BlackBerry Cybersecurity Flaw May Affect Your Medical Device

A flaw in BlackBerry’s software potentially left some medical devices vulnerable to hacking, but the company reportedly chose to remain silent about the issue for months.

Best known for its old-fashioned smartphones, BlackBerry has grown into a leading provider of software for industrial equipment, including QNX, which powers a variety of critical infrastructure, from factory machines to medical equipment.

The FDA on Tuesday issued an advisory on cybersecurity vulnerabilities in a real-time operating system (RTOS) developed by QNX and owned by BlackBerry. These vulnerabilities may introduce risks to some medical devices, although the agency said it is currently not aware of any confirmed adverse events related to them.

The FDA said manufacturers are assessing which medical devices may be affected by the BlackBerry QNX cybersecurity vulnerabilities, evaluating the risks, and developing mitigation measures that may include BlackBerry software fixes. The agency is referring all questions on the issue to the Cybersecurity and Infrastructure Security Agency (CISA).

According to an advisory from CISA, BlackBerry publicly revealed on Tuesday that its QNX RTOS is affected by a BadAlloc vulnerability, CVE-2021-22156. BadAlloc is a collection of 25 vulnerabilities affecting several RTOSes and support libraries. A remote attacker could exploit CVE-2021-22156 to cause a denial of service or execute arbitrary code on affected devices, the cybersecurity agency noted. Although the agency said it is currently unaware of any active exploitation of this vulnerability, an attacker could potentially take control of highly sensitive systems, given the types of products that use the BlackBerry QNX RTOS.

Has BlackBerry kept its customers in the dark?

Perhaps the most serious concern over this news is that BlackBerry reportedly waited until this week to publicly disclose the issue, whereas other software companies affected by BadAlloc disclosed the flaws in May, after Microsoft security researchers discovered the vulnerability in late April.

According to a Politico report published Tuesday, which quoted two “anonymous people familiar with discussions between BlackBerry and federal cybersecurity officials, including a government employee,” the company initially denied that BadAlloc had any impact on its products. The company later reportedly declined to make a public announcement, even though it could not identify all of the customers using the software.
