BlackBerry resisted announcing major flaw in software powering cars, hospital equipment

/in


The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers and the government in the dark about where the biggest risks lie.

BlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from factory machinery and medical devices to rail equipment and components on the International Space Station. BadAlloc could give hackers a backdoor into many of these devices, allowing bad actors to commandeer them or disrupt their operations.

Microsoft security researchers announced in April that they’d discovered the vulnerability and found it in a number of companies’ operating systems and software. In May, many of those companies worked with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to publicly reveal the flaws and urge users to patch their devices.

BlackBerry wasn’t among them.

Privately, BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did, according to the two people, both of whom spoke anonymously because they were not authorized to discuss the matter publicly. Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed.

Then BlackBerry said it didn’t intend to go public to deal with the problem. The company told CISA it planned to reach out privately to its direct customers and warn them about the QNX issue.

Technology companies sometimes prefer private vulnerability disclosures because doing so doesn’t tip off hackers that patching is underway — but also because it limits (or at least delays) any resulting…

Source…