BlackBerry can't catch a break: Now it's fending off Jeep hacking claims

BlackBerry has denied rumors that its software might have played a role in the infamous "Jeep hack," saying it's "unequivocally" not true. In July, security researchers revealed that certain cars built by Fiat Chrysler were vulnerable to potentially life-threatening remote attacks, thanks to a flaw in the automaker's uConnect …

  1. cyke1

    "In this particular case, the vulnerability came about through certain architecture and software components that are unrelated to the QNX Neutrino OS."

    If that is the case, it wouldn't be BlackBerry's fault if Fiat added in software/modules that were flawed. It would be like blaming MS for cause adobe flash cause windows to get infected or java. But people will see them guilty by association kinda like where OCZ took a huge hit for a bug in SSD controller firmware they had nothing to do with.

    1. Trevor_Pott Gold badge

      OCZ didn't take a huge hit for selling bad flash. They took a huge hit for denying the issue repeatedly and loudly and treating victims of the flaw like shit. OCZ were (and who knows, maybe still are) run by utter twatdangles and how they handled the whole affair will end up in multiple text books about how not to do things in the modern world. Or any world.

      Ever.

      1. cyke1

        OCZ wasn't the one at fault. Sandforce, the company that made the controller they used, screwed up on the firmware; sadly, since OCZ was the largest SSD maker at the time, they took the most flak.

        1. Trevor_Pott Gold badge

          A) OCZ chose to use Sandforce

          B) OCZ handled the whole event completely fucking atrociously and they deserved to have been run out of business for that. It is a crime against consumers that they were purchased.

          OCZ purchased something from a supplier, put it together and sold it to customers. It was defective. They denied this up and down and then they were awful to customers. Even after it was undeniable, they continued to be terrible. Sorry mate, there is absolutely nothing defensible about OCZ. One of the worst, most awful storage companies in all of tech history, full stop.

    2. Tom 13

      Re: It would be like blaming MS for cause adobe flash

      Um, yes, there is good reason to blame MS for allowing Adobe Flash to infect Windows. The OS ought not do that. If Flash is affected and it crashes Flash, yeah, that's an Adobe-only problem, but if it gets into the OS, that's an MS problem.

      In order for the Blackberry claim to be true (and I hope it is even though I'm doubtful), they'll have to prove that Fiat/Chrysler deliberately disabled security features.

      1. Eddy Ito

        Re: It would be like blaming MS for cause adobe flash

        My guess is that it's a case something along the lines of putting in the hooks for self-driving cars to make life easier for phase 2 of their self-driving cars program and forgetting to nail it shut on the current production software.

  2. m0rt

    something smells bad.

    You know those magazines you see at the checkout of supermarkets with headline titles of 'Woman eats shark raw!' or 'My husband was a mass murderer!'? This must be the financial equivalent.

    I would just assume the 'infotainment' system, apart from being a shite word, was running flash...

    1. Def Silver badge

      Re: something smells bad.

      I'm fairly certain if it were running Flash, it wouldn't be up long enough to be hacked.

  3. DerekCurrie
    Facepalm

    Uconnect Uconnect Uconnect

    Homework Hints:

    http://www.driveuconnect.com

    https://www.driveuconnect.com/software-update/

    http://www.autoblog.com/2015/07/25/how-to-update-secure-vulnerable-chrysler-uconnect-video/

    IOW: Uconnect is specifically what has been implicated in this latest IoT security mess.

  4. Anonymous Coward

    OS responsible for security?

    In comparing QNX with monolithic OS's, it's apparent that Seeking Alpha doesn't know as much about operating systems as it thinks it does.

    QNX is a microkernel based OS, meaning that it really just consists of scheduler, memory management and IPC subsystems; everything else, from filesystems and networking stacks etc, which would normally be part of a monolithic OS, right up to end-user applications, such as uConnect, run as userspace 'servers'.

    Security must be handled by the userspace servers.

  5. Z30

    In this particular case, the vulnerability came about through certain architecture and software components that are unrelated to the QNX Neutrino OS.

    Further, the two security researchers who uncovered the vulnerability have clearly demonstrated that the weakness exploited is not due to the QNX Neutrino OS.

    A REGISTERED BANANA REVIEW

  6. Dan 55 Silver badge

    How could any OS be responsible for security...

    ... if someone was numpty enough to write a server which opens a port, lets people connect without authentication, and acts on commands?

    1. Tom 13

      Re: How could any OS be responsible for security...

      Yep, THAT would definitely count as bypassing security in my previous comment.

  7. Hans 1 Silver badge
    Mushroom

    >How could any OS be responsible for security...

    >... if someone was numpty enough to write a server which opens a port, lets people connect without authentication, and acts on commands?

    And allows the infotainment module to command the car?

    Whoever wrote that piece of sh*t should never be allowed near calculators, let alone computers.

    Infotainment systems must be PHYSICALLY isolated from controls, be it in cars, trains, or planes - not a single cable - I know, Tesla do not get that one either. And software that is able to command a car should not be network aware ... if it needs to be patched, let a certified garage update the firmware, after 3 way authentication. Let it be 100% traceable, as in, you cannot update the firmware for a specific vehicle without the manufacturer getting involved, and the id of garages that updated the firmware must be stored in the car and at the manufacturers - if the firmware was updated by an unqualified person, or the id's stored in the car mismatch with the id's stored at the manufacturers, it should be considered 0wned.

    iiiii will never allow that, though ...
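The traceability check proposed in the comment above (garage ids stored both in the car and at the manufacturer, any mismatch treated as compromise), sketched as an added example that is not code from the article or from any commenter. The record layout, the names `UpdateRecord` and `audit_vehicle`, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UpdateRecord:
    vin: str          # vehicle the firmware was written to
    firmware: str     # firmware version installed
    garage_id: str    # id of the garage that performed the update

def audit_vehicle(vin, car_log, manufacturer_log, certified_garages):
    """Compare the car's own update history with the manufacturer's.

    Returns a list of (position, finding) tuples; an empty list means the
    two histories agree and every update came from a certified garage.
    """
    findings = []
    oem = [r for r in manufacturer_log if r.vin == vin]
    for i, rec in enumerate(car_log):
        if rec.garage_id not in certified_garages:
            findings.append((i, f"garage {rec.garage_id} is not certified"))
        if i >= len(oem):
            findings.append((i, "update unknown to manufacturer"))
        elif rec != oem[i]:
            findings.append((i, "car and manufacturer records differ"))
    if len(oem) > len(car_log):
        # The car is missing an update the manufacturer recorded
        # (log wiped or firmware rolled back).
        findings.append((len(car_log), "manufacturer update missing from car log"))
    return findings

# Constructed sample data (hypothetical VIN, versions and garage ids).
VIN = "TESTVIN0000000001"
CERTIFIED = {"G-100", "G-200"}
OEM_LOG = [
    UpdateRecord(VIN, "1.0", "G-100"),
    UpdateRecord(VIN, "1.1", "G-200"),
    UpdateRecord("TESTVIN0000000002", "1.1", "G-100"),  # another vehicle
]
CAR_OK = [UpdateRecord(VIN, "1.0", "G-100"), UpdateRecord(VIN, "1.1", "G-200")]
CAR_TAMPERED = CAR_OK + [UpdateRecord(VIN, "9.9", "G-666")]
CAR_ALTERED = [UpdateRecord(VIN, "1.0", "G-200"), UpdateRecord(VIN, "1.1", "G-200")]

if __name__ == "__main__":
    for name, log in (("clean", CAR_OK), ("tampered", CAR_TAMPERED)):
        print(name, audit_vehicle(VIN, log, OEM_LOG, CERTIFIED))
```

The comparison is only meaningful if the car-side log is kept somewhere the updatable firmware itself cannot rewrite.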
