BlackBerry disclosed that its QNX operating system is vulnerable to the BadAlloc flaw revealed earlier this year. QNX is an embedded operating system found in hundreds of millions of cars, as well as in everything from critical infrastructure to hospital devices to equipment on the International Space Station. The disclosure highlights a lurking issue that illustrates the much larger challenge we face when it comes to securing internet-of-things (IoT) and embedded systems like QNX.
According to the report from Politico, “BlackBerry told the government it doesn’t know where its software ends up, and the people using it don’t know where it came from.”
There is no reason for BlackBerry to keep track of everywhere QNX is deployed or used, and the OEMs likely don’t want automatic updates being pushed that might break their devices. However, as an operating system vendor, BlackBerry has a vested interest in providing mechanisms for continuous, regular, safe updates and committing to a high standard of security.
Vulnerability and patch management have always been hard to do effectively. Unfortunately, for many, security is not top of mind. Typically, companies focus less on security and a lot more on product features and getting a device to market as quickly as possible. Security, if it’s even considered, is usually tacked on at the end of the development process.
Making a product more secure requires commitment, attention to detail, and the right incentives. This is especially true if you provide an operating system that millions, or billions, of devices rely on. It is important to think about security, track it, pay attention, and keep it high on your list of priorities. Unfortunately, security is generally driven by market forces, and the market only responds to security issues retroactively.
No one can say with certainty how many of the wide range of devices running QNX could be vulnerable. 200 million possibly vulnerable cars is a big number, but not nearly as big as the possible number of IoT devices, some of which are arguably critical in nature. Today, there are an estimated 46 billion IoT devices in use around the world. If one percent of the devices has terrible security, we’re still talking about hundreds of millions of vulnerable devices.
The unfortunate truth is that only a small minority of devices today have proper protection. Then again, just because something is vulnerable doesn’t mean that vulnerability can easily be exploited. In general, IoT has terrible security, but it is hardly a concern in most cases. Some vendors do better, others do nothing. When you’re competing in a market and need to balance cost, power consumption, size, scale and many other issues, security takes a back seat. The same was true for PCs for many years: no one cared enough.
BadAlloc is a collection of 25 different overflow vulnerabilities, the very kind that anyone who looks will likely find in untested code. If someone figures out how to code ransomware for 100 million IoT devices of one type or another, we will start seeing vendors taking security more seriously. But if your customers don’t demand security, and you aren’t rewarded for investing in it, there’s little market incentive to fix it by making the necessary investments. In fact, there’s generally a complete market failure when it comes to security, and IoT is no exception.
But the problem with securing hundreds of billions of connected devices is that we must secure hundreds of billions of connected devices. That may seem obvious and slightly nonsensical, but it is the vast attack surface and the potential complexity of the IoT device security challenge that has us all concerned. Yet, at odds with that potentially complex challenge, is the reality that we must also make IoT security simple.
Creating more secure IoT devices means including security from the start. Security teams should question if a device needs internet connectivity and design tighter mechanisms for strong authentication and minimal attack surface. The most responsible companies adhere to a philosophy of incorporating security from the earliest stages of the design and manufacturing process, from the processor running the device to the OS it uses and how it connects to the Internet.
Unfortunately, IoT security is bad in general. Organizations can’t protect what they can’t see, and the volume and use cases for IoT devices make them largely invisible from a security perspective. The current state of IoT is a prime example of the failure of market forces to understand security.
As technology designers, we must ensure we take ownership of the complexity inherent in building resilient security systems so that it’s easy for product makers to do the right thing. Product makers need to build in security best practices from the beginning of the design process. I can’t tell you about the specifics of any potential QNX exploits that might be out there, but if it’s possible to remotely exploit these vulnerabilities, then this is not likely the end of the story.