BlackBerry's Latest Experiment: a $2,300 'Secure' Tablet

An anonymous reader writes: After missing the boat on smartphones, BlackBerry has been throwing everything they can at the wall to see what sticks. From making square phones to insisting users want physical keyboards, their only standard is how non-standard they've become. Now they're expanding this strategy to the tablet market with a security-centric tablet that costs $2,300. And they're not doing it alone — the base device is actually a Samsung Galaxy Tab S 10.5. The tablet runs Samsung Knox boot tech, as well as software from IBM and encryption specialist Secusmart (which BlackBerry recently purchased). The device will be targeted at businesses and organizations who have particular need for secure devices.

"Organizations deploying the SecuTablet will be able to set policies controlling what apps can run on the devices, and whether those apps must be wrapped, said IBM Germany spokesman Stefan Hefter. The wrapping process—in which an app is downloaded from a public app store, bundled with additional libraries that encrypt its network traffic and intercept Android 'intents' for actions such as cutting or pasting data, then uploaded to a private app store—ensures that corporate data can be protected at rest, in motion and in use, he said. For instance, it can prevent data from a secure email being copied and pasted into the Facebook app running on the same device—yet allow it to be pasted into a secure collaboration environment, or any other app forming part of the same 'federation,' he said."

Too complex for politicians

[ITRambo]

I don't think many politicians would bother to use anything this secure as their records would be kept and likely accessible after a court order. Congress doesn't believe it needs to work this hard. They are above the law, exempt really, in many ways. Businesses with valuable trade secrets are a great target market for this technology.

Re:yes to real keyboards

[binarylarry]

Virtual keyboards our the fracture!

You're selling it all wrong....

[Shakrai]

I don't think many politicians would bother to use anything this secure as their records would be kept and likely accessible after a court order.

You're selling it all wrong. Better records retention for a politician? Pa-lease, that's like trying to sell a greenie an SUV because it gets great gas mileage. Let me show you how it's done, from TFS: "For instance, it can prevent data from a secure email being copied and pasted into the Facebook app running on the same device—yet allow it to be pasted into a secure collaboration environment, or any other app forming part of the same 'federation,' he said."

Sales pitch: "You see Congressman, the enhanced security framework prevents you from accidentally tweeting pictures of your junk that you were trying to send to a private audience. The iPad can't do that. Neither can your Android phone."

Re:yes to real keyboards

[oodaloop]

They're called laptops.

Um... it's 16 days

[rsilvergun]

Until April fools. Seriously, is this a joke? Maybe if they have a juicy gov't contract that'll buy these up. Other than that every company is just going to buy a Windows tablet for a $1000 and put their own security software (which is already certified and tested up the wazoo) on it.

Re:Um... it's 16 days

[thsths]

This.

With Windows, you get security updates every second Tuesday. For free, for years, and in a timely fashion.

On Android, you are lucky if Google deems a bug worthy of fixing. The best sandboxing is useless if the OS itself has known and remote exploitable security issues, as Android usually does.

Re:Um... it's 16 days

[swillden]

On Android, you are lucky if Google deems a bug worthy of fixing.

I'm a member of Google's Android security team, and I want to correct this. The only component in which Google doesn't fix bugs is the old Webview implementation. I'm not going to try to explain or defend that decision, just note that at this point we think it's more productive to get apps to stop using it to display untrusted content on pre-4.4 Android. Outside of that, Google does provide fixes to all significant issues that are reported to us, and we provide those fixes to device manufacturers, at no cost and with security bulletins explaining the nature and severity of the issues. Further there are partnership policies in place that require manufacturers to release updates for severe issues. The nature and scope of those requirements aren't what I wish they were, but Google's ability to dictate to Android OEMs is limited (which isn't a bad thing, though arguably it is in this case).

The best sandboxing is useless if the OS itself has known and remote exploitable security issues, as Android usually does.

The first portion of this sentence is indisputably true. The claim that Android usually has remote exploitable security issues, not so much. Local exploits are pretty common, as they are on every platform, frankly. Securing against local exploits is a hard problem, though I think we're making significant progress. We're finding that SELinux is making many vulnerabilities non-functional on 5.0 and above (granted that it will be a couple of years before 5.0+ represents the majority of Android devices). Functional remote root exploits, however, aren't actually that common, even on pre-5.0 devices. Also, such high-severity vulnerabilities generally *do* motivate manufacturers to deploy fixes (again, pre-4.4 Webview being the notable exception).

Also, I'll point out that thanks to the Android Verify Apps tool, which is active on several hundred million devices, Google has very good insight into exactly what (known) vulnerabilities exist on real-world devices, and even quite a bit about how often exploits are used (though that data is more squishy and speculative). This data even covers a lot of devices that don't use Google Play, since the Verify Apps opt-in is offered to all devices, not just those that use Play.

I can't provide details, but the high-level summary is that the Android ecosystem is actually surprisingly safe. Given the size and complexity of modern mobile operating systems in general and Android in particular, I would expect the situation to be bad, but it's not.

With respect to Blackberry's work here, it actually sounds really good to me. They're doing a lot of good things, some of which we are also working on. I don't think any of the mobile OSes in current use are very resistant to targeted threats. What Blackberry is doing with this tablet is trying to tackle that problem: how do you secure high-value data which may be the specific target of a skilled attacker on a commodity, open platform device? It's a really tough problem. They're doing it by creating a locked-down sub-platform within the platform, allowing only whitelisted apps, preventing data leakage between those and apps in the open portion of the platform. That's a sensible approach. If they can really achieve protection against targeted attacks, the higher price point isn't unreasonable at all. People with high-value data on their devices will pay for security. Most people won't, but there's nothing wrong with focusing on a high-value niche. It's good business, and a strategy that's consistent with the reputation of the Blackberry brand.

Google, of course, isn't targeting the niche, but trying to provide reasonably good security to the mass market. My opinion is that we're largely succeeding, but must keep pushing hard to stay (mostly) ahead of the threats.

(Disclaimer: Please don't take this as any sort of official Google statement. I'm not a Google spokesperson,

Niche

[geoskd]

Blackberry: Filling a niche that doesnt exist since 2005!

I think it's actually a decent idea

[93+Escort+Wagon]

But I'm not sure the implementation is sound.

However that's all moot - the price point makes this a non-starter. Companies might be willing to pay a few hundred extra for a secure tablet - but not almost two grand.

Re:I think it's actually a decent idea

[Frosty+Piss]

Companies might be willing to pay a few hundred extra for a secure tablet - but not almost two grand.

It's aimed at government.

Also initially I read the name as SuckuTablet.

Re:I think it's actually a decent idea

[Lumpy]

You are hilarious... Companies pay $5000 or more for laptops that are secure and ar ethe same horsepower as a $500 walmart cheapie. I suggest you actually learn what companies will pay. Because they will pay a lot and do it all the time. Hell they happily and readily pay $3000 to $5000 each just for Panasonic toughbooks that are only rugged.

AirWatch

[rsmoody]

...already does this. No need for a $2300 tablet, grab an off-the-shelf iPad/iPhone/Android/Windows Phone, install AirWatch, push the required packages and secure as needed/required from the management console. All corporate data is held in a secure container by the software. Remote management? Done. Remote wipe? Done. Remote password reset? Done. Need to locate the device? Done. Need to see what other software is installed on the device? Done.

Too little, too late.

People's expectations are unreasonable

[msobkow]

People's expectations for low prices are completely unreasonable nowadays. It hasn't been all that long since $2000 was the "normal" price for a decent machine, never mind a portable device. I realize prices have come down a lot, but realistically Blackberry is only a bit more than doubling the price for this custom-configured device compared to the base hardware. That's far from unreasonable in the "preconfigured stack" systems market.

Don't forget, the point of such devices and systems is to have a single supplier you can pin for resolving any issues or problems. You're buying the vendor's services and reputation, not a collection of unconfigured components.

Re:Not portable.

[gnasher719]

So you have arbitrarily decided your definition of a portable device is what fits into your definition of the size of a pocket.

Many, many years ago when Apple built its first "portable" computer, they used the definition "a device that can be carried by an average ten year old girl for one mile". ( I assume they meant "can be carried" and not "can be carried without complaining").

Re:Rooting?

[gweihir]

Blackberrys have a "developer mode", there is zero reason to root them. Quite unlike the flashy, but locked-down Android and iPhone alternatives. This is a real problem for iPhone and Android security: Platform penetration testers cannot do their work without root access.

Re:yes to real keyboards

[gweihir]

You know, after I tried it, my next phone will be a Blackberry classic. The difference is I work with the thing, for gaming I have a real PC.

Re:rofl...

[BarbaraHudson]

lol Blackberry... no US tech (software or hardware) is considered secure in the rest of the world. OMG please wake up...

Blackberry isn't US, and never has been. It's head office is still in Waterloo, Ontario, Canada :-)

Re:Not portable.

[MachineShedFred]

I would love to see a 10 year old girl trying to carry the Macintosh Luggable for one mile. The damn thing weighed 16 pounds. Also, who would entrust their 10 year old girl with a $6500 (in 1989) slab of technology to carry for a mile?

Re: Rooting?

[BarbaraHudson]

If you read the fine article, you'd see that this is what Blackberry is allowing, obviating the need to root the phone to get tasks done. You can't make a phone secure while allowing it to be rootable.