BlackBerry stayed quiet for months on software backdoor that could let hackers CRIPPLE 200mn cars & hospital ventilators – reports
On Tuesday, the Canadian tech firm finally issued an alert that widely-used versions of one of its premier products – an old operating system called QNX – were affected by the flaw called ‘BadAlloc’. Other tech companies had gone public with their own warnings about the issue in May.
The same day, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) announced the company’s QNX Real Time Operating System (RTOS) could be compromised by “malicious actor(s).”
Due to the “wide range of products” using the software, the alert warned that the loss of “highly sensitive systems” posed a “risk to the nation’s critical functions.”
The operating system is also embedded in train controls, factory automation systems, medical robots, hydroelectric plants and even the International Space Station’s “mission-critical command and data handling subsystem.” The CISA urged “critical infrastructure organizations” to patch their products immediately.
Despite the ominous warning and potential danger, however, both the CISA and BlackBerry had apparently sat on the info for months while privately discussing how best to disclose the information.Also on rt.com US issues ‘urgently needed’ cybersecurity warning to pipeline operators amid new rift with China over hacking
A Politico report cites two unnamed sources “familiar with [these] discussions” as claiming the company had first denied the problem existed and then “resisted making a public announcement.”
Even after the CISA had confirmed its products were impacted, the sources said BlackBerry officials only acknowledged the problem after months of official prodding.
But the company told the agency it would “reach out privately” to its direct customers and warn them – instead of making a public alert.
“Their initial thought was that they were going to do a private advisory,” a CISA employee told Politico, adding that BlackBerry “realized that there was more benefit to being public” over time.
The outlet accessed a CISA presentation that showed many BlackBerry customers would not come to know about the potential danger unless informed by the company, the government or the various equipment manufacturers that embedded the RTOS in their devices.
The CISA apparently even noted that the US Defense Department was helping to find “acceptable timing” for BlackBerry’s announcement. However, the outlet noted that the company only agreed to issue a public statement “a few weeks ago.”Also on rt.com ‘Colossal and devastating’ ransomware attack targets hundreds of US companies, cyber researchers say
BlackBerry representatives did not deny that it initially resisted a public announcement in a statement to Politico, but maintained that it had “actively communicated to those customers regarding this issue.”
When asked about whether the company originally believed QNX was not affected by the flaw, the company said an initial probe had “identified several versions that were affected,” but claimed the “list of impacted software was incomplete.”
Meanwhile, the CISA cyber division chief Eric Goldstein told the outlet that they “were not aware of any active exploitation” of the issue but declined to address the CISA’s conversations with BlackBerry.
The CISA reportedly expects to brief foreign governments on the risks.
If you like this story, share it with a friend!