Ilane Whitepaper for Security and Bes


8/4/2019 Ilane Whitepaper for Security and Bes (1/20)

iLane Admin Guide: WHITEPAPER for SECURITY and BES


TABLE of CONTENTS

DOC-00047-01 (2-3-09) iLane Admin Guide

Section 1 ADMINISTRATORS OVERVIEW 3
1.0 Introduction 3
1.1 About This Guide 3

Section 2 iLANE CONNECTIVITY 5
2.0 iLane Components 5
2.1 iLane Connections 5
2.2 iLane and the Internet 8

Section 3 iLANE SECURITY 9
3.0 Authentication 9
3.1 Encryption 9

Section 4 BLACKBERRY ENTERPRISE SERVER (BES) SETTINGS 11
4.0 iLane and BES: Introduction 11
4.1 Required IT Configurations / Policies 11
4.2 Using BES Application Control Policies 12
4.3 BlackBerry Settings for Your End Users 13

Section 5 MAINTAINING A SECURE ENVIRONMENT 15
5.0 iLane Installations and Upgrades 15
5.1 Controlling Bluetooth Access 15
5.2 iLane and Your Network 16
5.3 If an iLane is Lost or Stolen 16

Section 6 APPENDIX: TYPICAL BES SCREEN SHOTS 17

    Due to continuous advancements, all information is subject-to-change. Please consult my.ilane.com for revisions.


ADMINISTRATORS OVERVIEW

GRAPHIC CONVENTIONS USED IN THIS GUIDE

NOTE or TIP: marks exceptions, emphasis and/or help

iLane and its related marks, logos, images and symbols are the exclusive property and trademarks of Intelligent Mechatronic Systems, Inc.

Bluetooth is a registered trademark of Bluetooth SIG, Inc.

BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research in Motion Limited.

All other trademarks are the property of their respective owners.

DISCLAIMER

While every effort has been made to ensure that all information published and provided in support of iLane is accurate, complete and up-to-date, IMS can accept no liability for possible errors or omissions. Due to continuing research, please note that all iLane information is subject to change without notice.

COPYRIGHT NOTICE

No part of this guide or other IMS publications may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without prior written permission of IMS.


SECTION 2 iLANE CONNECTIVITY

    This overview describes iLane and how it interconnects.

2.0 iLane Components

iLane is designed for in-vehicle use. Its 3 main system components are:

- the iLane device (running iLane Platform firmware)
- the iLane headset
- the iLane Gateway software application installed on a user's BlackBerry


A NOTE ABOUT BLUETOOTH COMPATIBILITY

The original iLane Platform firmware (v1.0.5) released in Fall 2008 is optimized for use with the iLane headset, the BlueAnt Z9i. As other compatible Bluetooth hands-free audio systems or Bluetooth-enabled vehicles complete testing and are verified for use with iLane, they are added to the Bluetooth Compatibility List at my.iLane.com. Please consult this list if you are interested in using your own Bluetooth audio device with iLane.

2.1 iLane Connections

As shown in Figure 1, the Bluetooth wireless communications between iLane components are local within the vehicle. Other communications outside the vehicle environment, which allow the BlackBerry to receive and send information, utilize your pre-existing Internet connections. See 2.2, iLane and the Internet, on page 8.


    Figure 1. iLane Connectivity

Since messages flow directly between iLane and the smartphone without passing through any additional servers, the driver receives iLane communications securely and without delay.


ESTABLISHING iLANE'S BLUETOOTH LINKS

When the user first sets up their iLane system, the two Bluetooth wireless connections are established between 1) iLane and the user's BlackBerry and 2) iLane and the iLane headset. In this pairing process, iLane is discoverable only by Bluetooth devices within range of the iLane transceiver. This pairing mode is possible only under certain conditions:

- if you have a new iLane, or if you have done a Factory Reset on iLane to delete previous pairings and restore factory defaults
- if you have physical access to iLane (for pressing the required button during the pairing process).

NOTE: A successfully paired iLane is no longer discoverable by other Bluetooth devices. The smartphone, however, does not have to be discoverable in order to be successfully paired to iLane.

THE HANDS-FREE PROFILE (BETWEEN iLANE AND BOTH COMPONENTS)

As shown in Figure 1, all communications between iLane and the headset use the industry-standard Bluetooth Hands-Free Profile (HFP). This profile is also used for audio and call status exchanges between iLane and the BlackBerry.

THE SERIAL PORT PROFILE (BETWEEN iLANE AND THE BLACKBERRY ONLY)

As shown in Figure 1, a Bluetooth Serial Port Profile (SPP) is used between iLane and the BlackBerry. This additional profile enables the secure exchange of messages and other information which iLane reads aloud and manages using a voice-based interface. After authentication, AES-256 transport level encryption is applied to information within the SPP link. The BlackBerry's access to the SPP interface is established and controlled by the iLane Gateway application.


2.2 iLane and the Internet

Every iLane user needs external web access on their BlackBerry. This internet connection is required in order to:

- Create an iLane account
- Download and install iLane Gateway software on a BlackBerry
- Authenticate and activate iLane
- Configure personal preferences available at my.iLane.com
- Receive on-demand custom content such as the Associated Press news and The Weather Network forecasts available with a paid iLane subscription

SECTION 3 iLANE SECURITY

    This section summarizes iLane security measures.

3.0 Authentication

iLANE GATEWAY AUTHENTICATION

iLane Gateway, the software application installed on every iLane user's BlackBerry, is a digitally signed and validated application. This status grants iLane Gateway access to the required RIM-controlled APIs.

BLACKBERRY AUTHENTICATION

Every iLane user's BlackBerry is associated with a registered iLane account on my.iLane.com. This association is based on the email address and phone number configured on the BlackBerry. The manager of an iLane account can approve or deny the use of specific email addresses and phone numbers with a given iLane.

iLANE DEVICE AUTHENTICATION

Public key cryptography with device-unique key pairs authenticates each iLane device. This approach ensures that all access to iLane Gateway is controlled through the Bluetooth SPP link. Any device lacking the complementary portion of the asymmetric key cannot use the SPP link to reach iLane Gateway on the smartphone.

3.1 Encryption

During any iLane session, two secure tunnels prevent eavesdropping: one tunnel is between iLane and the smartphone, and one is between iLane and the my.iLane.com server. Each tunnel is authenticated using RSA and encrypted using AES-256, and does not rely on existing Bluetooth encryption.

SECTION 4 BLACKBERRY ENTERPRISE SERVER (BES) SETTINGS

This section specifies how to configure your BES policies for successful iLane setup and/or operation. See also Section 6, Appendix.

4.0 iLane and BES: Introduction

Settings for corporate IT security policies, Bluetooth access, and application controls all need to be properly configured before iLane can be set up and used with a BlackBerry email account residing in a BES environment.

NOTE: Your text, displays and prompts may not be exactly as shown. See also Section 6, Appendix.

4.1 Required BES IT Configurations / Policies

IT security and Bluetooth requirements are listed below.

GENERAL SECURITY (IT)

Enable 3rd-party downloads: iLane Gateway software is typically deployed over-the-air, so it is considered a 3rd-party download. If necessary, this ability to download may be temporarily granted just for the time required to install iLane Gateway.

Enable external connections: External connections are required to activate iLane, access on-demand content (such as news and weather), and manage iLane preferences.

Enable internal downloads (optional): Enable internal downloads if you wish to route network communications from iLane Gateway through the BES rather than directly to a carrier network.

Allow outgoing calls when locked: iLane is typically used while the smartphone is holstered or otherwise stored. Drivers need the ability to place a call without access to their smartphone.


BLUETOOTH (IT)

Enable Bluetooth: Bluetooth technology is used for communications between iLane and the smartphone.

Enable pairing: As part of the iLane setup procedure, the smartphone must be paired to iLane. This establishes the secure Bluetooth link between the two devices.

Enable Serial Port Profile: The Bluetooth Serial Port Profile (SPP) is used to exchange information between iLane and the smartphone.

Enable Hands-Free Profile (HFP): iLane uses the Hands-Free Profile (HFP) for managing voice calls.

4.2 Using BES Application Control Policies

If desired, a BES administrator can whitelist iLane Gateway so that special application control privileges (such as connections that iLane requires) apply only when the smartphone is used with iLane. Other applications on the user's smartphone would still be controlled by default application control policies.

Keep in mind that general BES IT policies (see 4.1, Required BES IT Configurations / Policies, on page 11) override all application control policies.

Suggested application control policies for iLane are listed below:

Allow Bluetooth Serial Profile: The Bluetooth Serial Port Profile (SPP) is used to exchange information between iLane and the smartphone.


Allow / prompt phone access: iLane requires phone access in order to obtain caller information and add entries to the BlackBerry's diagnostic log.

Allow external domain my.iLane.com: Set to null or my.iLane.com so that iLane can access the iLane servers for device authentication, activation, preferences and on-demand content such as subscription news and weather reports.

Allow / prompt interprocess communication: As processes unfold, iLane Gateway requires certain data exchanges (hand-shaking) with other BlackBerry applications.

Allow / prompt external network connections: An external network connection enables iLane to access my.iLane.com directly using the carrier network infrastructure.

Allow / prompt message access: This enables the flow of email messages between iLane and the BlackBerry. Note this is a local transfer (within the vehicle) only.

Allow / prompt PIM data access: iLane must access Personal Information Manager data such as Calendar and Contact details in order to place outbound calls, call back an email sender, and to review scheduled events.

See also 5.1, Controlling Bluetooth Access, on page 15 for an example of how application control policies are used.

4.3 BlackBerry Settings for Your End Users

Depending on general IT policies and application control policies, certain application settings and options are visible to end users within a BES environment. See the following examples:


CONNECTIONS

Enable Bluetooth: Bluetooth technology is used for communications between iLane and the smartphone.

Enable message access: iLane requires phone access in order to obtain caller information and add entries to the BlackBerry's diagnostic log.

Enable company network access: If enabled, iLane can access my.iLane.com using the BES as a proxy server.

Enable carrier internet access: If enabled, iLane can access my.iLane.com directly using the carrier network infrastructure.

INTERACTIONS

Enable interprocess communication: As processes unfold, iLane Gateway requires certain data exchanges (hand-shaking) with other BlackBerry applications.

USER DATA

Enable email / messaging: This enables the flow of email messages between iLane and the BlackBerry. Note this is a local transfer (within the vehicle) only, and that no messages are actually stored in iLane memory.

Enable PIM data access: iLane must access Personal Information Manager data such as Calendar and Contact details in order to place outbound calls, call back an email sender, and to review scheduled events.

SECTION 5 MAINTAINING A SECURE ENVIRONMENT

    This section describes general security parameters over the life of iLane.

5.0 iLane Installation and Upgrades

Depending on the situation and/or your preference, iLane Gateway software may be installed (or upgraded) on a smartphone using any of the standard BlackBerry deployment methods:

- Over-the-air (OTA) wireless download
- USB (requires a USB connection to a PC)
- Administrative application push using BlackBerry Manager

5.1 Controlling Bluetooth Access

If your general IT policy is to restrict users' Bluetooth access whenever possible, it is recommended that this limitation instead be applied as an application control policy. This method allows you to grant Bluetooth privileges on a case-by-case basis, such as enabling Bluetooth use for iLane Gateway only.

For example:

(1) Set the IT Bluetooth policy "disable serial port" to false. This fully enables the serial port.

(2) Set the default application control policy "Bluetooth Serial Port Profile" to disabled.

(3) Enable the application control policy "Bluetooth Serial Port Profile" for iLane Gateway only. This overrides the default set in Step 2, but just for iLane.

(4) iLane Gateway can now use the Bluetooth Serial Port Profile, but the disabled default is enforced for other applications.
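The precedence these four steps rely on, modelled as an added example (not IMS or RIM code): a small Python resolver in which an IT policy disable wins over every application control policy (section 4.2), a per-application policy wins over the default, and an audit function reports which applications end up with SPP. It also goes one step beyond the text by flipping the IT switch to show that the iLane exception is lost when the IT policy disables the serial port. The policy names, application name and data structures are assumptions modelled on the guide's wording, not real BES identifiers.

```python
from dataclasses import dataclass, field

# Hypothetical policy identifiers, named after the guide's wording (assumed).
IT_DISABLE_SERIAL_PORT = "disable serial port"
APP_BT_SPP = "Bluetooth Serial Port Profile"
ILANE_GATEWAY = "iLane Gateway"


@dataclass
class BesPolicySet:
    """Three layers of BES policy, highest precedence first (assumed model)."""
    # IT policy switches: True means the capability is disabled device-wide.
    it_policy: dict = field(default_factory=dict)
    # Default application control policy: applies to any app without an override.
    default_app_policy: dict = field(default_factory=dict)
    # Per-application overrides, keyed by application name.
    app_policies: dict = field(default_factory=dict)

    def app_allowed(self, app: str, capability: str, it_switch: str) -> bool:
        """Resolve whether `app` may use `capability`.

        Section 4.2: general IT policies override all application control
        policies, so an IT-level disable wins before any app policy is read.
        """
        if self.it_policy.get(it_switch, False):
            return False
        per_app = self.app_policies.get(app, {})
        if capability in per_app:
            return per_app[capability]
        return self.default_app_policy.get(capability, False)


def ilane_spp_policy() -> BesPolicySet:
    """Steps 1 to 3 of section 5.1 expressed as a policy set."""
    p = BesPolicySet()
    p.it_policy[IT_DISABLE_SERIAL_PORT] = False            # Step 1
    p.default_app_policy[APP_BT_SPP] = False               # Step 2
    p.app_policies[ILANE_GATEWAY] = {APP_BT_SPP: True}     # Step 3
    return p


def spp_exposure(policy: BesPolicySet, apps: list) -> dict:
    """Audit view: which of the listed apps end up with SPP (the Step 4 check)."""
    return {a: policy.app_allowed(a, APP_BT_SPP, IT_DISABLE_SERIAL_PORT)
            for a in apps}


if __name__ == "__main__":
    print(spp_exposure(ilane_spp_policy(), [ILANE_GATEWAY, "Other App"]))
```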

SECTION 6 APPENDIX: TYPICAL BES SCREEN SHOTS

This section repeats the required BES settings as discussed in Section 4, but with the typical text you will likely see.

    NOTE: Your text, displays and prompts may not be exactly as shown.

    Figure 2. IT BES Settings



    Figure 3. End-user Device Settings


2009 Intelligent Mechatronic Systems Inc. All rights reserved.

iLane and its related marks, logos, slogans, images and symbols are the exclusive property and trademarks of Intelligent Mechatronic Systems Inc.

Patents Pending.

Intelligent Mechatronic Systems Inc.
161 Roger Street
Waterloo, ON N2J 1B1 Canada

    TECHNICAL SUPPORT:

    GENERAL INQUIRIES:

    [email protected]

    [email protected]

    1-866-818-6637

    www.iLane.com

    Bluetooth is a registered trademark of Bluetooth SIG, Inc.