Although the company informed its OEM customers of the vulnerability, users of IoT devices running its QNX OS were potentially kept in the dark.

Anyone who has ever traveled knows that bedbugs are the kiss of death for a hotel, and possibly the franchise, as no one likes to get bitten. BlackBerry is hoping the analogy doesn’t transfer to the bugs found in its QNX embedded operating system. The company opted to quietly handle the vulnerability with its partners, apparently hoping the public wouldn’t get a whiff of the bad news.

It is hard to believe that BlackBerry’s legal, PR, and marketing teams would choose this approach given the millions of consumers in the vehicle, medical, and infrastructure worlds who might be bitten. Putting the security of one’s customers behind one’s public face is wrong, and frankly, it stinks to high heaven.

Let’s dig in.

The BadAlloc vulnerability

In late April 2021, Microsoft researchers revealed that the BadAlloc bug affected a wide range of IoT devices and vendors. Microsoft characterized the vulnerability as potentially allowing an attacker to perform a denial of service or execute arbitrary code. Many vendors took the advisory on board and by May 2021 were mitigating and messaging how the vulnerability might impact customers and the pathway to remediation. Though BlackBerry’s OS was installed across a multitude of industries, including critical infrastructure, the US federal government, automotive, industrial controls and medical devices, the company seemed to think this gale wind wasn’t going to affect its sails. It remained silent.

US pressured BlackBerry to go public

BlackBerry rolled out its advisory on August 17, 2021. That advisory stepped right past the fact that a vulnerability discovered in April was being revealed in August.
It did, however, note that for those using QNX who do not mitigate the threat with the provided patches, there “are no known workarounds for this vulnerability.” It isn’t known how much pressure from the US Cybersecurity and Infrastructure Security Agency (CISA) it took to get BlackBerry to reveal that QNX was affected, as had been suspected in April. Multiple media outlets report that CISA was unrelenting in its efforts to have BlackBerry publicly reveal the vulnerability and not simply inform its partners who were embedding the OS into products.

BlackBerry argued, according to Politico, that it had no visibility into how its customers were using its product. Indeed, the company insisted it keeps “lists of our customers and have actively communicated to those customers regarding this issue. Software patching communications occur directly to our customers.”

Following the release of the BlackBerry advisory, CISA issued its own advisory and duly highlighted the need to mitigate across government agencies and the nation’s critical infrastructure companies, including those involved with the US Coast Guard and the US Nuclear Regulatory Commission; both entities put out their own advisories to affected entities within their domains. The unpatched vulnerability affected not only industrial controls and automotive applications but also a plethora of medical devices. The Food and Drug Administration issued its own advisory, again only once BlackBerry had owned up, and emphasized how the vulnerability may “introduce risk for certain medical devices and drug manufacturing equipment.” What was clear from the FDA advisory is that the scope of the exposure caused by BlackBerry’s QNX vulnerability is unknown.
The FDA has urged those impacted to contact the FDA at once and identify product equipment and systems that have been deemed vulnerable. Both CISA and the FDA were quick to note there have not been any confirmed adverse events associated with the BlackBerry vulnerability.

Did BlackBerry dodge a bullet?

Regardless of whether BlackBerry dodged the bullet of having the vulnerability exploited while it sorted out its public-facing verbiage, the bottom line is that the Canadian company took its time and needed prodding by the US government to do the right thing. It now faces a shellacking in the court of public opinion. What remains to be seen is whether the FDA will weigh in with fines and other administrative actions, given that the vulnerability left devices within the healthcare sector unpatched or unmitigated. It is unknown whether input will be coming from other federal agencies and departments given BlackBerry’s recent announcement that it was integrating its technologies into vehicles with California’s “Car IQ,” where the vehicle will essentially function as an electronic wallet.

The take-away for all CISOs is obvious: Manufacturers and consumers both want to know that when a vulnerability is discovered by a company they trust, that trusted entity will let them know in a timely and forthright manner. Once trust is broken it is hard to repair, and the adage “one aw-shucks wipes out a hundred atta-boys” applies.