A security vulnerability in an older version of BlackBerry's QNX real-time operating system, still in use in both industrial settings and hospital equipment, was discovered by Microsoft researchers in April of this year. Many affected organizations are only now learning about it, and only because the Cybersecurity and Infrastructure Security Agency (CISA) stepped in and, after months of back-and-forth, pressured the company into public disclosure.
The vulnerability is in BlackBerry's QNX, which is widely used in embedded and industrial equipment: roughly 200 million cars, as well as medical devices, rail equipment, factory machinery and even components on the International Space Station. It is serious, allowing an attacker who can reach a vulnerable system to execute arbitrary code (which could be used to install a backdoor for remote access) or to crash the device. BlackBerry has now issued a patch, but it took months of dialogue to convince the company to even acknowledge that the flaw affected its products.
BlackBerry security vulnerability went unaddressed for months
QNX has been used in industrial and embedded applications since the 1980s and was acquired by BlackBerry in 2010. While the former smartphone titan has fallen to effectively 0% market share among smartphone users, it still does strong business in embedded and industrial control systems.
In April, security researchers with Microsoft reported a family of memory allocation vulnerabilities, which they dubbed "BadAlloc," across dozens of real-time operating systems and IoT libraries, QNX among them. The bugs are integer overflows in size calculations inside allocation routines such as malloc and calloc: an attacker-influenced element count multiplied by an element size wraps around, the allocator returns a buffer far smaller than the caller expects, and subsequent writes overflow the heap. In QNX the flaw is in the calloc() function of the C runtime library (CVE-2021-22156) and affects QNX SDP 6.5.0 SP1 and earlier. Microsoft issued a public warning, followed by a CISA advisory and confirmations from a number of other vendors affected by the vulnerability.
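To make the bug class concrete, here is an added example (written for this page, not BlackBerry's or QNX's code, and not the actual patched routine) showing the BadAlloc pattern in a calloc-style allocator beside a hardened version. The element count, element size and "parser reads a record count from a header" scenario are constructed for illustration; the only real fact it relies on is that size_t multiplication wraps on overflow.

```c
/* Added example of the BadAlloc bug class; not QNX code.
 * The pattern: an allocator (or a caller doing malloc(n * sizeof(T)))
 * multiplies an attacker-controlled element count by an element size in
 * size_t arithmetic, which wraps on overflow, so a huge request turns into
 * a tiny allocation that is later written as if it were the full size. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable allocator: the product wraps silently. */
void *calloc_vulnerable(size_t nmemb, size_t size)
{
    size_t total = nmemb * size;   /* unchecked: wraps modulo SIZE_MAX + 1 */
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);       /* zeroes only the wrapped size */
    return p;
}

/* Hardened allocator: refuse any product that does not fit in size_t.
 * (On GCC/Clang, __builtin_mul_overflow does the same check.) */
void *calloc_hardened(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;            /* same failure a conforming calloc reports */
        return NULL;
    }
    size_t total = nmemb * size;   /* now known not to wrap */
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Byte count the vulnerable path actually hands to malloc for a request. */
size_t wrapped_request_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* 1 if the hardened allocator refuses the request, 0 if it accepts it. */
int hardened_rejects(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Constructed scenario: a parser reads a record count from an untrusted
 * header and allocates that many 4-byte records. A count of SIZE_MAX/4 + 2
 * makes count * 4 wrap to exactly 4 on both 32- and 64-bit targets, so the
 * vulnerable path returns a 4-byte buffer that the parser then treats as
 * holding billions of records. */
int main(void)
{
    size_t count = SIZE_MAX / 4 + 2;   /* hostile header value */
    size_t elem  = 4;

    printf("requested: %zu x %zu bytes\n", count, elem);
    printf("vulnerable path passes %zu bytes to malloc\n",
           wrapped_request_size(count, elem));

    void *v = calloc_vulnerable(count, elem);
    printf("vulnerable allocator returned %s\n", v ? "a tiny buffer" : "NULL");
    free(v);   /* deliberately not written past its end here */

    void *h = calloc_hardened(count, elem);
    printf("hardened allocator returned %s (errno=%d)\n",
           h ? "a buffer" : "NULL", h ? 0 : errno);
    free(h);

    void *ok = calloc_hardened(16, elem);   /* a sane request still works */
    printf("sane request: %s\n", ok ? "allocated" : "failed");
    free(ok);
    return 0;
}
```

The check belongs in the allocator, as in QNX's fix to calloc(), but it is equally needed in every caller that computes its own size with malloc(n * sizeof(T)), which is why the BadAlloc advisory covered so many independent code bases rather than one library.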
Despite all of this, BlackBerry was reluctant to acknowledge the flaw or issue a patch. Politico, citing insider sources, reports that when confronted by CISA, BlackBerry initially denied that the vulnerability could be exploited in its products, said it was not able to identify all of the affected customers, and declined to make a public announcement.
The vulnerability is particularly worrisome because of the environments in which QNX is typically deployed. By and large, it runs heavy-equipment control systems that an attacker who took control of them could use to cause physical damage. It is also used in what the company's own promotional literature describes as "life critical" medical devices (defibrillators, artificial hearts, x-ray machines, anesthesia equipment and ventilators, to name just a few), and in the driver-assistance and digital instrument cluster systems of about 200 million vehicles from a wide variety of manufacturers.
CISA apparently struggled to get BlackBerry to accept that the vulnerability affected these products at all. Once it did, BlackBerry pushed back on going public and instead opted to notify its customers privately. However, the company could identify only a small portion of its direct customers, since it sells licenses without tracking closely who ultimately uses them. The process dragged on for months, with CISA eventually winning the company over with a PowerPoint presentation illustrating the potential dangers to both customers and national security.
A patch has been available for some time, but many customers were not aware of the vulnerability or of the need to apply BlackBerry's fix or move to an unaffected QNX release. Applying it may disrupt operations, since some equipment will need to be taken offline while it is updated. The FDA has also issued its own warning to the health care industry about the potential for exploitation of medical devices.
Software supply chain issues exacerbated by vulnerability disclosure delays
The incident highlights some of the biggest ongoing challenges in cybersecurity. One is serious vulnerabilities in the software supply chain, which can create openings into even the most well-defended organizations. Some large firms manage thousands of contractors and subcontractors that can introduce such issues, with little direct control over the security measures they implement (and smaller contractors are often unable to afford to keep pace with the threat landscape). Under the leadership of the Commerce Department's NTIA, members of the telecommunications and IT industry have been working on a voluntary "software bill of materials" (SBOM) standard that would at least partially address this: if adopted, organizations could quickly identify which pieces of equipment contain a component affected by a newly disclosed vulnerability, rather than waiting for a vendor to work out who its downstream users are.
Another is the debate over how soon voluntary disclosures of security vulnerabilities should be made. One side argues for delays akin to BlackBerry's handling of this issue, on the assumption that attackers will be quicker to make use of the information than those who need to implement patches. AJ King, Chief Information Security Officer at BreachQuest, is firmly on the side of disclosures being made as early as possible: "The head in the sand approach continues to come back to bite companies. Software supply chain issues are main stage now, and are the gateway drug to extortion, ransomware, and botnets. It is always worse to be forced into disclosure than to take early, proactive measures to show your consumers that you're doing everything in your power to keep their data (and in this case their physical security) safe … Instead of being just another company on the list of companies that were impacted by this vulnerability, they now have a story dedicated solely to their intentional decision to minimize impact."
There are currently no known incidents of active exploitation, but CISA is urging organizations that use QNX-based devices to patch as soon as possible, by updating to a fixed version where one is available or otherwise following manufacturer-recommended mitigations. Because QNX is usually embedded in a third-party product, the fix for a given device generally has to come from that device's manufacturer rather than from BlackBerry directly, so operators should be contacting their equipment vendors, not only checking BlackBerry's advisory.