BlackBerry Denies QNX Was To Blame In Jeep Cherokee Hack

itwbennett writes: Last month, security researchers demonstrated how to circumnavigate the in-vehicle entertainment system of the Jeep Cherokee to take over the car itself, including control of the dashboard, steering mechanism, transmission, locks, and brakes. The more than 1.4 million vehicles being recalled all run the QNX Neutrino OS, which was supplied by BlackBerry subsidiary QNX Software Systems. But the flaw being exploited was not within the OS itself, BlackBerry said Monday in its blog.

Blackberry not compatible with anything

[cgfsd]

Having a Blackberry for work, I would agree with Blackberry as QNX not being the problem. My Blackberry is not compatible with anything and doesn't run anything, so I would find it hard that someone could write an exploit and actually get it to run on a Blackberry OS.

Re:Blackberry not compatible with anything

[JustAnotherOldGuy]

someone could write an exploit and actually get it to run on a Blackberry OS.

As a fellow ex-Blackberry owner, I agree- that was where the story became difficult to believe.

Re:Blackberry not compatible with anything

[MightyMartian]

Find another job soon. BB is going to go under in the next couple of years, and you won't be getting any money for shilling for them.

Re:Blackberry not compatible with anything

[edtice1559]

This is funny. But is also, unfortunately, -1 WRONG. QNX can run all Android applications and has for quite some time now. They aren't as nice as native apps, but they all run.

Re:Blackberry not compatible with anything

[edtice1559]

Seriously? There are real BB fans out there. I'm one of them ( and not an AC ). I changed from a Blackberry Z/10 to a Nexus/6 when my company got bought and the acquiring organization wouldn't support the device. (Mobile Iron doesn't support Blackberry). The Nexus/6 is *way* better for things like going on Facebook, buying movie tickets, and every other non-productive activity. But when it came to getting stuff done, the Blackberry Hub was really the ultimate in UI design. BBRY isn't going to do well because most companies are going to BYOD. And if somebody has to fork out $500 of their own money for a device and has to choose between one that is great for personal use and marginal for business use and one that is great for business use and marginal for personal use, they will always choose the former. I also hear that BES is really hard to maintain. I have no first-hand experience. But I will certainly switch back to Blackberry if it becomes a possibility for me. If I want an Android device for recreation, I would rather use a tablet.

Re:Blackberry not compatible with anything

[Lunix+Nutcase]

QNX can run all Android applications and has for quite some time now.

No, it can't run all Android applications and even BlackBerry doesn't claim that.

Re:Blackberry not compatible with anything

[Lunix+Nutcase]

And you don't even need to believe me. Scroll to the bottom of this page and read this disclaimer that exists on all BB 10 pages about Android apps:

Android app support and compatibility will vary by smartphone and/or software version.

And also notice how they only mention being able to install apps from Amazon's App Store not Google Play.

Re:Blackberry not compatible with anything

[edtice1559]

Of course there is a disclaimer for things they don't control. But the fact is that Android apps run quite well. You can install the Amazon store using Blackberry World. You can side-load any Android apps that you want. There is also another disclaimer that comes up whenever you run an Android app with a reminder that they have an inferior security model. Don't take my word for it, go Google the disclaimer. I had a Z10 for years and ran any Android app that I wanted. They were a bit slow. But otherwise everything worked.

Re:Blackberry not compatible with anything

[edtice1559]

Neither can Android run *all* Android applications! Go the Play store some day and it will show you which of your devices are compatible with the app. Sometimes none of your devices are compatible. Maybe a particular Blackberry device doesn't run as many Android apps as an Android device but it runs a lot of them. And Android devices don't run QNX apps. I would always dislike it when there wasn't a native Blackberry version of an application and I had to use the Android version. But even your rejoinders prove my point. The original post stated that Blackberry wasn't "compatible with anything." I pointed out all the things that it is compatible with. The responses are to add some nuance to my statement. But still you can run almost anything in the Amazon App Store on a Blackberry so calling it "not compatible with anything" is just silly.

Re:Blackberry not compatible with anything

[narcc]

Google Play is a different issue entirely. You'll find countless Android devices that don't have access to Google Play either. It has nothing to do with compatibility, only with Google's artificial restrictions. Not that it matters, as you'll find little worth-while that isn't also available through other channels, like Amazon's App Store.

As for support, it looks really good to me. My wife is the big app user, and she has yet to find an Android app that didn't run, or even one that ran poorly compared to the same app on her Kindle Fire. (She's found that they often run better.)

Stop struggling and just let your ridiculous beliefs go. Embrace reality. It's okay that a company you don't like for irrational reasons makes a product that works well. Rest assured, no harm will come to you.

Re:Blackberry not compatible with anything

[KGIII]

Everyone who does not agree is a paid shill. It is what we do here. You are obviously a BB shill - a paid one at that. I am retired but I'd take money to shill for a product. Hell, I do not even have to like the product. I do not see any job postings for this job, though.

Re:Blackberry not compatible with anything

[Pubstar]

I worked as an intern at a moderately sized company. Once I figured out how to sync a BB phone with the Exchange server (which only had a 50% chance of working, 10 minutes between each try), the guy responsible for the BES said "Great, you know how to do this now. I get 4 months of not dealing with this anymore!". The BES is a total fucking nightmare to work with, and I was only doing very basic things with it. I feel sorry for the poor bastard that had to set up the BES and do the higher level admin work on it. The web interface you use gives almost no feedback as to if something you did took or didn't take. There is no screen that shows you what processes are running. Resending the same process would cause the BES to freak out, so you basically had to figure out about how long each process would take, and time it from there.

Of course, I only was working at a very basic level with it, so there could have been stuff I didn't know about to make my job easier.

Re:Blackberry not compatible with anything

[edtice1559]

The funny thing is that many companies running BES don't even need it. Pretty much any device out there (Blackberry, Android, iOS) will synchronize via ActiveSync without the need for any mobile device management software. Exchange servers supporting ActiveSync are available on the public internet and all you have to do is to point your device at it. In this scenario, I don't even see the expensive MDM products adding any value. There are *some* places where you can't get to ActiveSync over the internet due to firewall, you need to proxy it via something like BES or MobileIron. I'm not convinced that either of these solutions really add much value at all in most environments. But BES and Blackberry devices should not be confused. For most mail and calendaring setups, the devices (handsets) setup and configure exactly the same was an Android or iOS device would.

Re:Blackberry not compatible with anything

[Pubstar]

The thing is that if you want full control over the device (such as remote wipe), you need the BES to manage that part of the system. So yes, while you are able to sync the device with ActiveSync without a BES, you lose all management that the BES provides for BB phones.

With the android phone I had hooked up with ActiveSync, the permissions to remote wipe my phone were assigned when I had it sync with our Exchange server. AFAIK, those options are not assigned when working with BB phones over ActiveSync the way they are with Android and iOS.

Re:Blackberry not compatible with anything

[davester666]

QNX can't run shit. It's the underlying OS, basically a standalone embedded OS. It needs a completely separate layer above the OS to actually present a UI.

Re:Blackberry not compatible with anything

[edtice1559]

This works the same in Blackberry 10 the same as Android, iOS, and Windows Phone. The older (pre-QNX) Blackberries screen-scraped Outlook Web Access to get their mail if you didn't have BES. ActiveSync is probably good enough for 90% of organizations out there without any additional MDM software.

Re: Blackberry not compatible with anything

[OdinOdin_]

That is because they didn't bake security into the windows platform from the start. Security is a process not a piece of software.

Re:Blackberry not compatible with anything

[Pubstar]

Yeah, but the place I was working at regularly handled information and data that fell under International Traffic in Arms Regulations (ITAR) regulations. We had people helping us doing some migrations off of Lotus Notes in India, but if a person was flagged as handling ITAR information, everything had to be handled in house.

That is also why they were very anal about everyone's device having the ability to be remote wiped should it be lost or stolen.

Re:Blackberry not compatible with anything

[edtice1559]

If you are handling ITAR materials, you need to worry about more than just remote wipe. You're going to need a device that's "not compatible with anything." Doesn't matter if I can remote wipe the stolen device if all of the data has already leaked. This is where tools like MobileIron and BES come in. These solutions have both a server and a device component. (You don't notice the client portions on a BB10 since they are built in). They client apps attempt to keep the sensitive data isolated from other apps on the system in "virtual containers" (to use MobileIron's term). They also monitor devices for compliance with security policies. (Jailbreak your phone, no email for you). For some environments you can't just rely on remote wipe. You have to issue "locked down" hardware. Again we've digressed far from the initial discussion of whether Blackberry devices are compatible with anything to a (perhaps more interesting) one about MDM software. In the end, third-party MDM software really isn't a good architectural model. The client software should be provided by the device manufacturers and made secure. BB10 OS, Android, and iOS all have to potential to provide what's needed here. Then you need to enforce the use of OEM firmware (which /.ers surely hate) and an entire trust chain. The equivalent of TPM for mobile devices. Security without it is almost impossible.

What's the story? We already know it's not the OS.

[xxxJonBoyxxx]

It's pretty clear that Blackberry's right about the OS here. From TFA:

"The researchers themselves did not target QNX specifically, but rather the connectivity software that runs on top of QNX, called uConnect which, using cellular connections, offers Internet access, navigation, voice command capabilities and other features to drivers."

Circumnavigate?

[JustAnotherOldGuy]

Circumnavigate?

Umm, no. That is not how that word is used. I think they meant "circumvent".

Re:Circumnavigate?

[Trevelyan]

We need a catchy media name for this spate of car hacks that have inundated us this last week or so.

Of all the XYZ-gate names contrived for controversies since watergate, "Circumnavigate" is the first one I actually like.

The Circumnavigate Controversy of 2015, costing Chrysler Millions of USD and Tesla Thousands (in bug bounties)!!

The blame fall squarely on Jeep

If you want to automate your car to the point where the driver cannot control the vehicle under the worst of circumstances, then you've made a choice that uConnect, QNX, or anyone else is to blame. If you're going to automate vehicles, then you're going to pay the process when it fails.

Re:Circumnavigate?

[gstoddart]

But surely nobody expects the editors to do any, you know, editing.

That would be preposterous.

Old guy story

[H0p313ss]

Amusingly, in while taking first year university courses in 1993, I placed second in a programming competition that was sponsored by OTI (now IBM) and QNX (now Blackberry).

First prize was a licensed copy of QNX, second prize was a 2400 baud modem. I think I got a better deal with the modem.

Re:Old guy story

[Xiaran]

I was a QNX2/4 programmer around that time in Australia. A fully licensed QNX OS was AUD1000 at that time. QNX was and still is the best operating system I have ever had the pelasure to write software and device drivers for.

Re:Old guy story

[Grishnakh]

Hopefully when Blackberry goes out of business, they'll open-source QNX.

Re:Old guy story

[Xiaran]

Photon was indeed the GUI that shipped with QNX6/Neutrino. The pricing back then(and probably now) could be a little weird and confusing. A full OS(usually for development) could be really pricey. But the OS was extremely modular because it was embeddable in small control devices without user IO or even any kind of comms all the way up to server type things. So it was easy to jigsaw together a system that could remove unwanted components like the GUI, the TCP/IP stack and even the file system.

Re:Old guy story

[H0p313ss]

Being their only quality product, it will likely remain profitable and be spun off and continued as proprietary.

Bingo

Re:Old guy story

[H0p313ss]

A 2400 in 1993 is a pretty lousy prize.

Wave from OTI!

True. But infinitely better than no modem at all, which is where I was as a broke student. I begged & borrowed hardware all through my schooling. My desktop in 1993 was a 286 with a monochrome screen and no hard drive.

And QNX? A quality product, but what's a student with a 286 going to do with that?

Re:Old guy story

[mevets]

1993 qnx ran fine on a 286. The 32bit version was still a few years away at that point. 286 + 2M ram made for a decent development machine.

Re:Old guy story

[KGIII]

Wait, what? They are running QNX on airplanes? I realize an OS is just what is underneath it but, well, every time I think of QNX I think of nothing but cell phones. Is it really that stable?

Re:Old guy story

[KGIII]

It looks like some of that stuff is still free. After reading some of the thread I decided to investigate and I came up with this:
http://www.qnx.com/download/

I have nothing better, or more productive, to do in my spare time so I may poke at it and see where I can go. I wonder if I can get it on a Pi? I have a Pi and can just use that if it works. I have, of course, no reason to have a Pi other than it looked like fun at the time. I have unboxed it once. I can not think of anything to do with it. Maybe I should get a Pi2 which, it seems, can actually take SoaC and poke at that. Then again, I can probably search and find something fun to do with a Pi but I can not think of anything that I actually would benefit from with it.

Re:Old guy story

[H0p313ss]

Old guy? Are you really that big of a fucking idiot?

Well one of us is.

Re:Old guy story

[KGIII]

I looked into it and they are much older than I thought they were. Strange... I never even heard about them until the phones. It is interesting that they are a RTOS as well.

Re:Old guy story

[Grishnakh]

RTOSes don't all compete with each other. QNX, for instance, has preemptive multitasking, which is something you would not ever use in many "CAN'T FAIL" use cases such as avionics. For those, you usually use a very small, simple RTOS with cooperative multitasking and predefined time-slices for each task. Something with preemptive multitasking is not deterministic, so it's not allowed.

Re:Old guy story

[Xiaran]

QNX is a true microkernel. Device drivers crashing will not bugger the kernel because they do not run at ring 0. It does this via an extremely fast and deterministic message passing system. Writing a device driver in QNX is like writing a normal app... you can fire it up in a debugger without anythign like SoftICE and run it... if it crashes you just restart it.

Back in the day the QNX people used to have a joke about them selling more licenses than MS every year. Which they did. QNX was in all sorts of SCADA systems from DuPont(one of their major clients) oil pumps for Shell.

Re:Old guy story

[Xiaran]

QNX may or may not be used in avionics but QNX has a strict priority-preemptive scheduler that fully supports hard real time applications.

Re:Old guy story

[drkstr1]

Think "embedded systems" rather than "phones." It's not really intended as a smart phone OS, although you could easily build one using QNX as the base system.

Re:Old guy story

[KGIII]

Yeah, I went on and did some searching shortly after posting. I learned that it is actually a mature UNIX OS and a RTOS. I was kind of shocked and a bit curious as to why I had not guessed it was UNIX based on the name - hindsight and all that, I suppose. I'd never heard of it until BB and never looked into it. So, to my mind, it was similar to saying airplanes were being run on Android or iOS.

Re:What's the story? We already know it's not the

[TemporalBeing]

It's pretty clear that Blackberry's right about the OS here. From TFA:

"The researchers themselves did not target QNX specifically, but rather the connectivity software that runs on top of QNX, called uConnect which, using cellular connections, offers Internet access, navigation, voice command capabilities and other features to drivers."

Exactly. It's no help that everyone is connected on the CAN-bus with little in way of security there...

Re:Eh?

[Runaway1956]

Maybe - maybe not. When the "engineers" set this thing up, they probably established permissions. I'm not all that familiar with QNX, but I believe it actually has a security model. If the rules were written to permit this peripheral to do that, and another peripheral to do thus, then the OS can't be blamed for the results of those permissives rules.

Kinda like Android. Linux is a pretty robust, reliable, and secure operating system. So, the "engineers" put Linux on a phone, then wrote a bunch of silly-assed rules, and granted permissions to apps to do whatever they want. Security sucks - but it's not Linux' fault that it sucks.

Re:What's the story? We already know it's not the

[Carewolf]

Trolling. Somebody is pushing the story as either clickbait or fud.

Re:Eh?

[MightyYar]

QNX, at least when I used it 10 years ago, is a real-time unix-like OS. It runs basically no services by default... it is as bare-bones as it gets. We used it to control a vision system. You CAN load it up with as much extra gunk as you like - even X11. It is possible that the flaw was in a Blackberry-supplied component - but the OS itself is whatever you want to make it.

circumnavigate

[neo-mkrey]

I don't think that word means what you think it means.

Re:Eh?

[MountainLogic]

Please, this is an embedded OS, not computer (or pocket computer masquerading as a phone). There should not "apps" in an embedded OS. The entertainment system must be architected as a whole and the car must be architected as a whole. Given this is a life/safety critical device there must be a hard separation between the nice to have things like the radio and critical systems like the brakes. Especially if you have a system that has open ports, OTA upgrades or even are connected. The executives, engineers and marketers need to face significant criminal liability for such breaches of trust when offering a life/safety device to the public. Even though I am not a PE this type of situation does argue for licensing.

Makes sense to me

An operating system could be the most secure OS in the world but it won't matter for anything if a buggy insecure application is running on top of it.

Re:Makes sense to me

[KGIII]

A very valid point. We are very guilty of that sort of thinking here. Whenever there is a bug or exploit on a common Linux distro then it is, "Linux is the kernel!" Yet if there is an exploit in IE then it is, "Windows has shitty security!" The actual Windows kernel is pretty damned secure and seldom has any security issues - when was the last time you heard of a bug or exploit that directly impacted explorer.exe?

An OS is only as secure as the person in front of it and the software that is installed on top of it. I often say that, "Security is a process and not an application." It is important that we keep that in mind AND that we separate the idea of OS security vs application security. There is lots of concentration on the former but not so much on the latter. As applications run with high level privileges we really need to be aware of this and secure them as well.

I found one application, I was being nice and beta testing it, that I could take another computer on the same network and fill it's log so full that it would crash the PC that was running the firewall. I never checked to see if I could use that to write something to memory or anything. It took the vendor many, many years to fix that bug and I had told them exactly how to do it and exactly how I was able to crash it and the PC(s) that I tested. All they had to do was automatically trim the log files - that was it. Otherwise it was possible to hammer them with so many attempts that it would crash it as it filled up the logs and the buffer.

That is just one of many such experiences and I mention it because it is a "security" application which should be concentrating on the whole security thing.

Anyhow, the first paragraph is why I tend to difference myself by clarifying that I am not a FOSS advocate. I am a FOSS supporter and user. We, and I have been a part of this group, tend to really bury our heads in the sand on such matters. "It is not Linux, it is not the kernel." That is well, and true, but does not really matter when push comes to shove. We will happily decry any other software security issues as being the fault of the OS - so long as it is not our OS. What the OS can do about this is beyond me... I can think of a couple of potential solutions but they would not work so well for end users. Then again, I am not sure that it matters.

Architectural Problem

Disclaimer: I work in electrical architecture in the automotive industry, and I have started focusing on security.

Perhaps I am biased by my profession, but the issue here is not that the U-Connect system had malware. The issue is that the U-Connect system could cause the vital control systems in the vehicle to do nasty things. That is an architectural problem of the first order.

Bugs will always exist, and some are bound to be security vulnerabilities. This high-order bit is not that the system had bugs. The high-order bit is that a single vulnerability in an infotainment subsystem allowed for remote actuation of the vehicle's vital control systems. That is terrible!

Re:Architectural Problem

[Pubstar]

Yeah, I'm kinda wondering why the entertainment system is hooked up to the car's vital systems. It makes zero sense to do that. Even if it was to display vehicle information, you could just use the OBD information from the car, as you can set that up for Output Only if you really wanted to.

The issue is not technical

[t0mek]

Engineers who work on steering, brakes, transmission and other core systems in the car are much more experienced than those who code up an entertainment system. The core engineers cost more, use much stricter (therefore longer and more costly) processes and so on. It would be wasteful to throw all that experience, time and money into non-critical system that doesn't need it. Jeep, quite rightfully, did sensible thing there. But running all systems on shared core or bus was asking for trouble. And they got what they asked for.

Maybe next time they should try drive a pacemaker from an Android phone they also use to play games watch kitten videos, you know, to save the cost of the pacemaker's own microcontroller and battery. What can possibly go wrong?

Re:The issue is not technical

[t0mek]

An experienced engineer would give more quality within the same time but at higher budget because it costs more to hire an experienced one :) Either way, from engineering perspective, an in-car audio player of acceptable quality may crash occasionally but obviously it mustn't make the car crash with it. I'm pretty sure that someone in the engineering department pointed that out. But that's not engineers who usually pull the strings and make final decisions...

Re:The issue is not technical

[t0mek]

I meant: *Software* engineers who work on steering...", Sorry for the confusion.

Re:Eh?

[stackOVFL]

This! Although at the time I said, well wasn't that easy, BMW was able to perform a FW download to my car while it was sitting in the parking lot at work. I didn't even know it was happening until I saw a news article on it. I'm sure BMW and the other car makers are trying to be careful (I hope that's true) and this all sounds neat until something like this comes along and them you go "what if...". Yes it scares the crap out of me too.

Re:What's the story? We already know it's not the

Yeah, I was at the Defcon talk on Saturday, or was it Friday, it all blends together. It was because the designers ran everything as root and used D-Bus on port 6667 with no authentication and was accessible via the internet. Also, none of the software was signed in any way, allowing them to replace the firmware as they pleased.

Re:Circumnavigate?

[glenebob]

They clearly meant "circumcise".

Re:What's the story? We already know it's not the

[LWATCDR]

Yep it is right up with Clinton Denies killing babies.

So, What system are they actually blaming?

[Mr.+Droopy+Drawers]

I've been following this -- I thought -- pretty closely. There's a smoking gun. To answer the recall, they've got to actually do something. What's the "fix"? Yank out the radio? Does that fix it?

Seems to me that a lot of this stuff is going to get worse before it gets better due to "smart" features such as collision avoidance, remote start, an the like. There will likely be a management device with privileged access to the CAN bus. What measures are being put into to place to protect that trust?

Re:What's the story? We already know it's not the

[Mr.+Droopy+Drawers]

OK, sounds like uConnect is a trusted application? Who wrote uConnect? Seems like they're the ones' with some 'splainin' to do'...

Re:What's the story? We already know it's not the

OK, sounds like uConnect is a trusted application?

Not really. uConnect listened to a port on the built-in wifi hotspot and on the cellular internet connection, AND uConnect had no encryption, AND uConnect required NO authentication.

It's like running Tomcat as your webserver on linux, but leaving the Tomcat admin interface wide open to the public with no authentication.

It's certainly a big problem, but it has nothing to do with the underlying OS.

Who wrote uConnect?

Chrysler and/or Harmon Kardon.

Take a look

[stackOVFL]

A interesting (and terrifying) article on this subject: http://money.cnn.com/2014/06/0... It points out that in the 90's when the system was designed it wasn't a issue as it was a closed system. The CAN based system was never intended to be connected to anything. The ramifications of a wireless connected car with zero security should make everyone very concerned. It's just a matter of time before someone locks up your right front brake when you're doing 80 MPH. That the government is mandating this (RTA) is even worse.

Re:Take a look

[Pubstar]

The government mandate on that is a load of bullshit. It means that everyone is going to have to buy new cars or do expensive retro-fits with the new gear. I prefer to be in control of my car. I've gotten out of some nasty situations by having good reaction times.

One thing that I have to wonder is if there is a sudden stop, do the systems take into account quality of the braking systems (new vs. old fluid, quality of master cylinder, brake pad/rotor wear) and suspension systems (blown shocks, aftermarket shocks with different dampening profiles, etc.)? There are so many variables that this program could never work.

Re:Eh?

[Rufty]

But it will get blamed for it. The Windows NT kernel has a very sophisticated security model, and look how well the rest of Windows builds on that.

Re:Circumnavigate?

[GrumpySteen]

Congratulations on your mastery the dictionary. Perhaps you could put those skills to work teaching the submitter how to use the word properly.

The hackers didn't go around or bypass or circumnavigate the entertainment system. They hacked the entertainment system and used it to bypass other security measures. If they had not gone through the entertainment system, they would not have been able to compromise the vehicle's communication network.

Re:What's the story? We already know it's not the

[Mr.+Droopy+Drawers]

thanks for the tip. Didn't think of Harmon Kardon as being the vendor for this, uh, app. NTSA seems to call them out explicitly in their complaint.

Security system of the Jeep Cherokee ..

[nickweller]

Did no one at QNX, BlackBerry or FCA ask the frickin question as to whether the Jeep was immune to wireless hacking.

Re:Security system of the Jeep Cherokee ..

[mevets]

QNX is a component; they donâ(TM)t make jeeps. The system most likely runs on an Ti/ARM; did anybody at Ti or ARM ask if the Jeep was immune to hacking?

The customer is the right person to ask.
Cust: Is this car immune to hacking?
Sales: yes.
Cust: Where, in the warrantee does it say that?
Sales: uhm...

Re:Circumnavigate?

[KGIII]

That would help the three people that read the summary and maybe stop the one person from clicking through to the article. It's not a bug - it's a feature.

Re:Eh?

[KGIII]

BMW is excellent at this - so far. I can not fault them - yet. I will be displeased when they screw up. I am nearly certain that they will BUT it is BMW so I expect it to be repaired quickly and professionally when they do make an error. I am, obviously, a fan of BMW. In fact, my new (and first "bespoke") BMW is due in on Thursday. I ordered a very nice custom 640Li. I drove the test model at the dealer and nearly just bought that so that I could take it home and molest it in private. The dealer was not impressed when I tried to get into the trunk naked and smeared in chocolate sauce.