
BlackBerry in Motion: Firm Aims to Secure Cars From Hackers

With Jarvis, BlackBerry Targets Connected - and Driverless - Vehicle Security
BlackBerry CEO John Chen announces Jarvis on Jan. 15 at the North American International Automotive Show. (Photo: NAIAS)

BlackBerry mobile devices are a rare sight. But you may still be using the company's technology - in your car. In a pivot from its declining mobile phone business, Waterloo, Ontario-based BlackBerry is aspiring to secure autonomous vehicles from hackers.


In a keynote address at the North American International Automotive Show on Monday, BlackBerry CEO John Chen launched Jarvis, a cloud-based static binary code-scanning tool. It is designed to let automobile manufacturers scan the compiled binaries of the software components that go into a car - code that can originate from thousands of different suppliers - and flag software defects before the components are integrated.

BlackBerry now envisions its future as a major player in the automotive and internet of things industries, leveraging its legacy in security.

The shift from left-behind smartphone pioneer to car security vendor is not as surprising as it may sound. BlackBerry, formerly known as Research In Motion, was arguably the first mobile device company to market security as a feature, with its encrypted email and messaging systems used by the likes of President Barack Obama.

The company has continued to maintain a robust focus on security in areas such as device-to-device communication and authorization, which will be crucial for connected vehicles.

QNX, A Microkernel

Perhaps presciently, BlackBerry in 2010 acquired real-time embedded operating system developer QNX, whose systems are now in more than 60 million vehicles built by companies including Audi, GM and Mercedes.

"QNX is at the core of a lot of the automotive operating systems," says Steve Wilson, vice president and principal analyst at Constellation Research in Sydney.

QNX's Neutrino microkernel - the core and most sensitive part of an operating system, from a security standpoint - comprises just 150,000 lines of code, Wilson says. BlackBerry has a handful of people who know the code well, he says.

QNX's operating system runs automotive entertainment and information systems and handles connectivity. But BlackBerry also sees QNX as a future platform for driverless cars, coordinating the relay and processing of the sensor data needed to prevent accidents.

Just two months before it opened an autonomous driving research center in Ottawa in December 2016, BlackBerry successfully tested a driverless Ford Lincoln running QNX, CBC Radio-Canada reported.

Securing Connected Cars

Most software is a patchwork of code, mixing custom-written code with code borrowed from open-source projects. Both carry security risk, because developers can lose track of where a given piece of code came from or what it is meant to do, and those accumulated unknowns add up to security vulnerabilities.

The automobile industry is particularly at risk. One often-repeated estimate is that modern cars run on 100 million lines of code. And vehicle manufacturers are integrators at scale, assembling cars that run on parts and code sourced from thousands of different suppliers.

"The connected car is like the pinnacle of IoT," Wilson says. "It's the grandest expression of IoT."

Of course, as IoT device-infecting malware such as Mirai has demonstrated, IoT devices often lack strong controls, making many of them an easily exploitable security nightmare.

And that's where BlackBerry sees a connected car business opportunity via Jarvis. Vehicle manufacturers can use its pay-as-you-go cloud service to scan for issues and spot vulnerabilities before code hits the highway.


Static Code-Scanning Play

Static binary code scanning tools are good at finding obvious vulnerabilities in code, says Damon McCoy, an assistant professor in the computer science and engineering department at New York University.

McCoy, who has not analyzed Jarvis, says BlackBerry may have a bit of an edge given its experience with embedded systems. But it's also possible that BlackBerry might lag competitors' sophistication when it comes to the algorithms they use to find potential vulnerabilities.

Some competitors have been in the static code scanning space much longer. That includes IBM, as well as Veracode, which was acquired by CA last year, and Coverity, which was acquired by Synopsys in 2014.

"It's unclear how much better [BlackBerry] will do in the embedded market compared to these other companies," says McCoy, who is also part of the Center for Automotive Embedded Systems Security. "That's definitely going to be a challenge for them in this particular space."

While static code scanning is a good first step toward reducing issues, it has limits, McCoy says. It won't catch logic flaws, which aren't software vulnerabilities in the conventional sense but rather an ability to do something that was unintended and "potentially dangerous," he says.

"If the logic isn't quite right, it could lead to pressing problems," McCoy adds.
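To make McCoy's distinction concrete, here is a constructed C example, added to this article and not code from BlackBerry, Jarvis or any of the people quoted: a toy CAN-frame handler containing a classic unchecked-length copy, the kind of memory-safety defect a static binary scanner is built to flag, beside a memory-safe "diagnostic session" function whose only defect is that it breaks an unstated rule (no diagnostics while the vehicle is moving). The frame layout, vehicle state fields and the rule itself are assumptions for illustration.

```c
/* Constructed example (added to this article; not from BlackBerry, Jarvis or
 * the experts quoted). Frame layout, vehicle state and the "no diagnostics
 * while moving" rule are assumptions for illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAX 8   /* classic CAN frames carry at most 8 data bytes */

typedef struct { uint8_t data[FRAME_MAX]; } frame_t;
typedef struct { bool moving; bool diag_session; } vehicle_state_t;

/* Bug class 1: memory safety. Copying a supplier-controlled length into a
 * fixed buffer is exactly the pattern a static scanner (source or binary)
 * is built to flag. Kept as the "before" form; deliberately never called. */
int copy_payload_unchecked(frame_t *out, const uint8_t *in, size_t len) {
    memcpy(out->data, in, len);          /* len unchecked: buffer overflow */
    return 0;
}

/* Hardened form: reject the payload before touching memory. */
int copy_payload_checked(frame_t *out, const uint8_t *in, size_t len) {
    if (in == NULL || len > FRAME_MAX)
        return -1;
    memcpy(out->data, in, len);
    return 0;
}

/* Bug class 2: a logic flaw. Nothing here is memory-unsafe, so a scanner
 * reports nothing, yet it opens a diagnostic session (which on a real ECU
 * would unlock actuator tests) regardless of whether the car is moving.
 * Only a specification of intended behaviour reveals the defect. */
bool enter_diag_session_flawed(vehicle_state_t *v) {
    v->diag_session = true;
    return true;
}

/* Corrected form: enforce the precondition the design requires. */
bool enter_diag_session_fixed(vehicle_state_t *v) {
    if (v->moving)
        return false;
    v->diag_session = true;
    return true;
}

/* Checks on constructed input; each returns 1 on the expected behaviour. */
int checked_copy_rejects_oversize(void) {
    frame_t f = {{0}};
    uint8_t oversized[16] = {0};          /* twice the legal payload */
    return copy_payload_checked(&f, oversized, sizeof oversized) == -1;
}

int checked_copy_accepts_in_bounds(void) {
    frame_t f = {{0}};
    uint8_t ok[FRAME_MAX] = {1, 2, 3, 4, 5, 6, 7, 8};
    return copy_payload_checked(&f, ok, sizeof ok) == 0 && f.data[7] == 8;
}

int flawed_diag_allows_while_moving(void) {
    vehicle_state_t v = { .moving = true, .diag_session = false };
    return enter_diag_session_flawed(&v) && v.diag_session;
}

int fixed_diag_blocks_while_moving(void) {
    vehicle_state_t v = { .moving = true, .diag_session = false };
    return !enter_diag_session_fixed(&v) && !v.diag_session;
}

int main(void) {
    int ok = checked_copy_rejects_oversize() && checked_copy_accepts_in_bounds()
          && flawed_diag_allows_while_moving() && fixed_diag_blocks_while_moving();
    printf("%s\n", ok ? "all checks passed" : "a check failed");
    return ok ? 0 : 1;
}
```

The pairing is the point: a scanner can report the unchecked memcpy from the binary alone, because the defect is visible in the instructions, whereas nothing in the flawed diagnostic function is wrong at the instruction level. Only a review, test or model that knows the rule "no diagnostics while moving" can catch it, which is why static scanning belongs in a layered programme rather than standing alone.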

Wider use of static code scanning is good for the automotive industry, says Craig Smith, research director of transportation security at the security firm Rapid7. Cars now need to be treated like software, with the same care taken as when building a network, he says.

"You won't catch everything, but it's always good to have that defense in depth," says Smith, who published The Car Hacker's Handbook in 2016.

BlackBerry's Attempted Reboot

Jarvis's debut comes in the midst of BlackBerry's years-long transition from smartphone maker into software and service firm.

After being late to the touchscreen smartphone race, BlackBerry saw Apple iOS and Google Android devices eat its lunch, with the company's handset sales even falling behind those of Windows mobile devices.

In a 2015 last-ditch effort, BlackBerry launched the Priv, a smartphone that dropped BlackBerry OS for the open source Android OS, with Chen promising to kill the hardware side of the business if he couldn't bring it back to profitability. That came to pass in 2016, when BlackBerry ceased manufacturing devices itself, although it still has some devices built by other manufacturers.

In the meantime, BlackBerry has doubled down on software and services. In 2015, it acquired mobile device management firm Good Technology (see BlackBerry's MDM Future: Good Move).

And while the company has had a bumpy ride, its software and services play may be paying off. Last December, the publicly traded company announced third-quarter earnings that beat analysts' expectations. Its stock surged after it reported quarterly GAAP revenue of $226 million, of which $190 million came from software and services, a year-on-year increase of 11 percent.

"The growth specifically in enterprise software is good to see," Ali Mogharabi, an analyst at research firm Morningstar, told Reuters.

BlackBerry's stock price has surged in recent months. (Source: MarketWatch)

The company also announced that QNX was being distributed by 10 automotive suppliers, including Bosch, Denso and Magna.

But quarterly revenue from its BlackBerry Technology Solutions group, which includes QNX software, stayed flat from the same period the prior year, at $43 million.

Will BlackBerry's connected car and security push, including Jarvis, help improve those figures?

(Executive Editor Mathew Schwartz also contributed to this story.)


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.