When it comes to computer security, burying your head in the sand is never a good strategy. Yet that is the option BlackBerry chose when Microsoft disclosed “BadAlloc,” a series of critical flaws in the memory allocation functions of some 25 real-time operating systems and development kits for connected devices. Exploiting these flaws would allow an attacker, at best, to crash the system and, at worst, to execute arbitrary code remotely and thus take control of it.
Now we have learned that QNX, BlackBerry’s real-time operating system, is also affected. Only older versions of the software are affected, but the impact is still huge, because QNX is integrated into more than 195 million vehicles and embedded systems spread across a wide range of industries: automotive, defense, aviation, healthcare, transportation, robotics, etc.
According to Politico, the announcement arrived so late because BlackBerry went out of its way to avoid a public alert regarding QNX, now the flagship product of the former Canadian smartphone manufacturer. To the US cybersecurity agency CISA, BlackBerry first denied that its operating system was affected by the BadAlloc flaws. Then, confronted with the facts, the supplier wanted to limit itself to a private alert sent directly to its customers and partners.
But such a private alert would have been largely insufficient, because it would not reach the end users, who are the ones directly exposed to the vulnerability. Since QNX is distributed indirectly through OEM licensing, BlackBerry has only a rough view of its installed base. In the end, CISA and BlackBerry agreed to issue a joint public alert, which was published last Tuesday.
National security risks
It was about time, because QNX is installed “in a large number of products whose compromise would allow a malicious actor to take over highly sensitive systems,” Eric Goldstein, director of cybersecurity at CISA, told Politico. In other words, the national security of the United States was at stake. For now, no actual attacks on QNX systems have been identified, which is good news. The difficulty now is getting the updates deployed across every affected device.
This story illustrates, once again, the risks inherent in software supply chains. Because the distribution and reuse of software components is so poorly traced, assessing the potential impact of a vulnerability is very difficult. Last July, the National Telecommunications and Information Administration (NTIA) published the first draft of a tracking method known as the Software Bill of Materials (SBOM), which would make it possible to identify each software component of a system, where it came from, and where it ends up.
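As an added illustration (not part of the original article, nor code from BlackBerry, CISA or NTIA), the following Python shows what an SBOM buys an integrator in a situation like this one: given a CycloneDX-style bill of materials for a product, it walks the component tree, including components nested inside a supplier's module (the OEM-licensing case the article describes), and reports every copy of a named component whose version is below the fixed version. The SBOM, the component names, the purls and the advisory threshold are all constructed for the example and do not refer to real products or advisories.

```python
import json
import re
from typing import Iterator

# Constructed CycloneDX-style SBOM for a hypothetical vehicle control unit.
# Every name, version and purl here is invented for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "firmware",
            "name": "telematics-unit-image",
            "version": "3.2.0",
            "supplier": {"name": "Example OEM"},
            # Nested components: what the OEM built its image on top of.
            # This is the layer an RTOS vendor cannot see through on its own.
            "components": [
                {
                    "type": "operating-system",
                    "name": "example-rtos",
                    "version": "6.5.0",
                    "purl": "pkg:generic/example-rtos@6.5.0",
                    "supplier": {"name": "Example RTOS Vendor"},
                },
                {
                    "type": "library",
                    "name": "example-tls",
                    "version": "2.1.4",
                    "purl": "pkg:generic/example-tls@2.1.4",
                },
            ],
        },
        {
            # A newer copy of the same RTOS shipped directly, already past the fix.
            "type": "operating-system",
            "name": "example-rtos",
            "version": "7.1.0",
            "purl": "pkg:generic/example-rtos@7.1.0",
        },
    ],
})

# Hypothetical advisory: versions of example-rtos below 7.0.0 are affected.
ADVISORY = {"name": "example-rtos", "fixed_in": (7, 0, 0)}


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers.

    Only the leading digits of each dot-separated piece are used; suffixes
    such as 'SP1' or 'rc2' are ignored, and a piece with no digits counts as 0.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def walk(components: list, path: tuple = ()) -> Iterator[tuple]:
    """Depth-first walk over components and their nested sub-components.

    Yields (path, component) where path is the chain of 'name@version'
    labels from the top-level product down to the component itself.
    """
    for comp in components or []:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield here, comp
        yield from walk(comp.get("components", []), here)


def find_affected(sbom_json: str, advisory: dict) -> list:
    """Return the dependency path of every component matched by the advisory.

    A component matches when its name equals the advisory's name and its
    version sorts below the version the advisory says contains the fix.
    """
    sbom = json.loads(sbom_json)
    hits = []
    for path, comp in walk(sbom.get("components", [])):
        if comp.get("name") != advisory["name"]:
            continue
        if parse_version(comp.get("version", "0")) < advisory["fixed_in"]:
            hits.append(" > ".join(path))
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, ADVISORY):
        print("affected:", hit)
```

Run stand-alone, the script flags only the copy of `example-rtos` buried inside the OEM's firmware image, which is exactly the kind of deployment that a vendor with "only a rough view of its installed base" has no way to enumerate without a bill of materials from its licensees.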
Source: Politico