Jeep Cherokee hack is not a vulnerability of QNX technology

When the folks at WIRED brought to light the news of hackers being able to remotely kill a Jeep Cherokee while it was driving down the road, it was some pretty scary information. Imagine driving down the road and losing all access to dashboard functions, steering, transmission, and brakes. Once the news was out, understandably, there was plenty of discussion in the CrackBerry Forums surrounding the hack and how it could possibly be related to QNX, despite there being not even a single mention of QNX in WIRED's original article and most of it relating to Uconnect, the infotainment system in Fiat Chrysler cars, SUVs, and trucks.

Still, that didn't stop many outlets from directly relating QNX to the hack. During the BlackBerry Security Summit in July, BlackBerry offered up comments on the matter to CBCKW891 reporter Andrea Bellemare, which noted 'The system uses QNX Neutrino OS, but there's no evidence to suggest that the exploit described by Charlie Miller and Chris Valasek is based on an OS vulnerability'. Most recently, an article titled "BlackBerry: The Class Action Lawsuit Resulting From The 'Jeep Hack' Could Negatively Impact QNX Sales" appeared on Seeking Alpha and caught the attention of BlackBerry, which has now spoken out against the article through their #BBFactCheck Portal.

Since the exploit came to light, a formal recall has been issued for 1.4 million vehicles that may be affected by the vulnerability, it looks like a class-action lawsuit is on the way, and the National Highway Traffic Safety Administration (NHTSA) is apparently studying the issue, with a report to come.

More recently, however, the website Seeking Alpha has published its own story on the matter, which speculates on BlackBerry's role. While the legal complaint is directed at the vehicle manufacturer and the maker of the infotainment system, the operating system used is the QNX Neutrino OS supplied by QNX Software Systems, a subsidiary of BlackBerry. So, the article asks, is the hack a vulnerability of QNX technology?

We can state unequivocally that it is not.

The QNX Neutrino OS has been deployed in more than 60 million vehicles and field-proven in a host of mission-critical and safety-critical applications. In any computing architecture, the OS can play a key role in enabling reliability and security. An infotainment system such as the one in question has several software components in addition to an OS. The security of such a system is only as strong as the weakest link. In this particular case, the vulnerability came about through certain architecture and software components that are unrelated to the QNX Neutrino OS.

Further, the two security researchers who uncovered the vulnerability have clearly demonstrated that the weakness exploited is not due to the QNX Neutrino OS.

Finally, and perhaps most important, the automaker, the infotainment system supplier and the cellular carrier that connects these vehicles to the Internet have already implemented measures to block unauthorized entry to affected systems.

Connected cars are the future, and BlackBerry is proud to play a leading role in this exciting field through QNX and BlackBerry IoT.

From the jump, it never appeared as though QNX was a part of this vulnerability. As BlackBerry rightly points out, it takes a lot of software components to make up an infotainment system, and if some of those components are not as secure as the others, that creates a weak point in the system.

I'm entirely pleased that BlackBerry put this post out there to defend themselves and clear up the misinformation, as well as offer some expanded comments on it, but I'm a bit disheartened by the fact that I have to even mention it because, again, it never appeared as though QNX was a part of this vulnerability.
