1. Dashboards
  2. Companies
August 18, 2021

Blackberry’s automotive dreams throttled by new cyber vulnerability

By Eric Johansson

BlackBerry has reluctantly confirmed that a vulnerability in its software could cripple cars, hospital equipment and drug manufacturing devices. Its announcement on the so-called BadAlloc bug comes months after market stakeholders including Microsoft publicly warned about the vulnerability.

For BlackBerry, which has spent the past decade pivoting away from its failed smartphone range to pursue its ambition of becoming the go-to software supplier for automakers, publicly revealing the gaping security hole in its QNX platform is embarrassing to say the least.

The fact that BlackBerry seems to have spent the past few months arguing with regulators about whether or not to publicly declare the weakness only for Politico to make that squabble public knowledge isn’t great for the software company’s image either.

That, however, is exactly what has happened, according to the publication, which has spoken to sources within the US Cybersecurity and Infrastructure Security Agency (CISA).

Both the CISA and the US Food & Drug Administration (FDA) issued warnings regarding the BadAlloc vulnerability on Tuesday just as BlackBerry also publicly acknowledged the bug. However, the announcement came months after the industry started to alert companies about the security weakness.

In April, Microsoft warned that the memory allocation vulnerabilities now linked to BlackBerry could empower hackers to bypass security controls, take control of connected devices and to cause system crashes. Its researchers had found BadAlloc vulnerabilities in a number of companies’ solutions. At the time, Microsoft didn’t name BlackBerry or QNX.

Several of the companies affected by the bug worked with Department of Homeland Security’s CISA in May to publicly reveal the flaws and urge users to patch their devices. Notably, BlackBerry was not among them.

Instead, the company has reportedly spent the past few months arguing with the CISA about whether the vulnerability actually existed and if it should go public with it at all, according to Politico‘s sources.

Instead, BlackBerry is said to have preferred to disclose the vulnerability privately to its direct customers to avoid tipping off bad actors.

However, this approach had one big drawback: it would mean that many companies using QNX would still be unaware of the bug because BlackBerry itself didn’t know that they used the software.

The reason for this is that BlackBerry licenses QNX to hardware manufacturers who in turn build products and devices. Think about how Microsoft sells its Windows operating system to HP and Dell and you get the idea.

The problem with this is that BlackBerry doesn’t know where its product ends up. That’s at least what BlackBerry told the US government, according to Politico‘s sources.

While it’s unclear how many customers and systems are affected by the BadAlloc bug, BlackBerry itself announced in June that versions of the QNX software have been embedded in over 195 million vehicles across the globe. Clients using QNX include Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota and Volkswagen. The software is a key solution in advanced driver assistance systems, digital cockpits and secure data gateways.

The system is also one of the reasons why GlobalData researchers identified BlackBerry as a key player in the race towards creating true autonomous vehicles in a recent report.

One saving grace seems to be that the vulnerability does not impact current or recent versions of QNX, but rather versions dating from 2012 and earlier. BlackBerry, the CISA and the FDA said that no exploitation of the bug has occurred so far.

BlackBerry chasing cars

For most people, BlackBerry is the name of a range of smartphones that in the early noughties led the market. BlackBerry handsets were some of the first to offer push email, seen as a unique selling point at that time. However, as Apple and Google steamrolled the competition, people (and perhaps most crucially, companies) stopped using BlackBerries, apart from a small cluster of die-hard enthusiasts.

The Canadian company officially stopped designing its own smartphones in 2016, but it still licenses the development of new devices to partners.

Around the same time, Blackberry announced plans to double down on the development of its cybersecurity and car software solutions, starting by deepening its partnership with Ford in October 2016.

BlackBerry has suffered setbacks along the way.  During Covid-19, demand for its solutions fell as the pandemic slowed auto sales in the US, BlackBerry’s biggest market. Its revenue from its cybersecurity solutions also dropped during the Covid-19 crisis.

Then, at the start of 2021, Ford announced plans to drop BlackBerry’s QNX infotainment software for Google’s similar solutions.

Fast-forward to June 2021 and the company’s reports for the fiscal first quarter of 2022. In that period, its smartphone licensing made up 14% of the company’s $174m in total revenue. Comparatively, enterprise software made up 44% and 31% was made up of licensing IP.

BlackBerry’s internet of things unit generated $43m in revenue, up by 48% from last year, while its cybersecurity suffered a slight decline in the same period but still raked in $107m during the quarter.

Part of the success can be explained by BlackBerry being one of the memestocks championed by Reddit investors during the GameStop chaos earlier this year.

Cybersecurity in connected cars

Over the past two decades, connected cars have grown commonplace. Today, basically all new cars can communicate with systems outside of the vehicle.

The global connected car market was valued at $32bn in 2016 and is expected to reach a worth of nearly $100bn by 2030, according to a recent GlobalData report.

However, the growing popularity of connected cars has also increased the risk of of hackers attacking them.

A third of connected car owners fear their vehicles will be hacked, according to recent research from cyber insurer HSB.

The risk is amplified when it comes to self-driving cars where the human driver gives away control of the vehicle to a computer. The risk of hacks has been identified as a key factor holding back the adoption of autonomous vehicles.

Given that BlackBerry’s QNX system has been used by Jaguar Land Rover to develop its self-driving car projects, the news about the BadAlloc vulnerability could hold back the adoption of autonomous vehicles further.

Verdict deals analysis methodology

This analysis considers only announced and completed deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.