Blackbe;rry PlayBook Tablet Installation guide
BlackBerry PlayBook Tablet
Version: 1.0
Security Technical Overview
Published: 2011-09-08
SWD-1674396-0316050254-001
Contents
1 Revision history................................................................................................................................................. 4
2 Tablet security features.................................................................................................................................... 6
3System requirements: tablet............................................................................................................................ 7
4Opening an encrypted and authenticated connection between a tablet and smartphone............................. 8
The Bluetooth pairing process.......................................................................................................................... 8
The BlackBerry Bridge pairing key.................................................................................................................... 9
Generating an initial pairing key during the BlackBerry Bridge pairing process............................................... 9
Process flow: Generating an initial pairing key.......................................................................................... 10
Cryptosystem parameters that the BlackBerry Bridge pairing process uses to generate an initial
pairing key................................................................................................................................................. 11
Generating a BlackBerry Bridge pairing key during the BlackBerry Bridge pairing process............................. 11
Process flow: Generating a BlackBerry Bridge pairing key........................................................................ 12
Connecting a tablet to a smartphone that is activated on the BlackBerry Enterprise Server or BlackBerry
Internet Service................................................................................................................................................. 13
Process flow: Generating a BlackBerry Bridge work key........................................................................... 13
Reconnecting a tablet to a smartphone........................................................................................................... 13
Deleting a tablet and smartphone connection................................................................................................. 13
Bluetooth security features on the tablet and smartphone............................................................................. 14
Using IT policy rules to manage Bluetooth technology on smartphones......................................................... 15
Specifying Bluetooth connections that third-party applications can access.................................................... 16
Bluetooth profiles that the tablet supports...................................................................................................... 17
5 Securing tablets in your organization’s environment for work use.................................................................. 18
How a tablet distinguishes between work data and personal data.................................................................. 18
How a tablet protects work data............................................................................................................... 19
What happens when a user updates or creates work files on a tablet..................................................... 20
How a tablet controls whether an application is a work application or a personal application....................... 20
Determining which applications are work applications or personal applications..................................... 20
Comparison of work applications and personal applications.................................................................... 21
Access rights for work data and personal data that the BlackBerry Tablet OS grants to applications...... 22
Using the Bridge Browser.......................................................................................................................... 22
Running the Files application in work mode............................................................................................. 23
Taking screen shots on a tablet................................................................................................................. 23
When a tablet prevents a user from accessing work data or work applications.............................................. 23
Connecting a tablet to an enterprise Wi-Fi network........................................................................................ 24
IT policy rules that apply to a tablet................................................................................................................. 24
6 The BlackBerry Tablet OS.................................................................................................................................. 25
The tablet file system........................................................................................................................................ 25
How the BlackBerry Tablet OS uses sandboxing to protect application data................................................... 26
How the BlackBerry Tablet OS manages the resources on the tablet.............................................................. 26
How the tablet manages permissions for applications..................................................................................... 26
How the tablet verifies the boot ROM code..................................................................................................... 27
How the tablet manages software updates...................................................................................................... 27
7 Protecting user information............................................................................................................................. 28
Using the smartphone password to help protect access to the tablet............................................................. 28
Using the tablet password................................................................................................................................ 28
Deleting data from the tablet memory............................................................................................................. 29
What happens to work data on the tablet when it is connected to a smartphone that deletes all
smartphone data.............................................................................................................................................. 29
8 Cryptographic algorithms, codes, protocols, and APIs that the tablet supports.............................................. 31
Symmetric encryption algorithms..................................................................................................................... 31
Asymmetric encryption algorithms.................................................................................................................. 31
Hash algorithms................................................................................................................................................ 32
Message authentication codes......................................................................................................................... 32
Signature scheme algorithms........................................................................................................................... 32
Key agreement schemes................................................................................................................................... 32
Cryptographic protocols................................................................................................................................... 33
Cryptographic APIs............................................................................................................................................ 33
VPN cryptographic support............................................................................................................................... 33
Wi-Fi cryptographic support............................................................................................................................. 33
9 Attacks that the BlackBerry Bridge pairing process is designed to prevent..................................................... 35
Brute-force attack............................................................................................................................................. 35
Online dictionary attack.................................................................................................................................... 35
Eavesdropping.................................................................................................................................................. 35
Impersonating a smartphone........................................................................................................................... 36
Man-in-the-middle attack................................................................................................................................. 36
Small subgroup attack...................................................................................................................................... 36
10 Glossary............................................................................................................................................................ 37
11 Provide feedback.............................................................................................................................................. 41
12 Legal notice....................................................................................................................................................... 42
Revision history 1
Date Description
15 July 2011 Added the following topics:
• The Bluetooth pairing process
• Generating an initial pairing key during the BlackBerry Bridge pairing
process
• Process flow: Generating an initial pairing key
• Cryptosystem parameters that the BlackBerry Bridge pairing process
uses to generate an initial pairing key
• Generating a BlackBerry Bridge pairing key during the BlackBerry
Bridge pairing process
• Process flow: Generating a BlackBerry Bridge pairing key
• Process flow: Generating a BlackBerry Bridge work key
• Bluetooth security features on the tablet and smartphone
• Using IT policy rules to manage Bluetooth technology on smartphones
• Specifying Bluetooth connections that third-party applications can
access
• Bluetooth profiles that the tablet supports
• Taking screen shots on a tablet
• What happens to work data on the tablet when it is connected to a
smartphone that deletes all smartphone data
Updated the following topics:
• Tablet security features
• Opening an encrypted and authenticated connection between a tablet
and smartphone
• The BlackBerry Bridge pairing key
• Connecting a tablet to a smartphone that is activated on the BlackBerry
Enterprise Server or BlackBerry Internet Service
• Reconnecting a tablet to a smartphone
• How a tablet distinguishes between work data and personal data
• How a tablet protects work data
• Determining which applications are work applications or personal
applications
• Running the web browser in work mode (changed to "Using the Bridge
Browser")
• Running the Files application in work mode
• When a tablet prevents a user from accessing work data or work
application
Security Technical Overview Revision history
4
Date Description
• Using the tablet password
• The tablet file system
• Using the smartphone password to help protect access to the tablet
• Deleting data from the tablet memory
• Symmetric encryption algorithms
4 April 2011 Initial version
Security Technical Overview Revision history
5
Tablet security features 2
Feature Description
Encrypted and authenticated
connection between a BlackBerry
PlayBook tablet and BlackBerry
smartphone
• A tablet and smartphone perform two pairing processes to open an
encrypted and authenticated connection between each other: a
Bluetooth pairing process and a BlackBerry Bridge pairing process that
is designed to enhance the level of encryption for the connection.
• The BlackBerry Bridge uses the ECDH algorithm to negotiate a key and
AES-256 to encrypt the connection.
Protection of work data on a tablet • The tablet is designed to isolate the work file system and work
applications from the personal file system and personal applications.
• The tablet classifies applications as work applications and allows them
to access work data.
• The tablet helps protect work data using XTS-AES-256 encryption.
• The tablet does not store local copies of work data permanently, the
tablet uses the BlackBerry smartphone file system to store work data.
Protection of BlackBerry PlayBook
tablet user information
The tablet is designed to allow a user to delete all user information and
application data from the tablet memory.
Protection of BlackBerry Tablet OS • When the BlackBerry Tablet OS starts, it completes integrity tests to
detect damage to the kernel.
• The BlackBerry Tablet OS can restart a process that stops responding
without negatively affecting other processes.
• The BlackBerry Tablet OS validates requests that applications make for
resources on the tablet.
Protection of the user spaces that
applications run in
The BlackBerry Tablet OS runs each process in a user space on the tablet.
To help protect a user space, the BlackBerry Tablet OS is designed to
evaluate the requests that processes make for memory outside of the user
space. The BlackBerry Tablet OS is designed to permit a process to access
only the memory that it has permissions for at a specific time.
Protection of resources The BlackBerry Tablet OS uses adaptive partitioning to allocate resources
that are not used by applications during typical operating conditions and to
make sure that resources are available to applications during times of peak
operating conditions.
Management of permissions to
access capabilities
The BlackBerry Tablet OS evaluates every request that an application makes
to access a capability on the tablet.
Verification of the boot ROM code The tablet verifies that the boot ROM code is permitted to run on the tablet.
Security Technical Overview Tablet security features
6
System requirements: tablet 3
Item Requirement
BlackBerry Enterprise Server version To use IT policy rules to control settings for the BlackBerry Bridge and
BlackBerry PlayBook tablet, your organization's environment must include
BlackBerry Enterprise Server 4.0 or later and the IT policy rules included in
KB26294 imported into the BlackBerry Enterprise Server.
For more information about importing the IT policy rules to control settings
for the BlackBerry Bridge and tablet, visit www.blackberry.com/go/kbhelp
to read KB26294.
smartphone BlackBerry PlayBook tablet users who want to use the BlackBerry Bridge
must have a BlackBerry smartphone that is running one of the following:
• BlackBerry Device Software 5.0
• BlackBerry 6
• BlackBerry 7
Users whose smartphones are running BlackBerry Device Software 5.0 and
BlackBerry 6, must install BlackBerry Bridge from the BlackBerry App World
storefront. The BlackBerry Bridge is pre-installed on smartphones that are
running BlackBerry 7.
operating system Users who want to install and run BlackBerry Desktop Software to manage
the tablet using their computers must have one of the following operating
systems running on a computer:
• Windows XP SP3 or later
• Windows Vista
• Windows 7
• Mac OS X 10.5.7 or later
BlackBerry Desktop Software Users who want to manage the tablet using their computers must install
one of the following:
• BlackBerry Desktop Software (Windows) 6.0.2 or later
• BlackBerry Desktop Software (Mac) 2.0.0 or later
Security Technical Overview System requirements: tablet
7
Opening an encrypted and authenticated
connection between a tablet and smartphone
4
A BlackBerry PlayBook tablet and BlackBerry smartphone perform two pairing processes to open an encrypted and
authenticated connection between each other:
• Bluetooth pairing process to open a Bluetooth connection
• BlackBerry Bridge pairing process to provide a level of security that is greater than what the Bluetooth pairing
process provides
During the Bluetooth pairing process, the tablet and smartphone share a Bluetooth key to encrypt and decrypt
data that is sent between the tablet and smartphone.
During the BlackBerry Bridge pairing process, the tablet and smartphone share a BlackBerry Bridge pairing key to
authenticate the connection and encrypt and decrypt data that is sent between the tablet and smartphone.
During the BlackBerry Bridge pairing process, the tablet and smartphone also share the BlackBerry Bridge work
key if the smartphone was activated on a BlackBerry Enterprise Server. The tablet uses the 512-bit BlackBerry
Bridge work key and XTS-AES-256 to encrypt the keys that encrypt and decrypt the work data that the tablet
stores.
A user can start a Bluetooth pairing process and BlackBerry Bridge pairing process on a tablet or smartphone in
one step. To start the pairing processes, the user can add a smartphone in the Paired Device options on the tablet
or in the BlackBerry Bridge application on the device.
If the BlackBerry PlayBook tablet user presses and holds the power key to reset the tablet, the tablet erases the
BlackBerry Bridge work key from memory.
The Bluetooth pairing process
Bluetooth technology permits a BlackBerry PlayBook tablet and a BlackBerry smartphone to open a wireless
connection between each other.
Bluetooth profiles on the tablet and smartphone specify how Bluetooth enabled applications can connect and run.
The Bluetooth Serial Port Profile that is on the tablet and smartphone specifies how the tablet and smartphone
can open a serial connection between each other using a virtual serial port.
By default, a tablet and smartphone include the following Bluetooth security features:
• A user can turn off the Bluetooth technology for the tablet or smartphone. You can turn off the Bluetooth
technology for the smartphone using IT policies.
• A user must request a connection, or pairing, between the tablet and smartphone. A user can connect a tablet
and smartphone by scanning a barcode or manually configuring the connection (and typing a shared secret to
complete the pairing).
• If a user connects or reconnects a tablet to a smartphone that requires a password, the user must type the
smartphone password on the tablet.
• A user can delete a Bluetooth connection between a tablet and smartphone in the Bluetooth settings on a tablet.
Security Technical Overview Opening an encrypted and authenticated connection between a tablet and smartphone
8
• The tablet and smartphone use AES-256 encryption to encrypt and decrypt data that is sent between each other.
The tablet and smartphone use SHA-256 to authenticate the connection between each other.
• The smartphone prompts the user each time a Bluetooth device tries to connect to the smartphone.
The BlackBerry Bridge pairing key
The first time that a BlackBerry PlayBook tablet connects to a BlackBerry smartphone, the tablet connects with the
smartphone using Bluetooth technology and generates a BlackBerry Bridge pairing key. The BlackBerry Bridge
pairing key is designed to protect data as it travels between the tablet and smartphone.
A BlackBerry PlayBook tablet user can connect a tablet and smartphone by scanning a barcode or manually
configuring the connection. When the user connects a tablet and smartphone, the connection creates a shared
secret to use in the key agreement protocol. The shared secret contains 128 bits of randomness when the user
scans a barcode and 32 bits of randomness when the user manually configures the connection. To discover the
shared secret by eavesdropping during the key agreement protocol, a potentially malicious user must perform an
online dictionary attack. The tablet is designed to prevent an online dictionary attack by permitting the potentially
malicious user only one guess at the shared secret. If the guess is incorrect, the user must restart the pairing
process, which then creates a new shared secret.
The BlackBerry Bridge uses the shared secret and ECDH with a 521-bit Random Curve to perform a password-
authenticated key agreement and create an initial pairing key. The BlackBerry Bridge uses the initial pairing key to
generate the BlackBerry Bridge pairing key. The BlackBerry Bridge uses the BlackBerry Bridge pairing key and
AES-256 encryption to encrypt and decrypt data that is sent between the tablet and the smartphone. The
BlackBerry Bridge uses the BlackBerry Bridge pairing key and SHA-256 to authenticate the connection between the
tablet and smartphone.
Generating an initial pairing key during the BlackBerry
Bridge pairing process
The initial key establishment protocol uses ECDH with the 521-bit Random Curve and the SPEKE authentication
method with the shared secret (the shared secret parameter is "s") to generate a long-term symmetric initial
pairing key. The BlackBerry Bridge pairing key establishment protocol uses the initial pairing key to generate the
BlackBerry Bridge pairing key.
If you delete a BlackBerry PlayBook tablet and BlackBerry smartphone connection in the Bluetooth settings on a
tablet, the next time you connect the tablet to the smartphone, the BlackBerry Bridge pairing process uses the
initial key establishment protocol to create a new initial pairing key.
The initial key establishment protocol negotiates algorithms and parameters that are used in subsequent
BlackBerry Bridge pairing key exchanges, including the following:
• Elliptic curve used by future ECDH exchanges
• Encryption algorithm and hash algorithm used by the BlackBerry Bridge
Security Technical Overview The BlackBerry Bridge pairing key
9
The initial key establishment protocol is designed to negotiate so that the tablet and smartphone can use the 521-
bit Random Curve, AES-256, and SHA-256 for application layer encryption and authentication, and SHA-512 for IT
policy authentication.
Related topics
Cryptosystem parameters that the BlackBerry Bridge pairing process uses to generate an initial pairing key, 11
Process flow: Generating an initial pairing key
1. The BlackBerry smartphone sends an initial echo of the value 0xC1F34151520CC9C2 to the BlackBerry PlayBook
tablet to confirm that a Bluetooth connection to the tablet exists and to verify that the smartphone and tablet
both understand the protocol.
2. The tablet receives the initial echo and replies with an echo transmission of the same value.
3. The smartphone receives the echo and replies to the tablet with a request for a list of supported algorithms.
4. The tablet creates a list of all the algorithms and elliptic curves that it supports and sends the list to the
smartphone.
5. The smartphone searches the list for matches with algorithms and elliptic curves that the smartphone supports.
• If a match is not available, the smartphone sends an error to the tablet and stops processing the list.
• If a match exists, the smartphone begins the key establishment process by sending a pairing request using
the selected algorithms, the selected elliptic curve, and a 64-byte seed to the tablet.
6. The tablet verifies the selected algorithms and elliptic curve.
7. The tablet performs the following calculation to select a short-term key (Y):
• Selects random y, 1 < y < r – 1
• Calculates Y = yS
8. The tablet sends Y to the smartphone.
9. The smartphone performs the following calculations to select a short-term key (X):
• Selects random x, 1 < x < r – 1
• Calculates X = xS
• Calculates the initial pairing key (MK) using the following information:
Parameter Value
K xY = xyS
H1 SHA-512 (sent data packets)
H2 SHA-512 (received data packets)
• Calculates H = H1 + H2
• Calculates MK = SHA-256( H || K )
10. The smartphone sends X to the tablet.
11. The tablet calculates MK using the following information:
Parameter Value
K yX = yxS
Security Technical Overview Generating an initial pairing key during the BlackBerry Bridge pairing process
10
Parameter Value
H1 SHA-512 (sent data packets)
H2 SHA-512 (received data packets)
H H1 + H2
MK SHA-256 ( H || K )
The smartphone and the tablet share an initial pairing key.
Related topics
Cryptosystem parameters that the BlackBerry Bridge pairing process uses to generate an initial pairing key, 11
Cryptosystem parameters that the BlackBerry Bridge pairing process uses
to generate an initial pairing key
A BlackBerry PlayBook tablet and BlackBerry smartphone are designed to share the following cryptosystem
parameters.
Parameter Description
E(Fq) This parameter is the NIST-approved 521-bit random elliptic curve over Fq, which has a
cofactor of 1.
The initial key establishment protocol performs all mathematical operations in the group
E(Fq).
Fq This parameter is a finite field of prime order q.
P This parameter is a point of E that generates a subgroup of E(Fq) of prime order r.
xR This parameter is a representation of elliptic curve scalar multiplication, where x is the
scalar and R is a point on E(Fq).
s This parameter is the shared secret that appears on the tablet screen.
The shared secret must be known only to the authorized user of the smartphone and the
tablet until the protocol completes.
S This parameter is the shared secret converted to a point on E(Fq).
Generating a BlackBerry Bridge pairing key during the
BlackBerry Bridge pairing process
If the initial key establishment protocol process is successful, the BlackBerry PlayBook tablet and the BlackBerry
smartphone share an initial pairing key. The tablet and smartphone use the initial pairing key to generate a
BlackBerry Bridge pairing key. The BlackBerry Bridge pairing key is used to encrypt and authenticate the data that
the tablet and smartphone send between each other.
The BlackBerry Bridge pairing key establishment protocol uses ECDH and the elliptic curve that the initial key
establishment protocol negotiates. The ECDH algorithm provides PFS, which prevents the protocol from deriving
previous or subsequent encryption keys. Each run of the BlackBerry Bridge pairing key establishment protocol
Security Technical Overview Generating a BlackBerry Bridge pairing key during the BlackBerry Bridge pairing process
11
uses a unique, random, ephemeral key pair to create the new BlackBerry Bridge pairing key. The tablet discards
the ephemeral key pair after generating the BlackBerry Bridge pairing key. Even if the ephemeral private keys from
a specific protocol run of the ECDH algorithm are compromised, the BlackBerry Bridge pairing keys from other
runs of the same protocol remain uncompromised.
Process flow: Generating a BlackBerry Bridge pairing key
1. The BlackBerry smartphone sends an initial echo of the value 0xC1F34151520CC9C2 to the BlackBerry PlayBook
tablet to confirm that a Bluetooth connection to the tablet exists and to verify that both the smartphone and
tablet understand the protocol.
2. The tablet receives the initial echo and replies with an echo transmission of the same value.
3. The smartphone receives the echo and uses the algorithm that the initial key establishment protocol negotiated
to send the selected algorithms, the selected elliptic curve, and a seed to the tablet.
4. The tablet performs the following calculation to select a short-term key (Y):
• Selects random y, 1 < y < r – 1
• Calculates Y = yP, where P is a fixed point on the selected elliptic curve that generates a subgroup of prime
order
5. The tablet sends Y to the smartphone.
6. The smartphone performs the following calculation to select a short-term key (X):
• Selects random x, 1 < x < r – 1
• Calculates X = xP
• Calculates the BlackBerry Bridge pairing key (CK) using the following information:
Parameter Value
K xY = xyP
H1 SHA-512 (sent data packets)
H2 SHA-512 (received data packets)
H H1 + H2
CK SHA-256 ( MK || H || MK || K )
7. The smartphone sends X to the tablet.
8. The tablet calculates the BlackBerry Bridge pairing key (CK) using the following information:
Parameter Value
K yX = yxP
H1 SHA-512 (sent data packets)
H2 SHA-512 (received data packets)
H H1 + H2
CK SHA-256( MK || H || MK || K )
The smartphone and tablet share a BlackBerry Bridge pairing key.
Security Technical Overview Generating a BlackBerry Bridge pairing key during the BlackBerry Bridge pairing process
12
Connecting a tablet to a smartphone that is activated on
the BlackBerry Enterprise Server or BlackBerry Internet
Service
If a BlackBerry PlayBook tablet connects to a BlackBerry smartphone that was activated on a BlackBerry Enterprise
Server, the data that the smartphone stores on the tablet is classified as work data. Work data is stored separately
from personal data and is protected using the BlackBerry Bridge work key. During the BlackBerry Bridge pairing
process, the tablet and smartphone share the BlackBerry Bridge work key. The BlackBerry Bridge work key
encrypts the keys that encrypt and decrypt data that is stored on the tablet.
If a tablet connects to a smartphone that was activated on the BlackBerry Internet Service only, then the data that
the smartphone stores on the tablet is considered personal data. Personal data that is stored on the tablet is not
encrypted.
Process flow: Generating a BlackBerry Bridge work key
1. During the BlackBerry Bridge pairing process, the BlackBerry smartphone generates a random 256-bit key and
sends it to the BlackBerry PlayBook tablet.
2. The tablet uses SHA-512 to hash the key that it receives from the smartphone with the tablet system key to
produce the BlackBerry Bridge work key.
The tablet system key is created during the manufacturing process and is the SHA-512 hash of a hardware ID
and a 512-bit random key.
Reconnecting a tablet to a smartphone
The BlackBerry PlayBook tablet is designed to reconnect automatically to a BlackBerry smartphone that it was
previously connected to if the tablet did not delete the Bluetooth key or BlackBerry Bridge pairing key.
If you reconnect a tablet to a smartphone that requires a password, you must type the smartphone password on
the tablet. The tablet and smartphone then perform the Bluetooth pairing process and BlackBerry Bridge pairing
process. The smartphone uses the previous BlackBerry Bridge work key to decrypt the keys that were used to
encrypt the data that the smartphone stored on the tablet when the tablet and smartphone were previously
connected. The previous BlackBerry Bridge work key is stored in the memory of the smartphone.
Deleting a tablet and smartphone connection
You can delete a BlackBerry PlayBook tablet and BlackBerry smartphone connection in the Bluetooth settings on a
tablet. If you delete a tablet and smartphone connection on a tablet, the tablet performs the following actions:
• Closes all work applications
• Erases the Bluetooth key and BlackBerry Bridge pairing key from memory
• Deletes the work file system and erases the BlackBerry Bridge work key from memory
Security Technical Overview Connecting a tablet to a smartphone that is activated on the BlackBerry Enterprise Server or
BlackBerry Internet Service
13
• Removes the Bluetooth connection with the smartphone
Bluetooth security features on the tablet and smartphone
The following security features on the BlackBerry PlayBook tablet and BlackBerry smartphone enhance the
existing protection for Bluetooth technology on the tablet and smartphone.
You can use the BlackBerry Enterprise Server to set IT policy rules in the Bluetooth policy group that are designed
to control the behaviour of Bluetooth enabled smartphones. For more information about the IT policy rules, see
the BlackBerry Enterprise Server Policy Reference Guide. For more information about configuring IT policy rules,
see the BlackBerry Enterprise Server Administration Guide.
Security feature Description
Limit paired Bluetooth enabled devices You can use the Disable Pairing IT policy rule to prevent a BlackBerry
smartphone user from pairing a smartphone with a Bluetooth enabled
device other than their tablet. After the smartphone pairs with the
tablet, you can use this rule to prevent the smartphone from pairing with
other Bluetooth enabled devices.
You can also use application control policy rules to prevent third-party
applications from accessing Bluetooth technology on smartphones.
Limited use of serial port profiles The tablet uses the Bluetooth Serial Port Profile only, which allows you
to use application control policy rules to turn off all the other profiles on
the smartphone and prevent third-party applications from using the
smartphone or tablet.
Smartphones support only seven of the available Bluetooth profiles. The
user can control pairing requests and the number of Bluetooth enabled
devices that the user can pair with is limited.
Use of Bluetooth pairing process to help
prevent passive attack
During the Bluetooth pairing process, the tablet uses a random key
(unlike the hard-coded keys that headsets and other Bluetooth enabled
smartphones use).
A user starts the Bluetooth pairing process from the tablet or
smartphone. If a message prompts the user to type a pairing password
when the user did not start a pairing process, the user knows that
another Bluetooth enabled device, which the user might not want to
connect to, started the pairing process. The Bluetooth pairing process is
designed to help prevent a passive attack where a potentially malicious
user tries to search for the smartphone PIN or tablet PIN.
Protection of the Bluetooth encryption
key
After the user resets the tablet, a smartphone can perform the Bluetooth
pairing process and BlackBerry Bridge pairing process to reconnect to
the tablet. If the smartphone was the last smartphone to connect to the
Security Technical Overview Bluetooth security features on the tablet and smartphone
14
Security feature Description
tablet before the user reset the tablet, the tablet restores the backed-
up Bluetooth encryption key for the Bluetooth connection and opens
the Bluetooth connection to the smartphone automatically.
Use of the discoverable mode option By default, the discoverable mode option on a smartphone and tablet is
turned off. The smartphones are not visible to other Bluetooth enabled
smartphones. The tablet or smartphone does not enter into discoverable
mode unless the user turns on the discoverable mode option. Potentially
malicious users cannot locate tablets or smartphones easily and
compromise them.
You can also set the Limit Discoverable Time IT policy rule to True to
allow the user to turn on the discoverable mode option on the
smartphone for 2 minutes only. The smartphone is discoverable for a
very limited time to allow pairing with another Bluetooth enabled device.
Control the Bluetooth wireless
transceiver
By default, the Bluetooth wireless transceiver on tablets and
smartphones is turned off. When the Bluetooth wireless transceiver is
turned off, Bluetooth technology is not operational on the tablet or
smartphone, and the tablet or smartphone are not open to potentially
malicious users using the Bluetooth technology.
You can also use the Disable Bluetooth IT policy rule to control the
Bluetooth wireless transceiver on smartphones.
Protect data over a Bluetooth
connection
The tablet and smartphone use AES-256 encryption to encrypt and
decrypt data that is sent between each other. The tablet and smartphone
use SHA-256 to authenticate the connection between each other.
Using IT policy rules to manage Bluetooth technology on
smartphones
You can use the BlackBerry Enterprise Server to set IT policy rules that are designed to control the behaviour of
Bluetooth enabled BlackBerry smartphones. For example, you can configure the following IT policy rules in the
Bluetooth policy group to manage Bluetooth settings on smartphones.
For more information about the IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide. For
more information about configuring IT policy rules, see the BlackBerry Enterprise Server Administration Guide.
Action IT policy rule
Opening a Bluetooth connection with a BlackBerry
PlayBook tablet
• Disable Bluetooth
• Disable Pairing
Turning on the discoverable mode option • Disable Discoverable Mode
Security Technical Overview Using IT policy rules to manage Bluetooth technology on smartphones
15
Action IT policy rule
Setting the discoverable mode option to have no
time limit
• Limit Discoverable Time
Using the Bluetooth profiles that tablet and
smartphone support
• Disable Advanced Audio Distribution Profile
• Disable Audio/Video Remote Control Profile
• Disable Dial-Up Networking
• Disable Handsfree Profile
• Disable Headset Profile
• Disable Message Access Profile
• Disable Serial Port Profile
• Disable SIM Access Profile
Using wireless bypass over a Bluetooth connection • Disable Wireless Bypass
Exchanging files with supported Bluetooth OBEX
devices
• Disable File Transfer
Sending or receiving address book information
over a Bluetooth connection
• Disable Address Book Transfer
Making calls over a Bluetooth connection • Allow Outgoing Calls
Using Bluetooth encryption on all Bluetooth
connections
• Require Encryption
Flashing the LED light when the smartphone is
connected to another Bluetooth enabled device
• Require LED Connection Indicator
Prompting users to type their smartphone
passwords to turn on Bluetooth support
• Require Password for Enabling Bluetooth Support
Prompting users to type their smartphone
passwords to turn on discoverable mode
• Require Password for Discoverable Mode
Specifying Bluetooth connections that third-party
applications can access
You can use application control policy rules to limit the use of Bluetooth technology and the Bluetooth profiles to
specific, permitted third-party applications. You can use the BlackBerry Enterprise Server to configure application
control policy rules to control which applications can access resources on the BlackBerry smartphone. For
example, you can use application control policy rules to make all Bluetooth profiles unavailable for applications by
default and to turn on the Bluetooth Serial Port Profile for the BlackBerry PlayBook tablet driver only. If you
configure these settings, only specific applications are allowed to use the tablet driver.
The following table lists the application control policy rules and the result that you can achieve by configuring
them.
Security Technical Overview Specifying Bluetooth connections that third-party applications can access
16
Action Application control policy rule
Permit or prevent a BlackBerry smartphone user
from downloading third-party applications
• Disposition
Specify the features (for example, the email
application, the phone application, and the
smartphone key store) that third-party
applications can access
• Is Access to the Email API Allowed
• Is Access to the Phone API Allowed
• Is Access to the Handheld Key Store Allowed
• Is Access to the PIM API Allowed
• Is Access to the Screen, Microphone, and Video
Capturing APIs
Specify the types of connections that a third-party
application can open (for example, opening
network connections inside the firewall)
• Are External Network Connections Allowed
• Are Internal Network Connections Allowed
• Are Local Connections Allowed
Bluetooth profiles that the tablet supports
A BlackBerry PlayBook tablet uses Bluetooth profiles to communicate with BlackBerry smartphones and other
types of Bluetooth enabled devices. The tablet supports the following Bluetooth profiles.
Profile Description
Dial-up Networking
(DUN)
The tablet uses this profile to connect to a tethered smartphone or other Internet-
enabled device to access the Internet connection.
Human Interface Device
(HID)
The tablet uses this profile to connect to a wireless keyboard or mouse.
Serial Port Profile (SPP) The tablet uses this profile to connect to a smartphone through the BlackBerry Bridge.
Security Technical Overview Bluetooth profiles that the tablet supports
17
Securing tablets in your organization’s
environment for work use
5
Your organization can permit a BlackBerry PlayBook tablet user to connect a BlackBerry PlayBook tablet to a
BlackBerry smartphone that is associated with a BlackBerry Enterprise Server and use the tablet for work
purposes. Security features on the tablet can control how the tablet helps protect your organization’s data and
applications. The security features provide the following benefits:
• Control access to your organization’s data on the tablet
• Help prevent your organization’s data from being compromised
• Provide one experience for users, regardless of whether they access work data or personal data
• Make your organization’s data on the tablet inaccessible when the connection to the smartphone closes
These security features are not available when the user connects the tablet to a smartphone that is activated on
the BlackBerry Internet Service. If the user connects the tablet to a smartphone that is activated on a BlackBerry
Internet Service, the tablet specifies that all data and applications on the tablet are for personal use.
How a tablet distinguishes between work data and personal
data
Work data consists of all email messages, calendar entries, and attachments that a BlackBerry Enterprise Server
and a BlackBerry smartphone send between each other and any data that is associated with work applications (for
example, metadata). If a BlackBerry PlayBook tablet user connects a BlackBerry PlayBook tablet to a smartphone
that is activated on a BlackBerry Enterprise Server, the tablet permits the user to view and interact with work
data. A media card must be inserted in the smartphone to permit the user to interact with work data (for example,
open attachments on the tablet or save updates to files).
To help protect work data, the tablet automatically creates a work file system in the BlackBerry Tablet OS that
isolates work data and work applications from personal data and personal applications. The tablet encrypts the
work file system using XTS-AES-256 encryption.
The tablet is designed to prevent the user from seeing or accessing the work file system directly on the tablet by
clicking on an icon for the work file system. The tablet is designed to allow the user to access work data and work
applications when the user connects the tablet to the smartphone using the BlackBerry Bridge. When the user
connects the tablet to the smartphone, the tablet displays the BlackBerry Bridge panel. The user can use the
BlackBerry Bridge to access work applications.
Security Technical Overview Securing tablets in your organization’s environment for work use
18
Other manuals for PlayBook Tablet
11
Table of contents
Other Blackbe;rry Tablet manuals
Blackbe;rry
Blackbe;rry PlayBook Tablet User manual
Blackbe;rry
Blackbe;rry PlayBook Tablet User manual
Blackbe;rry
Blackbe;rry PlayBook Tablet User manual
Blackbe;rry
Blackbe;rry PlayBook Tablet User manual
Blackbe;rry
Blackbe;rry 4G LTE Playbook Manual
Blackbe;rry
Blackbe;rry PlayBook Tablet User manual
Blackbe;rry
Blackbe;rry PlayBook Tablet User manual
Blackbe;rry
Blackbe;rry PlayBook Tablet User manual
Blackbe;rry
Blackbe;rry PlayBook Tablet Instruction Manual
Blackbe;rry
Blackbe;rry PlayBook Tablet User manual
