Following an announcement by Blackberry the U.S. Food & Drug Administration (FDA) and the Cybersecurity & Infrastructure Security Agency (CISA) have put out alerts that vulnerabilities found in the Blackberry QNX real-time operating system (RTOS) may introduce risks for certain medical devices.

Manufacturers are assessing which devices may be affected by the BlackBerry QNX cybersecurity vulnerabilities and are evaluating the risk and developing mitigations, including deploying patches from BlackBerry.

FDA and CISA warnings

The FDA, in its warning that certain medical devices may be affected by BlackBerry QNX cybersecurity vulnerabilities, points to the CISA alert. CISA mentions CVE-2021-22156 which describes an integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code.

Balckberry’s QNX is an RTOS. RTOS is a term to describe an operating system (OS) intended to serve real-time applications that process data as it comes in. Typically this type of software is deployed in devices that require immediate interaction based on incoming information. The best example in this case may be the driver assistance options that many car manufacturers provide nowadays.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). CISA mentions CVE-2021-22156 is part of a collection of integer overflow vulnerabilities, known as BadAlloc.

What is BadAlloc?

In April of 2021 the Azure Defender for IoT security research group uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls in order to execute malicious code or cause a system crash.

These Remote Code Execution (RCE) vulnerabilities were dubbed BadAlloc and they were found to affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems. Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds.

We blogged about BadAlloc back in April if you are interested in more details.

Blackberry

If you are in my age group, you may remember Blackberry as a producer of smartphones that went the same way as VHS tapes and vinyl records. Appreciated by a few but hardly a serious competitor for the big guns.

Nowadays Blackberry produces software that is widely used—for example, in two hundred million cars, along with critical hospital and factory equipment. Automakers use BlackBerry® QNX® software in their advanced driver assistance, digital instrument clusters, connectivity modules, handsfree, and infotainment systems that appear in multiple car brands, including Audi, BMW, Ford, GM, Honda, Hyundai, Jaguar, Land Rover, KIA, Maserati, Mercedes-Benz, Porsche, Toyota, and Volkswagen.

Keep it under the hood

Back when BadAlloc was made public, Blackberry kept quiet. But now BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it.

Insiders have accused Blackberry of purposefully keeping this information to themselves at first. Blackberry initially even denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify and inform all of the customers using the software.

Mitigation

CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test their own software patches.
  • End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is available, users should apply the patch as soon as possible. If a patch is not available, users should apply the manufacturer’s recommended mitigation measures until the patch can be applied. Note: installation of software updates for RTOS frequently may require taking the device out of service or to an off-site location for physical replacement of integrated memory.

A full list of affected QNX products and versions are available at the QNX website.

Unlike computers, Internet-connected devices can be difficult, or even impossible to update. When these devices require internet access for their operation this poses a big security risk. All you can try to do is reduce the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets.

Stay safe, everyone!