
Illustration by Security Management

BlackBerry Finally Announces BadAlloc Vulnerability in QNX Devices

BlackBerry became aware of a vulnerability that impacted multiple components of its software in April 2021, but waited until this week to disclose it after facing increased pressure.

While other companies impacted by the vulnerabilities quickly issued public announcements, BlackBerry informed the U.S. Cybersecurity & Infrastructure Security Agency (CISA) that it would privately inform direct customers about the issue. However, the agency pointed out that this would still leave several downstream or other users that BlackBerry could not identify in the dark. The company ultimately agreed to issue the alert and encourage users to upgrade devices.

CISA also issued its own alert that several medical, automotive, and industrial devices have multiple BlackBerry software components that are affected by a memory allocation vulnerability. 

This vulnerability affects older versions of BlackBerry’s QNX Real-Time Operating System (RTOS) and is part of a larger group of flaws, which Microsoft researchers collectively called “BadAlloc.” These vulnerabilities appear in memory allocation functions, which are nearly ubiquitous and can be found in products ranging from operating systems to software development kits, some of which are even used on the International Space Station. The software vulnerability could also place pharmaceutical or medical device manufacturing equipment at risk, according to the U.S. Food and Drug Administration (FDA).  

Microsoft Section 52 security researchers disclosed in April 2021 that BadAlloc could impact an incredible number of Internet of Things (IoT) and Operational Technology (OT) devices. With 25 different vulnerabilities linked to BadAlloc, Section 52 reported that each can allow an attacker to act remotely to disrupt or control devices, insert malicious code, perform a denial of service, or crash a vulnerable system altogether.

This flaw in BlackBerry products apparently “left 200 million cars, along with critical hospital and factory equipment, vulnerable to hackers—and the company opted to keep it secret for months,” Politico reported. On 17 August, BlackBerry formally announced that a total of 31 QNX items were vulnerable. 

“Two people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify all of the customers using the software,” Politico said. “The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems.” 

Forbes noted that the company is already delivering patches for vulnerable software and issuing guidance on how to additionally secure any affected devices. 

“It’s indeed fortunate that BlackBerry had not discovered any evidence of attacks exploiting any of the at-risk QNX products at the time of disclosure,” Forbes reported.  

It’s possible that the former PDA-provider-turned-software-manufacturer will face backlash in the court of public opinion over its decision to delay the announcement and to make it only under pressure from CISA. “Once trust is broken it is hard to repair and the adage ‘one aw-shucks wipes out a hundred atta-boys’ applies,” CSO reported.