BlackBerry Resisted Announcing Major Flaw in Software Powering Cars, Hospital Equipment (politico.com) 40
A flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers -- and the company opted to keep it secret for months. Politico: On Tuesday, BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it. But other companies affected by the same flaw, dubbed BadAlloc, went public with that news in May. Two people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn't identify all of the customers using the software.
The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software -- leaving hardware makers, their customers and the government in the dark about where the biggest risks lie. BlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from factory machinery and medical devices to rail equipment and components on the International Space Station.
The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software -- leaving hardware makers, their customers and the government in the dark about where the biggest risks lie. BlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from factory machinery and medical devices to rail equipment and components on the International Space Station.
Supply the source code? (Score:2, Insightful)
"they rarely provide detailed records of the code that goes into the software -- leaving hardware makers, their customers and the government in the dark about where the biggest risks lie"
And thats different how from every other supplier? Do you think MS hands the source code for Windows Embedded to every OEM? Government maybe but few else. Ditto every other software company that provides code as is.
Re: (Score:2)
The difference is people expect Microsoft to suck. It's why no manufacturer lets them into cars nor submarines (anymore). [wired.com]
Re: (Score:3)
The USS Yorktown isn't a submarine. Yet. In spite of the best efforts of Microsoft.
Prior to this, it's been quite a few years since a Navy ship was crippled by a zero [aerocorner.com].
Re: (Score:2)
Microsoft has always shared their code, under NDA, with important clients.
I remember something like 15 years ago somebody leaked a Windows version, and we all laughed at them.
Re: Supply the source code? (Score:1)
Re: (Score:2)
Source Code isn't a cure to security problems.
It sometimes may help to get them out in the open with the community giving a possible fix...
However these are only for projects where there are enough interested people to have eyes on them.
Often for embedded products they go with these companies so they don't have to code their own OS, but just focus coding on the software their product needs to run. A company is not going to be paying their own developers to fix a vendors product. Besides if they did, and t
Prediction (Score:5, Interesting)
Until we have an e-9/11, this shit will be allowed to continue. If I murder 1 person, I can get the death penalty. If a CEO's greed kills thousands, they get let go with a golden parachute (cough Boeing). The Afghan army ran off due to lack of discipline and motivation. Well, the CEO's have insufficient discipline and motivation to take security seriously because our legal system treats the 1% with kid gloves. They've been (legally) bribing their soft laws into place by buying politicians. So when CEO's act like jerks and cowards, don't be surprised. History repeats.
Re: (Score:2)
"If I murder 1 person, I can get the death penalty. If a CEO's greed kills thousands, they get let go with a golden parachute (cough Boeing)."
There's a big difference in law in most countries between deliberate murder and callous indifference to the consequences of my actions. That might not be just but thats the way it is.
Re: Prediction (Score:2)
The Nuremberg trials show there is a legal precedence for concern of callous indifference when the death toll is significant and systematic. The biggest argument against this being a fair precedent is to show that the damage was not systematically intended... I think that's debatable but I think even if we consider callous indifference to the death of a significant portion of people or loss of economic value, we can begin to make a fair argument that the legal system should punish these people but likely re
Self defense? (Score:2)
Re: (Score:2)
I don't know if they could give a not guilty ruling but they could certainly jury nullify. I honestly think more juries should practice nullification because it would push the legislative body to do a better job. Instead the judicial branch would rather juries are unaware of this right.
Re: (Score:2)
The last time I was up for jury duty, we were asked to swear an oath to not nullify. When I said that I couldn't conscionably swear to that I was sent home.
Re: (Score:2)
Holy crap. Really? What state? I am use to them generally not bringing it up. I don't see how they could legally require that oath...
Re: (Score:2)
Georgia. Specifically, I was supposed to swear to "Judge only the facts, not the law or the penalty". The judge engaged me in a brief conversation about where moral and ethical responsibility begins and ends, but I indicated that knowing I might be enabling an inappropriate punishment would be enough to make me ethically responsible, so I was dismissed. I believe the conversation was to see if I was expressing an actual moral/ethical concern or just wanted out of jury duty.
They couldn't legally REQUIRE the
Re: (Score:2)
The last part makes the most sense because yeah, the judges main role at this point is to check if you are just trying to "opt-out". I think the part before makes zero sense to me for a Judge but makes sense in terms of a prosecutor. Prosecutors are always trying to weed out conscientious objectors or people who feel morally and informed enough to potentially utilize jury nullification which is why it effectively never happens considering the minority who understand it's implication. I think the logic is nu
Re: (Score:1)
If callousness results in hundreds or thousands of deaths, then it should be treated the same as direct murder, because of the shear quantity of those affected. It's not just a philosophical opinion, it's reality: CEO's keep acting callous because they know the legal risks are relatively small. They are paid big bucks, they should be accountable and held accountable. If you don't like bright lights, then get off the fucking stage!
The opiate med crisis has killed hundreds of thousands, and left as least as m
Re: (Score:2)
I'm trying to imagine what an e-9/11 would be? It would almost have to be something that wiped out a specific infrastructure service for a . . . let's say wide area. Say, every bank system in America drops within a few minutes of each other and can't be spun back up for several days. Or shutting off the power grid entirely for a period of time.
We've already seen small attacks on infrastructure, where the damage remains localized and relatively quick to fix (hours rather than weeks), but it's entirely pos
Re: (Score:1)
Make 5 million cloud-connected cars suddenly accelerate.
And/or take down several infrastructure services at once. For example, make the power go out and police radio and ambulance radio go out at the same time. There could be chaos, panic, crime, and looting feeding into each other. Toss in conspiracies pumped into social media. Jan 6. was a lite preview of what could happen.
Superbowl (Score:2)
Re: (Score:2)
It fell short of apocalypse, but the recent attack on the Colonial pipeline affected a fair sized region of the U.S. and took several days to resolve.
Re:Prediction (Score:4, Insightful)
It's a very difficult problem to solve and 'greed' in this case is not the first problem.
This is mainly a problem of standardization and professionalism.
There was a bug in QNX.
QNX is a part that BB/QNX sends to other companies to integrate into their actual products.
The real problem here is:
Who maintains the list of 'customers' and 'end devices' that could actually have these 'bad' versions of QNX? No one really. How is a customer/end product to know exactly version of internal components are used in their product?
As mentioned in the article, the government has been trying to flesh out some kind of software bill of materials that companies will be required to provide. In simple cases, this seems easy enough. If you have a java application for example and are you using a modern practices like maven... you can probably comes up with a reasonable SBOM for your application pretty easily.
Legacy systems, customized products, older languages... that's a non trivial task. A lot of that has little to do with CEO 'greed' are more just crappy practices. Heck, BB bought out QNX at some point. Who knows if they had to migrate QNX systems and lost some of the information historically or the know how on how to get all that information could have been lost.
This is a problem much better served by standardization and professionalism that worrying about greed.
An SBOM should be considered a standard way of doing things just as there are electrical codes to show which electrical wires get what color (green is ground...). And only certified electricians can do electrical work and they are held liable for their work.
Modern development practices like dependency downloading... really make this much easier, but as someone who has worked on a lot of older industrial software, I can tell you it wasn't 'CEO greed' that prevented this attention to security or SBOMS... it just wasn't a thing that was done. No one was paying attention to it.
I'm not saying that CEOs are not trying to limit regulation or anything like that. They probably are. But I'd put that as a far second to just poor practices.
Re: (Score:2)
This is a stupidly easy problem.
As in, QNX is not free in any sense of the word. Thus, every device using QNX pays Blackberry a licensing fee to use QNX in their product.
Thus, Blackberry has a list of all the devices using QNX because their licensees have paid for licenses to ship pr
Re: (Score:2)
They've been (legally) bribing their soft laws into place by buying politicians. So when CEO's act like jerks and cowards, don't be surprised.
The astonishing thing is how cheap they sell out for too. You’d think that giving a 5 billion dollar tax break handout would cost millions when it probably only costs a few tens of thousands. Since that comes out to only a few cents per constituent, It’s about time we stated a go fund me to bribe our politicians back to actual constituent interests.
Re: (Score:2)
People get into politics because they want to make a difference but they would much rather spend their time schmoozing with constituents than write bills.. The money is seconary and needed for reelection campaigns.
Crowdsourcing a campaign donation is easy, the tough part would be crowdsourcing the bill you want passed. The open source community is probably
Re: (Score:2)
The real bribery is not the money. Its the research and law writing. Special interests provide well written bills to lawmakers to put their name on.
It takes far less money to just flatly reject all law from corporate sponsors unless they play ball. The reason politicians pass this BS is because they believe their constituents won’t ever know how bad it is or attribute it fairly and then they will have the re-election money and never have to listen to constituents. This way they will if they want even more money than they offer.
People get into politics because they want to make a difference but they would much rather spend their time schmoozing with constituents than write bills.. The money is seconary and needed for reelection campaigns.
Actually, many of them don’t want to spend that time, they have too. The most money wins something like 90% of
Re: (Score:2)
Re: (Score:2)
All this secrecy, it's why we need "hackers" (Score:4, Insightful)
If anybody finds a flaw, publicize it immediately. It's the only way to force a response from these people. Otherwise they will just sit on it until the headlines make it too obvious. Demand full disclosure
Re: (Score:1)
No. As a whistleblower you'd be liable for jail time.
You're supposed to do it anonymously, not seek fame and glory
Good case for open source... (Score:2, Insightful)
Having bugs that are swept under the rug make quite a good case for open source. The ironic thing is that QNX has an excellent reputation overall, and has been in use in production critical systems before Linux was even a kernel. It is sad that Blackberry had to go this route, as opposed to just getting a bug fix out there, and worrying about its significance later on.
BB Stock (Score:2)
Re: BB Stock (Score:2)
Yeah but I bet it will still get shorted first...
The more sophisticated software gets (Score:2)
The higher the chance there will be security flaws. This is not surprising in the least.
There is no OS out there that could be considered free of security risks unless it's absolute bare metal assembly, measuring in the single or double digit kilobyte range, with no network (especially the Internet) connection.
QNX is real good for what it's for, but when it has a GUI, the ability to run external programs and is a general purpose OS- anything above bare metal assembly and being purpose built, you can't assum
Didn't anyone look at this? (Score:3)
This is Microsoft FUD attacking their competition. QNX uses the same code as every GNU/Linux system and most likely everything compiled by Microsoft SDK since forever.
It is calloc(n,s) just calls malloc(n*s) where if n*s overflows (they are size_t), it allocates less than requested rather than failing while trying to grab an insane amount of memory. calloc should be rarely used since it can waste memory when the size of the object isn't 8.
There seem to be quite a few people that think calloc does a check for overflow. There are comments in GCC that it can't happen but there is no code to check it and a trival program proves it doesn't.
A simple fix for is if (n & mask | s & mask) { do more complex check for overflow }. Mask is 0xff..00 with have a type_t being set.
Using calloc on large values is stupid. Do you want to be running memset on 4+ gig of data when the mmap will already return cleared allocated memory.