis of Claims 1-10, 13-19, 21-25, 27-29
    1. Claim 1
    2. Elements of Claims 5 and 24
    3. Claims 2-4
    4. Claims 6-10, 13-15, 21
    5. Elements of Claims 15-19, 22, 23, 25, 27-29
XIII. ANALYSIS OF FAM, GEIGER, AND SHIRAI
  A. The Combination of Fam, Geiger, and Shirai
  B. Analysis of Claims 11, 12, 20, 26
    1. Claims 11 and 12
    2. Elements of Claims 20 and 26
XIV. CONCLUSION

I, Dr. Patrick G. Traynor, of Gainesville, Florida, declare that:

I. ASSIGNMENT

1. I have been retained on behalf of Apple Inc. (“Apple” or “Petitioner”) to offer technical opinions related to U.S. Patent No. 9,642,002 (“the ’002 patent”) (APPLE-1001). I understand that Apple is requesting that the Patent Trial and Appeal Board (“PTAB” or “Board”) institute an inter partes review (“IPR”) proceeding of the ’002 patent.

2. I have been asked to provide my independent analysis of the ’002 patent based on the prior art publications cited in this declaration.

3. I am not, and never have been, an employee of Apple. I received no compensation for this declaration beyond my normal hourly compensation based on my time actually spent analyzing the ’002 patent, the prior art publications cited below, and issues related thereto, and I will not receive any added compensation based on the outcome of any IPR or other proceeding involving the ’002 patent.

II. QUALIFICATIONS

4. I am over the age of 18 and am competent to write this declaration. I have personal knowledge, or have developed knowledge of these technologies based upon education, training, or experience, of the matters set forth herein.

5. I earned a B.S. in Computer Science from the University of Richmond in 2002 and an M.S. and a Ph.D. in Computer Science and Engineering from the Pennsylvania State University in 2004 and 2008, respectively. My dissertation, entitled “Characterizing the Impact of Rigidity on the Security of Cellular Telecommunications Networks,” focused on security problems that arise in cellular infrastructure when gateways to the Internet are created.

6. I am currently a Professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida. I was hired under the “Rise to Preeminence” Hiring campaign and serve as the Associate Chair for Research for my Department. I am also the John and Mary Lou Dasburg Preeminent Chair in Engineering.

7. Prior to joining the University of Florida, I was an Associate Professor from March to August 2014 and an Assistant Professor of Computer Science from 2008 to March 2014 at the Georgia Institute of Technology. I have supervised many Ph.D., M.S., and undergraduate students during the course of my career.

8. My area of expertise is security, especially as it applies to mobile systems and networks, including cellular networks. As such, I regularly teach students taking my courses and participating in my research group to program and evaluate software and architectures for mobile and cellular systems. I have taught courses on the topics of network and systems security, cellular networks, and mobile systems at both Georgia Tech and the University of Florida. I also advised and instructed the Information Assurance Officer Training Program for the United States Army Signal Corps in the spring of 2010.

9. I have received numerous awards for research and teaching, including being named a Kavli Fellow (2017), a Fellow of the Center for Financial Inclusion (2016), and a Research Fellow of the Alfred P. Sloan Foundation (2014). I also won the Lockheed Inspirational Young Faculty Award (2012), was awarded a National Science Foundation (NSF) CAREER Award (2010), and the Center for the Enhancement of Teaching and Learning at Georgia Tech’s “Thanks for Being a Great Teacher” Award (2009, 2012, 2013).

10. I have published over 100 articles in the top journals and conferences in the areas of information security, mobility, and networking. Many of my results are highly cited, and I have received multiple “Best Paper” Awards. I have also written a book entitled Security for Telecommunications Networks, which is used in wireless and cellular security courses at a number of top universities.

11. I am a Senior Member of the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers (IEEE). I am also a member of the USENIX Advanced Computing Systems Association.

12. I serve as an Associate Editor for IEEE Security and Privacy Magazine, have been the Program Chair for seven conferences and workshops, and have served as a member of the Program Committee for over 50 different conferences and workshops. I am also currently the Security Subcommittee Chair for the ACM US Technology Policy Committee (USACM).

13. I was a co-Founder and Research Fellow for the private start-up, Pindrop Security, from 2012 to 2014. Pindrop provides anti-fraud and authentication solutions for Caller-ID spoofing attacks in enterprise call centers by creating and matching acoustic fingerprints.

14. I was a co-Founder and Chief Executive of a private start-up, CryptoDrop. CryptoDrop developed a ransomware detection and recovery tool to provide state of the art protection to home, small business and enterprise users.

15. I was a co-Founder and Chief Executive of a private start-up, Skim Reaper. Skim Reaper developed tools to detect credit card skimming devices, and currently works with a range of banks, law enforcement, regulators, and retailers.

16. I am a named inventor on nine United States patents. These patents detail methods for determining the origin and path taken by phone calls as they traverse networks, cryptographically authenticating phone calls, providing a secure means of indoor localization using mobile/wireless devices, detecting credit card skimmers, identifying cloned credit cards, and blocking ransomware from encrypting data.

17. My curriculum vitae, attached as Exhibit A, includes a list of publications on which I am a named author. It contains further details regarding my experience, education, publications, and other qualifications to render an expert opinion in connection with this proceeding.

III. SUMMARY OF CONCLUSIONS FORMED

18. This Declaration explains the conclusions that I have formed based on my analysis. To summarize those conclusions:

• Ground 1: Based upon my knowledge and experience and my review of the prior art publications in this declaration, I believe that claims 1-29 of the ’002 patent are made obvious by Shahbazi

• Ground 2A: Based upon my knowledge and experience and my review of the prior art publications in this declaration, I believe that claims 1-10 and 13-19, 21-25, and 27-29 of the ’002 patent are made obvious by Fam and Geiger

• Ground 2B: Based upon my knowledge and experience and my review of the prior art publications in this declaration, I believe that claims 11, 12, 20, and 26 of the ’002 patent are made obvious by Fam, Geiger, and Shirai

IV. LEVEL OF ORDINARY SKILL IN THE ART

19. I have been informed that a person of ordinary skill in the art (“POSITA”) is a hypothetical person who is presumed to have the skill and experience of an ordinary worker in the field at the time of the alleged invention. The ’002 patent was filed January 8, 2015, and claims priority through a string of applications that includes U.S. Provisional Application No. 60/550,305 filed March 8, 2004 (“Critical Date”). Because I do not know at what date the invention as claimed was made, if ever, I have used the Critical Date of the ’002 patent as the point in time for claim interpretation purposes. My opinion does not change if the invention date is earlier.

20. Based on my knowledge and experience in the field and my review of the ’002 patent and file history, I believe that a person of ordinary skill in the art in this matter would have had at least a Bachelor’s Degree in an academic area emphasizing electrical engineering, computer science, or a similar discipline, and at least one year of experience in wireless communication systems. Superior education could compensate for a deficiency in work experience, and vice-versa. Based on my experiences, I have a good understanding of the capabilities of a POSITA. Indeed, I have taught, mentored, advised, and collaborated closely with many such individuals over the course of my career.

V. LEGAL PRINCIPLES

21. I am not a lawyer and I will not provide any legal opinions in this IPR. Although not a lawyer, I have been advised that certain legal standards are to be applied by technical experts in forming opinions regarding the meaning and validity of patent claims.

A. Claim Interpretation

22. I understand that claim terms are generally given their plain and ordinary meaning based on the patent’s specification and file history as understood by a person of ordinary skill in the art at the time of the purported invention. In that regard, I understand that the best indicator of claim meaning is its usage in the context of the patent specification as understood by a POSITA. I further understand that the words of the claims should be given their plain meaning unless that meaning is inconsistent with the patent specification or the patent’s history of examination before the Patent Office. I also understand that the words of the claims should be interpreted as they would have been interpreted by a POSITA at the time the invention was made (not today).

B. Priority

23. I understand that a continuation application is a later-filed application that has the same disclosure (specification and figures) as an earlier filed application to which the later-filed application claims priority. A continuation is generally entitled to the same priority date as the later-filed application to which it claims priority.

C. Anticipation

24. I understand that a patent claim is invalid as anticipated if each and every element as set forth in the claim is found, either expressly or inherently described, in a single prior art reference. I also understand that, to anticipate, the reference must teach all of the limitations arranged or combined in the same way as described in the claim. I do not rely on anticipation in this declaration.

25. With respect to inherency, I understand that the fact that a certain result or characteristic may occur or be present in the prior art is not sufficient to establish the inherency of that result or characteristic. Instead, the inherent characteristic must necessarily flow from the teaching of the prior art.

D. Obviousness

26. I understand that a patent claim is invalid if the claimed invention would have been obvious to a person of ordinary skill in the field at the time of the purported invention, which is often considered the time the application was filed. Even if all of the claim limitations are not found in a single prior art reference that anticipates the claim, the claim can still be invalid.

27. To obtain a patent, a claimed invention must have, as of the priority date, been nonobvious in view of the prior art in the field. I understand that an invention is obvious when the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art.

28. I understand that, to prove that prior art or a combination of prior art makes a patent obvious it is necessary to: (1) identify the particular references that, singly or in combination, make the patent obvious; (2) specifically identify which elements of the patent claim appear in each of the asserted references; and (3) explain a motivation, teaching, need, market pressure or other legitimate reason that would have inspired a person of ordinary skill in the art to combine prior art references to solve a problem.

29. I also understand that certain objective indicia can be important evidence regarding whether a patent is obvious or nonobvious. Such indicia include:

• Commercial success of products covered by the patent claims;
• A long-felt need for the invention;
• Failed attempts by others to make the invention;
• Copying of the invention by others in the field;
• Unexpected results achieved by the invention as compared to the closest prior art;
• Praise of the invention by the infringer or others in the field;
• The taking of licenses under the patent by others;
• Expressions of surprise by experts and those skilled in the art at the making of the invention; and
• The patentee proceeded contrary to the accepted wisdom of the prior art.

30. To the extent these factors have been brought to my attention, if at all, I have taken them into consideration in rendering my opinions and conclusions.

VI. MATERIALS CONSIDERED

31. My analysis and conclusions set forth in this declaration are based on my educational background and experiences in the field (see Section II). Based on my knowledge and experience, I believe that I am considered to be an expert in the field. Also, based on my knowledge and experience, I understand and know of the capabilities of persons of ordinary skill in the field during the early 1990s–2010s, and I taught, participated in organizations, and worked closely with many such persons in the field during that time frame.

32. As part of my independent analysis for this declaration, I have considered the following: the background knowledge/technologies that were commonly known to persons of ordinary skill in this art during the time before the earliest claimed priority date for the ’002 patent; my own knowledge and experiences gained from my work experience in the field of the ’002 patent and related disciplines; and my experience in working with others involved in this field and related disciplines.

33. In addition, I have analyzed the following publications and materials:

• U.S. Patent No. 8,635,661 (“Shahbazi”) (APPLE-1004)
• U.S. Patent No. 7,181,726 (“Fam”) (APPLE-1005)
• U.S. Patent No. 6,463,534 (“Geiger”) (APPLE-1006)
• U.S. Patent Application Publication No. 2001/0051519 (“Shirai”) (APPLE-1007)
• Klemetti, Aarne, “PDA Operating Systems,” EVTEK, Media Technology, 2002 (APPLE-1008)
• “The Symbian Platform Version 6.0: Power and Innovation,” The Wayback Machine (accessed 10/11/2022), available at https://web.archive.org/web/20010303233643/http://www.symbiandevnet.com (APPLE-1009)
• U.S. Provisional Application No. 60/531,668 (“Shahbazi Provisional”) (APPLE-1011)
• United States Department of Defense, Department of Defense Standard, “Trusted Computer System Evaluation Criteria”, DoD 5200.28-STD (APPLE-1012)
• Polly Sprenger, “Pirates Sneer at Intel Chip,” Wired, 22 Jan. 1999, https://www.wired.com/1999/01/pirates-sneer-at-intel-chip/ (APPLE-1013)
• Jason Miller, Federal News Network, “10 Years Later, CAC is securely part of DoD” (APPLE-1014)
• Arnis Parsovs, “Estonian Electronic Identity Card: Security Flaws in Key Management”, USENIX Security 2020 (APPLE-1015)
• C. Stephen Carr, “Network Subsystem for Time Sharing Hosts”, IETF RFC 15, 25 September, 1969 (APPLE-1016)
• ITU-T Recommendation E.212 (1993) (APPLE-1017)
• GSMA, https://www.gsma.com/aboutus/history, Accessed 16 Nov. 2022 (APPLE-1018)
• Research in Motion, 2001 Annual Report (APPLE-1019)
• U.S. Pat. No. 7,239,877 (“Corneille”) (APPLE-1020)
• GSM 03.48 v8.0.0 (1999-07) (APPLE-1021)
• U.S. Patent Application Publication No. 2006/0031407 (“Dispensa”) (APPLE-1022)
• Sascha Segan, “The Evolution of the Blackberry, From 957 to Z10,” PCMag, 28 Jan. 2013, https://www.pcmag.com/news/the-evolution-of-the-blackberry-from-957-to-z10 (APPLE-1023)
• Symbian S600, https://nokia.fandom.com/wiki/Symbian_S60, Accessed 16 Nov. 2022 (APPLE-1024)

34. My analysis and conclusions set forth in this declaration are based on the perspective of a POSITA.

VII. TECHNOLOGY OVERVIEW

A. Device Access Control

35. Access control is the process of selectively granting use of a computing resource. Such decisions are traditionally made through the explicit naming of a resource (e.g., a file) and a specific party’s rights to interact with that resource (e.g., read, write, execute). These permissions are often stored in Access Control Lists (ACLs).

36. Access control has been a primary mechanism of security policy enforcement in virtually all operating systems. For instance, the first known implementation of ACLs came as part of the MULTICS operating system in 1965. All operating systems since the creation of MULTICS incorporate some form of access control.

37. There are two general categories of access control: Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Both forms are well-known and were formalized by the United States Department of Defense (DoD) in the Trusted Computer System Evaluation Criteria (TCSEC, also known as the “Orange Book”) in 1985. APPLE-1012.

38. DAC systems allow users with permissions to a specific resource to pass their rights to another user. For instance, the creator of a file could share the file directly with another user without the direct intervention of the system administrator. MAC systems constrain access to resources based on a centrally administered policy. Unlike DAC systems, users do not have the ability to override these policy decisions, and changes to MAC policies can only be performed by an administrator.

39. Modern operating systems implement a combination of MAC and DAC. For instance, operations that might involve sensitive files/directories or programs can be specified by the system administrator using MAC policies. For less sensitive operations, users can be given latitude to specify their own policies for resources. For example, a system may restrict access to directories containing intellectual property or classified government materials using MAC policies. Only a limited set of applications and users could then access the contents of those files. However, for less sensitive information (e.g., calendars), users could rely on DAC policies to specify who should be given access to their information. While the Orange Book was published in 1985, the problem of securing “remote-access, resource-sharing computer systems” (p7, Trusted Computer System Evaluation Criteria) was first discussed by the Defense Science Board in October of 1967. APPLE-1012. The secure administration and update of remote machines has been a well-known concern in the government and private sectors for nearly six decades. Id.

B. Device-Unique Credentials

40. Identifying devices and users using credentials (e.g., passphrase, username) is important to ensuring that access control is performed properly. Once a credential is provided to a verifying party, the party with the credential is then granted the rights affiliated with it. For example, the holder of a username/password credential on a computer would be allowed to operate in the role of that particular user (and access that user’s files, perform that user’s duties, etc.).

41. Credentials have long preceded computing systems, with some of the earliest recorded uses (e.g., passwords) dating as far back as the Roman Empire. Modern computing systems rely on device-unique credentials as part of the process of authenticating themselves to other parties. For mobile phones, the best-known credential is the International Mobile Subscriber Identity (“IMSI”). Originally standardized in 1988 by the International Telecommunications Union, the IMSI uniquely identifies the SIM card in a user’s mobile phone. APPLE-1017, 1.

42. Similar to the IMSI is the International Mobile Equipment Identity (IMEI). Introduced at the same time as the IMSI, the IMEI specifically identifies the user’s mobile phone hardware and is assigned by the manufacturer. A user changing SIM cards in a phone would change IMSIs, but the IMEI would remain the same. Conversely, a user moving their SIM card to a new mobile phone would keep the same IMSI, but their IMEI would change.

43. The use of IMSIs has been common since 2G GSM networks and became universal in the late 1990s. APPLE-1017, 1; APPLE-1018. There are currently billions of devices that rely on IMSIs as their primary identification credential. Starting with 2G cellular networks, all mobile phones were also equipped with a unique, long-term symmetric key known as the Individual Subscriber Authentication Key (or “Ki”). In combination with the IMSI, these two credentials are used to cryptographically authenticate a mobile phone to the network so that services and billing could be tailored to the account associated with that specific mobile phone. Id.

44. Mobile phones are not the only systems that have offered device-unique credentials. In 1999, Intel’s Pentium III processor came equipped with a unique Processor Serial Number (PSN). While the feature was removed in the Pentium IV, Intel intended the PSN to be used for tasks including asset management, information flow/leak control, and potentially advertising via web tracking. The PSN was viewed as a means of restricting software installations and functionality to a specific set of machines. Intel marketed this feature as a means of combatting software piracy and cloning. APPLE-1013.

45. Device-unique credentials can take many other forms as well. One example is a device-unique public-key certificate. Such credentials can be kept in traditional hard disks or a variety of other platforms. For example, the DoD launched its Common Access Card (CAC) in 1999, which stored unique cryptographic credentials for each DoD employee. APPLE-1014. Similarly, the government of Estonia began its rollout of national ID cards equipped with smartcards storing unique public-key certificates in 2002. APPLE-1015.

C. Remote Administration Systems

46. The ability to remotely use and administer machines is nearly as old as computer networks themselves. Soon after the first computers were connected via the ARPANET (the precursor to the Internet) in 1969, the Telnet protocol was proposed. APPLE-1016.

47. Telnet addressed two specific problems. First, direct access to every computer was constrained given their relatively large size. As such, small inexpensive terminals were needed to access computers. Second, as the number and location of computers grew, so too did the need to be able to administer them efficiently. While Telnet was built for a closed, largely academic Internet, it was not designed to address the security concerns of the current Internet. As such, it was eventually replaced by the introduction of the Secure Shell Protocol (SSH) in the 1990s. Graphical interfaces such as Virtual Network Computing (VNC), which allowed for an experience more similar to modern computer use, became available in the late 1990s. Id.

48. Traditional computers were not the only devices for which remote administration tools were developed. For instance, the Blackberry Enterprise Server (BES) allowed enterprises to manage messaging and email access for associated Blackberry mobile devices in early 1999. APPLE-1019, 9-10. As such, tools for remote administration have been long known and used throughout real networks. As new devices are introduced, it is expected that they too will be managed through such systems.

VIII. OVERVIEW OF THE ’002 PATENT

A. Specification

49. The ’002 patent focuses on cellular device security and describes a “security system for protection of data and access,” including “read and write access to configuration data, in a cellular telephony device.” APPLE-1001, 1:20-24. According to the ’002 patent, “[a] security vulnerability exists in cellular device” in that “it is possible to read sensitive information” and “write it into a new cellular device (destination) thus making the destination device identical to the source device with regards to the cellular network.” Id., 1:25-35. This “enables the destination device to make calls, which are then billed to the source device.” Id.

50. The ’002 patent identifies four types of sensitive information in a cellular device: (1) an “Electronic Serial Number” supplied by the manufacturer of the cellular device (ESN), (2) “cellular device’s phone number” supplied by the cellular provider (NUM), (3) “authentication key” for authenticating the identity of a cellular device by the cellular provider (A-KEY), and (4) an “identifier” created by the cellular network in combination with additional information from the cellular provider’s database and used to identify the cellular device when a call is made (SSD). APPLE-1001, 1:46-58. This information is “generally located in the cellular device along with the operating system located on the chipset.” Id. Access to this sensitive information is provided during a “Data Mode”—“a mode in which the device allows any access to the device to change settings and/or accepts commands, via its serial interface, which can be used to read and write information.” APPLE-1001, 1:63-2:6.

51. The ’002 patent describes solving security vulnerabilities associated with sensitive information stored on a cellular device by limiting device access. Figure 2 shows a system in which “a cellular telephone is connected through a data connection to a reprogramming device and to a secure server.” APPLE-1001, 6:66-7:2.

APPLE-1001, Fig. 2

Device 20 is connected to reprogramming computer 24 for “upgrading according to an upgrading configuration.” APPLE-1001, 9:1-15. Device 20 is placed in a “data mode for allowing reading and writing of data to change the settings and generally to allow reprogramming.” Id. Device 20 is “configured to restrict use of the data mode” using a “unique security setting belonging to the device.” Id. This ensures “the data mode cannot be used unless the device unique security setting is provided” and “it is no longer possible to obtain a single password and thereby compromise a large number of devices.” Id.

52. Device 20 includes a “mode management unit 22” (or “an access
