Former smartphone powerhouse BlackBerry is at the centre of a security scare surrounding its QNX operating system, used in cars and medical devices.

Earlier this year, Microsoft researchers discovered a high-risk vulnerability in older versions of QNX, which Microsoft dubbed ‘BadAlloc’.

Redmond warned the vulnerability was present in “standard memory allocation functions” that appear in everything from operating systems to software development kits (SDKs). It could allow attackers to gain control of affected devices.

QNX OS

The QNX operating system is used in a variety of industries, including for medical devices and cars.

Indeed, it is used by Ford and many other big-name car makers, and Apple’s CarPlay in-car operating system, for example, is also partly powered by the QNX platform.

QNX has a long history in the automotive market: BlackBerry acquired the in-vehicle “infotainment and telematics systems” provider QNX Software Systems for $200m back in 2010.

The QNX technology is also used to control nuclear-power plants and unmanned aerial drones.

According to a Politico report, BlackBerry was initially reluctant to go public with the news of the flaw discovered by Microsoft.

When initially pressed by the Cybersecurity and Infrastructure Security Agency (CISA), BlackBerry reportedly preferred to privately notify its customers.

CISA warning

But this week CISA, part of the US Department for Homeland Defence, opted to issue a warning about the flaw, after BlackBerry also issued a public declaration about the issue.

“On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability – CVE-2021-22156,” wrote CISA. “BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries.

“A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices,” it added. “BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions.”

CISA added that it is not aware of active exploitation of this vulnerability, but it “strongly encourages critical infrastructure organisations and other organisation developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible.”

FDA warning

The US Food and Drug Administration (FDA) meanwhile also issued its own warning about the QNX vulnerability.

“The US Food and Drug Administration is informing patients, health care providers, and manufacturers about cybersecurity vulnerabilities with a ‘real-time operating system (RTOS)’ designed by QNX and owned by BlackBerry,” it said.

“These vulnerabilities may introduce risks for certain medical devices and drug manufacturing equipment,” it added, although it is not aware of any confirmed adverse events related to these vulnerabilities.

It advised all those concerned to download patches from BlackBerry.

Tom Jowitt
