The FreeRTOS operating system, widely used by IoT devices, can be abused by hackers to take down devices running it. A team of security researchers recently announced that it contains many bugs that give hackers numerous pathways into the targeted IoT appliances.
IoT Devices Can Be Easily Taken Down Via FreeRTOS Bug Exploits
The popular FreeRTOS operating system used by many IoT devices has been found to contain numerous bugs that allow hackers to easily exploit devices running it. Even though patches are being developed, they are not always implemented within the expected time frame. A team of security researchers announced that 13 vulnerabilities were uncovered during testing. They allow criminals to carry out various attacks: data theft, information leaking, remote code execution, network attacks, denial-of-service and others. FreeRTOS can be abused either manually or in an automated way, using specialist penetration testing frameworks loaded with proof-of-concept code for the specific bug.
The vulnerable code was found within the TCP/IP network stack and the AWS secure connectivity components. This is one of the fundamental modules, and its abuse shows that significant damage can be done. Last year Amazon started to extend the main kernel with software libraries that allow IoT devices to be connected to the AWS cloud services.
The full list of vulnerabilities includes the following:
- Remote Code Execution — CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, and CVE-2018-16528.
- Information Leak — CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603.
- Denial-of-Service Bug — CVE-2018-16523.
- Unspecified Vulnerability — CVE-2018-16598.
Patches have already been released for deployed instances of AWS FreeRTOS versions 1.3.2 and later. It is believed that many vendors use this operating system, and publication of further information has been halted. A wait period of 30 days has started in order to allow vendors to patch their modules. In turn, all IoT device owners will need to check whether their devices run a vulnerable version of the FreeRTOS operating system and take the necessary steps to protect themselves from hacking attacks.