Mobile terminal, access control method, and access control program
The mobile terminal system manages access permissions based on proximity to prevent unauthorized server access from stolen devices, addressing the risk of simultaneous theft and ensuring controlled access.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- NEC PLATFROMS LTD
- Filing Date
- 2024-01-10
- Publication Date
- 2026-06-23
AI Technical Summary
Existing technologies for preventing access to servers from lost or stolen mobile devices require the loss prevention device and smartphone to be carried together, increasing the risk of both being stolen.
A mobile terminal system that includes an application receiving unit, license granting unit, and access permission instruction unit to manage access permissions based on proximity, granting licenses only when the distance from the responsible terminal is within a predetermined threshold, and denying access when exceeded.
Prevents unauthorized access to servers from mobile devices by ensuring proximity, reducing the risk of simultaneous theft of both the loss prevention device and smartphone, while allowing legitimate access within a controlled range.
Smart Images

Figure 0007878748000001 
Figure 0007878748000002 
Figure 0007878748000003
Abstract
Description
Technical Field
[0001] The present invention relates to a mobile terminal, an access control method, and an access control program.
Background Art
[0002] There are cases where data is downloaded by accessing a server from a mobile terminal such as a smartphone. Here, there is a technology for preventing access to the server from a lost or stolen mobile terminal (for example, Patent Document 1).
Prior Art Documents
Patent Documents
[0003]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] The following analysis is made from the perspective of the present invention. Each disclosure of the above prior art documents is incorporated herein by reference.
[0005] In Patent Document 1, a smartphone whose distance from a loss prevention device exceeds a predetermined value transitions to a locked state. Therefore, according to the technology of Patent Document 1, it is possible to prevent access to the server from a lost or stolen smartphone.
[0006] However, in Patent Document 1, there is an inconvenience that the loss prevention device and the smartphone must always be carried as a set. In addition, since it is necessary to always carry them as a set, there is also a risk that both the loss prevention device and the smartphone will be stolen at once.
[0007] Therefore, the present invention aims to provide a technology that contributes to appropriately preventing access to servers from mobile devices. [Means for solving the problem]
[0008] According to the first aspect of the present invention, An application receiving unit that receives requests for permission to access a specified device from other mobile devices, A license granting unit that, when the distance from its own device to another mobile terminal is below a predetermined threshold, grants a license to access a predetermined device to the other mobile terminal as a response to the application, An access permission instruction unit that instructs the aforementioned predetermined device to allow access from other licensed mobile terminals, A mobile device including the above will be provided.
[0009] According to a second aspect of the present invention, A request receiving step to receive a request for access permission to a specified device from another mobile device, A license granting step in which, if the distance from the device to the other mobile terminal is below a predetermined threshold, a license for access to the specified device is granted to the other mobile terminal as a response to the application, An access permission instruction step instructs the aforementioned predetermined device to allow access from other licensed mobile terminals, A method for controlling access via mobile devices is provided, including the following.
[0010] According to a third aspect of the present invention, Application reception process for receiving requests for access permission to a specified device from other mobile devices, A license granting process that, when the distance from the device to another mobile terminal is below a predetermined threshold, grants a license to access the specified device to the other mobile terminal as a response to the application, An access permission instruction process that instructs the aforementioned predetermined device to allow access from other mobile terminals to which a license has been granted, An access control program is provided that allows this to be executed on a computer acting as a mobile device. [Effects of the Invention]
[0011] According to each aspect of the present invention, a mobile terminal, an access control method, and an access control program are provided that contribute to appropriately preventing access to a server from a mobile terminal. [Brief explanation of the drawing]
[0012] [Figure 1] This is a diagram to explain the general overview. [Figure 2] This diagram shows an example of a mobile device (person in charge's device). [Figure 3] This flowchart shows an example of the processing flow using a mobile device (the device of the person in charge). [Figure 4] This is a diagram to explain the form of change. [Figure 5] This is a diagram to explain the form of change. [Figure 6] This is a diagram to explain the form of change. [Figure 7] This diagram shows an example of a computer used as a mobile terminal (responsible person's terminal). [Modes for carrying out the invention]
[0013] Preferred embodiments of the present invention will be described in detail with reference to the drawings. Note that the reference numerals attached to the following description are for convenience of each element as an example to assist understanding, and are not intended to limit the present invention to the illustrated aspects. Also, the connection lines between blocks in each figure include both bidirectional and unidirectional ones. The one-way arrow schematically shows the flow of the main signal (data) and does not exclude bidirectionality. Further, in the circuit diagrams, block diagrams, internal configuration diagrams, connection diagrams, etc. shown in the present application disclosure, although not explicitly shown, input ports and output ports exist at the input ends and output ends of each connection line respectively. The same applies to the input / output interface.
[0014] First, an overview of the present invention will be described. As shown in FIG. 1, the mobile terminal 100 includes an application receiving unit 110, a license granting unit 120, and an access permission instructing unit 130. The application receiving unit 110 receives an application for access permission to a predetermined device 300 from another mobile terminal 200. The license granting unit 120 grants a license for access to the predetermined device 300 to another mobile terminal 200 as a response to the application when the distance from the own device (mobile terminal 100) to another mobile terminal 200 is equal to or less than a predetermined threshold value. The access permission instructing unit 130 instructs the predetermined device 300 to permit access from another mobile terminal 200 to which the license has been granted.
[0015] A more specific example will be described. Here, let the predetermined device 300 be the server 300. Assume that the owner of the mobile terminal 100 is the person in charge of the server 300. Therefore, hereinafter, the mobile terminal 100 will be referred to as the "responsible person terminal 100". Also, assume that another mobile terminal 200 is a terminal personally owned by a subordinate of the responsible person. Therefore, hereinafter, another mobile terminal 200 will be referred to as the "subordinate terminal 200".
[0016] According to the present invention, access from the subordinate terminal 200 to the server 300 is permitted only when the distance from the responsible person's terminal 100 is less than or equal to a predetermined threshold value (for example, the distance that can communicate by short-range wireless communication). Therefore, even if the subordinate terminal 200 is stolen, the thief has to access the server 300 from the subordinate terminal 200 within the range where the responsible person can see, which is practically impossible.
[0017] On the other hand, even when the distance from the responsible person's terminal 100 exceeds the predetermined threshold value, the functions of the subordinate terminal 200 are effective except for access to the server 300. That is, even if the subordinate terminal 200 is a terminal personally owned by a subordinate, there is no impact on private use.
[0018] Also, since the owner of the responsible person's terminal 100 and the owner of the subordinate terminal 200 are different persons, it can be said that the possibility that both the responsible person's terminal 100 and the subordinate terminal 200 are stolen at the same time is low.
[0019] As described above, according to the present invention, it is possible to appropriately prevent access to the server from another mobile terminal (subordinate terminal 200).
[0020] [Embodiment 1] The above general outline will be described more specifically as Embodiment 1. Hereinafter, the mobile terminal 100 is also referred to as the responsible person's terminal 100, the other mobile terminal 200 is referred to as the subordinate terminal 200, and the predetermined device 300 is referred to as the server 300.
[0021] As shown in FIG. 2, the responsible person's terminal 100 further includes an access rejection instruction unit 140 in addition to an application reception unit 110, a license granting unit 120, and an access permission instruction unit 130.
[0022] The application receiving unit 110 receives an application from a subordinate terminal 200 for permission to access the server 300. The license granting unit 120 grants the subordinate terminal 200 a license to access the server 300 as a response to the application, if the distance from its own device (responsible terminal 100) to the subordinate terminal 200 is below a predetermined threshold.
[0023] Here, the threshold for the distance from the supervisor terminal 100 to the subordinate terminal 200 can be defined by, for example, a short-range wireless communication standard such as Bluetooth®. A specific numerical example of the threshold is 10m for Bluetooth Class 2. If communication using Bluetooth is possible between the supervisor terminal 100 and the subordinate terminal 200, the licensing unit 120 determines that the distance from the supervisor terminal 100 to the subordinate terminal 200 is below a predetermined threshold.
[0024] Alternatively, the application receiving unit 110 may be configured to receive requests for permission to access the server 300 from subordinate terminals 200 via Bluetooth. In other words, when the responsible terminal 100 receives a request for permission to access the server 300 from subordinate terminals 200 via Bluetooth, it can be said that the distance between the responsible terminal 100 and subordinate terminals 200 is below a predetermined threshold. Therefore, the distance determination by the license granting unit 120 can be made unnecessary.
[0025] Furthermore, various technologies can be applied to measure the distance from the supervisor terminal 100 to the subordinate terminal 200, not limited to short-range wireless communication. For example, the GPS (Global Positioning System) installed in both the supervisor terminal 100 and the subordinate terminal 200 may be used.
[0026] The access permission instruction unit 130 instructs the server 300 to allow access from the subordinate terminal 200 to which a license has been granted. For example, the application receiving unit 110 obtains the MAC address of the subordinate terminal 200 as an application from the subordinate terminal 200. The access permission instruction unit 130 notifies the server 300 of the obtained MAC address and configures the server 300 to allow access from the terminal with the notified MAC address (i.e., the subordinate terminal 200).
[0027] The access denial instruction unit 140 instructs the server 300 to deny access from the licensed subordinate terminal 200 if the distance from its own device (responsible terminal 100) to the subordinate terminal 200 exceeds a predetermined threshold. For example, if the Bluetooth communication between the responsible terminal 100 and the subordinate terminal 200 is interrupted, the access denial instruction unit 140 determines that the distance from the responsible terminal 100 to the subordinate terminal 200 has exceeded a predetermined threshold. The access denial instruction unit 140 may also periodically measure the distance between the responsible terminal 100 and the subordinate terminal 200.
[0028] Furthermore, the function of the access denial instruction unit 140 can also be achieved by granting the subordinate terminal 200 a license with an expiration date. In other words, if the license granted to the subordinate terminal 200 is permanently valid, once permission is granted, access from the subordinate terminal 200 to the server 300 is possible even if it is not within the supervision of the person in charge. Therefore, the access denial instruction unit 140 instructs the server 300 to deny access. On the other hand, if the license has an expiration date, access from the subordinate terminal 200 to the server 300 becomes impossible once the license expires, so there is no need to issue an access denial instruction to the server 300.
[0029] For example, a license with a time password could be used as a license with an expiration date. The license granting unit 120 periodically grants a license with a time password to the subordinate terminal 200 if the distance between the responsible terminal 100 and the subordinate terminal 200 is below a predetermined threshold. The access permission instruction unit 130 notifies the server 300 of the time password. The server 300 determines whether to allow or deny access by verifying the time password when the subordinate terminal 200 attempts to access the server.
[0030] The following describes the processing flow by the responsible terminal 100. As shown in Figure 3, the responsible terminal 100 receives an access permission request from the subordinate terminal 200 to the server 300 (Step S01, Yes). Here, if the distance from its own device to the subordinate terminal 200 is below a predetermined threshold, the responsible terminal 100 grants the subordinate terminal 200 a license to access the server 300 (Step S02). Then, the responsible terminal 100 instructs the server 300 to allow access from the licensed subordinate terminal 200 (Step S03).
[0031] Subsequently, if the distance from its own device to the subordinate terminal 200 exceeds a predetermined threshold (step S04, Yes), the responsible terminal 100 instructs the server 300 to deny access from the subordinate terminal 200 (step S05).
[0032] As described above, according to the present invention, it becomes possible to appropriately prevent access to the server 300 from subordinate terminals 200.
[0033] [Variant form] The above model can be expanded into various modified forms. As an example, as shown in Figure 4, a predetermined device 300 is assumed to be a mobile router 300, and the owner of the mobile terminal 100 is assumed to be the owner of the mobile router 300. Furthermore, the owner of the other mobile terminal 200 is assumed to be a friend of the owner. In this modified model, it becomes possible to allow network connections by the friend via the mobile router 300 only within the owner's reach.
[0034] Furthermore, the processing performed by the responsible terminal 100 (mobile terminal 100) may also be performed by the server 300. For example, as shown in Figure 5, the server 300 receives requests for access permission to its own device (server 300) from other mobile terminals (subordinate terminals 200) (corresponding to the request receiving unit 110). Here, the server 300 queries the responsible terminal 100 to see if the distance to the subordinate terminal 200 is below a predetermined threshold. If the query confirms that the distance is below the predetermined threshold, the server 300 grants the subordinate terminal 200 a license to access its own device (server 300) (corresponding to the license granting unit 120 and the access permission instruction unit 130). Subsequently, if the responsible terminal 100 reports that the distance to the subordinate terminal 200 has exceeded the predetermined threshold, the server 300 denies access from the subordinate terminal 200 (corresponding to the access denial instruction unit 140).
[0035] [Embodiment 2] In Embodiment 1, if the distance from the responsible terminal 100 to the subordinate terminal 200 exceeds a predetermined threshold, the server 300 denies access from the subordinate terminal 200. Therefore, in order to allow access from the subordinate terminal 200 to the server 300 again, it is necessary to reapply for permission to access the responsible terminal 100, which is time-consuming. Herein, it is conceivable to simplify the process of re-granting access from the subordinate terminal 200 to the server 300.
[0036] For example, as shown in Figure 6, the responsible terminal 100 may further include a denial release instruction unit 150. After instructing the server 300 to deny access, the denial release instruction unit 150 instructs the server 300 to release the access denial if the distance from its own device (responsible terminal 100) to the subordinate terminal 200 falls below a predetermined threshold again.
[0037] More specifically, even though server 300 is denying access from subordinate terminal 200, it may still receive access from subordinate terminal 200. In this case, server 300 queries the responsible terminal 100 for the distance from responsible terminal 100 to subordinate terminal 200. Upon receiving the query, responsible terminal 100 instructs server 300 to lift the access denial if the distance from responsible terminal 100 to subordinate terminal 200 is below a predetermined threshold.
[0038] Alternatively, the responsible terminal 100 may actively measure the distance to the subordinate terminal 200 and, when it falls below a predetermined threshold, instruct the server 300 to lift the access denial.
[0039] In any case, the subordinate terminal 200 can resume access to server 300 without going through the step of requesting access permission.
[0040] Furthermore, from the above perspective, the license granted to the subordinate terminal 200 can be considered a "conditional license" that is valid only when the distance from the supervisor terminal 100 is below a threshold.
[0041] [Variant form] Furthermore, the present invention can also be developed as a guidance program that causes a computer, acting as a mobile terminal 100, to execute the above-described process. For example, as shown in Figure 7, the computer acting as a mobile terminal 100 includes memory, a CPU (Central Processing Unit), and an interface. The CPU reads and executes the guidance program of the present invention from memory, thereby realizing processing modules corresponding to the application receiving unit 110, the license granting unit 120, and the access permission instruction unit 130.
[0042] Some or all of the above embodiments may also be described as follows, but are not limited to the following:
[0043] (Note 1) An application receiving unit that receives requests for permission to access a specified device from other mobile devices, A license granting unit that, when the distance from its own device to another mobile terminal is below a predetermined threshold, grants a license to access a predetermined device to the other mobile terminal as a response to the application, An access permission instruction unit that instructs the aforementioned predetermined device to allow access from other licensed mobile terminals, Mobile devices, including those mentioned above.
[0044] (Note 2) A mobile terminal as described in Appendix 1, including an access denial instruction unit that, when the distance from the device to another mobile terminal exceeds a predetermined threshold, instructs the predetermined device to deny access from the licensed mobile terminal.
[0045] (Note 3) A mobile device as described in Appendix 1 or 2, for which the aforementioned license is an expiry-term license.
[0046] (Note 4) A mobile terminal according to any one of the appendices 1 to 3, which includes a denial release instruction unit that, after instructing the predetermined device to deny access, instructs the predetermined device to release the access denial if the distance from the device to another mobile terminal falls below a predetermined threshold again.
[0047] (Note 5) A request receiving step to receive a request for access permission to a specified device from another mobile device, A license granting step in which, if the distance from the device to the other mobile terminal is below a predetermined threshold, a license for access to the specified device is granted to the other mobile terminal as a response to the application, An access permission instruction step instructs the aforementioned predetermined device to allow access from other licensed mobile terminals, A method of access control using a mobile device, including [the following].
[0048] (Note 6) Application reception process for receiving requests for access permission to a specified device from other mobile devices, A license granting process that, when the distance from the device to another mobile terminal is below a predetermined threshold, grants a license to access the specified device to the other mobile terminal as a response to the application, An access permission instruction process that instructs the aforementioned predetermined device to allow access from other mobile terminals to which a license has been granted, An access control program that is executed on a computer acting as a mobile device.
[0049] Furthermore, the features described in appendices 2 to 4 can also be applied to access control methods and access control programs. For example, the rejection release instruction unit can also be applied as a rejection release instruction step or a rejection release instruction process.
[0050] Furthermore, each disclosure of the above-mentioned patent documents cited is incorporated into this document by reference and may be used as the basis or part of the present invention as necessary. Within the framework of the full disclosure of the present invention (including the claims), further modifications and adjustments to the embodiments or examples are possible based on the basic technical concept. Also, within the framework of the full disclosure of the present invention, various combinations or selections (including partial deletions) of various disclosure elements (including each element of each claim, each element of each embodiment or example, each element of each drawing, etc.) are possible. In other words, the present invention naturally includes the full disclosure, including the claims, and various modifications and alterations that a person skilled in the art could make in accordance with the technical concept. In particular, with respect to the numerical ranges described in this document, any numerical value or sub-range included within that range should be interpreted as being specifically described, even if not otherwise stated. Furthermore, each disclosure of the above-mentioned cited documents may, as necessary, be used in part or in whole as part of the disclosure of the present invention, in accordance with the spirit of the present invention, and this is also considered to be included in the disclosure of this application. [Explanation of Symbols]
[0051] 100: Mobile devices, devices of persons in charge 110: Application Reception Department 120: License Granting Department 130: Access permission indicator 140: Access Denied Instruction Unit 150: Rejection Cancellation Instruction Unit 200: Other mobile devices, subordinate devices 300: Designated devices, servers, mobile routers
Claims
1. An application receiving unit that receives requests for permission to access a specified device from other mobile devices, A license granting unit that, when the distance from its own device to the other mobile terminal is below a predetermined threshold, grants the other mobile terminal a license to access the predetermined device as a response to the application, An access permission instruction unit that instructs the aforementioned predetermined device to allow access from the other mobile terminal to which a license has been granted, An access denial instruction unit that, when the distance from its own device to the other mobile terminal exceeds a predetermined threshold, instructs the predetermined device to deny access from the licensed other mobile terminal, Mobile devices, including those mentioned above.
2. The mobile terminal according to Claim 1, further comprising a denial release instruction unit that, after instructing the predetermined device to deny access, instructs the predetermined device to release the access denial if the distance from the device to the other mobile terminal falls below a predetermined threshold again.
3. The mobile terminal according to claim 1 or 2, wherein the license is a license with an expiration date.
4. A request receiving step to receive a request for access permission to a specified device from another mobile device, A license granting step in which, if the distance from the device to the other mobile terminal is below a predetermined threshold, a license for access to the predetermined device is granted to the other mobile terminal as a response to the application, An access permission instruction step instructs the predetermined device to allow access from the other mobile terminal to which a license has been granted, An access denial instruction step in which, if the distance from the device to the other mobile terminal exceeds a predetermined threshold, the predetermined device is instructed to deny access from the licensed other mobile terminal, A method of access control using a mobile device, including [the following].
5. Application reception process for receiving requests for access permission to a specified device from other mobile devices, A license granting process that, when the distance from the device to the other mobile terminal is below a predetermined threshold, grants the other mobile terminal a license to access the predetermined device as a response to the application, An access permission instruction process that instructs the aforementioned predetermined device to allow access from the other mobile terminal to which a license has been granted, Access denial instruction processing, which instructs the predetermined device to deny access from the licensed other mobile terminal when the distance from the device to the other mobile terminal exceeds a predetermined threshold, An access control program that is executed on a computer acting as a mobile device.