US Agencies Urge Patch To Tackle BlackBerry QNX Flaw

Cars and medical devices at risk from a serious vulnerability in the BlackBerry QNX operating system, US federal agencies warn

Former smartphone powerhouse BlackBerry is at the centre of a security scare surrounding its QNX operating system, used in cars and medical devices.

Earlier this year, Microsoft researchers discovered a high-risk vulnerability in older versions of QNX, which they dubbed ‘BadAlloc’.

Redmond warned the vulnerability was present in “standard memory allocation functions” that appear in everything from operating systems to software development kits (SDKs). It could allow attackers to gain control of affected devices.


The QNX operating system is used in a variety of industries, including for medical devices and cars.

Indeed, it is used by Ford and many other big-name car makers, and Apple’s CarPlay in-car operating system, for example, is also partly powered by the QNX platform.

QNX has a long history in the automotive market: BlackBerry acquired the in-vehicle “infotainment and telematics systems” provider QNX Software Systems for $200m back in 2010.

The QNX technology is also used to control nuclear-power plants and unmanned aerial drones.

According to a Politico report, BlackBerry was initially reluctant to go public with the news of the flaw discovered by Microsoft.

When initially pressed by the Cybersecurity and Infrastructure Security Agency (CISA), BlackBerry reportedly preferred to privately notify its customers.

CISA warning

But this week CISA, part of the US Department for Homeland Defence, opted to issue a warning about the flaw, after BlackBerry also issued a public declaration about the issue.

“On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability – CVE-2021-22156,” wrote CISA. “BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries.

“A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices,” it added. “BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions.”

CISA added that it is not aware of active exploitation of this vulnerability, but it “strongly encourages critical infrastructure organisations and other organisations developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible.”

FDA warning

The US Food and Drug Administration (FDA), meanwhile, issued its own warning about the QNX vulnerability.

“The US Food and Drug Administration is informing patients, health care providers, and manufacturers about cybersecurity vulnerabilities with a ‘real-time operating system (RTOS)’ designed by QNX and owned by BlackBerry,” it said.

“These vulnerabilities may introduce risks for certain medical devices and drug manufacturing equipment,” it added, although it is not aware of any confirmed adverse events related to these vulnerabilities.

It advised all those concerned to download patches from BlackBerry.