Who'd have picked a BlackBerry for the Internet of Things?

BlackBerry once relied on security and simplicity as key differentiators for winning over enterprise smartphone users.

But over the past five years, the company found itself trying to compete in a smartphone market that placed greater value on other features – namely a sexier user interface (touch instead of keyboard) and a broader app ecosystem.

Now BlackBerry has made a string of security acquisitions in order to return to one of its key value propositions – just not necessarily on the devices users have come to expect. It’s a big gamble, but one that might come just in time to save the company.

It is tempting to view BlackBerry’s creation of a new technology business unit for its security acquisitions as a sign the struggling handset maker is re-organising its intellectual property for a fire sale.

That assumes Blackberry doesn’t have any ideas beyond smartphones and PDAs – when what is more intriguing about the company is the way in which it is mobilising for a strong position in the Internet of Things. 

Last month BlackBerry hosted a surprise Security Summit in New York City, hosted by new CEO John Chen, ostensibly as a platform from which to announce the acquisition of German voice security outfit Secusmart.

BlackBerry and Secusmart have worked together for a long time; their stated aim is to put a properly secure phone in the “hand of every President and every Chancellor”. That’s a catchy ambition given the recent news that US intelligence forces had bugged the calls of Chancellor Angela Merkel.

Secusmart CEO Hans-Christoph Quelle is a champion of voice security.  He says convincingly that eavesdropping on phone calls is now routine by nation-states and enterprise alike.  He foresees strong demand for counter-surveillance in telephony and messaging. 

Secusmart is also responsible for the Micro SD cards BlackBerry use as removable security modules in their handsets.  And this is where the SecuSmart acquisition really resonates – I see a huge and very timely push for hardware-mediated security.

Hardware-mediated security is not a new idea.  Over a decade ago, computer industry heavyweights formed a consortium to drive the “Trusted Platform Module” (TPM) concept.  It was hoped that a locked-down, tamper proof and certifiably secure chip would become standard in PCs and laptops, and thereby protect these devices against malware, keystroke logging and attacks on the cryptographic key stores.  Tragically, the TPM concept never took off; millions of chips have been shipped but they’re hardly used. 

But now, as a result of falling hardware prices and the spiralling costs of criminal activity, personal hardware security is undergoing a renaissance. 

The FIDO Alliance, for instance, was founded only last year, to leverage the near universal availability of reliable smart devices with built-in strong cryptography, and has already spawned new secure m-payments apps. 

We’ve seen new USB keys for personal authentication come into the consumer market, and there’s vigorous R&D going on in Trusted Execution Environments (TEEs).

In the meantime, frankly stupid software failures seem to be getting worse.  We’ve recently seen the “Goto Fail” bug afflict all Apple devices, thanks to a single mistakenly placed line of code in the Operating System.  And the notorious “Heartbleed” bug negated SSL in hundreds of thousands of secure websites, again as a result of a beginner-level coding error.  The fragility of our core software building blocks is frightening.

In this context, it was especially astute of BlackBerry back in 2010 to acquire QNX and its secure operating system.  I spoke with QNX founder Dan Dodge at the BlackBerry Security Summit.  He says over 50 percent of today’s connected cars run the QNX OS. 

QNX OS market penetration is even higher in high reliability settings like power stations and wind turbines.  It also meets market demand for reliability in the gaming machine industry. 

The QNX OS comprises of just 100,000 lines of code and Dodge stressed that on that basis, his team knows the software inside out.  There is not a single line of code there that the QNX team did not write itself.  In contrast, such mastery is utterly impossible in the 15 million lines that make up Linux or the estimated 50-70 million lines in Windows. For this reason, QNX has achieved a level of security certification beyond the reach of the mainstream software houses. 

Now, BlackBerry can make quality and reliability its unique competitive strengths, and isn’t limited to handsets.

Security in the Internet of Things – and therefore in everyday life – will turn out to be just as important as it is in power plants. 

Paradoxically, the public has a decent appetite for risk and failures in very complex systems. Deep down, we basically know that nuclear power is inherently risky.  And we all know that planes will occasionally fall out of the sky or that implantable defibrillators will sometimes fail.

Collectively we have decided we just can’t live without electricity, air travel and high tech medicine, and we’ve come to settle on a roughly acceptable cost of failure in these modern activities.  But when everyday, mundane processes go digital, our tolerance for errors will crash. 

When our cars and appliances and light switches are connected to an Internet of Things, and when a software bug can disable the toaster, consumers won’t stand for it. 

So the very best security we can currently engineer is going to be necessary at scale for smart appliances, wearables, connected homes, smart meters and networked cars. 

We need a different gauge for this type of security. And it’s going to be very tough to engineer and deploy economically.  Commercial operating systems are simply not up to the task.  As memory and processing power depreciate under Moore’s Law, it’s been tempting until now to port regular operating systems into embedded systems, but this expedient approach needs rethinking. Linux won’t do for light switches.

You might have written off BlackBerry in the handset market. But with a solid understanding of dependable software, a bulletproof OS, and a commitment to hardware-based security, Blackberry may enjoy a new lease of life in the Internet of Things.

Steve Wilson is Vice President and Principal Analyst at Constellation Research.  He travelled to Blackberry’s Security Summit as a guest of Blackberry and SC Magazine.