More than two months after being first reported by Microsoft, BlackBerry has admitted that its devices are not immune to critical remote code execution (RCE) vulnerabilities in Internet of Things (IoT) and operational technology (OT) devices.
The vulnerabilities, collectively referred to as BadAlloc, arise from the use of memory allocation functions such as malloc, calloc, realloc, memalign, valloc and pvalloc, which are widely used in the software stacks of IoT devices.
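BadAlloc-class bugs come from allocation sizes that wrap around when computed from an untrusted element count, so the allocator hands back a block far smaller than the caller expects. The following C example is added here for illustration and is not code from BlackBerry, Microsoft or the QNX advisory; the function names, the optional header field and the hostile counts are constructed. It shows the unchecked size computation beside a checked allocator that rejects any request whose size overflows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: the byte count n * elem wraps around when it
 * overflows size_t, so an attacker-chosen count can yield a tiny
 * buffer that later copies write past. Kept here only for contrast. */
size_t wrapped_size(size_t n, size_t elem) {
    return n * elem;                      /* modular, wraps silently */
}

void *alloc_records_unchecked(size_t n, size_t elem) {
    return malloc(wrapped_size(n, elem));
}

/* Checked variant (hypothetical helper): refuses any request whose
 * size computation overflows, so the allocator never returns an
 * undersized block. The header argument models the per-block
 * metadata many embedded allocators place before the payload.
 * On success *bytes holds the real size; on failure it is 0 and
 * NULL is returned. */
void *alloc_records_checked(size_t n, size_t elem, size_t header,
                            size_t *bytes) {
    size_t body, total;
    *bytes = 0;
    if (__builtin_mul_overflow(n, elem, &body))       return NULL;
    if (__builtin_add_overflow(body, header, &total)) return NULL;
    if (total == 0) return NULL;          /* zero-size request is an error */
    void *p = calloc(1, total);           /* zeroed: no stale data leaks */
    if (p != NULL) *bytes = total;
    return p;
}

int main(void) {
    size_t got;
    /* Constructed hostile count: SIZE_MAX records of 2 bytes each. */
    printf("unchecked size: %zu (wrapped)\n", wrapped_size(SIZE_MAX, 2));
    void *p = alloc_records_checked(SIZE_MAX, 2, 8, &got);
    printf("checked: %s, bytes=%zu\n", p ? "allocated" : "rejected", got);
    free(p);
    p = alloc_records_checked(4, 16, 8, &got);
    printf("checked: %s, bytes=%zu\n", p ? "allocated" : "rejected", got);
    free(p);
    return 0;
}
```

The overflow builtins are GCC/Clang extensions; on other compilers the same check can be written as `n != 0 && elem > SIZE_MAX / n`.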
BlackBerry has finally admitted that its embedded operating system, QNX, also suffers from the BadAlloc vulnerability, leaving millions of cars, as well as critical hospital and industrial equipment, exploitable by hackers.
According to BlackBerry Security Advisory, a successful attack could exploit the vulnerability to perform denial of service attacks or execute arbitrary code on affected devices.
The Microsoft Security Response Center (MSRC) team reported the BadAlloc vulnerabilities to the United States Cybersecurity and Infrastructure Security Agency (CISA) earlier this year.
However, citing two anonymous sources, Politico reports that BlackBerry initially denied that its products were susceptible to BadAlloc, and then resisted the public announcement that its QNX-powered devices were indeed vulnerable.
Security experts consulted by TechRadar Pro are not pleased. Yossi Naar, chief visionary officer and co-founder of Cybereason, says the BlackBerry disclosure is “appalling” and illustrates the sad state of IoT security.
“In general, the IoT has terrible security, but that’s hardly a problem in most cases. Some sellers do better, others do nothing. When you compete in a market and you have to balance cost, power consumption, size, scale and many other issues, safety takes a back seat,” he said.
BlackBerry urged users to patch their devices.