BadAlloc Might Pose Risk to More Than One Hundred Million Vehicles

SHACHAR AZRIEL

AutoThreat Product Manager & Team Lead

August 25, 2021

We are constantly monitoring cyber incidents in the mobility landscape as part of our commitment to make mobility more safe and secure for everyone. With the industry’s tremendous growth in connectivity and the consequent growth of attack vectors, we anticipate that a major event in the near future will break the rules and dramatically change our world.

 

Recently, a case with this kind of watershed potential came to light with BlackBerry’s revelation of a potential vulnerability in its widely-deployed QNX operating system. The unique features of this case prove that the idea of single threat rewriting everything we know about mobility is not far-fetched: single events or exploitations can have tremendous power to impact the entire connected car industry. In this article, we outline the features we believe lend this vulnerability world-shaking potential, and recommend steps for mitigating the potential risks posed by this vulnerability and other cases like it.

 

The BadAlloc Vulnerability and Its Impact on the Automotive Industry

BlackBerry announced that one of its most popular products, the QNX operating system, contains a high-level risk security vulnerability. This vulnerability, named BadAlloc (CVE-2021-22156, CVSS Score 9.0), can be exploited remotely and allows an attacker to perform a denial of service (DOS) attack or execute malicious commands on the affected device.

 

BadAlloc is a memory allocation vulnerability that exists in various standard allocation functions. Researchers have found that over the years, memory allocation implementations haven’t incorporated proper input validations, thus enabling threat actors to exploit the memory allocation vulnerability, inject malicious data, and execute remote commands on the affected device.

This vulnerability should concern the mobility industry considering QNX’s use in a broad range of vehicles. According to BlackBerry, QNX software is used by several OEMs and Tier ones including Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota, and Volkswagen. Overall, the operating system is deployed in more than 195 million vehicles on the road.

This case has unprecedented red flag features when compared to previously uncovered mobility-related vulnerabilities:

  • A single set of vulnerabilities potentially impacts hundreds of millions of vehicles manufactured by different companies.
  • This vulnerability is categorized as an extremely high-level risk vulnerability that can be utilized to gain control of a vehicle’s systems.

If a threat were introduced to this system, which is a mutual key component in the BOM of legions of vehicles, its immensity could not be overstated. As such, the industry must take steps to ensure that vehicles and infrastructure utilizing the QNX OS will shore up opportunities for threat actors to exploit the BadAlloc vulnerability.

AutoThreat® Intelligence Mitigation Recommendations

First and foremost, relevant stakeholders must ensure that all QNX-based components are running the newest and most updated software version (a guide and technical information can be found in BlackBerry’s Security Advisory). In addition, CISA published mitigation advice for Manufacturers and End Users.

Upstream recommends keeping track of these severe vulnerabilities, especially in case an exploit is being discovered. Upstream’s AutoThreat®Intelligence includes a dedicated vulnerability section for the mobility landscape that keeps our customers updated and focused on the most consequential matters impacting mobility safety and security today. When a new vulnerability is uncovered, AutoThreat®’s component mapping dashboard enables its users to discover which OEMs and car models have been affected, and manage the risks and mitigation steps accordingly.

Potentially Affecting More Than 195 Million Vehicles and Various OEMs
Newsletter Icon

The 2024 Global Automotive Cybersecurity Report

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

As Cyber Risks Escalate, ISO/WD 24882 Sets New Standards for Safety and Availability in Agricultural OEMs

The digital transformation sweeping through the Automotive and Mobility ecosystem has also made its mark on the Agriculture sector. As a result, OEMs, suppliers, and…

Read more

SIM-Enabled IoT Devices as Critical Infrastructure: The Data Imperative

In our ongoing series exploring why SIM-enabled IoT devices in the automotive and smart mobility ecosystem should be classified as critical infrastructure, we’ve examined two…

Read more

Ensuring Continuous Operations: The Critical Role of SIM-Enabled IoT in Mobility

In our ongoing series, exploring the critical nature of SIM-enabled IoT devices, we’ve previously discussed the safety implications of these devices. Our H1’2024 report identifies…

Read more

SIM-Enabled IoT Devices as Critical Infrastructure: The Safety Imperative

Upstream’s latest H1’2024 report asserts that SIM-enabled IoT devices in the automotive and smart mobility ecosystem should be classified as critical infrastructure. This classification is…

Read more
Skip to content