BlackBerry has revealed that its QNX operating system is vulnerable to the BadAlloc bug discovered earlier this year. QNX is an embedded operating system that can be found on hundreds of millions of machines, in everything from critical infrastructure to hospital equipment to equipment on the International Space Station. The discovery highlights a wiretapping issue illustrating the much bigger challenge we face when it comes to Internet of Things (IoT) security and embedded systems like QNX.
According to the report from Politico, “BlackBerry told the government that it does not know where its software ends up and the people who use it do not know where it came from.”
There is no reason for BlackBerry to monitor wherever QNX is deployed or used, and OEMs probably do not want to delay automatic updates that could corrupt their devices. However, as the vendor of the operating system, BlackBerry has a keen interest in providing mechanisms for constant, regular, secure updates and in committing to a high standard of security.
Vulnerability and patch management have always been challenging to do effectively. Unfortunately, for many people security is not top of mind. Typically, companies focus less on security and much more on product features and on getting a device to market as quickly as possible. Security, if it is taken into account at all, is usually addressed at the end of the development process.
Making a product safer requires commitment, attention to detail and proper incentives. This is especially true if you provide an operating system on which millions, or billions, of devices rely. It is important to think about safety, follow it, pay attention to it and keep it high on your list of priorities. Unfortunately, security is generally driven by market forces, and the market only responds to security issues retroactively.
No one can say for sure how many of the wide range of QNX-enabled devices may be vulnerable. 200 million potentially vulnerable machines is a large number, but not as large as the potential number of IoT devices, some of which are undoubtedly critical in nature. Today, there are about 46 billion IoT devices in use worldwide. If one percent of devices have terrible security, we are still talking about hundreds of millions of vulnerable devices.
The unfortunate truth is that only a small minority of devices today have the proper protection. Then again, just because something is vulnerable does not mean that the weakness can be easily exploited. Overall, the IoT has terrible security, but it is hardly a concern in most cases. Some sellers do better, others do nothing. When competing in a market, you need to balance cost, energy consumption, size, scale and many other issues, and safety comes second. The same was true for PCs for many years: no one cared enough.
BadAlloc is a collection of 25 different overflow vulnerabilities, the same type that anyone who goes looking will find in unproven code. If anyone figures out how to hit 100 million IoT devices of one type or another with ransomware, we will start to see vendors taking security more seriously. But if your customers do not ask for security and you are not rewarded for investing in it, there is little market incentive to make the necessary investments to fix it. In fact, there is generally a complete market failure when it comes to security, and IoT is no exception.
But the problem with securing hundreds of billions of connected devices is that we have to secure hundreds of billions of connected devices. This may seem obvious and pointless, but it is the large attack surface and the potential complexity of the IoT device security challenge that has bothered us all. Yet against that potentially complex challenge stands the reality that we must also simplify IoT security.
Creating more secure IoT devices means incorporating security from the start. Security teams should ask whether a device needs an internet connection at all, and should establish stronger mechanisms for authentication and a minimal attack surface. The most responsible companies adhere to a philosophy of incorporating safety from the earliest stages of the design and production process, from the processor that runs the device to the OS it uses and how it connects to the internet.
Unfortunately, IoT security is generally bad. Organizations can’t defend what they can’t see – and the volume and use cases for IoT devices make them largely invisible from a security perspective. The current state of the IoT is a prime example of the failure of market forces to understand security.
As technology designers, we need to make sure that we take ownership of the complexity inherent in building resilient security systems so that product manufacturers can easily do the right thing. Product manufacturers need to build on best safety practices from the beginning of the design process. I cannot tell you about the specifics of any potential use of QNX that may be there, but if it is possible to remotely exploit these vulnerabilities, then this is unlikely to be the end of the story.