Today, reporters Betsy Woodruff Swan and Eric Geller at Politico published a story: “BlackBerry resisted announcing major flaw in software powering cars, hospital equipment.” They outline how BlackBerry willfully hid the fact that its key operating system, QNX, contained a collection of vulnerabilities (originally discovered and named BadAlloc by Microsoft: a family of integer-overflow bugs in memory-allocation routines that can lead to heap corruption). Other companies affected by BadAlloc announced the issue back in May. Not so BlackBerry; instead they followed a deny–obstruct–surrender playbook, presumably to protect their reputation (I wonder how that’s working out) and their bottom line (I guess we’ll see).
These guys are the poster child for why we need SBOMs, especially for critical infrastructure.
If you’re not familiar with QNX, it powers critical embedded systems across many industries, from autonomous vehicles, aerospace and defense systems, and industrial control systems to robotics and automation. It is deeply and widely present in OT environments.
Initially, BlackBerry argued with CISA that QNX was unaffected by the vulnerabilities. CISA informed them otherwise. Politico reports that BlackBerry then declined to make any public acknowledgement of the vulnerabilities, preferring instead to contact their customers directly. The problem is, BlackBerry only kept track of their direct customers and didn’t appreciate their role as a link in the supply chain. All the OEMs that embedded QNX in their products, along with the OEMs’ customers, who went on to sell their own products (and so on down the chain), were unaware they were harbouring the vulnerabilities.
From the article:
When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers and the government in the dark about where the biggest risks lie.
The Executive Order we’ve been writing about aims to end this situation with the provision of SBOMs. If BlackBerry had provided an SBOM to their OEM customers, those OEMs could have matched the BadAlloc advisory to the QNX component listed in their own products and passed that information down to their customers. The federal government has frequently referred to its cybersecurity policies requiring a "whole-nation-effort", but that requires good-faith participation. BlackBerry can't just furtively whisper in the ears of a few customers and hope no one else notices.
One other troubling consequence of BlackBerry’s behaviour is the potential impact this stance could have on SBOM-related initiatives, such as VEX (Vulnerability Exploitability eXchange). One of the concerns about SBOMs is that they can trigger a paralyzing tidal wave of vulnerability alerts. VEX gives vendors a way to state which vulnerabilities are actually exploitable in their products (most of them aren’t) and so reduce the list to the priority vulnerabilities that need attention. But VEX relies on transparency from vendors. If a company is trying to be sneaky, all it will do is produce misleading documents that add to, rather than reduce, supply chain risk.
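To make the two preceding points concrete, here is an added example (not code from the original post, and not anything BlackBerry or the author’s product ships). It builds a small constructed supply chain in which an RTOS vendor sells to an OEM, who sells to integrators, walks the SBOMs to find every product that transitively embeds a vulnerable component (the "tidal wave"), and then applies VEX statements to shrink that list. All package URLs, product names, and advisory identifiers are placeholders; the VEX state and justification vocabulary is modeled on the CycloneDX analysis states (an assumption about the format, not a claim about any specific vendor’s documents). A not_affected claim that carries no justification is deliberately kept and flagged rather than trusted, which is the check a downstream consumer needs against misleading documents.

```python
from collections import defaultdict, deque

# --- Constructed data: placeholder products, components and advisories ---

# Each product's SBOM, reduced to the package URLs it directly embeds.
SBOMS = {
    "pkg:generic/rtos-vendor/rtos@6.5": [],
    "pkg:generic/oem-a/crypto-lib@1.0": [],
    "pkg:generic/oem-a/ecu-firmware@2.3": [
        "pkg:generic/rtos-vendor/rtos@6.5",
        "pkg:generic/oem-a/crypto-lib@1.0",
    ],
    "pkg:generic/integrator-b/infusion-pump@4.1": [
        "pkg:generic/oem-a/ecu-firmware@2.3",
    ],
    "pkg:generic/integrator-c/gateway@1.2": [
        "pkg:generic/oem-a/crypto-lib@1.0",
    ],
}

# A constructed vulnerability feed naming the component each advisory affects.
ADVISORIES = [
    {"id": "VULN-0001", "component": "pkg:generic/rtos-vendor/rtos@6.5", "severity": "critical"},
    {"id": "VULN-0002", "component": "pkg:generic/oem-a/crypto-lib@1.0", "severity": "high"},
]

# Constructed VEX statements keyed by (product, advisory id). States and
# justifications follow the CycloneDX analysis vocabulary (assumed format).
VEX = {
    ("pkg:generic/rtos-vendor/rtos@6.5", "VULN-0001"): {"state": "exploitable"},
    ("pkg:generic/oem-a/ecu-firmware@2.3", "VULN-0001"): {"state": "in_triage"},
    # Note: integrator-b never received a statement about VULN-0001 at all.
    ("pkg:generic/oem-a/crypto-lib@1.0", "VULN-0002"): {"state": "exploitable"},
    ("pkg:generic/oem-a/ecu-firmware@2.3", "VULN-0002"): {
        "state": "not_affected", "justification": "code_not_reachable"},
    ("pkg:generic/integrator-b/infusion-pump@4.1", "VULN-0002"): {
        "state": "not_affected", "justification": "code_not_reachable"},
    ("pkg:generic/integrator-c/gateway@1.2", "VULN-0002"): {
        "state": "not_affected"},  # bare claim, no justification
}

# VEX states that, when justified, remove a finding from the work queue.
NON_ACTIONABLE = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}


def reverse_graph(sboms):
    """Map each component to the set of products that directly embed it."""
    parents = defaultdict(set)
    for product, deps in sboms.items():
        for dep in deps:
            parents[dep].add(product)
    return parents


def downstream_products(sboms, component):
    """Every product that transitively embeds `component` (BFS up the supply chain)."""
    parents = reverse_graph(sboms)
    seen, queue = set(), deque([component])
    while queue:
        cur = queue.popleft()
        for parent in parents.get(cur, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def raw_findings(sboms, advisories):
    """One finding per (product, advisory) pair reachable through the SBOM links."""
    findings = []
    for adv in advisories:
        affected = downstream_products(sboms, adv["component"]) | {adv["component"]}
        for product in sorted(affected):
            findings.append({"product": product, "id": adv["id"],
                             "severity": adv["severity"], "via": adv["component"]})
    return findings


def apply_vex(findings, vex):
    """Keep only findings still needing attention after VEX is applied.

    A product with no statement is treated as affected (the BlackBerry case), and
    a non-actionable claim without a justification is kept and flagged, not trusted.
    """
    remaining = []
    for f in findings:
        stmt = vex.get((f["product"], f["id"]))
        if stmt is None:
            remaining.append({**f, "vex": "no_statement"})
        elif stmt["state"] in NON_ACTIONABLE and stmt.get("justification"):
            continue  # credibly closed out by the vendor
        elif stmt["state"] in NON_ACTIONABLE:
            remaining.append({**f, "vex": "unjustified_claim"})
        else:
            remaining.append({**f, "vex": stmt["state"]})
    return remaining


if __name__ == "__main__":
    everything = raw_findings(SBOMS, ADVISORIES)
    print(f"{len(everything)} raw findings before VEX")
    for f in apply_vex(everything, VEX):
        print(f'{f["severity"]:8} {f["id"]}  {f["product"]}  [{f["vex"]}]')
```

Running it shows seven raw findings collapsing to five actionable ones: the two justified not_affected statements drop out, while the integrator that was never told about VULN-0001 surfaces with no_statement, and the bare not_affected claim on the gateway is flagged as unjustified instead of silently accepted.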
Since BlackBerry doesn't seem to want to do the right thing and warn QNX users that their critical devices have a major vulnerability, we plan to do the work for them. We are currently scanning through our SBOM database of millions of OT files looking for the offending firmware. We will then provide private notifications to our customers. If you want to be on that notification list (and have a valid reason to be on it), contact us: