FDA Cites Possible Cybersecurity Vulnerabilities in Drug Mfg Equipment
The US Food and Drug Administration (FDA) is informing patients, healthcare providers, and manufacturers about cybersecurity vulnerabilities with a real-time operating system (RTOS) designed by QNX and owned by BlackBerry that may introduce risks for certain medical devices and drug-manufacturing equipment. More details about the RTOS vulnerability can be found here.
This week (August 17, 2021), the US Cybersecurity & Infrastructure Security Agency (CISA), part of the US Department of Homeland Security, reported that BlackBerry had publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability, CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.
The FDA and the CISA say they are not aware of any confirmed adverse events related to these vulnerabilities. Manufacturers are advised to assess which equipment or systems may be affected by the BlackBerry QNX cybersecurity vulnerability, evaluate the risk, and develop mitigations, including deploying patches from BlackBerry.
Source: US Food and Drug Administration