BlackBerry Denies QNX Was To Blame In Jeep Cherokee Hack

itwbennett writes: Last month, security researchers demonstrated how to circumnavigate the in-vehicle entertainment system of the Jeep Cherokee to take over the car itself, including control of the dashboard, steering mechanism, transmission, locks, and brakes. The more than 1.4 million vehicles being recalled all run the QNX Neutrino OS, which was supplied by BlackBerry subsidiary QNX Software Systems. But the flaw being exploited was not within the OS itself, BlackBerry said Monday in its blog.
  • by cgfsd ( 1238866 ) on Tuesday August 11, 2015 @10:26AM (#50293145)
    Having a Blackberry for work, I would agree with Blackberry as QNX not being the problem. My Blackberry is not compatible with anything and doesn't run anything, so I would find it hard that someone could write an exploit and actually get it to run on a Blackberry OS.
    • someone could write an exploit and actually get it to run on a Blackberry OS.

      As a fellow ex-Blackberry owner, I agree- that was where the story became difficult to believe.

    • This is funny. But it is also, unfortunately, -1 WRONG. QNX can run all Android applications and has for quite some time now. They aren't as nice as native apps, but they all run.
      • QNX can run all Android applications and has for quite some time now.

        No, it can't run all Android applications and even BlackBerry doesn't claim that.

        • Neither can Android run *all* Android applications! Go to the Play store some day and it will show you which of your devices are compatible with the app. Sometimes none of your devices are compatible. Maybe a particular Blackberry device doesn't run as many Android apps as an Android device but it runs a lot of them. And Android devices don't run QNX apps. I would always dislike it when there wasn't a native Blackberry version of an application and I had to use the Android version. But even your rejoinde
      • And you don't even need to believe me. Scroll to the bottom of this page [blackberry.com] and read this disclaimer that exists on all BB 10 pages about Android apps:

        Android app support and compatibility will vary by smartphone and/or software version.

        And also notice how they only mention being able to install apps from Amazon's App Store not Google Play.

        • Of course there is a disclaimer for things they don't control. But the fact is that Android apps run quite well. You can install the Amazon store using Blackberry World. You can side-load any Android apps that you want. There is also another disclaimer that comes up whenever you run an Android app with a reminder that they have an inferior security model. Don't take my word for it, go Google the disclaimer. I had a Z10 for years and ran any Android app that I wanted. They were a bit slow. But otherw
        • by narcc ( 412956 )

          Google Play is a different issue entirely. You'll find countless Android devices that don't have access to Google Play either. It has nothing to do with compatibility, only with Google's artificial restrictions. Not that it matters, as you'll find little worthwhile that isn't also available through other channels, like Amazon's App Store.

          As for support, it looks really good to me. My wife is the big app user, and she has yet to find an Android app that didn't run, or even one that ran poorly compared t

      • QNX can't run shit. It's the underlying OS, basically a standalone embedded OS. It needs a completely separate layer above the OS to actually present a UI.

  • by xxxJonBoyxxx ( 565205 ) on Tuesday August 11, 2015 @10:28AM (#50293167)

    It's pretty clear that Blackberry's right about the OS here. From TFA:

    "The researchers themselves did not target QNX specifically, but rather the connectivity software that runs on top of QNX, called uConnect which, using cellular connections, offers Internet access, navigation, voice command capabilities and other features to drivers."

    • It's pretty clear that Blackberry's right about the OS here. From TFA:

      "The researchers themselves did not target QNX specifically, but rather the connectivity software that runs on top of QNX, called uConnect which, using cellular connections, offers Internet access, navigation, voice command capabilities and other features to drivers."

      Exactly. It's no help that everyone is connected on the CAN-bus with little in the way of security there...

    • Trolling. Somebody is pushing the story as either clickbait or fud.

    • by Anonymous Coward

      Yeah, I was at the Defcon talk on Saturday, or was it Friday, it all blends together. It was because the designers ran everything as root and used D-Bus on port 6667 with no authentication and was accessible via the internet. Also, none of the software was signed in any way, allowing them to replace the firmware as they pleased.

    • by LWATCDR ( 28044 )

      Yep it is right up with Clinton Denies killing babies.

    • OK, sounds like uConnect is a trusted application? Who wrote uConnect? Seems like they're the ones' with some 'splainin' to do'...

      • by Anonymous Coward

        OK, sounds like uConnect is a trusted application?

        Not really. uConnect listened to a port on the built-in wifi hotspot and on the cellular internet connection, AND uConnect had no encryption, AND uConnect required NO authentication.

        It's like running Tomcat as your webserver on linux, but leaving the Tomcat admin interface wide open to the public with no authentication.

        It's certainly a big problem, but it has nothing to do with the underlying OS.

        Who wrote uConnect?

        Chrysler and/or Harman Kardon.

  • Circumnavigate? (Score:5, Informative)

    by JustAnotherOldGuy ( 4145623 ) on Tuesday August 11, 2015 @10:30AM (#50293185) Journal

    Circumnavigate?

    Umm, no. That is not how that word is used. I think they meant "circumvent".

    • We need a catchy media name for this spate of car hacks that have inundated us this last week or so.

      Of all the XYZ-gate names contrived for controversies since watergate, "Circumnavigate" is the first one I actually like.

      The Circumnavigate Controversy of 2015, costing Chrysler Millions of USD and Tesla Thousands (in bug bounties)!!
    • But surely nobody expects the editors to do any, you know, editing.

      That would be preposterous.

      • by KGIII ( 973947 )

        That would help the three people that read the summary and maybe stop the one person from clicking through to the article. It's not a bug - it's a feature.

    • They clearly meant "circumcise".

  • by Anonymous Coward

    If you want to automate your car to the point where the driver cannot control the vehicle under the worst of circumstances, then you've made a choice that uConnect, QNX, or anyone else is to blame. If you're going to automate vehicles, then you're going to pay the process when it fails.

  • Old guy story (Score:5, Interesting)

    by H0p313ss ( 811249 ) on Tuesday August 11, 2015 @10:43AM (#50293311)

    Amusingly, while taking first year university courses in 1993, I placed second in a programming competition that was sponsored by OTI (now IBM) and QNX (now Blackberry).

    First prize was a licensed copy of QNX, second prize was a 2400 baud modem. I think I got a better deal with the modem.

    • by Xiaran ( 836924 )
      I was a QNX2/4 programmer around that time in Australia. A fully licensed QNX OS was AUD1000 at that time. QNX was and still is the best operating system I have ever had the pleasure to write software and device drivers for.
      • Hopefully when Blackberry goes out of business, they'll open-source QNX.

  • by neo-mkrey ( 948389 ) on Tuesday August 11, 2015 @11:15AM (#50293577)
    I don't think that word means what you think it means.
  • by Anonymous Coward

    An operating system could be the most secure OS in the world but it won't matter for anything if a buggy insecure application is running on top of it.

    • by KGIII ( 973947 )

      A very valid point. We are very guilty of that sort of thinking here. Whenever there is a bug or exploit on a common Linux distro then it is, "Linux is the kernel!" Yet if there is an exploit in IE then it is, "Windows has shitty security!" The actual Windows kernel is pretty damned secure and seldom has any security issues - when was the last time you heard of a bug or exploit that directly impacted explorer.exe?

      An OS is only as secure as the person in front of it and the software that is installed on top.

  • by Anonymous Coward

    Disclaimer: I work in electrical architecture in the automotive industry, and I have started focusing on security.

    Perhaps I am biased by my profession, but the issue here is not that the U-Connect system had malware. The issue is that the U-Connect system could cause the vital control systems in the vehicle to do nasty things. That is an architectural problem of the first order.

    Bugs will always exist, and some are bound to be security vulnerabilities. This high-order bit is not that the system had bugs.

    • Yeah, I'm kinda wondering why the entertainment system is hooked up to the car's vital systems. It makes zero sense to do that. Even if it was to display vehicle information, you could just use the OBD information from the car, as you can set that up for Output Only if you really wanted to.
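The segmentation the two comments above argue for, written out as an added example (not code from the original thread, from FCA, or from QNX): a gateway policy that forwards only allow-listed status frames from the powertrain bus to the infotainment side, never forwards anything the other way, and counts write attempts from the head unit as a signal for an intrusion monitor. The arbitration IDs and segment names are constructed for the example; real IDs are OEM-specific.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Bus segments on either side of the gateway ECU. */
enum segment { SEG_INFOTAINMENT = 0, SEG_POWERTRAIN = 1 };
enum verdict { GW_DROP = 0, GW_FORWARD = 1 };

/* A classic CAN frame tagged with the segment it arrived on. */
struct gw_frame {
    enum segment src;
    uint32_t id;      /* 11-bit arbitration ID */
    uint8_t dlc;      /* payload length, 0..8 */
    uint8_t data[8];
};

/* Hypothetical status IDs the head unit may read (speed, RPM, fuel).
 * Constructed for this example; real IDs are OEM-specific. */
static const uint32_t readable_ids[] = { 0x1A0, 0x1C4, 0x3D9 };

/* Monitoring counter: a write attempt from the infotainment side is
 * a policy violation that an intrusion monitor should log. */
static unsigned long violations_from_infotainment = 0;

static bool id_is_readable(uint32_t id)
{
    for (size_t i = 0; i < sizeof readable_ids / sizeof readable_ids[0]; i++)
        if (readable_ids[i] == id)
            return true;
    return false;
}

/* Policy: powertrain -> infotainment only for allow-listed status IDs;
 * infotainment -> powertrain never (the "output only" design). */
enum verdict gateway_decide(const struct gw_frame *f)
{
    if (f->dlc > 8)                        /* malformed frame */
        return GW_DROP;
    if (f->src == SEG_POWERTRAIN)
        return id_is_readable(f->id) ? GW_FORWARD : GW_DROP;
    violations_from_infotainment++;        /* src == SEG_INFOTAINMENT */
    return GW_DROP;
}

unsigned long gateway_violation_count(void)
{
    return violations_from_infotainment;
}
```

A real gateway would also rate-limit and timestamp the violation counter so a burst of head-unit writes can be distinguished from a single software fault.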
  • by t0mek ( 2799307 ) on Tuesday August 11, 2015 @11:36AM (#50293757)

    Engineers who work on steering, brakes, transmission and other core systems in the car are much more experienced than those who code up an entertainment system. The core engineers cost more, use much stricter (therefore longer and more costly) processes and so on. It would be wasteful to throw all that experience, time and money into a non-critical system that doesn't need it. Jeep, quite rightfully, did the sensible thing there. But running all systems on a shared core or bus was asking for trouble. And they got what they asked for.

    Maybe next time they should try to drive a pacemaker from an Android phone they also use to play games and watch kitten videos, you know, to save the cost of the pacemaker's own microcontroller and battery. What can possibly go wrong?

  • I've been following this -- I thought -- pretty closely. There's a smoking gun. To answer the recall, they've got to actually do something. What's the "fix"? Yank out the radio? Does that fix it?

    Seems to me that a lot of this stuff is going to get worse before it gets better due to "smart" features such as collision avoidance, remote start, and the like. There will likely be a management device with privileged access to the CAN bus. What measures are being put into place to protect that trust?

  • An interesting (and terrifying) article on this subject: http://money.cnn.com/2014/06/0... [cnn.com] It points out that in the 90's when the system was designed it wasn't an issue as it was a closed system. The CAN based system was never intended to be connected to anything. The ramifications of a wireless connected car with zero security should make everyone very concerned. It's just a matter of time before someone locks up your right front brake when you're doing 80 MPH. That the government is mandating this (RTA)
    • The government mandate on that is a load of bullshit. It means that everyone is going to have to buy new cars or do expensive retro-fits with the new gear. I prefer to be in control of my car. I've gotten out of some nasty situations by having good reaction times.

      One thing that I have to wonder is if there is a sudden stop, do the systems take into account quality of the braking systems (new vs. old fluid, quality of master cylinder, brake pad/rotor wear) and suspension systems (blown shocks, aftermar
  • Did no one at QNX, BlackBerry or FCA ask the frickin question as to whether the Jeep was immune to wireless hacking?
    • by mevets ( 322601 )

      QNX is a component; they don't make jeeps. The system most likely runs on a TI/ARM; did anybody at TI or ARM ask if the Jeep was immune to hacking?

      The customer is the right person to ask.
      Cust: Is this car immune to hacking?
      Sales: yes.
      Cust: Where, in the warranty does it say that?
      Sales: uhm...
