With Jarvis, BlackBerry Targets Connected – and Driverless – Vehicle Security
BlackBerry mobile devices are a rare sight. But you may still be using the company’s technology – in your car. In a pivot from its declining mobile phone business, Waterloo, Ontario-based BlackBerry is aspiring to secure autonomous vehicles from hackers.
In a keynote address at the North American International Automotive Show on Monday, BlackBerry CEO John Chen launched a cloud-based static code-scanning tool called Jarvis. The tool is designed for automobile manufacturers to scan binary code inside the software components used inside cars – which can originate from thousands of different suppliers – and identify software errors.
Now BlackBerry envisions its future as a major player in the automotive and internet of things industry, leveraging its legacy in security.
The shift from left-behind smartphone pioneer to car security service is not as surprising as it may sound. BlackBerry, formerly known as Research in Motion, was arguably the first mobile device company to market security as a feature, with its encrypted email and messaging systems used by the likes of President Barack Obama.
The company has continued to maintain a robust focus on security in areas such as device-to-device communication and authorization, which will be crucial for connected vehicles.
QNX, A Microkernel
Perhaps presciently, BlackBerry in 2010 acquired real-time embedded operating system developer QNX, whose embedded systems are now in more than 60 million vehicles built by Audi, GM and Mercedes.
“QNX is at the core of a lot of the automotive operating systems,” says Steve Wilson, vice president and principal analyst at Constellation Research in Sydney.
QNX’s Neutrino microkernel – the core and most sensitive part of an operating system, from a security standpoint – comprises just 150,000 lines of code, Wilson says. BlackBerry has a handful of people who intimately know the code, he says.
QNX’s operating system runs automotive entertainment and information systems, as well as handling connectivity. But BlackBerry also sees QNX as a future platform for driverless cars, coordinating the relay and processing of data from sensors that are required to prevent accidents.
Just two months before it opened an autonomous driving research center in Ottawa in December 2016, BlackBerry successfully tested a driverless Ford Lincoln running QNX, CBC Radio-Canada reported.
Securing Connected Cars
Most software consists of a patchwork of code, mixing custom-written code with code borrowed from open-source efforts. Both approaches, however, carry security risks, as developers can lose track of code origin or what any given piece of code is meant to do. Cumulatively, these can add up to security vulnerabilities.
The automobile industry is particularly at risk. One often-repeated estimate is that modern cars run on 100 million lines of code. And vehicle manufacturers are integrators at scale, assembling cars that run on parts and code sourced from thousands of different suppliers.
“The connected car is like the pinnacle of IoT,” Wilson says. “It’s the grandest expression of IoT.”
Of course, as IoT device-infecting malware such as Mirai has demonstrated, IoT devices too often lack strong controls, making many of them an easily exploitable security nightmare.
And that’s where BlackBerry sees a connected car business opportunity via Jarvis. Vehicle manufacturers can use its pay-as-you-go cloud service to scan for issues and spot vulnerabilities before code hits the highway.
Static Code-Scanning Play
Static binary code scanning tools are good at finding obvious vulnerabilities in code, says Damon McCoy, an assistant professor in the computer science and engineering department at New York University.
McCoy, who has not analyzed Jarvis, says BlackBerry may have a bit of an edge given its experience with embedded systems. But it’s also possible that BlackBerry might lag competitors’ sophistication when it comes to the algorithms they use to find potential vulnerabilities.
Some competitors have been in the static code scanning space much longer, including IBM, as well as Veracode, which was acquired by CA last year, and Coverity, which was acquired by Synopsys in 2014.
“It’s unclear how much better [BlackBerry] will do in the embedded market compared to these other companies,” says McCoy, who is also part of the Center for Automotive Embedded Systems Security. “That’s definitely going to be a challenge for them in this space.”
While using static code scanning is a good first step to reducing issues, it has limits, McCoy said. It won’t catch logic flaws, which aren’t software vulnerabilities but rather an ability to do something that was unintended and “potentially dangerous,” he says.
“If the logic isn’t quite right, it could lead to pressing problems,” McCoy adds.
BlackBerry’s Attempted Reboot
Jarvis’s debut comes in the midst of BlackBerry’s years-long transition from smartphone maker into software and service firm.
After being late to the touchscreen smartphone race, BlackBerry saw Apple iOS and Google Android operating system devices eat its lunch, with the company’s handset sales even falling behind those of Windows mobile devices.
In a 2015 last-ditch effort, BlackBerry launched Priv, a smartphone that dropped BlackBerry OS for the open source Android OS, with BlackBerry CEO Chen promising to kill the hardware side of the business if he couldn’t bring it back to profitability. That came to pass in 2016, when BlackBerry ceased manufacturing devices, although it still outsources some manufacturing to others.
In the meantime, BlackBerry has doubled down on software and services. In 2015, it bid for mobile device management firm Good Technology (see BlackBerry’s MDM Future: Good Move).
And while the company has seen a bumpy ride, its software and service play may be paying off. Last December, the publicly traded company announced third-quarter earnings that beat analysts’ expectations. The company’s stock surged after it reported quarterly GAAP revenue of $226 million, of which $190 million came from software and services, which was a year-on-year increase of 11 percent.
“The growth specifically in enterprise software is good to see,” Ali Mogharabi, an analyst at research firm Morningstar, told Reuters.
The company also announced that QNX was being distributed by 10 automotive suppliers, including Bosch, Denso and Magna.
But quarterly revenue from its BlackBerry Technology Solution group, which includes QNX software, stayed flat from the same period the prior year, earning $43 million.
Will BlackBerry’s connected car and security push, including Jarvis, help improve those figures?
Executive Editor Mathew Schwartz also contributed to this story.