
(11) EP 2 106 578 B1

(12) EUROPEAN PATENT SPECIFICATION

(45) Date of publication and mention of the grant of the patent: 14.09.2016 Bulletin 2016/37

(51) Int Cl.: G06F 21/55 (2013.01) G06F 21/70 (2013.01) G06F 21/82 (2013.01)

(21) Application number: 07736264.8

(22) Date of filing: 29.04.2007

(86) International application number: PCT/IL2007/000524

(87) International publication number: WO 2008/090537 (31.07.2008 Gazette 2008/31)

(54) SECURITY SWITCH SICHERHEITSSCHALTER COMMUTATEUR DE SÉCURITÉ

(84) Designated Contracting States: AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC MT NL PL PT RO SE SI SK TR

(30) Priority: 22.01.2007 US 881510 P

(43) Date of publication of application: 07.10.2009 Bulletin 2009/41

(73) Proprietors:
• Yoffe, Simon, 54056 Givat Shmuel (IL)
• Yoffe, David, 54056 Givat Shmuel (IL)

(72) Inventors:
• Yoffe, Simon, 54056 Givat Shmuel (IL)
• Yoffe, David, 54056 Givat Shmuel (IL)

(74) Representative: Modiano, Micaela Nadia et al, Modiano Josif Pisanty & Staub Ltd, Thierschstrasse 11, 80538 München (DE)

(56) References cited: EP-A2- 1 698 990 US-A- 3 703 987 US-A- 4 945 443 US-A- 4 945 443 US-A- 5 555 156 US-A1- 2003 051 162 US-A1- 2005 271 190

Note: Within nine months of the publication of the mention of the grant of the European patent in the European Patent Bulletin, any person may give notice to the European Patent Office of opposition to that patent, in accordance with the Implementing Regulations. Notice of opposition shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).

Printed by Jouve, 75001 PARIS (FR)

Description

TERMS

[0001]

Authorized user - owner or permitted operator of a personal device.
Unauthorized user - any user or that does not have an explicit permission to operate the personal device.
Unauthorized access - any attempt of an unauthorized user to access or operate a personal device.
False indication/notification - an indication showing one state, while the real state is different.
Hooked component - a component connected in parallel with other device(s) to the same input element, in such way that both devices can operate together, but the hooked component is isolated from the other device(s).
"Man in the middle" - a component logically placed between two other components and which can control the information passed between the two other components.
Secure Input - an input readable only to a permitted component, meaning that the input of the permitted component cannot be revealed by other components.
Internal - enclosed within an envelope or surface of the personal device or positioned at least partially on the surface of the envelope of the personal device.
Isolated Switch - a switch that cannot be operated or affected by any entity or factor except an authorized user.
Independent operation - operation that cannot be affected by any entity or factor except an authorized user.

FIELD OF THE INVENTION

[0002] The presented invention is related to security of personal communication or computing devices with external communications and sensors (e.g. microphone, camera) features and using software for operation.

BACKGROUND OF THE INVENTION

[0003] Personal software operated devices or appliances (hereinafter "personal devices") such as mobile phones, IP-phones, pocket PCs, PDAs, computers, desktop and network switches, use a variety of hardwired or wireless communication means for communication with other devices. A remote unauthorized user can adversely use these communication means to try and break the personal device security and obtain personal and other information on the personal device user or owner. A single personal device may have a number of different communication means such as phone-lines, cables, a wireless LAN, Bluetooth, etc, which only increases the security risk.

[0004] These communication means can be used to retrieve private information, audio/video information, user location information (track where user is located when personal device is using out communication) or transmitted information. Devices with permanently installed or accessory sensor components such as a microphone, earphone(s), speakers, camera, etc, are able to capture the information at a user location. Devices with permanently installed or accessory communication components like: modem, LAN adapter, Wireless LAN adapter, Bluetooth, GSM, etc, are able to transmit information and might reveal the user location. When signals are transmitted from the user location, the transmission can be used for tracking the user location. Components of a device/appliance that are controlled by software and electronic switching devices may be controlled by an unauthorized user even if they were disabled earlier by the authorized user. The components can be controlled without the user noticing the change in mode of operation. For example, a mobile phone may look "switched off" but still be functioning or even transmitting.

[0005] Local authorized or unauthorized users can easily modify the software operating the personal device, thereby causing a security breach, e.g. by downloading a virus affected software update. This scenario of software modification is very common: on one hand it is much easier than hardware modification, and on the other hand it is much harder to verify such modification or notice unwanted change.

[0006] At present, the problem of unauthorized access is handled by different types of security software such as firewalls, anti-virus programs, anti- programs and security systems. However, each new software security system is eventually overcome by new hacking methods, viruses, worms, Trojans and other threats. This creates an endless competition between security providers and unauthorized users. In essence, software security is hard to implement and/or prove. Even if the theoretical model of the security is proven, there may still be a mistake or bug in the implementation that allows a break in the security. Consequently, software security solutions cannot be trusted.

[0007] Hardware security solutions are known and include: devices used to isolate telephone lines in order to prevent unauthorized capture of audio information from phone user (see US Pat. No. 5,402,465 and US Pat. Application No. 20050271190); data line switches for computers that disconnect a line physically from the Internet, working in manual and/or automatic mode (US Pat. Application No. 20030062252); a power off method for a wireless peripheral device, which terminates power to all parts of the wireless device except the control chip by a certain operation on a connect button (US Pat. Application No. 20050009496); a switch that powers-on a PDA in response to the stylus being removed from the PDA's stylus holder, and, selectably,

powers-off the PDA in response to the stylus being replaced into the PDA (US Pat. No. 6,233,464); a mobile phone with two input modes, whereby a switch of input modes is attained by changing an electrical connection between the main printed circuit board (PCB) in the phone and the front and back PCBs (US Pat. No. 7,031,758); the NetSafe Computer Security Switch, which uses a simple physical switching technology in a way that allows a computer or group of computers to quickly and easily block a communications signal from entering the computer(s) and restart the signal without any software and without the need to power down, reboot, or run software on the computer(s) (US Pat. Application No. 20040243825); a wireless button for a laptop, offered by the Hewlett Packard Corporation in its line of Pavilion laptops (hereinafter the "HP wireless button"), which enables or disables all integrated wireless components in the laptop (e.g. WiFi and Bluetooth), and a wireless light that indicates simultaneously the computer's overall wireless state (enabled or disabled); the portable electronic device that disconnects a receiving antenna from the duplexer of a mobile phone (US Pat. Application No. 2004/0203536A1).

[0008] All existing protection solutions suffer from one of two disadvantages: either the switch is "external" and can therefore be tampered with by an external factor, or the switch is internal but not fully isolated from the device itself (and therefore can be manipulated by the software of the device). Consequently, existing solutions cannot provide simultaneous temporary protection from audio/video information capture in device, cannot provide simultaneous temporary protection from both audio/video information capture and unauthorized access and user location\device location in device and cannot provide secure security mode exit, prevention of capture of the logic required for exiting the security mode in device. Existing internal switches cannot provide prevention of false notification about the device security mode in device with already broken software security, i.e. in a state in which an unauthorized user gains access or control of the personal device despite software protection solutions.

[0009] There is therefore a widely recognized need for, and it would be highly advantageous to have a simple internally isolated hardware security solution for the users of the above mentioned personal devices that does not suffer from the above mentioned software and hardware solution disadvantages.

SUMMARY OF THE INVENTION

[0010] The present invention discloses hardware security solutions that overcome the problems of hardware and software security solutions mentioned above. The invention provides a user of a personal device with hardware means for protecting information such as private information, audio/video information, user location information or transmission information. The hardware means, referred to as "security switch" or "isolated switch" is internal to the personal device and is isolated, both "internal" and "isolated" being defined above. The "isolation" also means that the control elements of the switch do not have any external communication capability and are protected from remote operation/manipulation.

[0011] In some embodiments a security switch of the present invention is a component having: a) control elements that are not connected electrically to an environment from which they should be isolated and shielded, or that are decoupled in such a way that both electrical and magnetic fields cannot influence their operation; and b) switching elements that cannot be connected, disconnected or bypassed by elements other than the control elements in (a).

[0012] The security switch may be mechanical (electrical contacts switched mechanically) or electronic/electrical. When mechanical, its control is already isolated because it can be operated only by manual physical operation of the user, not by the device itself. A mechanically operated switch should not have an electrically operated bypass. When electronic/electrical, the security switch is isolated electrically, i.e. completely separated electrically from other elements or components of the personal device.

[0013] The principle of operation of the security switch disclosed herein relies solely on manual disconnection (or connection) of audio/video/communication or power supply components in the personal device in order to avoid unauthorized access to the information or personal device. This provides full isolation even in cases of full access to the device software or remote access to electronic components of the device, in the sense that an unauthorized user is not able to connect electrical circuits that are switched off manually.

[0014] Two main modes of operation are provided: Mode 1 - manual switching by an authorized user (or simply "user") for preventing capture of audio/video information from the user; Mode 2 - manual switching by the authorized user for preventing unauthorized determination of the user location or capture of other information. In mode 1, the user can receive visual information (for example incoming calls, SMS, memos, files, etc) yet is protected from being listened to, recorded or visually captured by unauthorized access to his personal device. In mode 2, the communication to the device is completely disconnected, so the device location cannot be discovered by any means and no information transfer is possible. There is also a possibility to combine modes 1 and 2 into a "combined mode". Note that mode 2 is not a substitute for mode 1, since in case of unauthorized access, audio/video information can be captured and stored in the device memory, then transmitted after the user exits mode 2.

[0015] The switch allows the user of a personal device to temporarily change the mode of operation when in need of privacy and wants to avoid possibility of spying

after him/her by capturing his audio/video information or tracking his location. The usage of security switch that operates manually by the user provides the user a possibility to disconnect components that can capture audio/video and user input information or transmit signal from/to the user's personal device. When an electrical circuit is broken manually, it cannot be reconnected by an unauthorized user even in case of full access to the device software or by remote access to an electronic personal device. When all components capable of capturing audio/video information - i.e. microphone(s), headphone(s), speaker(s), and camera(s) - are disconnected, information cannot be obtained by an unauthorized user.

[0016] When all components capable of transmitting signal from/to user's device/appliance - i.e. RF, WiFi, Bluetooth, NFC, and LAN - are disconnected, the user location and other private information cannot be obtained by an unauthorized user.

[0017] Note that the present invention is not concerned with software security, but with protecting certain private information even in cases when security of device was already broken by disabling devices capable of capturing information or transmitting signal.

[0018] The protection is based on the idea of performing an operation that cannot be done by the software of the device or by the device itself, but only by the user (manual disconnection of the relevant components) and the operation is not known to the software of the device or the device itself.

[0019] According to the present invention there is provided a personal device that includes a device core, one or more peripheral devices, and one or more switches for securing the personal device from unauthorized access or operation. Every such switch is internal to the personal device. Every such switch is operationally connected to the device core and to the peripheral device(s). Every such switch has operating functions that are operable only by an authorized user and cannot be affected by either the personal device core or the peripheral device(s). Every such switch is operated only by direct manipulation, by the authorized user, of an interface of the switch.

[0020] Preferably, (one of) the switch(es) includes a disconnector, for connecting and disconnecting the device core from the peripheral device(s), that is operable only by the authorized user.

[0021] Preferably, each switch includes components selected from the group consisting of electro-mechanical components, electrical components, electronic components and a combination thereof.

[0022] Preferably, (one of) the switch(es) includes a switch mode indicator for providing a visual indication of a state of the switch.

[0023] Preferably, (one of) the peripheral device(s) include(s) a user input component, and (one of) the switch(es) includes a user input logic for reading user inputs. Most preferably, the switch that includes the user input logic also includes an input mode indicator for providing a visual indication of an input logic state.

[0024] Preferably, the personal device is a mobile phone, an IP-phone, a pocket PC, a PDA, a laptop computer, a desktop computer or a network switch.

[0025] According to the present invention there is provided a method for securing a personal device that includes a device core and one or more peripheral devices from unauthorized access or operation. One or more switches for securing the personal device from unauthorized access or operation are provided. Every such switch is internal to the personal device. Every such switch is operationally connected to the device core and to the peripheral device(s). Every such switch has operating functions that are operable only by an authorized user and that cannot be affected by either the personal device core or the peripheral device(s). An interface of (one of) the switch(es) is directly manipulated to protect the personal device from unauthorized use or access.

[0026] Preferably, a disconnector is provided in (one of) the switch(es). The disconnector is for connecting and disconnecting the device core from the peripheral device(s) and is operable only by the authorized user. More preferably, a switch mode indicator is provided in that switch. The switch mode indicator is coupled to the disconnector and provides a visual indication of the state of the disconnector. Also most preferably, the direct manipulating of the switch interface includes directly manipulating the switch interface, by the authorized user, to disconnect the device core from the peripheral device(s) in response to a threat detection or preemptively.

[0027] Preferably, a user input logic is provided in (one of) the switch(es). The user input logic is for reading user inputs into the switch.

[0028] The following documents disclose a system for securing a personal device:

Decante, US 5,555,156
Staude et al., EP 1 698 990
Lee, WO 2008/140292
Kirchmann, US 2003/0051162
Ikeda, US 3,703,987

[0029] In these systems, either the switch is not operated by an authorized user (Staude et al.), or the user does not manipulate the switch interface directly (Decante, Ikeda), or the switch is not internal to the personal device (Lee, Kirchmann).

BRIEF DESCRIPTION OF THE DRAWINGS

[0030] Reference will be made in detail to preferred embodiments of the invention, examples of which may be illustrated in the accompanying figures. The figures are intended to be illustrative not limiting. Although the invention is generally described in the context of these preferred embodiments, it should be understood that it is not intended to limit the scope of the invention to these particular embodiments. The structure, operation, and

advantages of the present preferred embodiment of the invention will become further apparent upon consideration of the following description, taken in conjunction with the accompanying figures, wherein:

FIG. 1 shows a first embodiment of a personal device with a security switch of the present invention;
FIG. 2 shows another embodiment of a personal device with a security switch of the present invention;
FIG. 3 shows yet another embodiment of a personal device with a security switch of the present invention;
FIG. 4 shows yet another embodiment of a personal device with a security switch of the present invention;
FIG. 5 shows yet another embodiment of a personal device with a security switch of the present invention;
FIG. 6 shows an embodiment of a personal device with an input solution for security switch of the present invention;
FIG. 7 shows yet another embodiment of a personal device with a security switch of the present invention;
FIG. 8 shows yet another embodiment of a personal device with a security switch of the present invention;
FIG. 9 shows an example of an electro-mechanical implementation of an isolated switch;
FIG. 10 shows an example of electrical implementation of an isolated switch;
FIG. 11 shows another example of an electrical implementation of an isolated switch;
FIG. 12 shows an example of electrical/electronic implementation of an isolated switch;
FIG. 13 shows an example of an electro-mechanical implementation of an isolated switch;
FIG. 14 shows an example of an electro-mechanical implementation of isolated switch.

DETAILED DESCRIPTION OF INVENTION

[0031] The present invention discloses security systems and devices for protecting personal devices and their users from unauthorized access, operation, identity theft or information theft. In particular, the invention discloses a security switch that provides total protection of information related to the personal device or a user of the device. In the following description, like elements appearing in different figures are numbered identically.

[0032] FIG. 1 shows a first embodiment 50 of a personal device with a security switch of the present invention. Personal device 50 includes a device core 100, an isolated switch 102 and at least one peripheral device 104. The dotted arrows indicate an optional direct connection between device core 100 and peripheral device 104 and/or between device core 100 and isolated switch 102. Device core 100 operates by software and may include one or more controllers (e.g. central processing units (CPUs)), one or more memory units and one or more power management modules. A peripheral device 104 may include one or more communication components, and/or one or more sensor components, and/or one or more user input components. Each of these will be shown in following figures. The communication components may include wireless communication components or wired communication components (e.g. WiFi, RF, Bluetooth, NFC, LAN, and modem). The sensor components may include audio components, video components (e.g. a microphone, speaker or camera). The user input component may include a keyboard or a touch screen.

[0033] Isolated switch 102 is a key inventive element of the present invention, which contrasts with prior art in terms of both structure and function. Isolated switch 102 is an internal component, isolated from other components of the personal device. As defined above, "internal" means enclosed within an envelope of the personal device or positioned at least partially on the surface of the envelope of the personal device. "Isolated" means that the operation of the security switch cannot be affected either directly or indirectly by device core 100 or peripheral devices 104. This isolation prevents manipulation of switch 102 by the software of the personal device. In short, switch 102 can perform operations independently from the personal device (i.e. the personal device cannot affect an operation performed by switch 102) and can operate either in parallel with device core 100 (meaning that both perform independent tasks, in which case there may be a direct connection between device core 100 and peripheral device 104), or as a "man in the middle", meaning that the connection of device core 100 with peripheral devices 104 or the information passed therebetween is affected by the operation of the switch.

[0034] Isolated switch 102 may be implemented in a number of different ways: by electro-mechanical components, by electrical components, by electronic components or a combination of the above.

[0035] Isolated switch 102 is different from similar prior art components as follows: the HP wireless button is not fully isolated, because some of the HP button subcomponents (e.g. an indicator) are operated by the laptop, and other subcomponents are not proven to be without a bypass and without access to its control element. In contrast, switch 102 is completely isolated from the personal device in which it is integrated. The HP wireless button operates only as "man in the middle", while isolated switch 102 can operate in parallel as well. The portable electronic device in US Patent Application No. 2004/0203536A1 is also not "isolated" in the sense defined herein, because it disconnects only the receiving antenna from the duplexer, while the transmitting antenna is still functional and may provide a bypass. In contrast, switch 102 is completely isolated from the personal device in which it is integrated with no possibility of bypass. The portable electronic device operates only as a "man in the middle", while isolated switch 102 can operate in parallel as well. The NetSafe switch (US Pat. Application No. 20040243825) is an external device, while switch 102 is internal. The circuit power reduction scheme (US Pat. Application No. 2006/0066370) uses micro-electro-mechanical switches and is not isolated (in fact, it is operated by the logic of the device), meaning that the circuit power reduction scheme using micro-electro-mechanical switches can be manipulated by the software of the device. In contrast, switch 102 is isolated and cannot be operated or manipulated by the logic of the personal device.

[0036] FIG. 2 shows a second embodiment 52 of a personal device with a security switch of the present invention. In addition to all the components of device 50, in device 52, isolated switch 102 includes a disconnect/connect component ("disconnector") 200. Disconnector 200 is a key inventive sub-component of the present invention, which contrasts with prior art in terms of both structure and function. It is an internal, isolated (in the sense defined above for switch 102) sub-component, which can disconnect and reconnect different subsets of peripheral devices 104 from the device core. The disconnect operation may be effected by disconnecting (cutting) essential links between the device core and the subset of peripheral devices 104 (e.g. a data line, a power supply line, etc) or by shorting electrically essential links in the subset of peripheral devices 104 (e.g. a data line, sensor terminals, etc). Disconnector 200 may be implemented in a number of different ways: by electrical contacts switched mechanically, by electrical components, by electronic components or a combination of the above.

[0037] Exemplarily, the security switch is used as follows: when a threat to an authorized user's privacy or to the personal device security is detected by the user or when the user wishes to perform preventive measures: disconnector 200 is operated by the user to disconnect the relevant subset of peripheral devices 104 from the device core. When the user detects that the threat is over or that preventive measures are not required, he/she operates disconnector 200 to restore the connection of the disconnected subset of peripheral devices 104 to the device core. Alternatively, disconnector 200 is operated by the user to connect the relevant subset of peripheral devices 104 to the device core. When the user detects that the threat is over or that preventive measures are not required anymore, he/she operates disconnector 200 to disconnect (back) the connected subset of peripheral devices 104 from the device core.

[0038] Isolated disconnector 200 is different from the HP wireless button, in that the HP wireless button enables or disables all integrated wireless devices simultaneously, while disconnector 200 can disconnect a subset of such devices. The HP wireless button enables/disables all integrated wireless peripheral devices at once and disconnection of a subset of these devices is enabled only by the laptop software. The HP wireless button may not be isolated. In inventive contrast, disconnector 200 is capable of disconnecting any predefined subset of peripheral devices 104 (which includes not only wireless peripheral devices e.g. wired peripheral devices, sensor devices) and is isolated from the personal device in which it is integrated. Disconnector 200 is different from the portable electronic device in that this device connects/disconnects only a receiving signal (of RF communication), which still allows sending information from the device by an unauthorized user. In contrast, disconnector 200 can disconnect any predefined subset of peripheral devices (including the RF receiving signal, among others), not limited to communication devices, thereby providing a mode in which sending information from the device by unauthorized user is impossible.

[0039] Isolated disconnector 200 is different from the NetSafe switch (US Pat. Application No. 20040243825) in that the NetSafe switch is an external device which disconnects only wired communications, while disconnector 200 is internal and capable of disconnecting any predefined subset of peripheral devices 104 (which includes not only wired peripheral devices).

[0040] Isolated disconnector 200 is different from the circuit power reduction scheme (US Pat. Application No. 2006/0066370) in that the circuit power reduction uses micro-electro-mechanical switches and is not isolated (in fact, it is operated by the logic of the device), meaning that the circuit power reduction scheme using micro-electro-mechanical switches can be manipulated by the software of the device. In contrast, disconnector 200 is isolated and cannot be operated or manipulated by the logic of the personal device. The circuit power reduction in US Pat. Application No. 2006/0066370 can only disconnect the logic block elements, while disconnector 200 is capable of either disconnecting or shorting peripheral devices 104.

[0041] FIG. 3 shows another embodiment 54 of a personal device with a security switch of the present invention. Device 54 includes in addition to all the components of device 52 a switch mode indicator (e.g. a LED) 300. Indicator 300 provides visual indication of the state of disconnector 200, i.e. a visual indication of the disconnected subset of peripheral devices 104 or an indication that none of peripheral devices 104 are disconnected by disconnector 200. The switch mode indicator is "isolated" in the same sense as disconnector 200 and controlled only by disconnector 200 which contrasts with prior art in terms of structure. This prevents manipulation of indicator 300 by the software of the personal device or by other means, meaning that false indication or notification is impossible.

[0042] In use, under the same circumstance as described for device 52, the security switch is used as follows: Disconnector 200 is operated by the user to disconnect the relevant subset of peripheral devices 104 from the device core. The disconnector then enables indicator 300, which is used by the user to visually verify the desired mode of security switch. When the user detects that the threat is over or that preventive measures are not required, he/she operates disconnector 200 to restore the connection of the disconnected subset of peripheral devices 104 to the device core. Disconnector 200 then disables the indicator 300, which is used by the user to visually verify again the desired mode of security switch.
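The note in paragraph [0014] that mode 2 is not a substitute for mode 1 can be checked with a small model of disconnector 200, indicator 300 and a device core whose software is fully attacker-controlled. This is an added example, not part of the patent; the peripheral names, the `MODES` table, the class names and the attacker's behaviour are assumptions chosen for illustration.

```python
"""Toy model of disconnector 200 (added illustration, not from the patent).

Assumptions: peripheral names, the MODES table and the attacker behaviour.
"""

SENSORS = frozenset({"microphone", "camera", "speaker"})
COMMS = frozenset({"rf", "wifi", "bluetooth", "nfc", "lan"})

# Which links the user-operated switch cuts in each position.
MODES = {
    "normal": frozenset(),
    "mode1": SENSORS,             # no audio/video capture
    "mode2": COMMS,               # no transmission, no location tracking
    "combined": SENSORS | COMMS,
}


class Disconnector:
    """Switch state changes only through user_set(); the core gets no setter."""

    def __init__(self):
        self._cut = MODES["normal"]

    def user_set(self, mode):
        self._cut = MODES[mode]

    def reachable(self, peripheral):
        return peripheral not in self._cut

    @property
    def indicator(self):
        # Indicator 300 is derived from the contacts, not from software state.
        return bool(self._cut)


class CompromisedCore:
    """Device core whose software records and transmits whenever it can."""

    def __init__(self, switch):
        self.switch = switch
        self.stored = []        # captured but not yet sent
        self.exfiltrated = []   # has left the device

    def tick(self, ambient_audio):
        if self.switch.reachable("microphone"):
            self.stored.append(ambient_audio)
        if self.stored and any(self.switch.reachable(c) for c in COMMS):
            self.exfiltrated += self.stored
            self.stored = []


def run(timeline):
    """timeline: [(switch position, ambient audio)].

    Returns (what left the device, indicator state after each step).
    """
    switch = Disconnector()
    core = CompromisedCore(switch)
    trace = []
    for mode, audio in timeline:
        switch.user_set(mode)   # manual action by the authorized user
        core.tick(audio)
        trace.append(switch.indicator)
    return core.exfiltrated, trace


def meeting(mode):
    # Constructed scenario: a private meeting held with the switch in `mode`.
    return [("normal", "small talk"), (mode, "private meeting"), ("normal", "goodbye")]


if __name__ == "__main__":
    for mode in ("mode2", "mode1", "combined"):
        leaked, _ = run(meeting(mode))
        print(mode, "->", leaked)
```

In the mode 2 run the meeting is stored while the radios are cut and leaves the device as soon as the user returns to normal; in mode 1 and the combined mode it is never captured.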

6 11 EP 2 106 578 B1 12

[0043] Switch mode indicator 300 is different from an indicator in the HP wireless button, in that the HP wireless button indicator is not isolated from the laptop and controlled as well by the laptop software, while indicator 300 is isolated from the personal device in which it is integrated. The wireless button indicator may provide false notification/indication (e.g. due to software manipulation), while indicator 300 is controlled only by disconnector 200, which prevents false notification/indication.

[0044] FIG. 4 shows yet another embodiment 56 of a personal device with a security switch of the present invention. Device 56 includes in addition to all the components of device 50 an isolated user input logic 400 (or simply "logic") as a component of isolated switch 102 and at least one user input component 402 included in at least one of peripheral devices 104. A component 402 may be any known input component such as a keyboard or a touch screen.

[0045] Isolated user input logic 400 is a second key inventive sub element of the present invention, which contrasts with prior art in terms of both structure and purpose. Logic 400 is an internal isolated component (in the sense defined above for switch 102) used for reading inputs, which is hooked to at least one subset of user input components 402 in parallel with and separately from device core 100. The hook-up may be done exemplarily by using keys with a mutual mechanical part and independent electrical contacts. Logic 400 is isolated from other components of the personal device in the sense that the inputs read from user input components 402 cannot be affected either directly or indirectly by device core 100 or by peripheral devices 104. This isolation prevents manipulation of logic 400 by the software of the personal device.

[0046] Logic 400 may have different implementations depending on the user input component(s) 402 to which it is hooked.

[0047] In use, when a user wants to enter an input to the security switch (e.g. by pressing keys on the keyboard) the input is entered by operating a user input component 402 to enter the input for security switch and logic 400 reads the input from component 402 in an independent operation (i.e. independently from device core 100).

[0048] FIG. 5 shows yet another embodiment 58 of a personal device with a security switch of the present invention. Device 58 includes in addition to all the components of device 56 an isolated disconnector 200. In contrast to device 52, disconnector 200 in device 58 disconnects and reconnects only different subsets of user input components 402 from the device core, for preventing inputs from reaching device core 100. This prevents unauthorized input capture by the software of the personal device or by other means (e.g. a keyboard sniffer), meaning that the input is secured. In use, under the same circumstance as described for device 56, a user input component 402 is operated by the user to enter an initial input for the security switch. Logic 400 reads the initial input as an independent operation and operates disconnector 200 to disconnect the respective user input component from the device core (for enabling continued input in a secure environment, e.g. secure input of a user PIN code). The user input component is then operated by the user to continue entering inputs for the security switch as an independent operation (while the input cannot be captured by any entity except the security switch). At the end of the input operation, logic 400 operates disconnector 200 to restore the connection of the disconnected subset of user input components 402 to device core 100.

[0049] FIG. 6 shows an embodiment 60 of a personal device with an input solution for security switch of the present invention. Device 60 includes in addition to all the components of device 58 an input mode indicator (e.g. a LED) 500. Indicator 500 provides visual indication of the state of logic 400, i.e. a visual indication that logic 400 operates disconnector 200 to disconnect user input components 400 from device core 100, or an indication that none of user input components 400 are disconnected by logic 400 via disconnector 200. The switch mode indicator is "isolated" in the same sense as logic 400 and controlled only by logic 400 which contrasts with prior art in terms of structure. This prevents manipulation of indicator 500 by the software of the personal device or by other means, meaning that false indication or notification is impossible.

[0050] Under similar use circumstances as described for device 58, the security switch is used as follows: User input component 402 is operated by the user to enter an initial input for security switch. Logic 400 reads the initial input from user input component 402, operates disconnector 200 to disconnect input component 402 from device core 100 (for enabling continued input in a secure environment) and enables indicator 500. Indicator 500 is used by the user to visually verify a secure input environment. Input component 402 is operated by the user to continue entering inputs to the security switch. At the end of input operations, logic 400 operates disconnector 200 to restore the connection of input component 402 to device core 100 and disables indicator 500. Indicator 500 is then used by the user to visually verify the restoration of the input environment to the initial state.

[0051] FIG. 7 shows yet another embodiment 62 of a personal device with a security switch of the present invention. Device 62 combines device 52 and device 58, where peripheral devices 104 (described in device 50) include user input components 402 (described in device 56), communication components 602 and sensor components 600 (described in device 50 as sub-parts of peripheral devices 104). Device 62 provides functionalities of both device 52 and device 58.

[0052] FIG. 8 shows yet another embodiment 64 of a personal device with a security switch of the present invention. Device 64 combines device 54 and device 60 where peripheral devices 104 (described in device 50) include user input components 402 (described in device 56), communication components 602 and sensor components 600 (described in device 50 as sub-parts of peripheral devices 104). Device 64 provides functionalities of both device 54 and device 60.

[0053] FIG. 9 shows an example of an electro-mechanical implementation of an isolated switch 102, which includes disconnector 200 and switch mode indicator 300. FIG. 9 includes DC1 as device core 100, PH1 (USB Device) as communication component 602, D1 (Hub Master) as an electro-mechanical implementation of disconnector 200 and I1 as an electrical implementation of indicator 300. D1 is a multi-positional switch that has four states: normal, mode 1, mode 2 and mode 1 + 2. The "normal" mode of D1 includes open contacts 1, 2 and closed contacts 3, 4 (or normally opened contacts 3a, 4a). If D1 is in normal mode, DC1 is connected to PH1 and the circuits of L1 and L2 of I1 are open, meaning that the LEDs of mode 1 and mode 2 are off. When D1 is in "mode 1", contacts 3, 4 (or 3a, 4a) remain in same state as in normal mode (due to the fact that communication component 602 is not affected by mode 1), and contact 1 closes, connecting power from P1 through a resistor RS1 to L1, which turns on the LED of mode 1.

[0054] When D1 is in "mode 2" contacts 3, 4 open and disconnect the data line between DC1 and PH1 (or contacts 3a, 4a short data lines D+, D- to ground) and contact 2 closes, connecting power from P1 through a resistor RS2 to L2, which turns on the LED of mode 2. When D1 is in "mode 1 + 2", contacts 3, 4 open and disconnect the data line between DC1 and PH1 (or contacts 3a, 4a short data lines D+, D- to ground) and contacts 1, 2 close, connecting power from P1 through RS1, RS2 to L1, L2, which turns on the LEDs of modes 1 and 2.

[0055] Switch 102 is isolated because D1 operates mechanically and its control cannot be affected by DC1 or PH1. There is no bypass to data lines D+, D-, so when contacts 3, 4 open (3a, 4a close), communication between PH1 and DC1 is disconnected without possibility of bypass.

[0056] FIG. 10 shows an example of electrical implementation of isolated switch 102 which includes disconnector 200 (represented by D2), switch mode indicator 300 (represented by I1) and isolated user input logic 400 (represented by K1). D2 is implemented via a relay R. I1 is implemented via a switch mode LED (as shown in FIG. 9) and K1 is implemented by independent Keys 1, 2, 3.

[0057] When Key 1 and Key 2 are pressed simultaneously, relay R operates and opens contacts to the circuit(s) that have to be interrupted, closes contact R and stays energized while Key 3 is in normal position and turns on the LED. When key 3 is pressed, relay R is released and interrupted circuit(s) return to normal state.

[0058] Switch 102 is isolated because the relay R coil and K1 (which are the control elements of D2) are not electrically connected to any other components and are not adjacent to any other components or are shielded from other components, so they cannot be operated directly or indirectly (cross-talk) by other components. There is no bypass to circuits interrupted by relay R.

[0059] FIG. 11 shows another example of an electrical implementation of isolated switch 102 which includes disconnector 200 (represented by D3), switch mode indicator 300 (represented by I1) and isolated user input logic 400 (represented by K2). D3 is implemented via a latch relay LR3. I1 is implemented via a LED. K2 is implemented by independent Keys 1, 2, 3, 4 and latch relays LR1 and LR2.

[0060] When Keys 1, 2, 3 are pressed in this exact order, latch relay LR3 operates and opens contacts to the circuit(s) that have to be interrupted and turns on the LED. Latch relays LR1, LR2 and LR3 stay in latched mode until key 4 is pressed. When key 4 is pressed, the interrupted circuit(s) returns to normal state.

[0061] Switch 102 is isolated because the relay LR3 coil and K2 (which are the control elements of D3) are not electrically connected to any other components and are not adjacent to any other components or are shielded from other components, so they cannot be operated directly or indirectly (cross-talk) by other components. There is no bypass to circuits that are interrupted by latch relay LR3.

[0062] FIG. 12 shows an example of electrical/electronic implementation of isolated switch 102, which includes disconnector 200 (represented by D2), switch mode indicator 300 (represented by I1), isolated user input logic 400 (represented by K3) and input mode indicator 500 (represented by I2). D2 is implemented via relays R1 and R2, I1 is implemented via LED L1, and I2 is implemented via LED L2 (same as L1) and K3 is implemented as independent hooks to existing Keys 0, 1, 2, 3, 4, 5 (while Key 5 has two contacts), Flip-flops FL1, FL2, FL3, FL4, FL5, FL6 and One-Shots ON1, ON2, ON3, ON4 and ON5.

[0063] When key 0 is pressed, FL1 changes state and operates R1, which disconnects the required subset of peripheral devices 104 and turns on L1, meaning the security switch enters a "secure mode". For exiting the secure mode, the user presses Key 1, which activates ON1 to send a signal to FL3. FL3 changes state and enables operation of FL4. The user then presses Key 2, which activates ON2 to send a signal to FL4. FL4 changes state, enables operation of FL5 and activates FL2. FL2 changes state and operates R2. R2 disconnects the main keyboard from device core 100 and turns on L2 (now the security switch has a secure input). The user then presses Keys 3 and 4 in that exact order, which causes FL5, then FL6 and then FL1 to change state and to release R1. R1 reconnects the previously disconnected subset of peripheral devices 104, turns off L1 and connects the ground to Key 5 (second contact). Key 5 is used to reset the flip-flop sequence FL3, FL4, FL5, FL6 for reentering the key sequence, and causes FL2 to change state and release R2. R2 then reconnects the main keyboard and turns off L2, meaning the security switch returns to normal mode.

[0064] Switch 102 is isolated because the relay R1 coil, relay R2 coil and K3 (which are the control elements of D2) are not connected electrically to any other components and are not adjacent to any other components, or are shielded from other components (keys 0, 1, 2, 3, 4 are connected to main keyboard only mechanically), so they cannot be operated directly or indirectly (cross-talk) by other components. There is no bypass to circuits that are interrupted by relay R1 and R2.

[0065] FIG. 13 shows an example of an electro-mechanical implementation of isolated switch 102 which includes disconnector 200 (represented by D1) in a mobile terminal (e.g. mobile phone). The mobile phone includes a device core 100 (represented by DC2) with a CPU, a Memory, a SIM Card, a Graphic LCD, a Camera IC, an Audio Interface, and a Power management module; PH2, PH3 representing communication components 602; a transceiver PH2 and a GPS receiver PH3; PH4 and PH5 representing sensor components 600; and PH6 as user input component 402. PH4 consists of a microphone and a speaker, PH5 consists of a camera and PH6 consists of keyboard. All components and subcomponents are interconnected as shown.

[0066] In mode 1, D1 disconnects PH4 and PH5. In mode 2, D1 disconnects PH2 (for disconnecting PH2, D1 can disconnect the power module or the CPU from PH2). In mode 1 + 2, D1 disconnects PH4, PH5 and PH2. However, PH3 and PH6 are not affected by the modes of the security switch.

[0067] FIG. 14 shows an example of an electro-mechanical implementation of isolated switch 102, which includes disconnector 200 (represented by D1) and switch mode indicator 300 (represented by I1) in an IP-Phone. The IP phone includes a device core 100 (represented by DC3) with a VoIP processor, a Memory, an Audio/Voice Codec, a Power Module, a LCD controller, a LCD, a Camera Decoder, PH7, PH8 representing sensor components 600, PH9 representing communication component 602 and PH10 representing user input component 402. PH7 consists of a microphone and a speaker, PH8 consists of a camera, PH9 is an Ethernet transceiver, and PH10 consists of keyboard. All components and subcomponents are interconnected as shown.

[0068] The security switch has only one mode (mode 1), due to the fact that mode 2 and mode 1 + 2 are not required in this implementation. In mode 1, D1 disconnects PH8 and PH7 and activates I1. As shown (FIG. 14), a pull-up resistor can be used to protect the open circuit between PH8 and DC2 while in mode 1.

[0069] Examples of predefined subsets of sensor components 600 that can be disconnected by disconnector 200 in mode 1 include:

1. Microphone, speaker and camera, e.g. in a mobile phone.
2. Microphone and camera (in case that the speaker is proved to be unable to capture voice, it is possible to leave it connected and to gain more functionally) e.g. in mobile phone.

[0070] Examples of predefined subsets of communication components 602 that can be disconnected by disconnector 200 in mode 2 include:

1. RF communication, e.g. in mobile phone.
2. Bluetooth, infra-red and\or NFC (Near Field Communication) e.g. in a mobile phone where NFC might be used for PayPass (Electronic Payment) and Bluetooth\Infra-Red might be used for data transfer.
3. WiFi, Wimax, e.g. in a laptop computer.

[0071] Examples of user input logic 400 hooks:

1. Hook to the "end call" button and "start call" button e.g. in a mobile phone.
2. Hook to the integrated cover, meaning that operation will be initiated by closing\shifting the cover e.g. in a mobile phone or laptop computer.
3. Hook to the keyboard, meaning that operation will be initiated by the user pressing a combination or sequence of keys, e.g. in a mobile phone.
4. Hook to the "mute mode" button, e.g. in an IP-Phone.
5. Hook to the handset placement, meaning that operation will be initiated by the user plug in/out the handset e.g. in an IP-Phone.
6. Hook to the stylus holder, meaning that operation will be initiated by the user placing the stylus back in the stylus holder and/or removing the stylus from the stylus holder e.g. in a Pocket PC\PDA.

[0072] Citation or identification of any reference in this application shall not be construed as an admission that the reference is available as prior art to the present invention.

[0073] While the invention has been described with respect to a limited number of embodiments, it will be appreciated that many variations, modifications and other applications of the invention may be made. Those skilled in the art will appreciate that the invention can be embodied by other forms and ways, without losing the scope of the invention. The embodiments described herein should be considered as illustrative and not restrictive.

Claims

1. A personal device (50, 52, 54, 56, 58, 60, 62, 64) comprising:
   a device core (100);
   at least one peripheral device (104); and
   a plurality of switches (102) for securing the personal device (50, 52, 54, 56, 58, 60, 62, 64) from unauthorized access or operation,
   wherein different combinations of the plurality of switches (102) disconnects and reconnects different subsets of the at least one peripheral device (104) from the device core (100), wherein every such switch (102):
      is internal to the personal device (50, 52, 54, 56, 58, 60, 62, 64),
      is operationally connected to the device core (100) and to the at least one peripheral device (104),
      has operating functions that cannot be affected by either the personal device core (100) or the at least one peripheral device (104), and
      is operated only by direct manipulation of a manual interface of the switch.

2. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 1, wherein the personal device comprises a plurality of said peripheral devices (104) and wherein at least one of the plurality of switches (102) includes a disconnector (200), for selectively connecting and disconnecting the device core (100) from only a portion of said peripheral devices (104).

3. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 1, wherein each switch (102) includes components selected from the group consisting of electro-mechanical components, electrical components, electronic components and a combination thereof.

4. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 1, wherein at least one of the plurality of the switches (102) includes a switch mode indicator (300) for providing a visual indication of a state of the switch (102).

5. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 1, wherein the at least one peripheral device (104) includes a user input component (402) and wherein at least one of the plurality of switches (102) includes a user input logic (400) for reading user inputs.

6. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 5, wherein said one switch (102) further includes an input mode indicator (500) for providing a visual indication of an input logic state.

7. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is selected from the group of devices consisting of mobile phones, IP-phones, pocket PCs and PDAs.

8. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is selected from the group of devices consisting of laptop computers and desktop computers.

9. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is a network switch.

10. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 1, wherein the manual interface of each switch (102) reversibly alternates each switch (102) between a first state in which each switch (102) places the device core (100) in a first operational mode relative to a respective at least one of the at least one peripheral device (104) and a second state in which each switch (102) places the device core (100) in a second operational mode relative to the respective at least one peripheral device (104); and wherein the manual interface of each switch (102) is accessible for the direct manipulation both when each switch (102) is in the first state and when each switch (102) is in the second state.

11. The personal device (50, 52, 54, 56, 58, 60, 62, 64) of claim 10, wherein the first operational mode is operational connection of the device core (100) to the respective at least one of the at least one peripheral device (104) and the second operational mode is operational isolation of the device core (100) from the respective at least one of the at least one peripheral device (104).

12. A method for securing a personal device (50, 52, 54, 56, 58, 60, 62, 64) that includes a device core (100) and at least one peripheral device (104) from unauthorized access or operation, comprising the steps of:
   a. providing a plurality of switches (102) for securing the personal device (50, 52, 54, 56, 58, 60, 62, 64) from unauthorized access or operation, wherein a combination of plurality of switches (102) disconnects and reconnects different subsets of the at least one peripheral device (104) from the device core (100), every such switch (102):
      being internal to the personal device (50, 52, 54, 56, 58, 60, 62, 64),
      being operationally connected to the device core (100) and to the at least one peripheral device (104), and
      having operating functions that cannot be affected by either the personal device core (100) or the at least one peripheral device (104); and
   b. directly manipulating a manual interface of one of the at least one switch (102) to protect
   the personal device (50, 52, 54, 56, 58, 60, 62, 64) from unauthorized use or access.

13. The method of claim 12, further comprising the step of:
   c. providing, in at least one of the plurality of switches (102), a switch mode indicator (300) for providing a visual indication of a state of the switch (102).

14. The method of claim 12, wherein the step of manipulating includes directly manipulating said interface of the one switch (102) to disconnect the device core (100) from the at least one peripheral device (104) in response to a threat detection or preemptively.

15. The method of claim 12, further comprising the step of:
   c. providing, at least one of the plurality of switches (102), a user input logic (400) for reading user inputs into the one switch (102).

16. The method of claim 11, wherein the manual interface of each switch (102) reversibly alternates each switch (102) between a first state in which each switch (102) places the device core (100) in a first operational mode relative to a respective at least one of the at least one peripheral device (104) and a second state in which each switch (102) places the device core (100) in a second operational mode relative to the respective at least one peripheral device (104); and wherein the manual interface of each switch (102) is accessible for the direct manipulation both when each switch (102) is in the first state and when each switch (102) is in the second state.

17. The method of claim 16, wherein the first operational mode is operational connection of the device core (100) to the respective at least one of the at least one peripheral device (104) and the second operational mode is operational isolation of the device core (100) from the respective at least one of the at least one peripheral device (104).

Patent claims (German-language version)

1. A personal device (50, 52, 54, 56, 58, 60, 62, 64) comprising:
   a device core (100);
   at least one peripheral device (104); and
   a plurality of switches (102) for securing the personal device (50, 52, 54, 56, 58, 60, 62, 64) against unauthorized access or unauthorized operation,
   wherein different combinations of the plurality of switches (102) disconnect different subsets of the at least one peripheral device (104) from the device core (100) and reconnect them to it, wherein each switch (102):
      is arranged in the personal device (50, 52, 54, 56, 58, 60, 62, 64),
      is operationally connected to the device core (100) and to the at least one peripheral device (104),
      has operating functions that can be affected neither by the personal device core (100) nor by the at least one peripheral device (104), and
      is operated only by direct manipulation of a manual interface of the switch.

2. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the personal device comprises a plurality of the peripheral devices (104) and wherein at least one of the plurality (102) comprises a disconnector (200) for selectively connecting and disconnecting the device core (100) from only a portion of the peripheral devices (104).

3. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein each switch (102) comprises components selected from the group comprising electro-mechanical components, electrical components, electronic components and a combination thereof.

4. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein at least one of the plurality of switches (102) comprises a switch mode indicator (300) for providing a visual indication of a state of the switch (102).

5. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the at least one peripheral device (104) comprises a user input component (402) and wherein at least one of the plurality of switches (102) comprises a user input logic (400) for reading user inputs.

6. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 5, wherein the one switch (102) further comprises an input mode indicator (500) for providing a visual indication of an input logic state.

7. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is selected from the group of devices comprising mobile phones, IP phones, pocket PCs and PDAs.

8. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is selected from the group of devices comprising laptop computers and desktop computers.

9. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is a network switch.

10. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the manual interface of each switch (102) reversibly alternates each switch (102) between a first state, in which each switch (102) places the device core (100) in a first operational mode relative to a respective at least one of the at least one peripheral device (104), and a second operational mode, in which each switch (102) places the device core (100) in a second operational mode relative to the respective at least one peripheral device (104); and wherein the manual interface of each switch (102) is accessible for direct manipulation when each switch (102) is in the first state and when each switch (102) is in the second state.

11. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 10, wherein the first operational mode is the operational connection of the device core (100) to a respective at least one of the at least one peripheral device (104) and the second operational mode is the operational isolation of the device core (100) from the respective at least one of the at least one peripheral device (104).

12. A method for securing a personal device (50, 52, 54, 56, 58, 60, 62, 64), which comprises a device core (100) and at least one peripheral device (104), against unauthorized access or unauthorized operation, comprising the steps of:
   a. providing a plurality of switches (102) for securing the personal device (50, 52, 54, 56, 58, 60, 62, 64) against unauthorized access or unauthorized operation, wherein a combination of a plurality of switches (102) disconnects different subsets of the at least one peripheral device (104) from the device core (100) and reconnects them to it, wherein each switch (102):
      is arranged in the personal device (50, 52, 54, 56, 58, 60, 62, 64),
      is operationally connected to the device core (100) and to the at least one peripheral device (104), and
      has operating functions that can be affected neither by the personal device core (100) nor by the at least one peripheral device (104); and
   b. directly manipulating a manual interface of one of the at least one switch (102) to protect the personal device (50, 52, 54, 56, 58, 60, 62, 64) against unauthorized use or unauthorized access.

13. The method according to claim 12, further comprising the step of:
   c. providing a switch mode indicator (300) in at least one of the plurality of switches (102) for providing a visual indication of a state of the switch (102).

14. The method according to claim 12, wherein the step of manipulating comprises directly manipulating the interface of the one switch (102) to disconnect the device core (100) from the at least one peripheral device (104) in response to a threat detection or preemptively.

15. The method according to claim 12, further comprising the step of:
   c. providing a user input logic (400) in at least one of the plurality of switches (102) for reading user inputs into the one switch (102).

16. The method according to claim 11, wherein the manual interface of each switch (102) reversibly alternates each switch (102) between a first state, in which each switch (102) places the device core (100) in a first operational mode relative to a respective at least one of the at least one peripheral device (104), and a second operational mode, in which each switch (102) places the device core (100) in a second operational mode relative to the respective at least one peripheral device (104); and wherein the manual interface of each switch (102) is accessible for direct manipulation when each switch (102) is in the first state and when each switch (102) is in the second state.

17. The method according to claim 16, wherein the first operational mode is the operational connection of the device core (100) to a respective at least one of the at least one peripheral device (104) and the second operational mode is the operational isolation of the device core (100) from the respective at least one of the at least one peripheral device (104).

Claims (French-language version)

1. A personal device (50, 52, 54, 56, 58, 60, 62, 64) comprising:
   a device core (100);
   at least one peripheral device (104); and
   a plurality of switches (102) for securing the personal device (50, 52, 54, 56, 58, 60, 62, 64) against unauthorized access or operation,
   wherein different combinations of the plurality of switches (102) disconnect and reconnect different subsets of the at least one peripheral device (104) from the device core (100),
   wherein every such switch (102):
      is internal to the personal device (50, 52, 54, 56, 58, 60, 62, 64),
      is operationally connected to the device core (100) and to the at least one peripheral device (104),
      has operating functions that cannot be affected by either the personal device core (100) or the at least one peripheral device (104), and
      is controlled only by direct manipulation of a manual interface of the switch.

2. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the personal device comprises a plurality of said peripheral devices (104) and wherein at least one of the plurality of switches (102) comprises a disconnector (200), for selectively connecting and disconnecting the device core (100) from only a portion of said peripheral devices (104).

3. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein each switch (102) comprises components selected from the group consisting of electro-mechanical components, electrical components, electronic components and a combination thereof.

4. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein at least one of the plurality of the switches (102) comprises a switch mode indicator (300) for providing a visual indication of a state of the switch (102).

5. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the at least one peripheral device (104) comprises a user input component (402) and wherein at least one of the plurality of switches (102) comprises a user input logic (400) for reading user inputs.

6. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 5, wherein said switch (102) further comprises an input mode indicator (500) for providing a visual indication of an input logic state.

7. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is selected from the group of devices consisting of mobile phones, Internet protocol (IP) phones, pocket personal computers (PCs) and personal digital assistants (PDAs).

8. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is selected from the group of devices consisting of laptop computers and desktop computers.

9. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the personal device (50, 52, 54, 56, 58, 60, 62, 64) is a network switch.

10. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 1, wherein the manual interface of each switch (102) reversibly alternates each switch (102) between a first state in which each switch (102) places the device core (100) in a first operational mode relative to a respective at least one of the at least one peripheral device (104) and a second state in which each switch (102) places the device core (100) in a second operational mode relative to the respective at least one peripheral device (104); and
wherein the manual interface of each switch (102) is accessible for the direct manipulation both when each switch (102) is in the first state and when each switch (102) is in the second state.

11. The personal device (50, 52, 54, 56, 58, 60, 62, 64) according to claim 10, wherein the first operational mode is an operational connection of the device core (100) to the respective at least one of

13 25 EP 2 106 578 B1 26

l’au moins un dispositif périphérique (104) et le se- lisateur (400) pour lire des entrées d’utilisateur cond mode fonctionnel est une isolation fonctionnel- dans le commutateur (102). le du coeur de dispositif (100) de l’au moins un res- pectif de l’au moins un dispositif périphérique (104). 16. Procédé selon la revendication 11, dans lequel l’in- 5 terface manuelle de chaque commutateur (102) al- 12. Procédé pour sécuriser un dispositif personnel (50, terne de manière réversible chaque commutateur 52, 54, 56, 58, 60, 62, 64) qui comprend un coeur (102) entre un premier état dans lequel chaque com- de dispositif (100) et au moins un dispositif périphé- mutateur (102) place le coeur de dispositif (100) rique (104) contre un accès ou une opération non dans un premier mode fonctionnel par rapport à au autorisé(e), comprenant les étapes consistant à : 10 moins un respectif de l’au moins un dispositif péri- phérique (104) et un second état dans lequel chaque a. fournir une pluralité de commutateurs (102) commutateur (102) place le coeur de dispositif (100) pour sécuriser le dispositif personnel (50, 52, dans un second mode fonctionnel par rapport à l’au 54, 56, 58, 60, 62, 64) contre un accès ou une moins un dispositif périphérique respectif (104) ; et opération non autorisé(e), 15 dans lequel l’interface manuelle de chaque commu- une combinaison de pluralité de commutateurs tateur (102) est accessible pour la manipulation di- (102) déconnectant et reconnectant différents recte à la fois lorsque chaque commutateur (102) sous-ensembles de l’au moins un dispositif pé- est dans le premier état et lorsque chaque commu- riphérique (104) à partir du coeur de dispositif tateur (102) est dans le second état. (100), 20 chaque tel commutateur (102) : 17. 
Procédé selon la revendication 16, dans lequel le premier mode fonctionnel est une connexion fonc- étant interne au dispositif personnel (50, 52, tionnelle du coeur de dispositif (100) à l’au moins un 54, 56, 58, 60, 62, 64), respectif de l’au moins un dispositif périphérique étant connecté de manière fonctionnelle au 25 (104) et le second mode fonctionnel est une isolation coeur de dispositif (100) et à l’au moins un fonctionnelle du coeur de dispositif (100) de l’au dispositif périphérique (104), et moins un respectif de l’au moins un dispositif péri- ayant des fonctions fonctionnelles qui ne phérique (104). peuvent pas être affectées par soit le coeur de dispositif personnel (100) soit l’au moins 30 un dispositif périphérique (104) ; et

b. manipuler directement une interface manuel- le d’un de l’au moins un commutateur (102) pour protéger le dispositif personnel (50, 52, 54, 56, 35 58, 60, 62, 64) contre une utilisation ou un accès non autorisé(e).

13. Procédé selon la revendication 12, comprenant en outre l’étape consistant à : 40

c. fournir, dans au moins l’un de la pluralité de commutateurs (102), un indicateur de mode de commutateur (300) pour fournir une indication visuelle d’un état du commutateur (102). 45

14. Procédé selon la revendication 12, dans lequel l’éta- pe de manipulation comprend la manipulation direc- te de ladite interface du commutateur (102) pour dé- connecter le coeur de dispositif (100) de l’au moins 50 un dispositif périphérique (104) en réponse à une détection de menace ou de manière préventive.

15. Procédé selon la revendication 12, comprenant en outre l’étape consistant à : 55

c. fournir, dans au moins l’un de la pluralité de commutateurs (102), une logique d’entrée d’uti-


REFERENCES CITED IN THE DESCRIPTION

This list of references cited by the applicant is for the reader’s convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description

• US 5402465 A [0007]
• US 20050271190 A [0007]
• US 20030062252 A [0007]
• US 20050009496 A [0007]
• US 6233464 B [0007]
• US 7031758 B [0007]
• US 20040243825 A [0007] [0035] [0039]
• US 20040203536 A1 [0007] [0035]
• US 5555156 A, Decante [0028]
• EP 1698990 A, Staude [0028]
• WO 2008140292 A, Lee [0028]
• US 20030051162 A, Kirchmann [0028]
• US 3703987 A, Ikeda [0028]
• US 20060066370 A [0035] [0040]