A problem with a popular BlackBerry operating system could serve up pharmaceutical tech to hackers, multiple U.S. agencies and the company warned this week.
The FDA has put the word out to patients, healthcare providers and manufacturers about a vulnerability in BlackBerry’s QNX real-time operating system that could present a cybersecurity risk for certain medical devices and drug production machines. Manufacturers are currently working to pinpoint which equipment or systems could be affected. They’re sizing up the risk, “developing mitigations” and rolling out BlackBerry patches, the regulator said.
So far, officials haven't received any side effects or safety flags linked to the cybersecurity issue, the agency said Wednesday.
In its own notice, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified the issue as a so-called BadAlloc vulnerability. BadAlloc is comprised of vulnerabilities affecting multiple real-time operating systems, the agency said.
CISA urged critical infrastructure organizations and others using affected QNX-based systems to patch their products “as quickly as possible.”
Aside from pharmaceutical manufacturing equipment, BlackBerry QNX is used in the medical device arena. The operating system also plays a part in the automotive, robotics, aerospace and defense industries and more, BlackBerry says on its website.
BlackBerry laid out the technical details of the issue in a notice Tuesday. Like the FDA, it said it wasn’t aware of any successful attempts to exploit the operating system vulnerability.
Apart from rolling out software patches, BlackBerry says it’s on call 24/7 to support affected customers as needed. The tech firm noted that it’s working with government agencies and other industry groups to get a handle on the problem.
Microsoft researchers discovered the BadAlloc vulnerability back in late April, Politico reported this week. Despite other companies coming forward with their vulnerability claims in May, BlackBerry initially denied that its products were affected, Politico said, citing two unnamed sources close to discussions between BlackBerry and U.S. cybersecurity officials. CISA had to push BlackBerry to get them to go public with the news, Politico’s sources claim.
Cybersecurity was one of the many issues to plague the pharmaceutical sector amid its gung-ho COVID-19 efforts last year. Last July, the U.K.’s National Cyber Security Centre accused the hacker group APT29—aka “the Dukes,” aka “Cozy Bear”—of targeting COVID-19 vaccine researchers in Canada, the U.S. and the U.K., with the likely “intention of stealing information and intellectual property,” the agency said in an advisory at the time. That group is “almost certainly” part of Russian Intelligence, British authorities said, and Canadian and U.S. government agencies agreed.
North Korean hackers were separately accused of trying to pinch COVID-19 vaccine information from AstraZeneca, Johnson & Johnson and Novavax. And India’s Dr. Reddy’s Laboratories in October had to temporarily close “key” plants in its production network over the risk of a potential cyberattack.