BlackBerry Finally Admits Vulnerability Affected 200M Cars

For months BlackBerry sat on a vulnerability in its software that put 200 million cars as well as systems at hospitals and factories at risk.

“This does spur a new debate. Is there any circumstance where keeping such widespread vulnerabilities under wraps is beneficial?” said Setu Kulkarni, vice president, strategy at NTT Application Security. “After all, unlike physical adversarial threats, cyberthreats cannot be seen or contained by borders or treaties. In this case, the earlier the disclosure is, the earlier preventative measures can be rolled out.”

The BadAlloc flaw was first uncovered last April by Microsoft researchers, who found it in operating systems and software from multiple vendors. A month later, a Cybersecurity and Infrastructure Security Agency (CISA) advisory warned that the vulnerability must be patched. But BlackBerry did not publicly alert organizations until Tuesday, when it revealed that the flaw was in its QNX operating system.

The integer overflow vulnerability in the calloc() function of the C runtime library in the BlackBerry QNX Software Development Platform (SDP) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier and QNX OS for Safety 1.0.1 and earlier “could potentially allow a successful attacker to perform a denial of service or execute arbitrary code,” BlackBerry said, adding that it had no evidence the flaw had been exploited.
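The bug class BlackBerry describes, shown here as an added illustration rather than BlackBerry's own QNX C runtime code (which is not reproduced on this page): calloc(nmemb, size) has to compute nmemb * size, and if that product is allowed to wrap around, the allocator hands back a buffer far smaller than the caller believes it owns, turning a later in-bounds-looking write into a heap overflow. The function names, the overflow check and the sample element count below are this example's own assumptions, not details of the QNX patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked product: when nmemb * size exceeds SIZE_MAX the result wraps
 * modulo 2^N, so a request for billions of bytes becomes a request for a
 * handful. The caller then believes it owns nmemb elements and writes
 * past the end of a tiny heap chunk. */
size_t naive_calloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Returns 1 if nmemb * size would not fit in size_t, 0 otherwise.
 * Dividing first avoids ever performing the wrapping multiplication. */
int mul_overflows(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* Hardened calloc (example, not a libc implementation): refuse the request
 * instead of allocating the wrapped size. Built on malloc + memset so the
 * check is visible; a real C runtime performs the same check before
 * entering the allocator. */
void *safe_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Self-check used by the demo: allocate, confirm every byte is zero, free.
 * Returns 1 on success, 0 if the allocation failed or was not zeroed. */
int safe_calloc_is_zeroed(size_t nmemb, size_t size)
{
    unsigned char *p = safe_calloc(nmemb, size);
    if (p == NULL)
        return 0;
    size_t total = nmemb * size;
    int ok = 1;
    for (size_t i = 0; i < total; i++) {
        if (p[i] != 0) {
            ok = 0;
            break;
        }
    }
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed attacker-controlled element count: just over half of
     * SIZE_MAX, so nmemb * 2 wraps to 2 on both 32- and 64-bit targets. */
    size_t nmemb = SIZE_MAX / 2 + 2;
    size_t size = 2;

    printf("naive size for %zu x %zu bytes: %zu\n",
           nmemb, size, naive_calloc_size(nmemb, size));
    printf("overflow detected: %d\n", mul_overflows(nmemb, size));
    printf("safe_calloc returns %s\n",
           safe_calloc(nmemb, size) == NULL ? "NULL (rejected)" : "a buffer");
    printf("safe_calloc(16, 8) zeroed: %d\n", safe_calloc_is_zeroed(16, 8));
    return 0;
}
```

The division-based check is the standard way to test for multiplication overflow without relying on compiler builtins; the point of the example is that the check has to run before the allocator sees the size, because once the product has wrapped nothing downstream can tell that the caller asked for more.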

BlackBerry’s disclosure prompted a warning from CISA which noted that BlackBerry QNX RTOS is found in a wide range of products. A compromise, the agency said, “could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the nation’s critical functions.”

CISA urged manufacturers whose products use vulnerable versions to contact BlackBerry for the patch. “Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code,” the alert said.

In what sounded suspiciously like justification for keeping BadAlloc under wraps, the company said it issues a security advisory “once the investigation is complete and the software update is released,” but did offer updates that it encouraged users to implement.

With one assault after another hitting the supply chain, BlackBerry’s reluctance to go public is difficult to understand. “The head-in-the-sand approach continues to come back to bite companies,” said AJ King, CISO at BreachQuest. “Software supply chain issues are mainstage now, and are the gateway drug to extortion, ransomware and botnets.”

King noted that “it is always worse to be forced into disclosure than to take early, proactive measures to show your consumers that you’re doing everything in your power to keep their data (and, in this case, their physical security) safe.” He advocates for “getting experienced security executives a seat at the table, and ensuring that they have direct lines of accountability to the board.” That is a good first step toward “destroying the toxic management culture of keeping things as quiet as possible for as long as possible,” King said.

Acknowledging that BlackBerry might have perceived disclosures “as painting a target on devices that use QNX,” Kulkarni contended that assuming “cybercriminals wait for disclosures in this day and age is naïve.”

Since President Biden signed an executive order (EO) on supply-chain risk mitigation, “there is a heightened impetus on information sharing—and that should be the go-forward approach on most, if not all, disclosures especially when there is no comprehensive way to privately reach out to thousands of manufacturers who have hundreds of millions of systems using their components,” Kulkarni said.

BlackBerry’s pivot from private to public disclosure “suggests that BlackBerry determined that it could not fully estimate the extent of the proliferation of their QNX system,” he said. “In addition, given that the BadAlloc disclosures were already public, an earlier disclosure could have accelerated preventative steps to prevent exploits on and through QNX based systems.”

Unfortunately, the price for BlackBerry’s silence might be paid in reputational capital. “Instead of being just another company on the list of companies that were impacted by this vulnerability, they now have a story dedicated solely to their intentional decision to minimize impact,” said King. “In today’s world, no one expects perfection. Things happen. But showing that you have integrity and maintain accountability in your business practices will set you apart from your competitors. If I was sourcing from BlackBerry I would be asking myself, ‘What else are they hiding?’”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.