A cybersecurity flaw in software designed by BlackBerry could expose the cars and medical equipment that run it, potentially allowing an attacker to take control of, exfiltrate data from, or disable highly sensitive systems. The warning comes from the U.S. drug regulator and a federal cybersecurity agency.
It follows a disclosure by the Canadian company that older versions of its QNX Real-Time Operating System (RTOS) contain a vulnerability, an integer overflow in the C runtime's calloc() function, that could allow an attacker to crash an affected device (a denial of service) or execute arbitrary code on it.
The software runs in cars from automakers including Volkswagen, Ford Motor, and BMW, where it underpins many critical functions such as Advanced Driver Assistance Systems (ADAS).
Who it affects
The issue does not affect current or recent versions of the QNX RTOS. However, versions dating from 2012 and earlier are at risk, according to BlackBerry. The company added that, at this time, no customers have reported being attacked.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the software is embedded in a wide range of products, adding that compromising it could give malicious actors control of sensitive systems and put a nation's critical infrastructure and functions at risk.
The agency, which is part of the Department of Homeland Security, said, in conjunction with BlackBerry, that it had not seen exploitation in the wild.
BlackBerry initially denied the flaw
The company said it has notified potentially affected customers that software patches are available to address the risk.
BlackBerry had initially denied that the vulnerability, one of the family of memory-allocation flaws known as BadAlloc, affected its products, and it held back from making a public announcement about it, according to a report by Politico.
There was substantial back and forth between the company, federal cybersecurity officials and a government employee before the decision was reached to acknowledge, announce, and fix the flaw.