Researchers have found that a popular Internet of Things real-time operating system – FreeRTOS – is riddled with serious vulnerabilities.
The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems, leak information from the devices’ memory, and take them over. And while patches have been issued, researchers warn that it still may take time for smaller vendors to update.
Researcher Ori Karliner, with Zimperium’s zLabs team, recently analyzed some of the leading operating systems in the IoT market – including FreeRTOS, an open-source OS specifically designed for the microcontrollers that are within IoT devices. Within several versions of FreeRTOS, Karliner found 13 vulnerabilities enabling an array of attacks, including remote code execution, information leak and denial-of-service bugs.
“During our research, we discovered multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS,” according to a Thursday post by zLabs.
FreeRTOS provides an OS for microcontrollers, which vendors can bundle together with other components in IoT devices and solutions – including the TCP/IP stack, connectivity modules, and over the air (OTA) updates.
The kernel has gained traction in the IoT market, and in 2017, Amazon took stewardship of the OS and extended the FreeRTOS kernel to its with software libraries – so IoT devices could be connected to AWS cloud services like AWS IoT Core.
Specifically impacted by these vulnerabilities was FreeRTOS V10.0.1 and below (with FreeRTOS+TCP), and AWS FreeRTOS V1.3.1 and below.
Also affected are FreeRTOS’ commercial version WHIS OpenRTOS, and its “safety-oriented” version SafeRTOS which is based on the functional model of FreeRTOS, and is certified for use in safety critical systems.
The vulnerabilities specifically exist in FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules (in as well as in the WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS).
These vulnerabilities include four remote code execution bugs (CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, and CVE-2018-16528); seven information leak vulnerabilities (CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603) one denial of service flaw (CVE-2018-16523) and a final (CVE-2018-16598) that was unspecified.
zLabs said it has disclosed the security issues to Amazon and collaborated with them to patch the vulnerabilities. Those fixes were deployed for AWS FreeRTOS versions 1.3.2 and onwards. The vulnerabilities in RTOS WHIS were also patched.
Amazon did not respond to a request for comment from Threatpost.
Due to the amount of vendors impacted by the bugs, the researchers said that they would hold off on publishing further details until all holes have been sealed.
“Since this is an open source project, we will wait for 30 days before publishing technical details about our findings, to allow smaller vendors to patch the vulnerabilities,” they said.
While zLabs didn’t specify the number of devices impacted, FreeRTOS is a big OS in the IoT landscape, and has been ported to over 40 hardware platforms in the past 14 years. In fact, in a 2017 survey by Aspencore, FreeRTOS was the top pick by IT professionals when asked which operating system they are considering using in the next 12 months.
The number of connected devices continues to plague the community with worries about how they are concerned – particularly since a 2016 Mirai botnet mounted a distributed denial of service (DDoS) attack through 300,000 vulnerable IoT devices, like webcams, routers and video recorders.
Since then, from connected cars to power grids, the impact of IoT security issues seem to be getting graver (including privacy issues in connected consumer devices and the potential for dangerous industrial IoT system hacks).
At the same time, the sheer scope of potential attack vectors is proliferating. For instance, Google Home devices, smart plugs and smart padlocks have all recently been in the spotlight for security flaws.
FreeRTOS and SafeRTOS, for their part, “have been used in a wide variety of industries: IoT, Aerospace, Medical, Automotive, and more,” according to the company’s post. “Due to the high risk nature of devices in some of these industries, zLabs decided to take a look at the connectivity components that are paired with these OS’s. Clearly, devices that have connectivity to the outside world are at a higher degree of risk of being attacked.”