BlackBerry’s popular operating system for medical devices affected by critical vulnerabilities, drawing fed warnings

The disclosure expands the number of devices that could be at risk due to the "BadAlloc" flaw.
Infusion pumps are among the devices affected by the vulnerabilities. (Getty Images)

A critical set of software flaws first revealed in April also affects code made by BlackBerry that is used in countless devices in the medical, automotive and energy sectors, the technology vendor confirmed on Tuesday.

An attacker who exploits the so-called BadAlloc vulnerabilities, a family of integer-overflow bugs in memory-allocation routines that Microsoft researchers uncovered, could crash devices running the software or, in some cases, run attacker-supplied code on them. In BlackBerry’s case, the attacker would first need access to the targeted network and would then go after devices that are exposed to the internet.

The affected software is BlackBerry’s QNX real-time operating system, a microkernel OS embedded in devices such as automotive computers, medical equipment and industrial controllers. The flaw, tracked as CVE-2021-22156, is an integer overflow in the calloc() function of the QNX C runtime library; BlackBerry’s advisory lists QNX Software Development Platform 6.5.0 SP1 and earlier, QNX OS for Medical 1.1 and earlier and QNX OS for Safety 1.0.1 and earlier as affected. It’s unclear just how many devices are running the affected versions. The firm said last year that its QNX software was embedded in more than 175 million cars alone. A BlackBerry spokesperson did not immediately respond to a request for comment.
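The bug class behind BadAlloc is easy to reproduce in miniature. The following is an added illustration, not code from BlackBerry, Microsoft or this article: a calloc-style allocator computes the byte count as count multiplied by size in a size_t, the product wraps for a large count, and the allocator hands back a tiny block for what the caller believes is a huge one. The function names and the constructed inputs are the example’s own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not BlackBerry or Microsoft code) of the BadAlloc bug class.
 * An allocator computes count * size in size_t; when the product wraps, a
 * small block is returned for what the caller believes is a huge request,
 * and the caller's subsequent writes overrun the heap.
 */

/* Size computation the way a vulnerable allocator does it: the product
 * silently wraps modulo SIZE_MAX + 1. */
size_t naive_alloc_size(size_t count, size_t size)
{
    return count * size;
}

/* Overflow predicate for count * size that avoids performing the wrapping
 * multiplication. Returns 1 if the product would not fit in size_t. */
int mul_overflows(size_t count, size_t size)
{
    return count != 0 && size > SIZE_MAX / count;
}

/* Vulnerable calloc lookalike: trusts the wrapped byte count. */
void *naive_calloc(size_t count, size_t size)
{
    size_t bytes = naive_alloc_size(count, size);
    void *p = malloc(bytes);
    if (p != NULL)
        memset(p, 0, bytes);
    return p;
}

/* Hardened calloc lookalike: refuses the request when the size wraps. */
void *safe_calloc(size_t count, size_t size)
{
    if (mul_overflows(count, size))
        return NULL;            /* fail closed instead of under-allocating */
    size_t bytes = count * size;
    void *p = malloc(bytes);
    if (p != NULL)
        memset(p, 0, bytes);
    return p;
}

/* Helper: 1 if safe_calloc satisfies the request (block is freed again). */
int safe_calloc_succeeds(size_t count, size_t size)
{
    void *p = safe_calloc(count, size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed input: SIZE_MAX/4 + 5 elements of 4 bytes each is
     * SIZE_MAX + 17, which wraps to 16 on any size_t width. */
    size_t count = SIZE_MAX / 4 + 5;
    size_t size = 4;

    printf("naive allocator computes %zu bytes for %zu x %zu\n",
           naive_alloc_size(count, size), count, size);

    void *p = naive_calloc(count, size);    /* a 16-byte block comes back */
    printf("naive_calloc returned %s\n", p ? "a tiny block" : "NULL");
    free(p);                                 /* never write into it */

    printf("safe_calloc returned %s\n",
           safe_calloc(count, size) ? "a block" : "NULL (overflow rejected)");
    return 0;
}
```

The check in mul_overflows is the whole fix: dividing SIZE_MAX by count before multiplying cannot itself overflow, so the allocator rejects the request rather than returning a block far smaller than the caller asked for.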

“These vulnerabilities may introduce risks for certain medical devices, as well as pharmaceutical or medical device manufacturing equipment,” the Food and Drug Administration said in an advisory Tuesday, adding that it was working with other federal agencies and the private sector to mitigate the risk.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency also urged BlackBerry users to update their software because a compromise of certain infrastructure running the code “could result in a malicious actor gaining control of highly sensitive systems.”

The FDA and CISA said they were unaware of any exploitation of the vulnerabilities.

When Microsoft first disclosed the software vulnerabilities, researchers said no less than 25 products made by the likes of Google Cloud and Samsung were affected. But the list keeps growing and includes multiple vendors that, like BlackBerry, span industries.

One of the affected products is the VxWorks real-time operating system made by California-based Wind River Systems. Like BlackBerry QNX, that software is popular in the aerospace, automotive and medical sectors, and was affected by another class of critical vulnerabilities, the Urgent/11 flaws in its TCP/IP stack, disclosed in 2019.

Risk stemming from the vulnerable BlackBerry software may extend to the water sector.

“Every water and wastewater utility should determine the presence of impacted [real-time operating system] devices within their environments,” the Water Information Sharing and Analysis Center, a threat sharing group, told its members.

For industrial organizations and hospitals, updating these systems is rarely a matter of clicking a button. Because QNX is embedded in the device, the fix usually has to arrive as new firmware from the device maker; patches then have to be tested against the specific environment and applied on a schedule that doesn’t disrupt operations.

Written by Sean Lyngaas
