Dive Brief:
- The Food and Drug Administration on Tuesday issued a cybersecurity alert warning that BlackBerry's QNX real-time operating system is vulnerable to remote attack by hackers, potentially putting certain medical devices at risk.
- The agency is not aware of any confirmed adverse events, and manufacturers are assessing which devices may be impacted by the vulnerabilities and are developing mitigations, including patches from BlackBerry. Cyber experts are recommending that affected products be patched immediately.
- The operating system, designed by QNX and owned by BlackBerry, is used in a wide range of products and industries including medtech, according to a Cybersecurity and Infrastructure Security Agency alert. Nick Yuran, CEO of security consultancy Harbor Labs, said the news "comes as a surprise" as his firm has promoted QNX to its clients as a high availability, high security OS. "More testimony to the fact that even the most trusted and broadly used systems can still have yet undiscovered vulnerabilities," Yuran said.
Dive Insight:
BlackBerry, which acquired QNX in 2010, has positioned itself as a trusted supplier of commercial operating systems for industries including aerospace, automotive, defense, industrial controls and medical. However, separate cybersecurity alerts on Tuesday from CISA and FDA made it clear that BlackBerry's reputation has taken a hit.
Politico reported that BlackBerry initially denied that the vulnerability affected its products and later resisted making a public announcement, even though it couldn't identify all of the customers using the software, until federal cybersecurity officials stepped in.
"Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions," CISA's alert said. The agency strongly encouraged companies with QNX-based systems to patch affected products as quickly as possible.
The FDA is working with medical device manufacturers and the private sector to address cybersecurity vulnerabilities with BlackBerry's QNX real-time operating system version 6.5 Service Pack 1 and earlier, the agency said in its alert.
The QNX real-time operating system is a widely used OS in the medtech industry and is often deployed in devices such as cardiac and patient monitors, drug infusion pumps, imaging systems and robotic surgical systems, among others, according to Harbor Labs' Yuran.
"We have several clients who use QNX Neutrino for at least one of their clinical device operating systems. We only have just begun to assess how these vulnerabilities might affect their systems, but as you can imagine there is some anxiousness in the industry over this," Yuran said.
Mike Rushanan, director of medical security at Harbor Labs, pointed to a BlackBerry marketing document that claims QNX software products, not necessarily the OS, are used in more than 50 types of medical devices.
"This is a significant vulnerability that needs to be patched immediately," Rushanan said. "An attacker can perform any action, avoid detection and auditing, and harm the patient."
News of the potential risk to a wide swath of medical devices comes as the FDA is seeking additional legislative authorities meant to bolster device cybersecurity amid growing ransomware and other cyberattacks on healthcare organizations. Among the regulatory powers the agency is pursuing is a new requirement for medtechs, as part of a premarket submission, to provide a Software Bill of Materials (SBOM).
The FDA contends that making an SBOM, an electronic inventory of third-party components in devices, a premarket requirement for medical device makers will make it much easier for government and the private sector to know if they are affected by potential vulnerabilities such as those in BlackBerry's QNX operating system, and will enable timely postmarket mitigations.
QNX is the latest addition to the dozens of real-time operating systems (RTOSes) affected by a set of cyber vulnerabilities known as BadAlloc and another example of the ongoing supply chain problems plaguing the medtech industry, according to Chris Gates, director of product security at medical device engineering firm Velentium.
"This is where SBOMs really provide value," Gates said. "The manufacturer can instantly know which of their legacy products are affected, without spending weeks and months performing an investigation, and the consumer can also leverage SBOMs to determine what mitigations need to be performed, such as disconnecting it to safeguard their organization until such time as a patch for the medical device is made available."
Manufacturers of devices that use vulnerable versions of the QNX operating system should contact BlackBerry to obtain the patch, CISA advised. FDA recommended that manufacturers that may be affected by the vulnerabilities should communicate with their customers and coordinate with CISA.