It has been reported that a flaw in software made by BlackBerry has left two hundred million cars, plus critical hospital and factory equipment, vulnerable to hackers. What is more, the company opted to keep it secret for months.
On Tuesday August 17th, BlackBerry disclosed that old but still widely used versions of QNX, an operating system that is one of its flagship products, contain a vulnerability that could let hackers cripple connected devices using it. Other companies affected by the BadAlloc flaw, however, had revealed the news in May.
It is also reported that the company initially denied that BadAlloc impacted its products at all. The company later resisted making a public announcement, even though it could not identify, and therefore inform, all the customers using the software.
Commenting on this, Yossi Naar, co-founder and chief visionary officer at Cybereason, says, “Vulnerability disclosure is appalling when you read what BlackBerry said about fixing the vulnerability or even admitting it existed.
This is a good illustration of how broken IoT security really is. However, the QNX case isn’t special in any way. Hardware vendors should provide mechanisms for easy remote updates for their software and limit the attack surface of their devices as much as possible. Unfortunately for many, security is not top of mind.
“No one can say with certainty how any of the cars running QNX can be exploited. 200 million possible vulnerable cars is a big number, but IoT devices already outnumber everything else. We don’t know how these cars are connected, or who controls the connection, as that plays a major factor in the impact on the exploitability.
Just because something is vulnerable doesn’t mean you can exploit it. Today, there are an estimated 46 billion IoT devices in use around the world. If 1% of the devices has terrible security, we’re still talking about hundreds of millions of vulnerable devices. The unfortunate truth today is that only a small minority of devices today have proper protection,” he adds.
“One problem is that you might find more than one billion devices running QNX on the open web, and updating a device isn’t like updating your Windows installation or even a server; it’s very likely that the specific vendor making a particular piece of hardware must patch it, and then it somehow needs to be delivered.
In general, IoT has terrible security, but it is hardly a concern in most cases. Some vendors do better, others do nothing. When you’re competing in a market, needing to balance cost, power consumption, size, scale and many other issues, security takes a back seat. The same was true for PCs for many years; no one cared enough.
“Before hackers found a way to charge ransom through Bitcoin and other anonymous currency, there was much less incentive to hack. When it became a business, it turned out to be lucrative for hackers and devastating for defenders. Only now, more and more people are making it top of mind. If someone figures out how to code ransomware for 100 million IoT devices of one type or another, we will start seeing vendors taking it more seriously. But if your customers don’t demand security, and you aren’t rewarded for investing in it there’s little incentive to fix it.”
Naar concedes, “I don’t know the specifics of the exploit, but if it’s possible to remotely exploit these vulnerabilities then this could truly be a dangerous thing. BadAlloc is a collection of 25 different overflow vulnerabilities, the very kind that anyone who looks for will likely find in untested code. These are extremely common and many have plagued Windows and other operating systems for years.”
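The overflow class Naar refers to is, in the public BadAlloc advisories, integer wraparound in the size arithmetic of memory allocators: an element count multiplied by an element size silently wraps, so a far smaller buffer is handed back than the caller asked for. The following C program is an added illustration written for this article, not code from BlackBerry, QNX or the article's author; it shows the unchecked size computation next to a checked one that refuses to allocate when the product would wrap. The function names and the constructed inputs are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Unchecked pattern: nmemb * size is computed in size_t and wraps around
 * modulo SIZE_MAX + 1, so a huge request can yield a tiny total. This is
 * the bug shape behind the BadAlloc class (illustrative, not QNX code). */
size_t unchecked_alloc_size(size_t nmemb, size_t size) {
    return nmemb * size;            /* wraps silently on overflow */
}

/* Hardened pattern: detect wraparound before multiplying.
 * Returns 0 and stores the product in *out, or -1 if it would overflow. */
int checked_alloc_size(size_t nmemb, size_t size, size_t *out) {
    if (nmemb == 0 || size == 0) {
        *out = 0;
        return 0;
    }
    if (nmemb > SIZE_MAX / size)    /* product would exceed SIZE_MAX */
        return -1;
    *out = nmemb * size;
    return 0;
}

/* calloc-style wrapper that returns NULL instead of an undersized buffer. */
void *safe_alloc_array(size_t nmemb, size_t size) {
    size_t total;
    if (checked_alloc_size(nmemb, size, &total) != 0)
        return NULL;                /* reject the request outright */
    return malloc(total == 0 ? 1 : total);
}

int main(void) {
    /* Constructed input: one element more than SIZE_MAX/4 plus one,
     * so nmemb * 4 wraps around to exactly 4 bytes. */
    size_t nmemb = (SIZE_MAX / 4) + 2;
    printf("unchecked total for %zu x 4 bytes: %zu\n",
           nmemb, unchecked_alloc_size(nmemb, 4));
    void *p = safe_alloc_array(nmemb, 4);
    printf("safe_alloc_array: %s\n", p ? "allocated" : "rejected (overflow)");
    free(p);
    return 0;
}
```

The check `nmemb > SIZE_MAX / size` is the standard defensive idiom; it costs one division and is the kind of fix the BadAlloc patches applied to allocator and buffer-sizing routines. When reviewing embedded or RTOS code, every `count * elem_size` that feeds an allocator, a `memcpy` length or a loop bound is a candidate for this check.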