Earlier this year, in April, Microsoft’s Azure Defender for IoT security research group, also known as Section 52, revealed a number of critical memory allocation vulnerabilities in IoT and OT devices [1]. Among the list of products affected is a software designed by BlackBerry. BlackBerry, may be best known for their old-school smartphones with manual keyboards, but in recent years BlackBerry has become a major supplier of software for industrial equipment, especially the QNX Real Time Operating System (QNX RTOS), which powers a lot of different things. For example, factory machinery, medical devices, rail equipment, components on the International Space Station, and cars. Automakers, including Volkswagen Group, BMW and Ford Motor, use the QNX software in their vehicles for critical functions such as the advanced driver assistance systems (ADAS). A typical function, like every other, where memory allocation issues is unwanted.
The name of this class of memory overflow vulnerabilities that belongs to the family of vulnerabilities discovered in embedded IoT and OT operating systems and software, has been assigned by Microsoft’s Section 52 to: “BadAlloc”, which runs malicious code through vulnerable memory functions.
Initially BlackBerry denied that BadAlloc impacted their products and resisted to make a public announcement about it. Until now, last Tuesday August 17, BlackBerry admitted that their old but still widely used versions of one of its flagship products, QNX RTOS, contain the BadAlloc vulnerability [2]. A secret that the company have kept for months. Hence, approx. two hundred million cars, along with critical hospital and factory equipment have been vulnerable to hackers. Furthermore, in June, BlackBerry actually advertised about QNX’s integration into 195 million vehicles and called the operating system “key to the future of the automotive industry” because it provides “a safe, reliable, and secure foundation” for autonomous vehicles. Adding that QNX was the embedded software of choice for 23 of the top 25 electric vehicle makers. Even though they knew about the security issue.
According to Politico [3] BlackBerry did not believe that BadAlloc had impacted their QNX RTOS product, but when the U.S. federal agency: The Cybersecurity and Infrastructure Security Agency (CISA), an operational component under Department of Homeland Security (DHS), concluded that it sure did and pushed BlackBerry to accept the bad news. BlackBerry responded that their intention was to reach out privately to its direct customers and warn them about the QNX issue, instead of going public with the problem [4].
Of course, BlackBerry is not the first company to disclose a security issue in a widely used industrial software, and such flaws are expected to happen again. Nevertheless, BlackBerry are now facing the major task of resolving their QNX problem with the with the U.S. government.
[2] https://support.blackberry.com/kb/articleDetail?articleNumber=000082334
[3] https://www.politico.com/news/2021/08/17/blackberry-qnx-vulnerability-hackers-505649
[4] https://us-cert.cisa.gov/ncas/alerts/aa21-229a
Written by Joakim Rosell
