At the CES 2018 BlackBerry booth, BlackBerry Chief Security Officer Alex Manea shared some attack methods he’s seen that might be keeping auto executives gripping their wheels pretty tightly.
“The biggest hacks that I’ve seen are basically proof of concept attacks that really look at how to get access to the vehicle’s safety-critical components remotely,” he says. “It’s one thing to get access to the car’s drivetrain if you have physical access. What really scares me is attacks where somebody can just start scanning IP addresses and find vulnerable cars on the road, attacking lots of different cars on the road without actually being there.”
In an interview at the BlackBerry Ltd. booth at CES 2018, Chief Security Officer Alex Manea is steered away from addressing BlackBerry Jarvis directly by a member of the public affairs team.
It wouldn’t be polite to CEO John Chen, standing just a few feet away, who was anticipating a keynote address at the North American International Auto Show that he delivered on Monday. There, he announced Jarvis, a cloud-based service that promises to automate the scanning of code for security vulnerabilities and compliance issues. What better customer for such a service than the auto industry, which has an incredibly complex supply chain and is seeing technology integrated into multiple components?
So it’s no wonder that the BlackBerry booth is filled with cars – including an Aston Martin DB11. All of them feature the embedded technology of BlackBerry’s QNX division, which it acquired from Harman International in 2010 for $200 million. In 2011 and 2012, BlackBerry would have brought QNX to the CES show floor via its short-lived tablet, the PlayBook, and then its modernized BB10 operating system. We know how that story ended, but this time the software is being shown in the form that it was intended – as an embedded system.
Securing a whole new mobile platform
CES 2018 also served as the stage for BlackBerry to announce the latest in a string of partnerships in automotive software security. Nvidia, known for its line of high-performance GPUs, announced that it’s working on a self-driving development platform that will be powered by QNX. As Manea sees it, BlackBerry is bringing together its long history of software security expertise with QNX’s automotive safety knowledge and unifying it into a single solution.
“QNX is one of the most secure embedded operating systems out there. It runs on cars, it runs in nuclear power plants, it runs on the International Space Station,” he says. “If you think about BlackBerry’s heritage, it’s always been focused on security, and same with QNX.”
In its keynote introducing the Nvidia Drive platform at CES, the GPU maker focused on safety and security. It promises that its platform provides developers a way to build self-driving systems that will be able to operate safely with several onboard failsafe systems. Nvidia is providing deep learning algorithms and the necessary hardware to automakers looking to build autonomous capabilities, and it’s bundled QNX to deliver the embedded onboard systems to round out the platform’s capabilities.
“They’re building this platform that others can build on top of to develop autonomous vehicles and we’re helping them with the core platform side of the security,” Manea says. “If you want to be successful in this market you have to partner with the top industry players. We look at ourselves as platform agnostic, right? We’re happy to partner with anybody that wants to partner with us if there’s a viable use-case for the consumer or for the enterprise.”
On the same day as the announcement with Nvidia, Chen foreshadowed his keynote in Detroit with a blog post titled The Road Ahead. In it, he declared “we are no longer in turnaround mode,” pointing to double-digit growth in the enterprise cyber security software and services portion of the business. He quickly pivots to QNX, saying the goal is to “serve as the safety-certified foundational operating system for connected and autonomous vehicles.”
Chen goes on to list the array of partnerships BlackBerry has announced in the automotive sector in the last several months, which we’ve covered here on IT World Canada, including partnerships with Denso and Intel to bring an integrated Human Machine Interface platform to market, and with Baidu, which will use QNX as the OS powering its open Apollo platform for autonomous cars.
With the Jarvis announcement, BlackBerry was able to point to working directly with a major automaker in Jaguar Land Rover. CEO Ralf Speth went on the record saying Jaguar’s time to assess code was reduced from 30 days to just seven minutes. Manea explains why this metric is so crucial to ensuring security in the auto sector – the attack surface available to hackers is huge.
“A typical luxury car these days can have 100 million lines of code. Even if you have one vulnerability every 10,000 lines of code, that’s a huge number of vulnerabilities,” he says. “There’s also lots of different types of connectivity with cars. You’ve got everything from 4G, Wi-Fi, Bluetooth… so as a hacker if I want to get into a car I have many different potential entry points.”
Manea’s ‘defense in depth’ for cars
Taking us under the hood of the security approach that’s enabled those partnerships, Manea shares his “defense in depth” approach that addresses system security at multiple layers:
- Layer 1 – Engine Control Unit: “The very lowest layer would be the hardware itself, there would be the ECUs [engine control units] and the chips,” he says. “We embed our authentication keys within the ECUs right during the manufacturing process so that then we can authenticate the software on top of that.”
- Layer 2 – QNX Neutrino OS: “It was what’s called a microkernel technology, which basically means that the core operating code is very small, and is very well isolated from the application layer.”
- Layer 3 – Applications: “We as much as possible protect the different apps from one another, and especially protect the basic critical systems of the car, so kind of the driving systems from the non-safety critical systems such as the acoustics.”
- Layer 4 – Patches: “It’s not a matter of if you will be breached, it’s a matter of when you will be breached. We have our own software update service that we provide not only to our car partners, but also to all IoT device manufacturers to really help them push those out securely.”
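As an added illustration of how the four layers above chain together (example code written for this article, not BlackBerry’s or QNX’s own), the Python below models an ECU that holds a key provisioned at manufacturing, accepts only authenticated and non-downgraded OS images, and lets a verified OS delegate the key that checks applications. The image layout and keys are constructed, and HMAC-SHA256 stands in for the asymmetric signature scheme a real ECU would use.

```python
import hashlib
import hmac

# Constructed example: HMAC-SHA256 keeps this runnable offline; a production ECU would
# use an asymmetric signature so that a verifier cannot also forge images.

def make_image(key: bytes, version: int, next_key: bytes, payload: bytes) -> bytes:
    """Constructed layout: 4-byte version | 32-byte key for the next layer | payload | 32-byte tag."""
    body = version.to_bytes(4, "big") + next_key + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_image(key: bytes, image: bytes):
    """Return (version, next_key, payload) when the tag checks out, else None."""
    body, tag = image[:-32], image[-32:]
    if len(body) < 36 or not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return int.from_bytes(body[:4], "big"), body[4:36], body[36:]

class Ecu:
    def __init__(self, root_key: bytes):
        self._root_key = root_key   # layer 1: provisioned at manufacturing, never replaced by an update
        self.os_version = 0         # monotonic counter so a once-patched flaw cannot be re-flashed
        self._app_key = None        # released only after an OS image has been verified

    def install_os(self, image: bytes) -> str:
        """Layers 2 and 4: accept an OS image only if it is correctly tagged and not a downgrade."""
        parsed = verify_image(self._root_key, image)
        if parsed is None:
            return "reject: bad signature"
        version, app_key, _ = parsed
        if version < self.os_version:
            return "reject: rollback"
        self.os_version, self._app_key = version, app_key
        return "ok"

    def load_app(self, image: bytes) -> str:
        """Layer 3: applications are checked with the key the verified OS delegated, not the root key."""
        if self._app_key is None:
            return "reject: no verified OS"
        return "ok" if verify_image(self._app_key, image) else "reject: bad signature"

ROOT_KEY = hashlib.sha256(b"constructed root key").digest()
APP_KEY = hashlib.sha256(b"constructed app key").digest()

def demo() -> list:
    # Walk the chain: app before any OS, forged OS, good OS v1, app, update to v2, rollback to v1
    ecu = Ecu(ROOT_KEY)
    rogue_os = make_image(b"attacker key", 3, APP_KEY, b"tampered kernel")
    os_v1 = make_image(ROOT_KEY, 1, APP_KEY, b"kernel image v1")
    os_v2 = make_image(ROOT_KEY, 2, APP_KEY, b"kernel image v2")
    app = make_image(APP_KEY, 1, bytes(32), b"infotainment app")
    return [ecu.load_app(app), ecu.install_os(rogue_os), ecu.install_os(os_v1),
            ecu.load_app(app), ecu.install_os(os_v2), ecu.install_os(os_v1)]
```

Running `demo()` shows every step being refused until the root key has authenticated an OS image, and the rollback counter refusing the older image even though its tag is valid.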
On the last layer, Manea points to BlackBerry’s ongoing partnership with TCL, the company now manufacturing BlackBerry handsets. It’s learned how to push out Android software updates to all of its devices as quickly as Google makes them available.
So you won’t be seeing any smartphones at the BlackBerry booth at CES 2019 either. But the security lessons learned are still well-seen in the rearview mirror.