Concerns around IoT device security are on the rise. At the 2019 Consumer Electronics Expo (CES), BlackBerry, the mobile phone company, made an important announcement. The company is going to license its secure software framework to IoT manufacturers and developers. This announcement is timely, given the fact that about 80% of IoT devices are not tested for security flaws. Moreover, the number of IoT devices is expected to surge to 22 billion by 2025.
Developers need to start taking security seriously, and a prestigious company like BlackBerry becoming involved in the industry of IoT is evidence that this shift is finally occurring. In this article, we’ll take a deep dive into BlackBerry’s announcement. We’ll first review the company’s history, and then look at the CES announcement. Finally, we’ll discuss the effects the announcement may have on the IoT device security ecosystem at large. Let’s get started.
BlackBerry – A Quick Overview
BlackBerry has a long history of success in the mobile market. Founded in 1999 as Research In Motion (RIM), the Canadian company quickly became a leader in the world of business messaging. How did this happen? BlackBerry actually focused on secure communications and mobile productivity from the beginning. Major corporations and government organizations quickly adopted the BlackBerry OS. By September, 2013, there were more than 85 million BlackBerry subscribers worldwide.
Unfortunately, the rise of Android and iOS had a major impact on BlackBerry. The company lost its dominance in the mobile productivity and secure messaging space – and subscriber numbers had fallen to 23 million by March, 2016, with new phone sales numbering only 200,000 in 2017.
While the company continues to make some smartphones in a partnership with TCL and a few other manufacturers, mobile phones are no longer its focus. As of 2018, the company has shifted towards selling software and services to developers, and towards the BlackBerry Spark “Enterprise of Things” platform.
Refocusing and Rebranding – BlackBerry Focuses on IoT Device Security at CES 2019
Given the strategic shift that BlackBerry has undergone in the last decade or so, this latest announcement is not exactly a surprise. The IoT ecosystem is rapidly expanding – and represents a potentially enormous area of business for the company. Let’s discuss their recent announcement in detail now.
The Strategy
BlackBerry is licensing their secure software framework to IoT manufacturers. This will allow the company to bring devices to market more quickly. BlackBerry will also be able to outsource cyber security research and technology.
BlackBerry will review every produced device. If it meets their security standards, it will get the “BlackBerry Secure” certification.
Here are the three “feature packs” the company is releasing for different IoT device security scenarios.
BlackBerry Secure Enablement Pack
This is BlackBerry’s first “feature pack.” Here’s how it works:
- Using a secure manufacturing platform, BlackBerry injects an identity service key into the device.
- The device is monitored 24/7.
- If this service key is ever changed or modified, the IoT device will not boot.
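The announcement does not say how the boot-time check is implemented. As an added illustration (not BlackBerry's code), the sketch below models one common pattern: a digest of the injected key is burned into write-once fuses at manufacture, and early boot code refuses to continue if the stored key no longer matches. The names `Fuses`, `provision` and `boot_gate`, the 32-byte key size and the sample key are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

KEY_LEN = 32  # assumed key size; the article does not state one


class BootDecision(Enum):
    BOOT = "boot"
    HALT_KEY_MISSING = "halt: identity key slot is empty"
    HALT_KEY_MODIFIED = "halt: identity key does not match fused digest"


@dataclass(frozen=True)
class Fuses:
    """Write-once storage burned on the manufacturing line (hypothetical model)."""
    key_digest: bytes


def provision(identity_key: bytes) -> Fuses:
    """Factory step: inject the key and burn its SHA-256 digest into fuses."""
    if len(identity_key) != KEY_LEN:
        raise ValueError("identity key must be %d bytes" % KEY_LEN)
    return Fuses(key_digest=hashlib.sha256(identity_key).digest())


def boot_gate(fuses: Fuses, key_slot: Optional[bytes]) -> BootDecision:
    """Early-boot check: continue only if the stored key still matches the fuses."""
    if not key_slot:
        return BootDecision.HALT_KEY_MISSING
    actual = hashlib.sha256(key_slot).digest()
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(actual, fuses.key_digest):
        return BootDecision.HALT_KEY_MODIFIED
    return BootDecision.BOOT


# Constructed sample data, not a real key.
SAMPLE_KEY = bytes(range(KEY_LEN))
TAMPERED_KEY = bytes([SAMPLE_KEY[0] ^ 0x01]) + SAMPLE_KEY[1:]

if __name__ == "__main__":
    fuses = provision(SAMPLE_KEY)
    for label, slot in [("intact", SAMPLE_KEY), ("tampered", TAMPERED_KEY), ("erased", None)]:
        print(label, "->", boot_gate(fuses, slot).value)
```

Because the reference digest lives in write-once storage, rewriting the key slot alone cannot make a modified key pass the check.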
BlackBerry Secure Foundations Pack
This is BlackBerry’s second feature pack. The “Secure Foundations Pack” works as follows:
- It hardens the OS kernel.
- It uses software lockdown and ARM TrustZone technology to generate and store encryption keys.
These keys can be used for a number of different software operations. The software will create a real-time “health” report, viewable by users and some third-party applications.
BlackBerry Secure Enterprise Pack
The final feature pack is the “Secure Enterprise Pack” and will provide enterprise firms with more granular control over:
- Device debug interfaces,
- Communications protocols like NFC and Bluetooth,
- Radio communication via GPS, WiFi, and cellular networks.
Enterprises can set custom policies. This provides baseline security that allows for simpler certification by security standards such as the Federal Information Processing Standards (FIPS).
BlackBerry is clearly serious about its move into the IoT security space. This shift could not be happening at a better time. In 2017, the number of malware attacks on IoT devices doubled. In late 2018, the first-ever global Code of Practice for IoT security was published by the DCMS and NCSC, outlining steps that IoT manufacturers should take to lock down their systems.
What Could This Mean for the IoT Device Security Ecosystem?
We think that this recent announcement by BlackBerry is a sure sign that manufacturers and developers of IoT technology are going to become much more serious about safety, security, and preventing hacks and data breaches in their systems.
Like many emerging technologies, IoT devices have developed very rapidly – and security standards were not the focus of developers. Companies were rushing to innovate, and capture market share. This has resulted in some serious, deep security flaws.
Older IoT devices are already being abandoned – with no plans to patch or fix them in the future. This could lead to serious security vulnerabilities that are, essentially, impossible to fix. Clearly, this is not a sustainable path forward for the technology that is intended to power self-driving cars, the “smart cities” of the future, and other such groundbreaking technologies.
We simply cannot trust our critical medical data and other information to platforms that have not been tested and secured. No hospital or medical facility would dream of using an unsecured, non-encrypted electronic record-keeping system. But many IoT devices that are being used in medical settings are extremely vulnerable, and they pose serious security risks to private patient data, which could be misused or stolen.
What Can We Expect for IoT Device Security in the Near Future?
In the coming years, as the BlackBerry IoT device security program grows, we expect to see other major tech companies follow suit. Ideally, they will begin licensing their security technology and services to IoT vendors.
Companies like Microsoft, Google, Apple and Amazon have a huge amount of experience in encryption and protecting data. They can certainly see the IoT device security market as an opportunity and they will look to take advantage of it.
In turn, this will legitimize the world of IoT and provide vendors and manufacturers with the tools, platforms, and expertise that they need to ensure valuable data protection. This will help their devices comply with the highest cybersecurity standards.
Of course, it remains to be seen how popular and profitable this BlackBerry Secure system will be. But, in our opinion, it’s a good sign and a big step forward. IoT is already in the mainstream. The faster the industry addresses security vulnerabilities, the faster IoT adoption will occur, including for large enterprises and governmental organizations.