Date: 2021-08-18
A flaw in Blackberry's software left critical hospital equipment vulnerable to hackers for months, according to an Aug. 17 Politico report.
On Aug. 17, Blackberry disclosed that its Real Time Operating System is affected by a BadAlloc vulnerability. A hacker could exploit the vulnerability to deploy malware or cause a denial of service, according to an Aug. 17 Cybersecurity and Infrastructure Security Agency news release.
Six things to know:
- Some companies affected by the flaw disclosed the news in May, while Blackberry chose to be discreet about the vulnerability, Politico reported. Sources said Blackberry resisted making a public announcement even though it couldn't identify all of the people using the software, Politico reported.
- Tech companies may prefer to disclose vulnerabilities privately so that hackers are not alerted that systems are vulnerable. Private disclosure also delays the public backlash or financial losses that can result from a breach.
- CISA told Blackberry that the vulnerability potentially created risks for national security, and the Defense Department was involved in finding acceptable timing for Blackberry to disclose the vulnerability, Politico reported.
- Eric Goldstein, the head of CISA's cyber division, said the vulnerable systems are "used in a wide range of products whose compromise could result in a malicious actor gaining control of highly-sensitive systems. While we are not aware of any active exploitation, we encourage users of [the system] to review the advisory BlackBerry put out today and implement mitigation measures, including patching systems as quickly as possible."
- In a statement to Politico, Blackberry didn't deny that it was hesitant about publicly disclosing the vulnerability. The company said it maintains a list of customers and has been communicating with them directly.
- "Software patching communications occur directly to our customers," Blackberry said. "However, we will make adjustments to this process in order to best serve our customers."