A Multitude of FreeRTOS Security Bugs Allow Hackers to Abuse IoT Devices

The FreeRTOS operating system, widely used by IoT devices, can be abused by computer hackers to take down devices that run it. A team of security researchers recently announced that it contains many bugs that give hackers numerous pathways into the target IoT appliances.




IoT Devices Can Be Easily Taken Down Via FreeRTOS Bug Exploits

The popular FreeRTOS operating system used by many IoT devices has been found to contain numerous bugs that allow hackers to easily exploit such devices. Although patches are being developed, they are not always deployed within the expected time frame. A team of security researchers announced that 13 vulnerabilities were uncovered during testing. They allow criminals to carry out various attacks: data theft, information leaking, remote code execution, network attacks, denial-of-service, etc. FreeRTOS can be abused either manually or in an automated way, using specialist penetration testing frameworks loaded with proof-of-concept code for the specific bug.


The vulnerable code was found within the TCP/IP network stack and the AWS secure connectivity components. This is one of the fundamental modules, and its abuse shows that significant damage can be done. Last year Amazon started to extend the main kernel with software libraries that allow IoT devices to connect to the AWS cloud services.

The full list of vulnerabilities includes the following:

  • Remote Code Execution — CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, and CVE-2018-16528.
  • Information Leak — CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603.
  • Denial-of-Service Bug — CVE-2018-16523.
  • Unspecified Vulnerability — CVE-2018-16598.

Patches have already been released for deployed instances of AWS FreeRTOS, in versions 1.3.2 and later. It is believed that many vendors use this operating system, so the publication of further information has been halted. A wait period of 30 days has started in order to allow the vendors to patch their modules. In turn, all IoT device owners will need to check whether their devices run a vulnerable version of the FreeRTOS operating system and take the necessary steps to protect themselves from hacking attacks.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
