RIM Explains BlackBerry PlayBook Work & Personal Info Security

BlackBerry Bridge

In the past we have mentioned a bit about what security measures RIM has put in place on the BlackBerry PlayBook, but the documentation was a bit daunting. They have kindly summed much of it up in one comparatively short knowledge base article. In short, your work data over the Bridge is ultra secure with 512-bit encryption, but your personal data is not. Hopefully that is fixed in the future, but this should still be an easy sell for enterprises worried about jailbroken iPads and Android tablets.

Security of work and personal data on the BlackBerry PlayBook tablet

Article ID: KB27707

Does the tablet store any work data persistently in the work file system?

No.

When a tablet is connected to a BlackBerry® smartphone using BlackBerry® Bridge™, the tablet temporarily stores work data in the work file system on the tablet. The work file system is encrypted using XTS-AES-256. The keys that the BlackBerry® PlayBook™ tablet uses to encrypt the work file system are encrypted using the BlackBerry Bridge work key. The tablet stores the BlackBerry Bridge work key in RAM only.

When the Bluetooth® connection between a tablet and a smartphone closes, the tablet and the smartphone each delete their copy of the BlackBerry Bridge work key. All of the work data that is stored on the tablet is encrypted with keys that are encrypted using the BlackBerry Bridge work key, and both copies of the work key are deleted. This data and key encryption means that it is not possible to decrypt the work data after the Bluetooth connection closes and the smartphone and tablet delete their copies of the BlackBerry Bridge work key.

What is XTS-AES?

XTS-AES is an IEEE-approved Advanced Encryption Standard mode for disk encryption that provides protection against manipulation of encrypted data. XTS-AES-256 uses 512-bit cryptographic keys.
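The key hierarchy described in the answers above, as an added sketch that is not RIM's code: a 512-bit XTS-AES-256 file-system key is persisted only in wrapped form, so once the wrapping key is discarded the stored sectors cannot be decrypted. The RFC 3394 AES key wrap, the 512-byte sector, the sector-number tweak and all names are assumptions (the article does not say how the PlayBook wraps its keys), and the code needs the Python `cryptography` package.

```python
# Added illustration; names are hypothetical, not RIM identifiers.
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)

SECTOR = 512  # constructed sector size for this demo

def xts(fs_key, sector_no, data, encrypt):
    """XTS-AES-256 over one sector; the tweak is the sector number (assumed)."""
    tweak = sector_no.to_bytes(16, "little")
    cipher = Cipher(algorithms.AES(fs_key), modes.XTS(tweak))
    ctx = cipher.encryptor() if encrypt else cipher.decryptor()
    return ctx.update(data) + ctx.finalize()

def new_store(work_key):
    """Persistent state holds only the wrapped file-system key and ciphertext."""
    fs_key = os.urandom(64)  # 512 bits: two 256-bit AES keys, as XTS requires
    # Assumption: RFC 3394 AES key wrap stands in for the unspecified wrapping.
    return {"wrapped_fs_key": aes_key_wrap(work_key, fs_key), "sectors": {}}

def write_sector(store, work_key, n, plaintext):
    fs_key = aes_key_unwrap(work_key, store["wrapped_fs_key"])
    store["sectors"][n] = xts(fs_key, n, plaintext, True)

def read_sector(store, work_key, n):
    fs_key = aes_key_unwrap(work_key, store["wrapped_fs_key"])
    return xts(fs_key, n, store["sectors"][n], False)

def demo():
    work_key = os.urandom(32)  # held in RAM only while Bridge is connected
    store = new_store(work_key)
    msg = b"constructed work email body".ljust(SECTOR, b"\0")
    write_sector(store, work_key, 0, msg)
    write_sector(store, work_key, 1, msg)
    readable = read_sector(store, work_key, 0) == msg
    distinct = store["sectors"][0] != store["sectors"][1]  # tweak differs per sector
    del work_key  # Bluetooth connection closes: the work key is deleted
    try:  # any other key fails the unwrap integrity check
        read_sector(store, os.urandom(32), 0)
        recoverable = True
    except InvalidUnwrap:
        recoverable = False
    return readable, distinct, recoverable

if __name__ == "__main__":
    print(demo())
```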

Does the tablet encrypt personal data?

No.

Can I disable the feature that allows work applications to attach personal files to work email messages or calendar entries?

No.

Is the cryptographic module on the BlackBerry PlayBook tablet FIPS validated?

The cryptographic module on the tablet is currently in the process of being validated for FIPS 140-2 certification.

Can I set a password on a tablet?

Yes. A user can configure the tablet password and timeout options using the Options menu on the tablet. If you set a password for the tablet, you must provide that password to log in to the tablet.

Is work data protected by the smartphone password?

Yes. After a BlackBerry PlayBook tablet user connects the tablet to a BlackBerry smartphone that requires a password, the tablet automatically requires the user to provide the smartphone password when the tablet accesses any smartphone data. Smartphone data can include email messages, calendar entries, tasks, memos, BlackBerry® Messenger messages, intranet content, files, or attachments that the user views on the tablet.

The requirement to provide the smartphone password to access work data is independent of the tablet password that a user may set.

Do the IT policy rules that control the password security level of a smartphone extend to a tablet?

Yes. If a user connects a tablet to a smartphone that is associated with a BlackBerry Enterprise Server, any IT policy rules that control the password security level of the smartphone apply to the smartphone password that the user must enter to access work data on the tablet.

What password security level is enforced if I connect a tablet to a smartphone with one set of IT policy rules, then disconnect and connect the tablet to a smartphone with a different set of IT policy rules?

While the tablet is connected to the first smartphone, the password security level that is set for that smartphone is enforced. This security level applies to the smartphone password that a user must enter to access work data on the tablet. It does not apply to the tablet access password that a user may set on the tablet.

When you connect the tablet to another smartphone, the tablet deletes the work file system that temporarily stored work data associated with the first smartphone. While the tablet is connected to the second smartphone, the password security level that is set for that smartphone is enforced. This security level applies to the smartphone password that a user must enter to access work data on the tablet. It does not apply to the password that a user may set on the tablet.

Environment

  • BlackBerry® PlayBook™

Additional Information

For more information on BlackBerry PlayBook tablet security, see the BlackBerry PlayBook Security Technical Overview.
