According to the US Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency (CISA), a vulnerability in BlackBerry Ltd’s software might put cars and medical equipment at risk, as well as expose highly sensitive systems to attackers.
The announcement came after the Canadian firm disclosed a flaw in its QNX Real Time Operating System that could allow an attacker to execute arbitrary code or trigger a denial-of-service condition, crashing the affected device or leaving it unresponsive.
“A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions,” CISA’s alert said.
Automakers such as Volkswagen, BMW, and Ford Motors utilise the software in a variety of key operations, including the Advanced Driver Assistance System.
“At this time, CISA is not aware of active exploitation of this vulnerability. CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible,” the alert continued.
The federal agency, which is part of the Department of Homeland Security, and the corporation both stated that they were not aware of any active exploitation of the weakness at this time.
Even as medical equipment manufacturers analyse which systems may be compromised, the US Food and Drug Administration stated it was unaware of any adverse outcomes.
Politico, citing two people familiar with the company’s discussions with federal cybersecurity officials (one of whom is a government employee), reported that BlackBerry originally disputed that the vulnerability, known as BadAlloc, affected its products and later opposed making a public statement.
“Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch. Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code,” CISA explained, adding that some organizations may have to create their own software patches.
According to Politico, CISA officials worked with affected industries and even the Defense Department on the security notification concerning the QNX system, and CISA would also educate international officials on the issue.
BlackBerry announced in June that the QNX royalty revenue backlog had grown to $490 million at the end of the first quarter of fiscal year 2022. The company touts Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota, and Volkswagen among the customers whose vehicles, numbering in the millions, run its technology.