At the North American International Auto Show on Monday, BlackBerry CEO John Chen unveiled “Jarvis,” a new security platform for connected and autonomous cars. The software scans the cars’ inputs and outputs for both standard and manufacturer-defined protocols, and automatically identifies any bugs, potential exploits and nonconforming code.
“Future cars will have half a billion lines of code, from 50 to 100 different providers: a humongous mobile computer running around the world,” said Chen. “We want to secure all those endpoints.”
In comparison, the most advanced current model cars run about 100 to 150 million lines of code, mostly provided by the manufacturer or a few close partners. That code is painstakingly reviewed by security teams, as the costs of failure or a security vulnerability are staggeringly high.
A system like Jarvis is essential as cars move from software provided solely by the manufacturer and a few chosen partners to something closer to a smartphone or personal computer, where code can be deployed by a wide range of providers, often without the manufacturer having access to the original source code.
BlackBerry’s Sandeep Chennakeshu gave an example of an infotainment engine containing over 20,000 files, where Jarvis was able to identify over 41,000 vulnerabilities. In another example given by Chen, Jaguar Land Rover was able to reduce the time to assess code on a connected vehicle from 30 days to 7 minutes, and Jarvis correctly identified more security issues than the team of security researchers.
In short, you need robust, mobile, inexpensive and fast security monitoring in order for cars to be a proper platform for third-party entertainment and advertising. Otherwise the code used by ads and other media would need to be laboriously reviewed by security teams. Ads could be used by a malicious actor to compromise the car or its user interface, or mistakes and malformation in the code could have an unexpected effect on the car’s operation.
Ken Washington, CTO of Ford, whose Sync 3 interactive entertainment system is powered by BlackBerry’s QNX, explained it this way:
“The customer doesn’t care [where the code is coming from]. They just want to be safe, and they want to have a good experience. In this future world where you’ve got … a connected vehicle that’s getting downloads from the cloud, or syncing with your smartphone, or it’s an autonomous vehicle that’s managing the route or whatever might be the case. All of these software modules have to be secured… Even if you don’t have access to the source code, they all have to be thought of as one system. That’s what being a trusted mobility provider means. [And for that,] tools like Jarvis may be extremely important.”
In this sense, BlackBerry’s Jarvis solves two problems. It makes it easier to test and deploy code longitudinally, over the lifetime of the vehicle, as software gets updated and new fixes and capabilities are unlocked. It also makes it easier for lots of vendors, whether working in entertainment or advertising or powertrain and safety capabilities, to test their code against common standards and have assurances that it’s going to be secure and compatible when it’s deployed.
BlackBerry may seem like an unusual choice to provide this software, but, as Chen points out, even with pagers and smartphones, security, mobility and reliability have been the hallmarks of the brand. The company has pivoted strongly from consumer smartphones to security and enterprise services for the Internet of Things.
Finally, BlackBerry’s QNX software is installed in 60 million cars from over 40 different manufacturers, including Honda, Subaru, General Motors, Fiat-Chrysler, BMW and Ford. While the Jarvis security platform isn’t limited to QNX customers, the company clearly has an interest in keeping that fleet secure.
Ads, information and entertainment may make up a small part of the overall code base of connected vehicles, but securing all of it will be necessary in order to turn them into a proper platform for dynamic advertising and brand partnerships comparable to the smartphone or personal computer.
Inexpensive, automated vetting can work at the speed and scale required to support a full complement of advertisers. The alternative is a limited, relatively static set of partnerships between auto companies and trusted brands. Otherwise, the security standards and possible consequences of a mistake or an attack are simply too high.