BlackBerry Admits to QNX Operating System Flaw Leaving Cars, Medical Devices Vulnerable to Attack

BlackBerry has “reluctantly” admitted that its QNX operating system was vulnerable to hacking, and allegedly kept the flaw a secret “for months.”

BlackBerry may be a name from the past for many consumers, but the company’s QNX software continues to play a key role in a wide range of products, many of which are classed as sensitive or critical. So a QNX vulnerability a remote attacker can exploit is being taken very seriously, reads a new report from Politico.

QNX is a microkernel-based, real-time operating system used in automotive systems, medical devices, commercial vehicles, heavy machinery, robotics, rail, industrial controls, and aerospace and defense. According to the report, BadAlloc vulnerability in QNX was disclosed by BlackBerry on Aug. 17 that “could potentially allow a successful attacker to perform a denial of service or execute arbitrary code.”

BlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from factory machinery and medical devices to rail equipment and components on the International Space Station. BadAlloc could give hackers a backdoor into many of these devices, allowing bad actors to commandeer them or disrupt their operations.

According to BlackBerry’s security advisory, a successful attack could exploit the vulnerability to execute denial of service attacks or run arbitrary code on the affected devices.

“A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions,” the Cybersecurity and Infrastructure Security Agency’s (CISA) alert said.

“At this time, CISA is not aware of active exploitation of this vulnerability. CISA strongly encourages critical infrastructure organizations and other organization developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible.”

There are no workarounds for the vulnerability, according to BlackBerry, but they noted that users can reduce the possibility of an attack “by enabling the capability for ASLR to randomize process segment addresses.”