Blackberry Hid A Non Trivial Flaw That Affected Millions Of Cars As Well As Hospital And Factory Equipment….. WTF?

A flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers — and the company opted to keep it secret for months. Politico has the details:

A flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers — and the company opted to keep it secret for months.

On Tuesday, BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it. But other companies affected by the same flaw, dubbed BadAlloc, went public with that news in May.

Two people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify all of the customers using the software.

This isn’t a good look for BlackBerry. A company that makes security software shouldn’t be acting like this. But don’t take my word for it. I got a second opinion from Jennifer Tisdale, Principal, Cyber-Physical Systems Security, www.grimm-co.com:

The pure variety of products and customers in which BlackBerry provides QNX ranges from automotive to industrial control systems to many others. The article outlines that BlackBerry opted to personally disclose the vulnerability to customers while admitting they were not able to identify all companies impacted, nor notify them all promptly. Assuming these details are completely factual, BlackBerry’s approach to identifying, mitigating and addressing cybersecurity vulnerabilities within QNX is borderline negligent. Providing both a public and private disclosure allows all of their customers the opportunity to self-identify and, hence, address any associated cyber risk in a manner suitable for their risk tolerance. Failure to publicly disclose creates the potential for security issues to linger longer than necessary.

BlackBerry has committed to doing better. But I would say that they are only saying this because this is now public. I would suggest that BlackBerry needs to commit to, and demonstrate, much better transparency. Otherwise, it will be very hard for BlackBerry to be taken seriously as a security vendor.
