Security News > 2021 > August > BadAlloc Flaw Affects BlackBerry QNX Used in Millions of Cars and Medical Devices
A major vulnerability affecting older versions of BlackBerry's QNX Real-Time Operating System could allow malicious actors to cripple and gain control of a variety of products, including cars, medical, and industrial equipment.
BlackBerry QNX technology is used worldwide by over 195 million vehicles and embedded systems across a wide range of industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics.
BlackBerry, in an independent advisory, characterized the issue as "An integer overflow vulnerability in the calloc() function of the C runtime library" affecting its QNX Software Development Platform version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1.
"Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices."
In a separate report, Politico revealed that BlackBerry resisted efforts to publicly announce the BadAlloc vulnerability in late April, citing people familiar with the matter, instead planned to privately contact its customers and warn them about the issue - an approach that could have put several device manufacturers at risk, as the company couldn't identify all of the vendors using its software.
"BlackBerry representatives told CISA earlier this year that they didn't believe BadAlloc had impacted their products, even though CISA had concluded that it did," the report said, adding "Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed."