Ilane Whitepaper for Security and Bes
8/4/2019 Ilane Whitepaper for Security and Bes
iLane Admin Guide
WHITEPAPER for SECURITY and BES
TABLE of CONTENTS
DOC-00047-01 (2-3-09) iLane Admin Guide
Section 1 ADMINISTRATORS OVERVIEW
1.0 Introduction
1.1 About This Guide
Section 2 iLANE CONNECTIVITY
2.0 iLane Components
2.1 iLane Connections
2.2 iLane and the Internet
Section 3 iLANE SECURITY
3.0 Authentication
3.1 Encryption
Section 4 BLACKBERRY ENTERPRISE SERVER (BES) SETTINGS
4.0 iLane and BES: Introduction
4.1 Required IT Configurations / Policies
4.2 Using BES Application Control Policies
4.3 BlackBerry Settings for Your End Users
Section 5 MAINTAINING A SECURE ENVIRONMENT
5.0 iLane Installations and Upgrades
5.1 Controlling Bluetooth Access
5.2 iLane and Your Network
5.3 If an iLane is Lost or Stolen
Section 6 APPENDIX: TYPICAL BES SCREEN SHOTS
Due to continuous advancements, all information is subject-to-change. Please consult my.ilane.com for revisions.
ADMINISTRATORS OVERVIEW
GRAPHIC CONVENTIONS USED IN THIS GUIDE
= NOTE or TIP for exceptions, emphasis and/or help
iLane and its related marks, logos, images and symbols are the exclusive property and trademarks of Intelligent
Mechatronic Systems, Inc.
Bluetooth is a registered trademark of Bluetooth SIG, Inc.
BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research in
Motion Limited.
All other trademarks are the property of their respective owners.
DISCLAIMER
While every effort has been made to ensure that all information published and provided in support of iLane is accurate, complete and up-to-date, IMS can accept no liability for possible errors or omissions. Due to continuing research, please note that all iLane information is subject to change without notice.
COPYRIGHT NOTICE
No part of this guide or other IMS publications may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without prior written permission of IMS.
iLANE CONNECTIVITY
SECTION 2
This overview describes iLane and how it interconnects.
2.0 iLane Components
iLane is designed for in-vehicle use. Its 3 main system components are:
the iLane device (running iLane Platform firmware)
the iLane headset
the iLane Gateway software application installed on a user's BlackBerry
A NOTE ABOUT BLUETOOTH COMPATIBILITY
The original iLane Platform firmware (v1.0.5) released in Fall 2008 is optimized for use with the iLane headset, the BlueAnt Z9i. As other compatible Bluetooth hands-free audio systems or Bluetooth-enabled vehicles complete testing and are verified for use with iLane, they are added to the Bluetooth Compatibility List at my.iLane.com. Please consult this list if you are interested in using your own Bluetooth audio device with iLane.
2.1 iLane Connections
As shown in Figure 1, the Bluetooth wireless communications between iLane components are local within the vehicle. Other communications outside the vehicle environment, which allow the BlackBerry to receive and send information, utilize your pre-existing Internet connections. See 2.2, iLane and the Internet on page 8.
Figure 1. iLane Connectivity
Since messages flow directly between iLane and the smartphone without passing through any additional servers, the driver receives iLane communications securely and without delay.
ESTABLISHING iLANE'S BLUETOOTH LINKS
When the user first sets up their iLane system, the two Bluetooth wireless connections are established between 1) iLane and the user's BlackBerry and 2) iLane and the iLane headset. In this pairing process, iLane is discoverable only by Bluetooth devices within range of the iLane transceiver. This pairing mode is possible only under certain conditions:
if you have a new iLane, or if you have done a Factory Reset on iLane to delete previous pairings and restore factory defaults
if you have physical access to iLane (for pressing the required button during the pairing process).
NOTE: A successfully paired iLane is no longer discoverable by other
Bluetooth devices. The smartphone, however, does not have to be
discoverable in order to be successfully paired to iLane.
THE HANDS-FREE PROFILE (BETWEEN iLANE AND BOTH COMPONENTS)
As shown in Figure 1, all communications between iLane and the headset use the industry-standard Bluetooth Hands-Free Profile (HFP). This profile is also used for audio and call status exchanges between iLane and the BlackBerry.
THE SERIAL PORT PROFILE (BETWEEN iLANE AND THE BLACKBERRY ONLY)
As shown in Figure 1, a Bluetooth Serial Port Profile (SPP) is used between iLane and the BlackBerry. This additional profile enables the secure exchange of messages and other information which iLane reads aloud and manages using a voice-based interface. After authentication, AES-256 transport level encryption is applied to information within the SPP link. The BlackBerry's access to the SPP interface is established and controlled by the iLane Gateway application.
2.2 iLane and the Internet
Every iLane user needs external web access on their BlackBerry. This internet connection is required in order to:
Create an iLane account
Download and install iLane Gateway software on a BlackBerry
Authenticate and activate iLane
Configure personal preferences available at my.iLane.com
Receive on-demand custom content such as the Associated Press news and The Weather Network forecasts available with a paid iLane subscription
iLANE SECURITY
SECTION 3
This section summarizes iLane security measures.
3.0 Authentication
iLANE GATEWAY AUTHENTICATION
iLane Gateway, the software application installed on every iLane user's BlackBerry, is a digitally signed and validated application. This status grants iLane Gateway access to the required RIM-controlled APIs.
BLACKBERRY AUTHENTICATION
Every iLane user's BlackBerry is associated with a registered iLane account on my.iLane.com. This association is based on the email address and phone number configured on the BlackBerry. The manager of an iLane account can approve or deny the use of specific email addresses and phone numbers with a given iLane.
iLANE DEVICE AUTHENTICATION
Public key cryptography with device-unique key pairs authenticates each iLane device. This approach ensures that all access to iLane Gateway is controlled through the Bluetooth SPP link. Any device lacking the complementary portion of the asymmetric key cannot use the SPP link to reach iLane Gateway on the smartphone.
3.1 Encryption
During any iLane session, two secure tunnels prevent eavesdropping: one tunnel is between iLane and the smartphone, and one is between iLane and the my.iLane.com server.
Each tunnel is authenticated using RSA and encrypted using AES-256, and does not rely on existing Bluetooth encryption.
BLACKBERRY ENTERPRISE SERVER (BES) SETTINGS
SECTION 4
This section specifies how to configure your BES policies for successful
iLane setup and/or operation. See also Section 6, Appendix.
4.0 iLane and BES: Introduction
Settings for corporate IT security policies, Bluetooth access, and application controls all need to be properly configured before iLane can be set up and used with a BlackBerry email account residing in a BES environment.
NOTE: Your text, displays and prompts may not be exactly as shown. See
also Section 6, Appendix.
4.1 Required BES IT Configurations / Policies
IT security and Bluetooth requirements are listed below.
GENERAL SECURITY (IT)
Enable 3rd-party downloads
iLane Gateway software is typically deployed over-the-air, so is considered a 3rd-party download. If necessary, this ability to download may be temporarily granted just for the time required to install iLane Gateway.
Enable external connections
External connections are required to activate iLane, access on-demand content (such as news and weather), and manage iLane preferences.
Enable internal downloads (optional)
Enable internal downloads if you wish to route network communications from iLane Gateway through the BES rather than directly to a carrier network.
Allow outgoing calls when locked
iLane is typically used while the smartphone is holstered or otherwise stored. Drivers need the ability to place a call without access to their smartphone.
BLUETOOTH (IT)
Enable Bluetooth
Bluetooth technology is used for communications between iLane and the smartphone.
Enable pairing
As part of the iLane setup procedure, the smartphone must be paired to iLane. This establishes the secure Bluetooth link between the two devices.
Enable Serial Port Profile
The Bluetooth Serial Port Profile (SPP) is used to exchange information between iLane and the smartphone.
Enable Hands-Free Profile (HFP)
iLane uses the Hands-Free Profile (HFP) for managing voice calls.
4.2 Using BES Application Control Policies
If desired, a BES administrator can whitelist iLane Gateway so that special application control privileges (such as connections that iLane requires) apply only when the smartphone is used with iLane. Other applications on the user's smartphone would still be controlled by default application control policies.
Keep in mind that general BES IT policies (see 4.1, Required BES IT Configurations / Policies on page 11) override all application control policies.
Suggested application control policies for iLane are listed below:
Allow Bluetooth Serial Profile
The Bluetooth Serial Port Profile (SPP) is used to exchange information between iLane and the smartphone.
Allow / prompt phone access
iLane requires phone access in order to obtain caller information and add entries to the BlackBerry's diagnostic log.
Allow external domain my.iLane.com
Set to null or my.iLane.com so that iLane can access the iLane servers for device authentication, activation, preferences and on-demand content such as subscription news and weather reports.
Allow / prompt interprocess communication
As processes unfold, iLane Gateway requires certain data exchanges (hand-shaking) with other BlackBerry applications.
Allow / prompt external network connections
An external network connection enables iLane to access my.iLane.com directly using the carrier network infrastructure.
Allow / prompt message access
This enables the flow of email messages between iLane and the BlackBerry. Note this is a local transfer (within the vehicle) only.
Allow / prompt PIM data access
iLane must access Personal Information Manager data such as Calendar and Contact details in order to place outbound calls, call back an email sender, and to review scheduled events.
See also 5.1, Controlling Bluetooth Access on page 15 for an example of how application control policies are used.
4.3 BlackBerry Settings for Your End Users
Depending on general IT policies and application control policies, certain application settings and options are visible to end users within a BES environment. See the following examples:
CONNECTIONS
Enable Bluetooth
Bluetooth technology is used for communications between iLane and the smartphone.
Enable message access
iLane requires phone access in order to obtain caller information and add entries to the BlackBerry's diagnostic log.
Enable company network access
If enabled, iLane can access my.iLane.com using the BES as a proxy server.
Enable carrier internet access
If enabled, iLane can access my.iLane.com directly using the carrier network infrastructure.
INTERACTIONS
Enable interprocess communication
As processes unfold, iLane Gateway requires certain data exchanges (hand-shaking) with other BlackBerry applications.
USER DATA
Enable email / messaging
This enables the flow of email messages between iLane and the BlackBerry. Note this is a local transfer (within the vehicle) only, and that no messages are actually stored in iLane memory.
Enable PIM data access
iLane must access Personal Information Manager data such as Calendar and Contact details in order to place outbound calls, call back an email sender, and to review scheduled events.
MAINTAINING A SECURE ENVIRONMENT
SECTION 5
This section describes general security parameters over the life of iLane.
5.0 iLane Installation and Upgrades
Depending on the situation and/or your preference, iLane Gateway software may be installed, or upgraded, on a smartphone using any of the standard BlackBerry deployment methods:
Over-the-air (OTA) wireless download
USB (requires a USB connection to a PC)
Administrative application push using BlackBerry Manager
5.1 Controlling Bluetooth Access
If your general IT policy is to restrict users' Bluetooth access whenever possible, it is recommended that this limitation instead be applied as an application control policy. This method allows you to grant Bluetooth privileges on a case-by-case basis, such as enabling Bluetooth use for iLane Gateway only.
For example:
(1) Set the IT Bluetooth policy "disable serial port" to "false". This fully enables the serial port.
(2) Set the default application control policy "Bluetooth Serial Port Profile" to "disabled".
(3) Enable the application control policy "Bluetooth Serial Port Profile" for iLane Gateway only. This overrides the default set in Step 2, but just for iLane.
(4) iLane Gateway can now use the Bluetooth Serial Port Profile, but the disabled default is enforced for other applications.
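The precedence described in 4.2 and in steps (1) to (4) above, modelled as a small policy resolver with an audit check. This is an added example, not code from IMS or from BES; the class and function names and every application name other than iLane Gateway are hypothetical, and the three policy sets are constructed samples.

```python
# Toy model of BES policy precedence as described in 4.2 and 5.1.
# Not BES code: all names below are hypothetical illustrations.
from dataclasses import dataclass, field


@dataclass
class PolicySet:
    # IT policy "disable serial port": True blocks SPP for the whole device.
    it_disable_serial_port: bool
    # Default application control policy "Bluetooth Serial Port Profile".
    default_app_spp: str = "disabled"  # "allowed" or "disabled"
    # Per-application overrides of that default, keyed by application name.
    app_overrides: dict = field(default_factory=dict)


def effective_spp(policy, app):
    """Return True if `app` may use the Bluetooth Serial Port Profile."""
    # General IT policies override all application control policies (4.2).
    if policy.it_disable_serial_port:
        return False
    # Otherwise the per-application policy wins over the default (5.1, step 3).
    return policy.app_overrides.get(app, policy.default_app_spp) == "allowed"


def audit(policy, apps, expected_allowed):
    """Return (app, problem) pairs where the outcome differs from the intent."""
    findings = []
    for app in apps:
        allowed = effective_spp(policy, app)
        if allowed and app not in expected_allowed:
            findings.append((app, "unexpected SPP access"))
        elif not allowed and app in expected_allowed:
            findings.append((app, "SPP blocked"))
    return findings


# Constructed sample data: only "iLane Gateway" comes from the guide.
APPS = ["iLane Gateway", "Example Chat", "Example Sync"]
INTENT = {"iLane Gateway"}

# Steps (1)-(3) of 5.1 applied as written.
RECOMMENDED = PolicySet(False, "disabled", {"iLane Gateway": "allowed"})
# Step (1) skipped: the IT-level block makes the per-app allowance ineffective.
IT_BLOCKED = PolicySet(True, "disabled", {"iLane Gateway": "allowed"})
# Step (2) skipped: the default is open, so every application gets SPP.
OPEN_DEFAULT = PolicySet(False, "allowed", {})

if __name__ == "__main__":
    for name, p in (("recommended", RECOMMENDED), ("it_blocked", IT_BLOCKED),
                    ("open_default", OPEN_DEFAULT)):
        print(name, audit(p, APPS, INTENT))
```

An empty findings list means only the intended application can reach the serial port; the other two policy sets show what skipping step (1) or step (2) produces.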
APPENDIX: TYPICAL BES SCREEN SHOTS
SECTION 6
This section repeats the required BES settings as discussed in Section 4,
but with the typical text you will likely see.
NOTE: Your text, displays and prompts may not be exactly as shown.
Figure 2. IT BES Settings
Figure 3. End-user Device Settings
© 2009 Intelligent Mechatronic Systems Inc. All rights reserved.
iLane and its related marks, logos, slogans, images and symbols are the exclusive property and trademarks of Intelligent Mechatronic Systems Inc.
Patents Pending.
Intelligent Mechatronic Systems Inc.
161 Roger Street
Waterloo, ON
N2J 1B1 Canada
TECHNICAL SUPPORT:
GENERAL INQUIRIES:
1-866-818-6637
www.iLane.com