A critical set of software flaws first revealed in April also affects code made by BlackBerry that is used in countless devices in the medical, automotive and energy sectors, the technology vendor confirmed on Tuesday.
A hacker who exploits the so-called BadAlloc software vulnerabilities, which Microsoft researchers uncovered, could cause devices running the software to crash. In BlackBerry’s case, the attacker would need to first gain access to a targeted network and then go after devices that are exposed to the internet.
The affected software is BlackBerry’s QNX Real-Time Operating System, a suite of software that manages data across a network. It’s unclear just how many devices are running the affected BlackBerry software. The firm said last year that its QNX software was embedded in more than 175 million cars alone. A BlackBerry spokesperson did not immediately respond to a request for comment.
“These vulnerabilities may introduce risks for certain medical devices, as well as pharmaceutical or medical device manufacturing equipment,” the Food and Drug Administration said in an advisory Tuesday, adding that it was working with other federal agencies and the private sector to mitigate the risk.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency also urged BlackBerry users to update their software because a compromise of certain infrastructure running the code “could result in a malicious actor gaining control of highly sensitive systems.”
The FDA and CISA said they were unaware of any exploitation of the vulnerabilities.
When Microsoft first disclosed the software vulnerabilities, researchers said no fewer than 25 products made by the likes of Google Cloud and Samsung were affected. But the list keeps growing and includes multiple vendors that, like BlackBerry, span industries.
One of the affected products is the VxWorks operating system made by California-based Wind River Systems. Like BlackBerry QNX, that software is popular in the aerospace, automotive and medical sectors, and it was affected by another class of critical vulnerabilities disclosed in 2019.
Risk stemming from the vulnerable BlackBerry software may extend to the water sector.
“Every water and wastewater utility should determine the presence of impacted [real-time operating system] devices within their environments,” the Water Information Sharing and Analysis Center, a threat sharing group, told its members.
For industrial organizations and hospitals, updating these systems may not be a matter of clicking a button. Software patches often have to be tested for specific environments and applied on a schedule that doesn’t disrupt operations.