Blackberry 'reluctantly' admits to QNX flaw

The vulnerability, known as BadAlloc, impacts pre-2012 versions of BlackBerry’s flagship operating system

BlackBerry has "reluctantly" admitted that its QNX operating system (OS) was vulnerable to hacking, and allegedly kept the flaw a secret “for months”.

That's according to a report from Politico, which cited two people familiar with the matter, one of them being a US government employee. 

The sources, who were aware of discussions between BlackBerry and US federal cyber security officials, told the publication that the tech giant not only tried to deny the impact of the flaw on its products but also “resisted making a public announcement” about the matter.

The vulnerability, known as BadAlloc, impacts pre-2012 versions of BlackBerry’s flagship QNX software (QNX SDP 6.5 SP1 and earlier, per BlackBerry’s advisory), which are still widely used by an estimated 200 million Volkswagen, BMW, and Ford cars, as well as hospital and factory equipment.

The flaw, which also affected products from several other vendors, including Texas Instruments, NXP, and Google Cloud, was first publicly disclosed in late April by Microsoft’s Security Response Center. At the time, researchers said that they had “not seen any indications of these vulnerabilities being exploited”.

“However, we strongly encourage organisations to patch their systems as soon as possible,” they added. BadAlloc is a family of integer-overflow bugs in memory allocation functions: an allocation-size calculation that is never checked for wraparound hands back a buffer far smaller than the caller asked for, and the caller’s subsequent writes overflow the heap. If exploited, it would allow hackers to “cripple” IoT and smart devices powered by the OS, potentially risking the lives or safety of hospital patients and car drivers or passengers.
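As an added illustration that is not from the article, from Microsoft, or from BlackBerry, the C program below models the BadAlloc bug class rather than any real QNX code. It shows a calloc-style wrapper whose element-count-times-element-size product wraps on a 32-bit target, so it returns a 4-byte buffer for a request that should need over 4 GB, beside a hardened wrapper that rejects the request. The 32-bit size type, the function names, and the sample request sizes are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model of the BadAlloc bug class, constructed for this example.
 * Sizes are deliberately 32-bit to emulate the embedded targets the
 * flaw affected, where size_t is 32 bits wide. None of this is QNX code.
 */
typedef uint32_t alloc_size_t;

/* Vulnerable pattern: the element count is multiplied by the element
 * size with no wraparound check. The product is truncated to 32 bits,
 * so a request for 0x40000001 elements of 4 bytes "fits" in 4 bytes. */
alloc_size_t vuln_alloc_size(alloc_size_t nmemb, alloc_size_t size)
{
    return (alloc_size_t)((uint64_t)nmemb * size);   /* silently wraps */
}

/* 1 if nmemb * size does not fit in alloc_size_t, else 0. The division
 * test is portable; __builtin_mul_overflow() does the same on GCC/Clang. */
int would_wrap(alloc_size_t nmemb, alloc_size_t size)
{
    return nmemb != 0 && size > UINT32_MAX / nmemb;
}

/* Hardened pattern: refuse the request instead of trusting the product.
 * Returns 1 and stores the byte count on success, 0 on wraparound. */
int safe_alloc_size(alloc_size_t nmemb, alloc_size_t size, alloc_size_t *out)
{
    if (would_wrap(nmemb, size))
        return 0;
    if (out)
        *out = nmemb * size;   /* cannot wrap: checked above */
    return 1;
}

/* How far a caller who fills nmemb elements of `size` bytes would write
 * past the end of the buffer the vulnerable allocator handed back. */
uint64_t overflow_bytes(alloc_size_t nmemb, alloc_size_t size)
{
    uint64_t intended = (uint64_t)nmemb * size;
    return intended - vuln_alloc_size(nmemb, size);
}

/* Vulnerable calloc-style wrapper: allocates the wrapped byte count. */
void *vuln_calloc(alloc_size_t nmemb, alloc_size_t size)
{
    alloc_size_t bytes = vuln_alloc_size(nmemb, size);
    void *p = malloc(bytes);
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Hardened wrapper: an over-large request fails instead of under-allocating. */
void *safe_calloc(alloc_size_t nmemb, alloc_size_t size)
{
    alloc_size_t bytes;
    if (!safe_alloc_size(nmemb, size, &bytes))
        return NULL;
    void *p = malloc(bytes);
    if (p)
        memset(p, 0, bytes);
    return p;
}

int main(void)
{
    /* Constructed sample request: 0x40000001 elements of 4 bytes.
     * 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32 bits. */
    alloc_size_t nmemb = 0x40000001u, size = 4u;

    printf("vulnerable allocator hands out %u bytes\n", vuln_alloc_size(nmemb, size));
    printf("caller would overrun by %llu bytes\n",
           (unsigned long long)overflow_bytes(nmemb, size));
    printf("hardened allocator accepts request: %s\n",
           safe_calloc(nmemb, size) ? "yes" : "no");

    void *p = vuln_calloc(nmemb, size);   /* succeeds: only 4 bytes are allocated */
    printf("vulnerable allocation %s\n", p ? "succeeded" : "failed");
    free(p);
    return 0;
}
```

The point to take from the model is that the allocation itself succeeds, so the caller has no failure to react to; the damage only appears when it writes the elements it believes it reserved. Auditing an allocator for this class means finding every place a count and an element size are multiplied (or a header length is added) before the sum reaches malloc, and putting the wraparound check ahead of that arithmetic.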

While the other affected vendors worked with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to mitigate the issue, BlackBerry was not initially involved in those efforts.

Instead, the company’s representatives denied the impact of BadAlloc on its products, the anonymous sources told Politico, as CISA “pushed BlackBerry to accept the bad news”.

The company only publicly acknowledged the flaw on Tuesday 17 August, issuing an advisory for CVE-2021-22156 almost four months after the flaw was disclosed and stating that it has notified “all potentially affected customers”.

“BlackBerry has made software patches available to resolve the matter," the company said. "Additionally, BlackBerry is providing 24/7 support to customers as required. At this time no customers have indicated that they have been impacted,” the company announced, adding that “the safety and security of our customers and the public is BlackBerry's top priority”.

BlackBerry didn’t address IT Pro’s request for comment.
