BlackBerry has "reluctantly" admitted that its QNX operating system (OS) was vulnerable to hacking, and allegedly kept the flaw a secret “for months”.
That's according to a report from Politico, which cited two people familiar with the matter, one of them being a US government employee.
The sources, who were aware of discussions between BlackBerry and US federal cyber security officials, told the publication that the tech giant not only tried to deny the impact of the flaw on its products but also “resisted making a public announcement” about the matter.
The vulnerability, known as BadAlloc, impacts pre-2012 versions of BlackBerry’s flagship QNX software, which are still widely used by an estimated 200 million Volkswagen, BMW, and Ford cars, as well as hospital and factory equipment.
The flaw, which affected multiple different companies including Texas Instruments, NXP, and Google Cloud, was first discovered in late April by Microsoft Security Response Center. At the time, researchers said that they had “not seen any indications of these vulnerabilities being exploited”.
“However, we strongly encourage organisations to patch their systems as soon as possible,” they added. If exploited, BadAlloc would allow hackers to “cripple” IoT and smart devices powered by the OS, potentially risking the lives or safety of hospital patients and car drivers or passengers.
Despite the affected companies coming forward to help resolve the issue in cooperation with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), BlackBerry wasn’t involved in the mitigation efforts.
Instead, the company’s representatives denied the impact of the BadAlloc on its products, the anonymous sources told Politico, as CISA “pushed BlackBerry to accept the bad news”.
The company only publicly acknowledged the flaw on Tuesday, issuing a public advisory almost four months after the flaw was discovered and stating that it has notified “all potentially affected customers”.
“BlackBerry has made software patches available to resolve the matter," the company said. "Additionally, BlackBerry is providing 24/7 support to customers as required. At this time no customers have indicated that they have been impacted,” the company announced, adding that “the safety and security of our customers and the public is BlackBerry's top priority”.
BlackBerry didn’t address IT Pro’s request for comment.
-
Google faces 'first of its kind' class action for search ads overcharging in UKNews Google faces a "first of its kind" £5 billion lawsuit in the UK over accusations it has a monopoly in digital advertising that allows it to overcharge customers.
-
Neural interfaces promise to make all tech accessible – it’s not that simpleColumn Better consideration of ethics and practical implementation are needed if disabled people are to benefit from neural interfaces
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
