BadAlloc Might Pose Risk to More Than One Hundred Million Vehicles

SHACHAR AZRIEL

AutoThreat Product Manager & Team Lead

We are constantly monitoring cyber incidents in the mobility landscape as part of our commitment to make mobility more safe and secure for everyone. With the industry’s tremendous growth in connectivity and the consequent growth of attack vectors, we anticipate that a major event in the near future will break the rules and dramatically change our world.

 

Recently, a case with this kind of watershed potential came to light with BlackBerry’s revelation of a potential vulnerability in its widely-deployed QNX operating system. The unique features of this case prove that the idea of single threat rewriting everything we know about mobility is not far-fetched: single events or exploitations can have tremendous power to impact the entire connected car industry. In this article, we outline the features we believe lend this vulnerability world-shaking potential, and recommend steps for mitigating the potential risks posed by this vulnerability and other cases like it.

 

The BadAlloc Vulnerability and Its Impact on the Automotive Industry

BlackBerry announced that one of its most popular products, the QNX operating system, contains a high-level risk security vulnerability. This vulnerability, named BadAlloc (CVE-2021-22156, CVSS Score 9.0), can be exploited remotely and allows an attacker to perform a denial of service (DOS) attack or execute malicious commands on the affected device.

 

BadAlloc is a memory allocation vulnerability that exists in various standard allocation functions. Researchers have found that over the years, memory allocation implementations haven’t incorporated proper input validations, thus enabling threat actors to exploit the memory allocation vulnerability, inject malicious data, and execute remote commands on the affected device.

This vulnerability should concern the mobility industry considering QNX’s use in a broad range of vehicles. According to BlackBerry, QNX software is used by several OEMs and Tier ones including Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota, and Volkswagen. Overall, the operating system is deployed in more than 195 million vehicles on the road.

This case has unprecedented red flag features when compared to previously uncovered mobility-related vulnerabilities:

  • A single set of vulnerabilities potentially impacts hundreds of millions of vehicles manufactured by different companies.
  • This vulnerability is categorized as an extremely high-level risk vulnerability that can be utilized to gain control of a vehicle’s systems.

If a threat were introduced to this system, which is a mutual key component in the BOM of legions of vehicles, its immensity could not be overstated. As such, the industry must take steps to ensure that vehicles and infrastructure utilizing the QNX OS will shore up opportunities for threat actors to exploit the BadAlloc vulnerability.

AutoThreat® Intelligence Mitigation Recommendations

First and foremost, relevant stakeholders must ensure that all QNX-based components are running the newest and most updated software version (a guide and technical information can be found in BlackBerry’s Security Advisory). In addition, CISA published mitigation advice for Manufacturers and End Users.

Upstream recommends keeping track of these severe vulnerabilities, especially in case an exploit is being discovered. Upstream’s AutoThreat®Intelligence includes a dedicated vulnerability section for the mobility landscape that keeps our customers updated and focused on the most consequential matters impacting mobility safety and security today. When a new vulnerability is uncovered, AutoThreat®’s component mapping dashboard enables its users to discover which OEMs and car models have been affected, and manage the risks and mitigation steps accordingly.

Potentially Affecting More Than 195 Million Vehicles and Various OEMs
Newsletter Icon

H1'2022 Automotive Cyber Trend Report

Newsletter Icon

Subscribe
to our newsletter

Sign up to receive updates delivered to your inbox

Securing Smart Mobility Requires a Fresh Approach to API Security

Connected vehicles and smart mobility services use numerous APIs. Everything from OEM-driven companion apps, infotainment systems, OTA servers, telematics servers, and EV charging management or…

Read more

EV Charging Stations Cyber Vulnerabilities Could Be EVs Achilles Heel

Electric vehicles (EVs) are a critical pillar of the global automotive revolution we’re experiencing today. Over the next five years, the US government will invest…

Read more

Upstream’s 1000th Automotive Cybersecurity Incident: Use NFC Card to Gain Control in 130 Seconds

As a part of Upstream’s ongoing effort to monitor, analyze the cyber threat landscape and assess the impact of automotive-related cybersecurity incidents and vulnerabilities, we…

Read more

Charging Station’s Cybersecurity Risks Endanger EV Adoption

Automakers and consumers are experiencing a breakthrough in electronic vehicle (EV) adoptability. Wide-spread easily accessible charging station networks are quelling range anxiety and replacing it…

Read more