The flawed software is used by equipment aboard the International Space Station as well.
A corporation normally does not want to face the public revelation of a software vulnerability. Patches must be prepared rapidly, and the eventual announcement can have an immediate impact on the developer's reputation. BlackBerry eventually reported a weakness that it had been aware of for months, but only after the Department of Homeland Security intervened.
On Tuesday, BlackBerry announced a vulnerability in its QNX operating system. The flaw belongs to the BadAlloc family, the name Microsoft gave to a set of integer-overflow bugs in the memory-allocation routines of embedded and real-time software; in QNX the affected routine is calloc() in the C runtime library. An attacker who can trigger it can crash an affected device and, according to the advisories, potentially execute code on it. What's troubling is that the affected releases of the operating system are still used in factory machinery, medical devices, rail equipment, automobiles, and even in components aboard the International Space Station.
It is also troubling that BlackBerry took so long to disclose it, considering the vital equipment QNX powers. While BlackBerry only acknowledged the flaw this week, Microsoft security researchers publicly documented BadAlloc in April. They notified the companies involved in the study, and in May those firms publicly disclosed the vulnerability with the aid of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
Politico notes that people with knowledge of the situation said that in talks with federal cybersecurity officials, BlackBerry initially denied that BadAlloc affected its products. The company also resisted going public with the security hole, even though it could not identify its entire QNX customer base, which meant that private notification alone could never reach everyone running the vulnerable code.
The sources said that BlackBerry batted the issue back and forth with CISA over disclosure before finally agreeing to put out an alert on Tuesday. Customers are urged to update to the latest version of QNX, which patches the hole. Because QNX is embedded in products shipped by other manufacturers, most operators cannot apply that fix themselves and depend on the device maker to rebuild and ship updated firmware. CISA issued its own warning and said that there is no indication that the vulnerability is being actively exploited.