SlideShare a Scribd company logo

Hacking QNX

R
ricardomcm

Ricardo Mourato gave a presentation on hacking the QNX RTOS. Some key points: - QNX is a real-time operating system used in embedded systems like medical devices, robots, and cars. It has a microkernel architecture for reliability. - Potential vulnerabilities were demonstrated, like exploiting default services like Telnet and FTP to gain root access, or abusing the QCONN debugging protocol. - The Qnet inter-process communication could allow accessing resources like files and processes remotely in a transparent way. - A live demonstration showed exploiting these avenues to hack into a QNX system remotely or locally. Default configurations and services provide initial access points to attack the system.

Technology
1 of 24
Downloaded 64 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Most read
16
17
18
19
Most read
20
21
22
Most read
23
24
Hacking Confraria de Segurança da Informação 27 Nov 2013
root@localhost:~# whoami • Ricardo Mourato • Pentester @ SysValue • Former SW engineer • Like to: • Hack Stuff • Code C,Python,Ruby,Java,C# • Slackware! • Drink: • Stout • Staropramen • Stella Artois • Hate: • Printers, Unless networked • Perl root@localhost:~#
Disclaimer: You know, i’m not responsible for your:
What this talk is about: • An introduction to QNX RTOS • Where Would You Expect To Find QNX • QNX in Numbers • More About QNX • How it Looks • QNX Network Services • QNX Qnet protocol • Exploiting QNX Weaknesses Remotley & Locally (<- demo )
What is QNX (Neutrino): • Multiuser & Multitask Mission Critical RTOS; • Developed by QNX Software, later acquired by Research in Motion, Now BlackBerry; • Targets are mostly embedded systems; • Microkernel driven; • This means: • Every failure prone component lives outside of kernelspace • Components, such as Drivers, Protocol Stacks, Filesystems, Applications;
What is QNX Neutrino (cont): • Runs on Multiple Arch’s: ARM,MIPS, PowerPC, x86, etc; • Not Linux nor Unix; • POSIX standard (1003.1-2001 POSIX.1) 
What is QNX Neutrino (cont): Source: http://www.qnx.com/
Where Would You Expect To Find QNX: “QNX is used in systems where the cost of failure is very high“ Dan Dodge (QNX CEO)
Where Would You Expect To Find QNX (cont): • Medical Equipment; • Industrial Robots; • Professional DVR’s; • Storage Appliances; • Network Equipment; <- Cisco CRS-1  • RAID Controllers; • Spacecraft & Aircraft; • Nuclear Power Plants;
Where Would You Expect To Find QNX (cont): • Blackberry PlayBook, Z10, Z30, Q5, Q10, etc; • Luxury & High-end Cars (Porshe, Bentley, Lexus, Mercedes, etc; • University Students “Quite Expensive" NAS; • Many Others.
QNX in Numbers: • Shodanhq: • 2 QNX hosts; • Internet Census: • ~ 74 Internet Exposed hosts; • No Nuclear Power Plants, though  • Private/Local networks?
More About QNX: • Photon (GUI) • Uses Neutrino messages in order to create highly responsive user experience; • Made of the following components: • Photon server; • graphics subsystem manager and hardware driver; • font support; • input support; • user applications;
More About QNX (cont): • Multimedia • “Media Player Plugins” • Plays/Decodes: • MPEG-1, MPEG-2, MPEG-2.5, MP3, WAV, AIFF • Widgets Library; • Etc.
More About QNX (cont):
More About QNX (cont): “By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car” Remember “Media Player Plugins” ? 
How it Looks:
How it Looks:
How it Looks (Pentester’s view)
QNX Network Services (Usually Default): • Telnet • Allows root login, if you know the password • Unprivileged joe account? Try ./KissMyHash  (later on demo) • FTP • Does not allow root login. You’re able to travel “/”, again, if you know the password. • QCONN • Kind of remote debug/profiling bridge for IDE’s • Allows root login, even if you don’t know the password 
QNX Qnet Protocol • Transparent Distributed Processing Platform; • Groups QNX systems or CPU’s (nodes) into na integrated network; • A QNX node can access resources on other nodes, transparently. • Resources can be: • Files; • Devices; • Processes <-  • Same goes for IPC
Demo Meet the Live Demo Gremlin, he just sits and waits Then Leaves…
References: [1] "30 Ways QNX Touches Your Life", Internet: http://www.qnx.com/company/30ways/ [2] "Customers", Internet: http://www.qnx.com/company/customer_stories/http://www.qnx.com [3] "QNX Neutrino RTOS", Internet: http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html [4] "A Look At The Near Future Of In-Car Technology: QNX CAR 2", Internet: http://www.washingtonpost.com/cars/a-look-at-the-near-future-of-in-car-technology-qnx-car- 2/2012/09/19/a3266bf0-0262-11e2-9132-f2750cd65f97_story.html [5] "Nuclear plant powers up on real-time OS", Internet: http://www.itbusiness.ca/news/nuclear- plant-powers-up-on-real-time-os/9084 [6] "Review: BlackBerry PlayBook (o verdadeiro tablet 2.0 :))", Internet: http://itweb.com.br/blogs/review-blackberry-playbook-o-verdadeiro-tablet-2-0/ [7] "Pentesting QNX Neutrino RTOS", Internet: http://www.fishnetsecurity.com/6labs/blog/pentesting- qnx-neutrino-rtos [8] "QNX QCONN Remote Command Execution Vulnerability", Internet: http://www.rapid7.com/db/modules/exploit/unix/misc/qnx_qconn_exec [9] "With hacking, music can take control of your car", Internet: http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car [10] "Transparent Distributed Processing Using Qnet", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/prog/qnet.html [11] "on", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/utilities/o/on.html
Q&A
Hacking QNX

More Related Content

DOCX
Qnx os
Student
 
PPTX
Enable DPDK and SR-IOV for containerized virtual network functions with zun
heut2008
 
PDF
QNX Sales Engineering Presentation
Robert-Emmanuel Mayssat
 
PDF
QNX Software Systems
Robert-Emmanuel Mayssat
 
PDF
Review of QNX
Robert-Emmanuel Mayssat
 
PDF
Apresentacao sobre o QNX Neutrino
Líus Fontenelle Carneiro
 
PDF
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Stefano Stabellini
 
PDF
Linux Preempt-RT Internals
哲豪 康哲豪
 
Qnx os
Student
 
Enable DPDK and SR-IOV for containerized virtual network functions with zun
heut2008
 
QNX Sales Engineering Presentation
Robert-Emmanuel Mayssat
 
QNX Software Systems
Robert-Emmanuel Mayssat
 
Review of QNX
Robert-Emmanuel Mayssat
 
Apresentacao sobre o QNX Neutrino
Líus Fontenelle Carneiro
 
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Stefano Stabellini
 
Linux Preempt-RT Internals
哲豪 康哲豪
 

What's hot (20)

PDF
Achieving the ultimate performance with KVM
ShapeBlue
 
PPTX
Docker Networking Overview
Sreenivas Makam
 
PDF
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
PDF
Dockerを支える技術
Etsuji Nakai
 
PDF
What’s the Best PostgreSQL High Availability Framework? PAF vs. repmgr vs. Pa...
ScaleGrid.io
 
PDF
Open shift 4 infra deep dive
Winton Winton
 
PDF
Présentation docker et kubernetes
Kiwi Backup
 
PDF
不揮発メモリ(NVDIMM)とLinuxの対応動向について
Yasunori Goto
 
PDF
Reconnaissance of Virtio: What’s new and how it’s all connected?
Samsung Open Source Group
 
PDF
A crash course in CRUSH
Sage Weil
 
PDF
Backroll: Production Grade KVM Backup Solution Integrated in CloudStack
ShapeBlue
 
PDF
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Vietnam Open Infrastructure User Group
 
PDF
Terraform
Marcelo Serpa
 
PDF
Neutron packet logging framework
Vietnam Open Infrastructure User Group
 
PDF
Embedded Android : System Development - Part IV
Emertxe Information Technologies Pvt Ltd
 
PPTX
QNX Neutrino RTOS
lccasagrande
 
ODP
Embedded Android : System Development - Part III
Emertxe Information Technologies Pvt Ltd
 
ODP
Dpdk performance
Stephen Hemminger
 
PDF
OpenWrt From Top to Bottom
Kernel TLV
 
PDF
An Introduction to Kubernetes
Imesh Gunaratne
 
Achieving the ultimate performance with KVM
ShapeBlue
 
Docker Networking Overview
Sreenivas Makam
 
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
Dockerを支える技術
Etsuji Nakai
 
What’s the Best PostgreSQL High Availability Framework? PAF vs. repmgr vs. Pa...
ScaleGrid.io
 
Open shift 4 infra deep dive
Winton Winton
 
Présentation docker et kubernetes
Kiwi Backup
 
不揮発メモリ(NVDIMM)とLinuxの対応動向について
Yasunori Goto
 
Reconnaissance of Virtio: What’s new and how it’s all connected?
Samsung Open Source Group
 
A crash course in CRUSH
Sage Weil
 
Backroll: Production Grade KVM Backup Solution Integrated in CloudStack
ShapeBlue
 
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Vietnam Open Infrastructure User Group
 
Terraform
Marcelo Serpa
 
Neutron packet logging framework
Vietnam Open Infrastructure User Group
 
Embedded Android : System Development - Part IV
Emertxe Information Technologies Pvt Ltd
 
QNX Neutrino RTOS
lccasagrande
 
Embedded Android : System Development - Part III
Emertxe Information Technologies Pvt Ltd
 
Dpdk performance
Stephen Hemminger
 
OpenWrt From Top to Bottom
Kernel TLV
 
An Introduction to Kubernetes
Imesh Gunaratne
 

Similar to Hacking QNX (20)

PPTX
Qnx os
Student
 
PPTX
Qnx 120227023226-phpapp01
Kishore Wrecks
 
PPTX
5th
Erm78
 
PPTX
Qnx
Guevarra Institute of Technology
 
PPTX
QNX OS
Guevarra Institute of Technology
 
PDF
[CONFidence 2016]: Alex Plaskett, Georgi Geshev - QNX: 99 Problems but a Micr...
PROIDEA
 
PPTX
Keynote at Home Automation/ IoT Telecom Council conference
Larry McDonough
 
PDF
Survey/analysis of the QNX Neutrino Secure Kernel
Apollo_n
 
PPTX
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Chris Sistrunk
 
PDF
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3
Qualcomm Developer Network
 
PDF
No Apology Required: Deconstructing BB10
Duo Security
 
PPTX
Learn how to addressing medical and industrial challenges with BlackBerry QNX...
Qt
 
PDF
Black berry playbook security part one
Yury Chemerkin
 
PDF
KonnexSIM middleware
Yiannis Hatzopoulos
 
PDF
Quad9 and DNS Privacy
CSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Juniper Network Automation for KrDAG
KwonSun Bae
 
PDF
Anonguide
Arif Wahyudi
 
PPTX
Kiran 005
Sai Kiran
 
PPTX
Thinknx Webinar Quick Guide 2023.pptx
Ivory Egg
 
PDF
The Low-Risk Path to Building Autonomous Car Architectures
Real-Time Innovations (RTI)
 
Qnx os
Student
 
Qnx 120227023226-phpapp01
Kishore Wrecks
 
5th
Erm78
 
Qnx
Guevarra Institute of Technology
 
QNX OS
Guevarra Institute of Technology
 
[CONFidence 2016]: Alex Plaskett, Georgi Geshev - QNX: 99 Problems but a Micr...
PROIDEA
 
Keynote at Home Automation/ IoT Telecom Council conference
Larry McDonough
 
Survey/analysis of the QNX Neutrino Secure Kernel
Apollo_n
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Chris Sistrunk
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3
Qualcomm Developer Network
 
No Apology Required: Deconstructing BB10
Duo Security
 
Learn how to addressing medical and industrial challenges with BlackBerry QNX...
Qt
 
Black berry playbook security part one
Yury Chemerkin
 
KonnexSIM middleware
Yiannis Hatzopoulos
 
Quad9 and DNS Privacy
CSUC - Consorci de Serveis Universitaris de Catalunya
 
Juniper Network Automation for KrDAG
KwonSun Bae
 
Anonguide
Arif Wahyudi
 
Kiran 005
Sai Kiran
 
Thinknx Webinar Quick Guide 2023.pptx
Ivory Egg
 
The Low-Risk Path to Building Autonomous Car Architectures
Real-Time Innovations (RTI)
 

Recently uploaded (20)

PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Teaching material agriculture food technology
LiaRayya
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 

Hacking QNX

  • 1. Hacking Confraria de Segurança da Informação 27 Nov 2013
  • 2. root@localhost:~# whoami • Ricardo Mourato • Pentester @ SysValue • Former SW engineer • Like to: • Hack Stuff • Code C,Python,Ruby,Java,C# • Slackware! • Drink: • Stout • Staropramen • Stella Artois • Hate: • Printers, Unless networked • Perl root@localhost:~#
  • 3. Disclaimer: You know, i’m not responsible for your:
  • 4. What this talk is about: • An introduction to QNX RTOS • Where Would You Expect To Find QNX • QNX in Numbers • More About QNX • How it Looks • QNX Network Services • QNX Qnet protocol • Exploiting QNX Weaknesses Remotley & Locally (<- demo )
  • 5. What is QNX (Neutrino): • Multiuser & Multitask Mission Critical RTOS; • Developed by QNX Software, later acquired by Research in Motion, Now BlackBerry; • Targets are mostly embedded systems; • Microkernel driven; • This means: • Every failure prone component lives outside of kernelspace • Components, such as Drivers, Protocol Stacks, Filesystems, Applications;
  • 6. What is QNX Neutrino (cont): • Runs on Multiple Arch’s: ARM,MIPS, PowerPC, x86, etc; • Not Linux nor Unix; • POSIX standard (1003.1-2001 POSIX.1) 
  • 7. What is QNX Neutrino (cont): Source: http://www.qnx.com/
  • 8. Where Would You Expect To Find QNX: “QNX is used in systems where the cost of failure is very high“ Dan Dodge (QNX CEO)
  • 9. Where Would You Expect To Find QNX (cont): • Medical Equipment; • Industrial Robots; • Professional DVR’s; • Storage Appliances; • Network Equipment; <- Cisco CRS-1  • RAID Controllers; • Spacecraft & Aircraft; • Nuclear Power Plants;
  • 10. Where Would You Expect To Find QNX (cont): • Blackberry PlayBook, Z10, Z30, Q5, Q10, etc; • Luxury & High-end Cars (Porshe, Bentley, Lexus, Mercedes, etc; • University Students “Quite Expensive" NAS; • Many Others.
  • 11. QNX in Numbers: • Shodanhq: • 2 QNX hosts; • Internet Census: • ~ 74 Internet Exposed hosts; • No Nuclear Power Plants, though  • Private/Local networks?
  • 12. More About QNX: • Photon (GUI) • Uses Neutrino messages in order to create highly responsive user experience; • Made of the following components: • Photon server; • graphics subsystem manager and hardware driver; • font support; • input support; • user applications;
  • 13. More About QNX (cont): • Multimedia • “Media Player Plugins” • Plays/Decodes: • MPEG-1, MPEG-2, MPEG-2.5, MP3, WAV, AIFF • Widgets Library; • Etc.
  • 14. More About QNX (cont):
  • 15. More About QNX (cont): “By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car” Remember “Media Player Plugins” ? 
  • 18. How it Looks (Pentester’s view)
  • 19. QNX Network Services (Usually Default): • Telnet • Allows root login, if you know the password • Unprivileged joe account? Try ./KissMyHash  (later on demo) • FTP • Does not allow root login. You’re able to travel “/”, again, if you know the password. • QCONN • Kind of remote debug/profiling bridge for IDE’s • Allows root login, even if you don’t know the password 
  • 20. QNX Qnet Protocol • Transparent Distributed Processing Platform; • Groups QNX systems or CPU’s (nodes) into na integrated network; • A QNX node can access resources on other nodes, transparently. • Resources can be: • Files; • Devices; • Processes <-  • Same goes for IPC
  • 21. Demo Meet the Live Demo Gremlin, he just sits and waits Then Leaves…
  • 22. References: [1] "30 Ways QNX Touches Your Life", Internet: http://www.qnx.com/company/30ways/ [2] "Customers", Internet: http://www.qnx.com/company/customer_stories/http://www.qnx.com [3] "QNX Neutrino RTOS", Internet: http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html [4] "A Look At The Near Future Of In-Car Technology: QNX CAR 2", Internet: http://www.washingtonpost.com/cars/a-look-at-the-near-future-of-in-car-technology-qnx-car- 2/2012/09/19/a3266bf0-0262-11e2-9132-f2750cd65f97_story.html [5] "Nuclear plant powers up on real-time OS", Internet: http://www.itbusiness.ca/news/nuclear- plant-powers-up-on-real-time-os/9084 [6] "Review: BlackBerry PlayBook (o verdadeiro tablet 2.0 :))", Internet: http://itweb.com.br/blogs/review-blackberry-playbook-o-verdadeiro-tablet-2-0/ [7] "Pentesting QNX Neutrino RTOS", Internet: http://www.fishnetsecurity.com/6labs/blog/pentesting- qnx-neutrino-rtos [8] "QNX QCONN Remote Command Execution Vulnerability", Internet: http://www.rapid7.com/db/modules/exploit/unix/misc/qnx_qconn_exec [9] "With hacking, music can take control of your car", Internet: http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car [10] "Transparent Distributed Processing Using Qnet", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/prog/qnet.html [11] "on", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/utilities/o/on.html
  • 23. Q&A