
BlackBerry Security Flaw Leaves Millions of Cars, Medical Devices Vulnerable to Hackers

BlackBerry said only QNX versions dating from 2012 and earlier are affected by the vulnerability.


A security flaw in software designed by BlackBerry Limited (NYSE: BB) has left millions of cars, as well as countless devices in the medical, automotive and energy sectors, vulnerable to hackers, two federal agencies warned.

On Tuesday, the US Food and Drug Administration (FDA) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued advisories regarding the vulnerability, which affects older but still widely used versions of one of BlackBerry's flagship products, the QNX real-time operating system.

Both CISA and the FDA said they are not aware of any active exploitation of the flaw, but warned that the vulnerability gives hackers a way to attack affected systems remotely and urged users to apply the newly released security patch from BlackBerry.

In a statement, BlackBerry said only QNX versions dating from 2012 and earlier are affected by the vulnerability and that, at this time, no users have reported any impact. The company also said it has notified customers that could potentially be affected and has made software patches available to resolve the matter.

Once a dominant player in smartphones, BlackBerry has morphed into a software business, supplying commercial operating systems to several industries, including medtech, aerospace, defense and rail. QNX is integrated into 195 million vehicles, including those made by Ford, Volkswagen and BMW, where it runs critical functions such as advanced driver-assistance systems.

The flaw belongs to BadAlloc, the name researchers at Microsoft Corporation gave to a family of integer-overflow bugs in the memory-allocation routines of embedded and IoT software. Microsoft disclosed the problem in April and urged users to patch their devices; in May, several other software vendors affected by BadAlloc acknowledged the flaws in their own products.

According to Politico, BlackBerry initially denied that BadAlloc affected its products and resisted making a public announcement for months.

Instead of going public, BlackBerry told CISA it planned to reach out privately to its direct customers and warn them of the issue. As Politico noted, that approach has a gap: BlackBerry licenses QNX to manufacturers, who embed it in their own products, so the company does not always know where its software ends up or who needs the patch.

The company only disclosed the issue publicly after federal cybersecurity officials stepped in, Politico reported, citing unnamed sources familiar with the discussions.


Source: Equities News
