BlackBerry's Latest Experiment: a $2,300 'Secure' Tablet

An anonymous reader writes: After missing the boat on smartphones, BlackBerry has been throwing everything they can at the wall to see what sticks. From making square phones to insisting users want physical keyboards, their only standard is how non-standard they've become. Now they're expanding this strategy to the tablet market with a security-centric tablet that costs $2,300. And they're not doing it alone — the base device is actually a Samsung Galaxy Tab S 10.5. The tablet runs Samsung Knox boot tech, as well as software from IBM and encryption specialist Secusmart (which BlackBerry recently purchased). The device will be targeted at businesses and organizations who have particular need for secure devices.

"Organizations deploying the SecuTablet will be able to set policies controlling what apps can run on the devices, and whether those apps must be wrapped, said IBM Germany spokesman Stefan Hefter. The wrapping process—in which an app is downloaded from a public app store, bundled with additional libraries that encrypt its network traffic and intercept Android 'intents' for actions such as cutting or pasting data, then uploaded to a private app store—ensures that corporate data can be protected at rest, in motion and in use, he said. For instance, it can prevent data from a secure email being copied and pasted into the Facebook app running on the same device—yet allow it to be pasted into a secure collaboration environment, or any other app forming part of the same 'federation,' he said."

Rooting?

[MouseTheLuckyDog]

OK. I have not yet read the entire article, but one ques4tion xomwea immediately to mind.

Is it still secure after you root it?

Re:

[Anonymous Coward]

8 AM: Shit, I have to be at work.

8:05 AM: Where the fuck are my shoes? Honey...

8:17 AM: Where did I put my keys while we were looking for my shoes? Goddamnit.

8:21 AM: Exits house.

8:23 AM: Exits driveway.

8:25 AM: Cracks open emergency flask.

1:52 PM: drunk8n [ostiung on sladshdot

Re:

[MouseTheLuckyDog]

but one question comes immediately to mind.

You couldn't figure that out.

PS THis week with luck I finally get to rearrage my desk so my hands do not hit the bottom of a drawer when typing.

Re:

[gweihir]

Blackberrys have a "developer mode", there is zero reason to root them. Quite unlike the flashy, but locked-down Android and iPhone alternatives. This is a real problem for iPhone and Android security: Platform penetration testers cannot do their work without root access.

Re:

[BarbaraHudson]

Blackberrys have a "developer mode", there is zero reason to root them. Quite unlike the flashy, but locked-down Android and iPhone alternatives.

Developer mode can easily be enabled on Android. Settings | About Phone | Build Number (Build number may also be in another submenu, depending on your manufacturer, such as Settings | About device | Build number or Settings | About phone | Software information | Build number or Settings | About | Software information | More | Build number)

Tap the Build Number 7 times and you're now a developer, can upload your test apps to the phone via usb, debug, etc.

Re:

[gweihir]

Ah, sorry. The problem then applies to iPhones only. I do wonder why people are rooting their Android phones then though?

Re:

[mSparks43]

android OS has a certain set of things it "never" allows.
Like MiMing mobile network traffic.

So if you want to install something on a phone that intercepts mobile traffic you have to strip out that layer by rooting. (for example Adblock or Tor)

Re:

[gweihir]

Thanks, that was what I was thinking.

Re:

[gl4ss]

if you want to do things normal applications aren't permitted to do.

developer mode is just for installing whatever apps you want, which are still limited by the security permissions on the device.

if you root, you may for example be able to remove googles play store from the device, if you for some reason wanted, or access some functionality not otherwise available(not exposed through regular android apis etc).

Re:

[gweihir]

Thanks, yes that makes sense.

Re:

[BarbaraHudson]

If you read the fine article, you'd see that this is what Blackberry is allowing, obviating the need to root the phone to get tasks done. You can't make a phone secure while allowing it to be rootable.

Too complex for politicians

[ITRambo]

I don't think many politicians would bother to use anything this secure as their records would be kept and likely accessible after a court order. Congress doesn't believe it needs to work this hard. They are above the law, exempt really, in many ways. Businesses with valuable trade secrets are a great target market for this technology.

You're selling it all wrong....

[Shakrai]

I don't think many politicians would bother to use anything this secure as their records would be kept and likely accessible after a court order.

You're selling it all wrong. Better records retention for a politician? Pa-lease, that's like trying to sell a greenie an SUV because it gets great gas mileage. Let me show you how it's done, from TFS: "For instance, it can prevent data from a secure email being copied and pasted into the Facebook app running on the same device—yet allow it to be pasted into a secure collaboration environment, or any other app forming part of the same 'federation,' he said."

Sales pitch: "You see Congressman, the enhanced security framework prevents you from accidentally tweeting pictures of your junk that you were trying to send to a private audience. The iPad can't do that. Neither can your Android phone."

Re:

[Anonymous Coward]

Or 4-year-old kids.

Re:

[Anonymous Coward]

I don't think many politicians would bother to use anything this secure as their records would be kept and likely accessible after a court order.

Politicians won't bother because they now know they don't need to.

They'll just stand up their own email server in their home, and then tell Congress Fuck You Very Much when asked for an audit, knowing damn well we won't do a fucking thing about it.

Don't mistake complexity for corruption. The reason is far simpler than seeing the internet as a series of tubes..

Re:

[Frosty Piss]

I don't think many politicians would bother to use anything this secure...

The military might.

Currently, the Air Force uses iPads, but not for classified, due to the requirement to connect to Apple servers to upgrade the OS (they will not supply a disc, as Microsoft does for our classified Windows boxes).

All of our pilots carry and use them for non-classified publications, but it would be nice to have something that Secret could be loaded onto for missions.

Re:

[the_B0fh]

Uh, you realize that it's simple to download and do a mass deployment internally right?

Re:

[Anonymous Coward]

So the Air Force is completely incompetent when dealing with IT. Good to know.

Here's a hint - you can download the IPSW from Apple and manually update (after testing and validation), and you can block devices you own from automatically grabbing it from Apple with MDM profiles. You then use an OS X Server running Software Update service, and configure it to be the update proxy in the same MDM profile. When you approve the update, you enable it on your update proxy, and the devices update from YOU, and not

Re:yes to real keyboards

[binarylarry]

Virtual keyboards our the fracture!

Re:

[Blaskowicz]

not only that : there surely is a way to put a keyboard on a tablet. And not a separate keyboard, or a keyboard that turns it into a baby laptop, but a keyboard on the tablet itself.

Re:

[oodaloop]

They're called laptops.

Re:

[the_B0fh]

Please stop trying to make sense on the Internet.

Re:

[gweihir]

You know, after I tried it, my next phone will be a Blackberry classic. The difference is I work with the thing, for gaming I have a real PC.

Re:

[tompaulco]

So you have arbitrarily decided your definition of a portable device is what fits into your definition of the size of a pocket. This tablet is less than 25% larger than your arbitrarily decided maximum pocket size. While we are at it, your arbitrarily decided maximum pocket size is rather huge. I am guessing you have decided on a particular manufacture that only has up to 8 inch tablets and are trying to justify it.

Re:Not portable.

[gnasher719]

So you have arbitrarily decided your definition of a portable device is what fits into your definition of the size of a pocket.

Many, many years ago when Apple built its first "portable" computer, they used the definition "a device that can be carried by an average ten year old girl for one mile". ( I assume they meant "can be carried" and not "can be carried without complaining").

Re:

[MachineShedFred]

I would love to see a 10 year old girl trying to carry the Macintosh Luggable [wikipedia.org] for one mile. The damn thing weighed 16 pounds. Also, who would entrust their 10 year old girl with a $6500 (in 1989) slab of technology to carry for a mile?

Re:

[gweihir]

And in other news, that approach would be called "innovative", "inventive", and "forward looking".

Re:

[MachineShedFred]

Especially if BlackBerry's treatment of this Samsung device doesn't remove the backdoors in the baseband firmware [bgr.com]...

Um... it's 16 days

[rsilvergun]

Until April fools. Seriously, is this a joke? Maybe if they have a juicy gov't contract that'll buy these up. Other than that every company is just going to buy a Windows tablet for a $1000 and put their own security software (which is already certified and tested up the wazoo) on it.

Re:

[thsths]

This.

With Windows, you get security updates every second Tuesday. For free, for years, and in a timely fashion.

On Android, you are lucky if Google deems a bug worthy of fixing. The best sandboxing is useless if the OS itself has known and remote exploitable security issues, as Android usually does.

Re:Um... it's 16 days

[swillden]

On Android, you are lucky if Google deems a bug worthy of fixing.

I'm a member of Google's Android security team, and I want to correct this. The only component in which Google doesn't fix bugs is the old Webview implementation. I'm not going to try to explain or defend that decision, just note that at this point we think it's more productive to get apps to stop using it to display untrusted content on pre-4.4 Android. Outside of that, Google does provide fixes to all significant issues that are reported to us, and we provide those fixes to device manufacturers, at no cost and with security bulletins explaining the nature and severity of the issues. Further there are partnership policies in place that require manufacturers to release updates for severe issues. The nature and scope of those requirements aren't what I wish they were, but Google's ability to dictate to Android OEMs is limited (which isn't a bad thing, though arguably it is in this case).

The best sandboxing is useless if the OS itself has known and remote exploitable security issues, as Android usually does.

The first portion of this sentence is indisputably true. The claim that Android usually has remote exploitable security issues, not so much. Local exploits are pretty common, as they are on every platform, frankly. Securing against local exploits is a hard problem, though I think we're making significant progress. We're finding that SELinux is making many vulnerabilities non-functional on 5.0 and above (granted that it will be a couple of years before 5.0+ represents the majority of Android devices). Functional remote root exploits, however, aren't actually that common, even on pre-5.0 devices. Also, such high-severity vulnerabilities generally *do* motivate manufacturers to deploy fixes (again, pre-4.4 Webview being the notable exception).

Also, I'll point out that thanks to the Android Verify Apps tool, which is active on several hundred million devices, Google has very good insight into exactly what (known) vulnerabilities exist on real-world devices, and even quite a bit about how often exploits are used (though that data is more squishy and speculative). This data even covers a lot of devices that don't use Google Play, since the Verify Apps opt-in is offered to all devices, not just those that use Play.

I can't provide details, but the high-level summary is that the Android ecosystem is actually surprisingly safe. Given the size and complexity of modern mobile operating systems in general and Android in particular, I would expect the situation to be bad, but it's not.

With respect to Blackberry's work here, it actually sounds really good to me. They're doing a lot of good things, some of which we are also working on. I don't think any of the mobile OSes in current use are very resistant to targeted threats. What Blackberry is doing with this tablet is trying to tackle that problem: how do you secure high-value data which may be the specific target of a skilled attacker on a commodity, open platform device? It's a really tough problem. They're doing it by creating a locked-down sub-platform within the platform, allowing only whitelisted apps, preventing data leakage between those and apps in the open portion of the platform. That's a sensible approach. If they can really achieve protection against targeted attacks, the higher price point isn't unreasonable at all. People with high-value data on their devices will pay for security. Most people won't, but there's nothing wrong with focusing on a high-value niche. It's good business, and a strategy that's consistent with the reputation of the Blackberry brand.

Google, of course, isn't targeting the niche, but trying to provide reasonably good security to the mass market. My opinion is that we're largely succeeding, but must keep pushing hard to stay (mostly) ahead of the threats.

(Disclaimer: Please don't take this as any sort of official Google statement. I'm not a Google spokesperson,

Re:

[swillden]

(Disclaimer: Please don't take this as any sort of official Google statement. I'm not a Google spokesperson, and I'm taking something of a risk by being this forthright about Android security work in public. Not a huge risk, because my management is supportive of transparency -- as long as I don't cross any lines. I obviously haven't gone and cleared all of this with PR and it's possible that something I've said is inaccurate, or inconsistent with the company's official position. If there are any such issues, the fault is entirely mine.)

Somehow, I wouldn't feel comfortable working for a company that would make me feel like I had to make such an extensive disclaimer. Sounds like they really *aren't* supportive of transparency, but have brainwashed you with Orwellian doublespeak to make you (and the public) think they are.

LOL. At the vast majority of companies, it wouldn't be a question of a disclaimer. Most places would fire me for speaking publicly at all without clearing everything first.

Re:

[Ed Tice]

The permissions system on Android is such that you can't really install any apps at all without compromising all of the data on the device. Every app asks for permission to everything. Why would anybody even bother going after an OS-level attack. Just create some marginally useful app, put it in the app store, and you have control over just about every Android device out there. And if I'm not going to install any apps, I might as well get a Blackberry. I have a Nexus tablet and like it. But I don't keep

Re:

[swillden]

The permissions system on Android is such that you can't really install any apps at all without compromising all of the data on the device.

Nonsense. Even with every permission that's offered you can't get to most of the data on the device. Apps have no access to data stored by other apps, for one huge example.

The rest of your comment seems to all follow from this erroneous assumption.

Re:

[mattr]

Hello, that is really interesting, thanks.
My customer only treats iPhones as secure, I have a Galaxy S5. Would it be possible do you think for Google to offer a service where you analyze source code and optionally only allow passed apps to be downloaded? The impression in the corporate world is that Android is an insecure platform.

Re:

[mattr]

P.S. interested in the results of analyzing MS apps ;)

Re:

[swillden]

Hello, that is really interesting, thanks. My customer only treats iPhones as secure, I have a Galaxy S5. Would it be possible do you think for Google to offer a service where you analyze source code and optionally only allow passed apps to be downloaded? The impression in the corporate world is that Android is an insecure platform.

I'll just say we're working on it :-)

As the AC who responded mentioned, though, you can always set up your own app store with well-analyzed apps. And it's also worth pointing out that Google does analyze apps for a wide variety of malware signals before making them available on Play.

Re:

[MachineShedFred]

We appreciate you doing what you can to fix some of these holes. However, Google appears to have no teeth which to use to get the handset manufacturers to actually update their products.

There can be software fixes for every single issue, but if they never get deployed, it does nothing to solve the issues.

Re:

[swillden]

Yes, this is a big issue. Huge. It's a clear consequence of the open source nature of Android, which has a lot of value in other ways. This is a fundamental tension between openness and modifiability and security.

My best recommendation: Buy Nexus devices which are guaranteed to get timely updates. Granted that if you are the sort of person who wants to use the same device for 3+ years that doesn't necessarily solve your problem, because even Nexus devices fall out of support fairly quickly. I actually exp

Comment removed

[account_deleted]

Comment removed based on user account deletion

Secure Email?

[BoRegardless]

Protected From iPhone Camera shots? Come on.

I think it's actually a decent idea

[93 Escort Wagon]

But I'm not sure the implementation is sound.

However that's all moot - the price point makes this a non-starter. Companies might be willing to pay a few hundred extra for a secure tablet - but not almost two grand.

Re:

[Frosty Piss]

Companies might be willing to pay a few hundred extra for a secure tablet - but not almost two grand.

It's aimed at government.

Also initially I read the name as SuckuTablet.

Re:I think it's actually a decent idea

[Lumpy]

You are hilarious... Companies pay $5000 or more for laptops that are secure and ar ethe same horsepower as a $500 walmart cheapie. I suggest you actually learn what companies will pay. Because they will pay a lot and do it all the time. Hell they happily and readily pay $3000 to $5000 each just for Panasonic toughbooks that are only rugged.

Re:

[Kjella]

You are hilarious... Companies pay $5000 or more for laptops that are secure and ar ethe same horsepower as a $500 walmart cheapie. I suggest you actually learn what companies will pay. Because they will pay a lot and do it all the time. Hell they happily and readily pay $3000 to $5000 each just for Panasonic toughbooks that are only rugged.

I've never worked for a company that would give me a $5000 laptop, quality laptops yes but not gold plated ones. Yes, some buy Toughbooks but only for the people in the field that really need one. These tablets sound like they'd be most useful as a corporate-wide standard and $2300/person is a pretty solid asking price. I'd just settle for the private repository, corporate-approved apps only and leave Facebook to be done on some other device.

Re:

[drinkypoo]

Hell they happily and readily pay $3000 to $5000 each just for Panasonic toughbooks that are only rugged.

I've never worked for a company that would give me a $5000 laptop,

Me neither, but I have worked for a company that gave me a $3000 laptop, a HP EliteBook with a 3 year warranty and a docking station which came from CDW. And they literally did give it to me when they laid me off, too. Then the GPU failed, then I had an epic time getting the machine replaced, I finally did that, and sold the replacement for $900, which was FMV. HP failed at getting the old laptop back and failed to send me a shipping label after multiple requests so after about a year and a half I broke it

AirWatch

[rsmoody]

...already does this. No need for a $2300 tablet, grab an off-the-shelf iPad/iPhone/Android/Windows Phone, install AirWatch, push the required packages and secure as needed/required from the management console. All corporate data is held in a secure container by the software. Remote management? Done. Remote wipe? Done. Remote password reset? Done. Need to locate the device? Done. Need to see what other software is installed on the device? Done.

Too little, too late.

Missing the boat on smartphones?

[aaron4801]

I get that Blackberry has been an industry joke for 6-7 years now, but the opening statement overstates their missteps. Blackberry missed many boats, but not the whole category of smartphones. Touchscreens, app stores, decent browsers...yes. But not smartphones.

Re:

[tompaulco]

Exactly. If anything, they invented the smartphone. But nobody knew about it until Apple made the iphone and decided that they had invented the smartphone.

Re:

[Lumpy]

Nokia invented the smartphone. Learn your phone history.

Re:

[kamapuaa]

Qualcomm invented the cell phone.

Re:

[rubycodez]

and before cellular, AT&T rolled out their Mobile Telephone Service in St. Louis in 1946. They only had three telephone channels, so three people could simultaneously make a call in the city. It costs $15 a month ($180 a month in 2015 dollars) plus 30 cents a call.

Re:

[the_B0fh]

I've never seen Apple claim to have invented the smartphone. You have a citation?

Re:

[the_B0fh]

So it's their fault?

Defeated by a smartphone video camera

[chaosdivine69]

Look, if you want to capture data that badly just video capture the screen from a secondary device (smartphone). Even a child could do this. Renders your really expensive security software completely useless instantaneously.

Dear Blackberry...

[Lumpy]

You slit your own throat when you gave up the keys to encryption and servers to governments.

Want to be relevant again? make secure smartphones that you CANT give government access to or touch the encrypted signals. Build in voice and data encryption that the users can specify the keys, give the phones self wipe and data destruction abilities.

Make them also alert the user to possible intrusion attempts like Cell tower fakes and other attacks.

Problem is your management is too chicken shit to do it. Just lik

Re:

[ArhcAngel]

Almost everything you mention is already baked into BES so you really have no idea what you are talking about.

Re:

[acoustix]

Your post is full of lies and ignorance.

People's expectations are unreasonable

[msobkow]

People's expectations for low prices are completely unreasonable nowadays. It hasn't been all that long since $2000 was the "normal" price for a decent machine, never mind a portable device. I realize prices have come down a lot, but realistically Blackberry is only a bit more than doubling the price for this custom-configured device compared to the base hardware. That's far from unreasonable in the "preconfigured stack" systems market.

Don't forget, the point of such devices and systems is to have a single supplier you can pin for resolving any issues or problems. You're buying the vendor's services and reputation, not a collection of unconfigured components.

Re:

[rubycodez]

it's unreasonable, they'll make their money on subscriptions so there is no need to charge an extra for their software.

Re:

[Just Some Guy]

My TV would probably cost $40,000 a decade ago. My iPhone would be a $30,000 workstation in the 90s. The NAS in my living room is $900,000 worth of storage in 1998 dollars. To your contrary, I think people have a perfectly reasonable expectation of low and dropping prices.

Looking forward to it

[Anonymous Coward]

Hopefully it comes in pink to match my $17,000 Applw Edition watch.
Oh I also hope it lasts for two years like my watch to match my device upgrade cycle.

seems strange

[bloodhawk]

If you remove the blackberry android references it sounds like they are describing a windows tablet, complete with Bitlocker, applocker, MS store and hooked up to active directory. Is android really that far behind in security and flexibility that this requires a such an expensive service?

Re:rofl...

[BarbaraHudson]

lol Blackberry... no US tech (software or hardware) is considered secure in the rest of the world. OMG please wake up...

Blackberry isn't US, and never has been. It's head office is still in Waterloo, Ontario, Canada :-)

keyboard

[bigdavex]

Until a few months ago, I carried a Blackberry for work a physical keyboard. The keyboard was nice and I miss it.

Blackberry Physical Keyboard, I want !!!

[lsatenstein]

I was given a Nexas 4 Android. I am not a cellphone devotee, I use it for phone calls received. I hardly ever make outgoing calls and because my fingers are large, texting is folly. My text stuff, when I do it, is full of errors, even to where I select the word that the software anticipates I want to write. If I am sitting in the car while the wife shops, I play freecell. I have a 6 gig data plan and use about 50megs a month. (Yes, a waste).

With a physical keypad, there is a space between the keytops, and

Secure? For small definitions of secure.

[DarthVain]

Security isn't really a technological question anymore. It is a legal and political one. Unless your enterprise and blackberry is immune to political interference as well it isn't really all that secure. Perhaps, "more secure" from some bum to picks up your tablet from the train seat or something.

Blackberry being located in Canada is a pretty good plus, as privacy laws are pretty good. However even Canada has gotten dinged about participation with the whole US electronic surveillance thing. Blackberry had