BlackBerry Denies QNX Was To Blame In Jeep Cherokee Hack
itwbennett writes: Last month, security researchers demonstrated how to circumnavigate the in-vehicle entertainment system of the Jeep Cherokee to take over the car itself, including control of the dashboard, steering mechanism, transmission, locks, and brakes. The more than 1.4 million vehicles being recalled all run the QNX Neutrino OS, which was supplied by BlackBerry subsidiary QNX Software Systems. But the flaw being exploited was not within the OS itself, BlackBerry said Monday in its blog.
Having a BlackBerry for work, I would agree with BlackBerry that QNX is not the problem. My BlackBerry is not compatible with anything and doesn't run anything, so I would find it hard to believe that someone could write an exploit and actually get it to run on a BlackBerry OS.
It's pretty clear that BlackBerry's right about the OS here. From TFA:
"The researchers themselves did not target QNX specifically, but rather the connectivity software that runs on top of QNX, called uConnect which, using cellular connections, offers Internet access, navigation, voice command capabilities and other features to drivers."
Circumnavigate?
Umm, no. That is not how that word is used. I think they meant "circumvent".
Just cruising through this digital world at 33 1/3 rpm...
We need a catchy media name for this spate of car hacks that have inundated us this last week or so.
Of all the XYZ-gate names contrived for controversies since watergate, "Circumnavigate" is the first one I actually like.
The Circumnavigate Controversy of 2015, costing Chrysler Millions of USD and Tesla Thousands (in bug bounties)!!
Amusingly, while taking first year university courses in 1993, I placed second in a programming competition that was sponsored by OTI (now IBM) and QNX (now BlackBerry).
First prize was a licensed copy of QNX, second prize was a 2400 baud modem. I think I got a better deal with the modem.
XML is known as a key material required to create SMD: Software of Mass Destruction
It's pretty clear that BlackBerry's right about the OS here. From TFA:
"The researchers themselves did not target QNX specifically, but rather the connectivity software that runs on top of QNX, called uConnect which, using cellular connections, offers Internet access, navigation, voice command capabilities and other features to drivers."
Exactly. It's no help that everyone is connected on the CAN bus with little in the way of security there...
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
I don't think that word means what you think it means.
Please, this is an embedded OS, not a computer (or a pocket computer masquerading as a phone). There should not be "apps" in an embedded OS. The entertainment system must be architected as a whole and the car must be architected as a whole. Given this is a life/safety critical device, there must be a hard separation between the nice-to-have things like the radio and critical systems like the brakes. Especially if you have a system that has open ports, OTA upgrades or is even connected at all. The executives, engineers and marketers need to face significant criminal liability for such breaches of trust when offering a life/safety device to the public. Even though I am not a PE, this type of situation does argue for licensing.
Engineers who work on steering, brakes, transmission and other core systems in the car are much more experienced than those who code up an entertainment system. The core engineers cost more, use much stricter (therefore longer and more costly) processes and so on. It would be wasteful to throw all that experience, time and money into a non-critical system that doesn't need it. Jeep, quite rightfully, did the sensible thing there. But running all systems on a shared core or bus was asking for trouble. And they got what they asked for.
Maybe next time they should try driving a pacemaker from an Android phone they also use to play games and watch kitten videos, you know, to save the cost of the pacemaker's own microcontroller and battery. What can possibly go wrong?
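The hard separation between convenience features and safety-critical functions that the comments above argue for is normally enforced by a gateway ECU that sits between the buses and forwards only a fixed allow-list of message IDs, with everything else dropped by default. The following is an added example written for this thread, not code from BlackBerry, QNX, Chrysler or the researchers; the bus names, arbitration IDs, payload lengths and the meaning of each message are constructed placeholders, and the frames fed through the gateway are constructed sample data.

```python
"""Default-deny CAN gateway between an infotainment bus and a powertrain bus.

Everything here is illustrative: the bus names, the IDs in POLICY and the
sample frames are constructed for this example, not taken from any vehicle.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class CanFrame:
    """A classic CAN frame (11-bit ID, at most 8 data bytes) tagged with the bus it arrived on."""
    source_bus: str
    arbitration_id: int
    data: bytes


@dataclass(frozen=True)
class Rule:
    max_len: int                                        # longest payload this ID may carry
    allowed_first_bytes: FrozenSet[int] = frozenset()   # empty set means any command byte


# Forwarding policy keyed by (source bus, destination bus). Any ID that is not
# listed for a given direction is dropped: the gateway is default-deny. The
# IDs and their described purposes are hypothetical.
POLICY: Dict[Tuple[str, str], Dict[int, Rule]] = {
    ("infotainment", "powertrain"): {
        0x3F0: Rule(max_len=2, allowed_first_bytes=frozenset({0x01, 0x02})),  # cabin climate request
        0x3F1: Rule(max_len=8),                                               # clock / trip display sync
    },
    ("powertrain", "infotainment"): {
        0x1C4: Rule(max_len=2),                                               # vehicle speed for the display
    },
}


def check_frame(frame: CanFrame, dest_bus: str, policy=POLICY) -> Tuple[bool, str]:
    """Return (True, 'ok') if the frame may cross to dest_bus, else (False, reason)."""
    rules = policy.get((frame.source_bus, dest_bus))
    if rules is None:
        return False, f"no forwarding path {frame.source_bus}->{dest_bus}"
    if len(frame.data) > 8:
        return False, "invalid DLC"  # never valid on classic CAN, regardless of policy
    rule = rules.get(frame.arbitration_id)
    if rule is None:
        return False, f"id 0x{frame.arbitration_id:03X} not on allow-list"
    if len(frame.data) > rule.max_len:
        return False, f"payload {len(frame.data)} > max {rule.max_len}"
    if rule.allowed_first_bytes and (
        not frame.data or frame.data[0] not in rule.allowed_first_bytes
    ):
        return False, "command byte not permitted"
    return True, "ok"


def gateway(frames: List[CanFrame], dest_bus: str, policy=POLICY):
    """Split frames into those forwarded to dest_bus and those dropped (with the reason)."""
    forwarded: List[CanFrame] = []
    dropped: List[Tuple[CanFrame, str]] = []
    for frame in frames:
        ok, reason = check_frame(frame, dest_bus, policy)
        if ok:
            forwarded.append(frame)
        else:
            dropped.append((frame, reason))
    return forwarded, dropped


# Constructed traffic arriving from the infotainment side, bound for the powertrain bus.
SAMPLE_FRAMES = [
    CanFrame("infotainment", 0x3F0, b"\x01\x14"),         # permitted climate request
    CanFrame("infotainment", 0x3F1, bytes(8)),            # permitted display sync, full length
    CanFrame("infotainment", 0x3F0, b"\x05\x00"),         # command byte outside the allow-list
    CanFrame("infotainment", 0x3F1, bytes(9)),            # impossible DLC for classic CAN
    CanFrame("infotainment", 0x2A0, b"\x00\x00"),         # ID that should never originate here
    CanFrame("infotainment", 0x3F0, b"\x01\x02\x03"),     # permitted ID but oversized payload
]

if __name__ == "__main__":
    fwd, drp = gateway(SAMPLE_FRAMES, "powertrain")
    for f in fwd:
        print(f"FORWARD 0x{f.arbitration_id:03X} {f.data.hex()}")
    for f, why in drp:
        print(f"DROP    0x{f.arbitration_id:03X} {f.data.hex()}: {why}")
```

The dropped list is what a defender would feed into logging or an intrusion-detection counter: on a correctly segmented vehicle, traffic from the infotainment domain that fails the allow-list should be rare, so any volume of it is itself a signal worth alerting on.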