Anyone who has ever traveled knows that bedbugs are the kiss of death for a hotel, and possibly the franchise, as no one likes to get bitten. BlackBerry is hoping the analogy doesn’t transfer to the bugs found in its QNX embedded operating system. The company opted to quietly handle the vulnerability with its partners, apparently hoping the public wouldn’t get a whiff of the bad news.
It is hard to believe that BlackBerry’s legal, PR, and marketing teams would choose this approach given the millions of consumers in the vehicle, medical, and infrastructure worlds who might be bitten. Putting the security of one’s customers behind one’s public face is wrong, and frankly, it stinks to high heaven.
Let’s dig in.
The BadAlloc vulnerability
In late April 2021, Microsoft researchers revealed that the BadAlloc bugs affected a wide range of IoT devices and vendors. Microsoft characterised the vulnerability as potentially allowing an attacker to perform a denial of service or execute arbitrary code. Many vendors took the advisory on board, and by May 2021 they were mitigating the bugs and telling customers how the vulnerability might affect them and what the pathway to remediation was.
Though BlackBerry’s OS was installed across a multitude of industries, including critical infrastructure, the US federal government, automotive, industrial controls and medical devices, the company seemed to think this gale wind wasn’t going to affect its sails. It remained silent.
US pressured BlackBerry to go public
BlackBerry rolled out its advisory on August 17, 2021. That advisory stepped right past the fact that a vulnerability disclosed in April was only being revealed in August. It did, however, note that if those using QNX do not apply the provided patches, there “are no known workarounds for this vulnerability.”
It isn’t known how much pressure the US Cybersecurity and Infrastructure Security Agency (CISA) had to apply to get BlackBerry to reveal that QNX was affected, as had been suspected in April. Multiple media outlets report that CISA was unrelenting in its efforts to have BlackBerry publicly reveal the vulnerability rather than simply inform the partners who were embedding the OS into products.
BlackBerry argued, according to Politico, that it had no visibility into how its customers were using its product. Indeed, the company insisted it keeps “lists of our customers and have actively communicated to those customers regarding this issue. Software patching communications occur directly to our customers.”
Following the release of the BlackBerry advisory, CISA issued its own advisory and duly highlighted the need to mitigate across government agencies and the nation’s critical infrastructure companies, including those involved with the US Coast Guard and the US Nuclear Regulatory Commission; both entities put out their own advisories to affected entities within their domains.
The unpatched vulnerability was not only affecting industrial controls and automotive applications, it was also affecting a plethora of medical devices. The Food and Drug Administration issued its own advisory, again only once BlackBerry had owned up, and emphasised how the vulnerability may “introduce risk for certain medical devices and drug manufacturing equipment.” What was clear from the FDA advisory is that the scope of the exposure caused by BlackBerry’s QNX vulnerability is unknown. The FDA has urged those impacted to contact the FDA at once and identify the products, equipment and systems that have been deemed vulnerable.
Both CISA and the FDA were quick to note there have not been any confirmed adverse events associated with the BlackBerry vulnerability.
Did BlackBerry dodge a bullet?
Regardless of whether BlackBerry dodged the bullet of having the vulnerability exploited while it sorted out its public-facing verbiage, the bottom line is that the Canadian company took its time and needed prodding by the US government to do the right thing. It now faces a shellacking in the court of public opinion. What remains to be seen is whether the FDA will weigh in with fines and other administrative actions, given that the vulnerability left unpatched, unmitigated devices within the healthcare sector.
It is unknown if input will be coming from other federal agencies/departments given BlackBerry’s recent announcement that it was integrating its technologies into vehicles with California’s “Car IQ” where the vehicle will essentially function as an electronic wallet.
The take-away for all CISOs is obvious: Manufacturers and consumers both want to know that when a vulnerability is discovered by a company they trust, that trusted entity will tell them about it in a timely and forthright manner. Once trust is broken it is hard to repair, and the adage “one aw-shucks wipes out a hundred atta-boys” applies.