BlackBerry QNX flaw left cars and medical devices vulnerable to attack
The company reportedly didn't want to make the issue public at first.
A major vulnerability affecting older versions of BlackBerry's QNX operating system could allow attackers to gain control of a variety of products, including cars and medical devices. Some older versions of QNX carry a BadAlloc vulnerability, which gives attackers a way to compromise systems remotely: a successful attack could cause a denial of service or execute arbitrary code on the device. BlackBerry, the FDA and US Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories about the flaw. According to Politico, though, BlackBerry originally didn't want to go public about it and kept it quiet for months.
The company reportedly told CISA that it didn't believe its OS was affected by BadAlloc, a family of integer-overflow bugs in memory-allocation routines that Microsoft disclosed in April and that affects real-time operating systems and SDKs used across a wide range of industrial, medical and enterprise devices. A number of companies publicly revealed being affected by the flaw shortly after Microsoft's report came out, but BlackBerry wasn't one of them. Politico says it was CISA that confirmed that some older QNX versions are indeed affected by BadAlloc, and it was the agency that eventually convinced the company to go public.
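To make the bug class concrete, here is an added C illustration of the BadAlloc pattern. It is written for this article and is not QNX code, BlackBerry code or any vendor's allocator: a constructed wrapper computes nmemb * size and passes the product to malloc() without checking for wraparound, beside a hardened wrapper that rejects unrepresentable sizes. The function names, the "evil" request values and the example caller are all assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Added illustration of the BadAlloc bug class (integer overflow in the
 * size arithmetic of a memory allocator). Constructed for this page; it is
 * NOT QNX code and does not reproduce any specific vendor's allocator.
 *
 * The pattern: a wrapper computes nmemb * size and hands the result to
 * malloc() without checking whether the multiplication wrapped. When it
 * wraps, the caller gets a tiny buffer but believes it owns nmemb elements,
 * so the first writes into that "array" run past the real allocation and
 * corrupt the heap, which is how these bugs become DoS or code execution.
 */

/* Vulnerable form: no overflow check (the BadAlloc pattern). */
void *unsafe_array_alloc(size_t nmemb, size_t size, size_t *bytes_out)
{
    size_t bytes = nmemb * size;      /* wraps silently modulo SIZE_MAX + 1 */
    if (bytes_out)
        *bytes_out = bytes;
    return malloc(bytes);             /* may return a tiny buffer for a huge request */
}

/* Hardened form: refuse any request whose byte count cannot be represented. */
void *safe_array_alloc(size_t nmemb, size_t size, size_t *bytes_out)
{
    if (size != 0 && nmemb > SIZE_MAX / size) {
        if (bytes_out)
            *bytes_out = 0;
        return NULL;                  /* caller sees a failure, not a short buffer */
    }
    size_t bytes = nmemb * size;
    if (bytes_out)
        *bytes_out = bytes;
    return malloc(bytes);
}

/*
 * Constructed attacker-controlled request: (SIZE_MAX / 2 + 2) elements of
 * 2 bytes each. The true byte count is SIZE_MAX + 3, which wraps to 2 on
 * every platform where SIZE_MAX is 2^n - 1 (i.e. all of them).
 */
static const size_t EVIL_NMEMB = SIZE_MAX / 2 + 2;
static const size_t EVIL_SIZE  = 2;

/* Returns the byte count the vulnerable wrapper actually allocates (2). */
size_t unsafe_bytes_for_evil_request(void)
{
    size_t bytes = 0;
    void *p = unsafe_array_alloc(EVIL_NMEMB, EVIL_SIZE, &bytes);
    free(p);                          /* the 2-byte buffer; never written past here */
    return bytes;
}

/* Returns true when the hardened wrapper refuses the same request. */
bool safe_rejects_evil_request(void)
{
    size_t bytes = 0;
    void *p = safe_array_alloc(EVIL_NMEMB, EVIL_SIZE, &bytes);
    bool rejected = (p == NULL && bytes == 0);
    free(p);                          /* free(NULL) is a no-op */
    return rejected;
}

/* Returns true when both wrappers agree on an ordinary, in-range request. */
bool honest_request_still_works(void)
{
    size_t a = 0, b = 0;
    void *p = unsafe_array_alloc(16, sizeof(uint32_t), &a);
    void *q = safe_array_alloc(16, sizeof(uint32_t), &b);
    bool ok = (p != NULL && q != NULL && a == 64 && b == 64);
    free(p);
    free(q);
    return ok;
}
```

The division-based check is the portable way to detect the wrap; on GCC and Clang, __builtin_mul_overflow(nmemb, size, &bytes) does the same job in one call. The point of the demonstration is the second half of the attack: once the vulnerable path hands back a 2-byte buffer for a request the caller thinks is enormous, every subsequent element write is a heap overflow, and the fix belongs in the allocator, not in each caller.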
The agency was reportedly worried that most QNX users wouldn't even know their systems were affected, because BlackBerry licenses the OS to manufacturers rather than selling it to end users. The company originally wanted to reach out privately to those customers, but that meant end users would not find out unless the manufacturers passed the warning along. In the end, CISA convinced BlackBerry that a public announcement was the best course of action.
In its notice, BlackBerry said it's "not aware of any exploitation of this vulnerability." Both the company and CISA are nonetheless advising organizations that build products on QNX to move to patched versions of the OS. The FDA also issued a warning specifically for medical devices running the OS, though it said it wasn't aware of any confirmed events related to BadAlloc.