Blackberry Admits QNX OS Vulnerability

Blackberry’s QNX OS has left vehicles and medical devices exposed to a code execution flaw.

Written by Callum Cyrus
13th September 2021

BlackBerry has said that its connected device operating system, QNX, is affected by a major security vulnerability.

The BadAlloc critical vulnerabilities affect memory allocation configurations in real-time IoT and OT operating systems, along with their supporting libraries.

It’s a remote code execution flaw, which grants system-level privileges and enables a cascade of denial-of-service or arbitrary code instructions to be mounted by the attacker.

Blackberry QNX’s flaw, dubbed QNX-2021-001, is in the C Runtime Library of its QNX Software Development Platform, as well as its specialized OSes for medical and safety applications.

Blackberry said it wasn’t aware of any current exploitations. BadAlloc mainly affects previous Blackberry QNX versions, according to ITPro, and it was unclear whether the problem is fixed once the OS is updated.

The vulnerability was discovered by a Microsoft IoT security research group in April 2021, when dozens of vendor system breaches linked to it were registered on the Common Vulnerabilities and Exposure database.

BlackBerry’s QNX is installed as the embedded operating system on “millions” of car dashboards, medical devices and infrastructure systems. Reportedly, it also powers some of the International Space Station’s equipment.

ITPro said the US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) persuaded Blackberry to disclose QNX-2021-001 after it refused in the initial batch in Spring.

CISA was concerned that Blackberry’s stance left QNX users in the dark, reports claimed. As the OS is installed through licenses with third-party device manufacturers, it arguably makes the brand less visible than if QNX was integrated hardware and software.