360 has discovered multiple high-risk vulnerabilities in car operating systems! BMW and BlackBerry thank you

Publisher: 中和子. Latest update time: 2021-12-10

Recently, the Intelligent Connected Vehicle Security Laboratory (hereinafter referred to as 360 Sky-Go) under the Qihoo 360 Group (stock code: 601360.SH) discovered multiple security vulnerabilities in the automotive operating system QNX, including a severe remote code execution vulnerability that scored 9.8 points (out of 10) in the Common Vulnerability Scoring System (CVSS). This vulnerability affects multiple versions of BlackBerry QNX SDP from 6.4 to 7.1, making it a major hidden risk to vehicle safety. The vendor has now released a fix for the above vulnerability.


As one of the largest operating system suppliers in the automotive field, BlackBerry's QNX holds a 75% share of the automotive market. More than 230 car models worldwide currently use QNX, from well-known manufacturers including Volkswagen, BMW, Audi, Porsche and Ford. Tens of millions of smart connected cars at home and abroad are equipped with QNX-based in-car entertainment systems.



(Security announcement about this vulnerability released by BlackBerry official website)


It is reported that the 360 Sky-Go team has received thanks from QNX publisher BlackBerry for two consecutive years. The ten vulnerabilities submitted in 2021 covered multiple components, including the TCP/IP protocol stack, the media library, and the kernel. BlackBerry awarded 360's security researchers the title of "Super Finder Status" in recognition of the 360 Sky-Go team's outstanding work in protecting the safety of smart connected car users.



(BlackBerry 2021 official website thank you page)




(BlackBerry 2020 official website thank you page)


In the first half of this year, 360 Sky-Go submitted a QNX vulnerability to BMW, confirming that this general operating system vulnerability poses a direct security threat to automobile safety. This is also the world's first case of a QNX system 0day vulnerability being used to affect automobile safety. The 360 Sky-Go team's discovery and reporting of this type of vulnerability has been officially acknowledged with thanks by the BMW Group and QNX publisher BlackBerry.



(Thank you page on BMW's official website)


Established by 360 Government and Enterprise Security Group in 2014, 360 Sky-Go is one of the early domestic companies researching the security of intelligent connected vehicles. It has rich research results and practical experience in the field of automotive information security. Relying on 360's comprehensive digital security capabilities, it has built a set of monitoring solutions for intelligent vehicle security incidents that comply with domestic and international laws and regulations. With these solutions, security incidents involving intelligent connected vehicles can be perceived, visualized and traced, and the automotive industry is provided with compliance detection capabilities, real-time monitoring of vehicles on the road, and security operation services.


In recent years, the 360 Sky-Go team has been deeply involved in the Internet of Vehicles industry, committed to deepening research on Internet of Vehicles security and to further promoting the innovation and secure development of the industry at home and abroad. Previously, the 360 Sky-Go security team exclusively released the Mercedes-Benz Security Research Report, which disclosed and assisted in fixing 19 security vulnerabilities and was officially recognized by Mercedes-Benz. In addition, 360 Sky-Go has been committed to promoting the construction and implementation of Internet of Vehicles security standards across the country and around the world. ITU-T X.1376, "Connected Car Security Abnormal Behavior Detection Mechanism Using Big Data", officially released in January this year, is the first international standard for automobile safety led by China. It sets out the abnormal behavior detection mechanism for automotive network security that the 360 Sky-Go team summarized from years of attack and defense experience. At present, 360 has taken the lead in the formulation of 11 standards, participated in the formulation of more than 200 standards, published more than 90 standards, and won 7 awards from standardization organizations at all levels.


In the future, 360 Sky-Go will continue to delve deeper into the field of automotive safety and, under the guidance of the 360 Government and Enterprise Security Group's digital security capability framework, will continue working to protect the safe and healthy development of the intelligent connected vehicle industry in the digital era.

