Blackberry Hid A Non-Trivial Flaw That Affected Millions Of Cars As Well As Hospital And Factory Equipment… WTF?

A flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers — and the company opted to keep it secret for months. Politico has the details:

On Tuesday, BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it. But other companies affected by the same flaw, dubbed BadAlloc, went public with that news in May.

Two people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify all of the customers using the software.

This isn’t a good look for Blackberry. A company that sells security software shouldn’t be acting like this. But don’t take my word for it. I got a second opinion from Jennifer Tisdale, Principal, Cyber-Physical Systems Security, at www.grimm-co.com:

The sheer variety of products and customers to which Blackberry provides QNX ranges from automotive to industrial control systems to many others. The article outlines that Blackberry opted to personally disclose the vulnerability to customers while admitting they were not able to identify all companies impacted, nor notify them all promptly. Assuming these details are completely factual, Blackberry’s approach to identifying, mitigating and addressing cybersecurity vulnerabilities within QNX is borderline negligent. Providing both a public and a private disclosure allows all of their customers the opportunity to self-identify and, hence, address any associated cyber risk in a manner suitable for their risk tolerance. Failure to publicly disclose creates the potential for security issues to linger longer than necessary.

Blackberry has committed to doing better. But I would say that it is only saying this because the issue is now public. I would suggest that Blackberry needs to commit to, and demonstrate, much better transparency. Otherwise, it will be very hard for Blackberry to be taken seriously as a security vendor.
