BlackBerry plans comeback as secure IoT hub

Protecting the internet of things from cyber attacks will be a big business opportunity and the race is already on to create new products and services to safeguard the 20bn or so devices that are expected to be connected to the internet by 2020.

Among those hoping to benefit from the boom is BlackBerry, the Canadian phonemaker that dominated the smartphone market in the early years of the millennium, but saw its market share collapse after 2010 as Apple’s iPhone and Google’s Android system took over.

Now the company is looking for a comeback as a provider of secure IoT access. It hopes to apply its experience and reputation for high-level security in smartphones — which were in effect the first mainstream IoT products — to a broader range of devices.

Last month, the company launched BlackBerry Spark, a communications platform that allows IoT devices used in business — which it calls the “enterprise of things”, or EoT — made by any manufacturer to connect securely to each other.

“We’re taking our DNA of security and privacy and we’re making sure to apply that to the devices that we’re bringing into the BlackBerry Spark ecosystem,” says Charles Eagan, chief technology officer at BlackBerry.

Next year, the company will launch an additional security layer to sit on top of this platform. This will continuously authenticate devices on the network using data points such as location, time and even biometrics.

If a device appears to be in use by an unauthorised person it is blocked immediately and may have additional layers of security added to it.

BlackBerry has also released a service that allows manufacturers to embed a security key into their devices — whether those are smart speakers, smart locks or smart healthcare devices — to make them inherently trusted. A BlackBerry server records the key and continuously checks that the two keys match. If they do not, the device will no longer reboot.

BlackBerry said in its latest earnings report that it now generates more than 90 per cent of its revenue from software and services, with John Chen, chief executive, highlighting the “significant future opportunities” he saw coming from the Spark platform.

BlackBerry’s focus is the business market, but other technologies will be needed to protect connected devices across the board.

The seriousness of the IoT threat was underlined when almost half a million pacemakers had to be recalled in the US in August last year because they were found to be vulnerable to cyber “intrusions and exploits”. It prompted the US Federal Drugs Administration to announce a new “action plan” to advance cyber security in all medical devices.

Among those working on potential solutions are researchers at the Massachusetts Institute of Technology, who have developed a new type of low-power encryption for microchips. This would allow small connected devices to have the same level of encryption as transactions performed on regular computers but using 400 times less energy and 90 per cent less memory, while executing processes 500 times faster.

The remote access pathway is . . . the hackers’ golden ticket, ultimately

This is potentially a game-changer for simple, low-powered products such as smart sensors used by industry to gauge things such as temperature and pressure, as well as health monitors.

“In the IoT space we have different sensors and small resource-constrained devices that might be running on batteries or energy harvesting,” says Utsav Banerjee, a graduate student at MIT and one of the lead researchers on the project.

Small IoT devices will often have some custom-made security features, Mr Banerjee says, but they tend to be less secure than standard security systems used for most internet traffic, for example.

Strong encryption normally takes considerable computing power. The new microchip cuts down on energy use, however, because it is designed to handle any kind of elliptic curve calculation — the mathematical technique that underlies most modern encryption — rather than being hard-wired for a particular one.

The chip exists as a working prototype and will need further checks before going into production. But Mr Banerjee said several companies had already expressed an interest in it.

Meanwhile Bomgar, a private cyber security company based in Jackson, Mississippi, is focusing on a particular area of vulnerability for IoT devices: remote access. This is software that allows a device to be remotely controlled in order to fix it, patch it, or provide support.

“Remote access is the number one attack vector across any platform,” says Scott Walker, a solutions engineer at Bomgar. “Apart from the keys to the kingdom, which is often the password, the remote access pathway is what people want — that’s the hackers’ golden ticket, ultimately.”

Better control over remote access, Mr Walker says, would have frustrated the infamous “fish tank” attack revealed by security company Darktrace last year. A North American casino had some of its customer data stolen by hackers who accessed the computer system through an internet-connected fish tank in the lobby.

Bomgar has come up with a solution it calls “continuous true discovery”, which immediately takes inventory of a device as soon as it comes online and can automatically change its password and track it. Several S&P 500 and FTSE 100 companies are using the system, the company says.