Blackberry QNX: Midwife of the (Secure) Connected Car
Blackberry CEO John Chen got a rude awakening this week when Wikileaks shared internal Central Intelligence Agency meeting notes that mentioned Blackberry's QNX operating system as a "potential mission area" for the organization's Embedded Devices Branch, according to multiple press reports. Suddenly Wikileaks put the CIA in the position of inadvertently impugning the impeccable security credentials of the leading automotive industry supplier of operating system software for automotive telematics and infotainment systems.
The episode reminds me of FBI Director James Comey investigating "newly discovered emails" of presidential candidate and former Secretary of State Hillary Clinton within a week of the 2016 election. And then coming back with a negative determination a day or two before the vote: "Never mind."
What makes the "leak" especially ironic is that Blackberry owns both QNX and Certicom, a one-two security value proposition that is virtually unmatched inside or outside the automotive industry. Blackberry's Certicom has hundreds of patents around its elliptic curve cryptography technology, some of which is licensed by the U.S. National Security Agency.
It is with good reason that Blackberry devices were long coveted by business users for their security - a feature for which they were loathed by privacy-invading governments throughout the world. Blackberry has always been about security, which is a pedigree it shares with its QNX division.
Press reports of the Wikileaks leaks indicated that the meeting notes that mention QNX date to Oct. 23, 2014 and say that the company hadn’t yet been “addressed” by the branch’s work. "The documents don’t say if the CIA ever moved forward with QNX as a hacking target," reported the Globe and Mail.
At a time when particularly vulnerable operating systems such as Linux and Android are seeing wider deployment in automotive infotainment systems - and contemplated for use in safety systems - it is ironic that QNX is the OS supplier that comes under suspicion as a result of being nominated as an attack target. QNX may well be the last best hope for securing cars.
It's not that systems based on QNX software have never been hacked or penetrated. There have been a few low-profile OnStar hacks over the years, but certainly nothing catastrophic - with the possible exception of the "60 Minutes" episode of a couple years ago.
The reality is that QNX has been at the core of connected car implementations encompassing telematics control units, Bluetooth hands-free systems and infotainment systems - areas in connected cars that have been repeatedly and successfully targeted by both ethical and malicious hackers. There are more than 60M cars equipped with QNX technology on the road today and QNX has laid the groundwork for safely connecting cars from the very beginning of OnStar - 20 years ago.
Having just moderated a panel on security at the Future Networked Car event put on each year by the International Telecommunications Union in connection with the Geneva International Motor Show, I can honestly say that the automotive industry does have a cybersecurity problem. In fact, the problem is so pronounced and well known that the CIA may well have determined that it was a waste of time - not enough of a challenge for the crack Embedded Devices squad. (I can see the new FX series coming this fall: "Embedded Vice - Pedal to the Metal.")
But QNX isn't only adept at security and connectivity - the company is also a leader in software update technology. Any car maker seeking to keep vehicle systems secure will need over-the-air updates to deliver patches, particularly in emergency circumstances as reflected in 2015's now-famous Chrysler hack.
Lacking over-the-air software updating capability, Chrysler was forced to mail thumb drives to 1.4M Jeep owners - a fix that cost the company hundreds of millions of dollars. At the ITU panel discussion, executives from Argus Cyber Security, ATS, TÜV, and Symantec agreed that there will be no quick fix for the cybersecurity holes facing the automotive industry.
Over the next two years, the best the industry can hope for is to detect intrusions. The jury is still out as to what to do after the intrusion is detected.
It's likely that cars will never be truly secure. The best consumers and the industry can hope for is to mitigate the threats. They will never be eliminated. But the company with the best track record along with the greatest exposure - Blackberry - ought not to be considered a suspect. Blackberry's QNX is part of the solution and has been for 20 years.
Roger C. Lanctot is Associate Director in the Global Automotive Practice at Strategy Analytics. More details about Strategy Analytics can be found here: https://www.strategyanalytics.com/access-services/automotive#.VuGdXfkrKUk
QA
8 years ago: Well said. QNX is the Gold Standard. Period.
VP Operations - CYE || Entrepreneur & Founder | Cybersecurity | Automotive | Globes 40 under 40
8 years ago: What should trouble the industry is not if some resourceful government agencies can hack cars, but the fact that with where the industry is now, some people can do it in their free time with barely any resources.
Senior Technical Scrum Master at Independent Consultant
8 years ago: Always happy and excited to hear news of the continued and well-deserved success of my friends at QNX!