Soon after WikiLeaks revealed that the CIA was allegedly exploring hacking into the computer control systems for vehicles including BlackBerry QNX automotive software, BlackBerry has averred that its QNX OS is safe.

In a blog, Marty Beard, the COO of BlackBerry stated that the company is not presently aware of any exploits or attacks against its services or products including QNX. However, he added that the news was frightening, particularly since the world is now moving towards wholly self-driven cars though things are still in the semi-autonomous state.

60 million cars already using BlackBerry QNX automotive software

The blog also claims that more than 60 million cars comprising over 240 car models are using the BlackBerry QNX automotive software and the company is focused on claiming the top slot as providers of end-to-end providers of the software platform for connected cars. Presently the QNX software can be seen in infotainment systems in vehicles, vehicle telematics support, ADAS or advanced driver assistance system and instrument clusters.

Do vulnerabilities exist in BlackBerry QNX automotive software?

Over 8,700 documents were released by WikiLeaks on Wednesday last claiming that they came from the Cyber Intelligence Center of the CIA. Some of these documents pointed to the agency looking at exploiting vulnerabilities in security on smartphones, vehicle computer systems, and smart TVs. The aim was allegedly to activate the cameras and microphones on the devices for the purpose of spying. The WikiLeaks post added further that as at 2014 October, the CIA was also exploring infecting vehicle control systems in modern trucks and cars and that while the purpose of the exercise was unspecified, it would allow the CIA to launch close to undetectable assassinations.

Some threats are real

The chief security officer at BlackBerry, David Kleidemacher also added vehicles constitute a rich target of opportunities for states, nations, and terrorists and that keeps him up during the night. He also opined that terrorists could find hijacking 10 million cars all at once through the common internet connectivity easier, than hijacking a plane and crash it into famous buildings like the Twin Towers. He added that for now, people did not appear to comprehend this is a real threat and that is causing deep disturbance in him.

BlackBerry QNX automotive software – designed without root vulnerabilities

Kleidemacher added that QNX has been developed to be without the underlying vulnerabilities since it is a system that is critical to the safety of the vehicle and therefore free from the vulnerabilities generally found in enterprise-class or consumer OSes. He went on to state that QNX architecture is based on microkernel which compartmentalizes functions like file system, networking stack, memory and software drivers. In standard OS built on monolithic kernel architecture, when attackers gain root access they get a free run of the whole system. This is also one reason why most cyber attacks finally boil down to the OS being fooled to think that it is a root user who is accessing the OS. Further, according to Kleidemacher, QNX is the singular automotive software meeting ISO 26262 which is the highest level of automotive safety possible and there have been no vulnerabilities either with the current or earlier versions of QNX.

BlackBerry QNX automotive software – agency should have revealed the vulnerabilities

Security experts also added that they were not surprised at CIA looking for vulnerabilities, but the agency hoarding the information was a matter of dismay. Agencies are expected to reveal weaknesses so that companies involved can fix them and ensure the safety of Americans. The present event is an instance of a massive organization failing to follow those rules and exposing people to the vulnerabilities so that they can be exploited – says Kit Walsh, who is a staff attorney with the privacy group EFF (Electronic Frontier Foundation)