According to a new security report, Windows IoT Core, Microsoft's version of Windows for IoT devices, ships with a test service that lets an attacker on the same network run commands with system-level privileges and take complete control of the device. The researchers' tool for doing so is called SirepRAT.
The finding was announced at the WOPR Summit in New Jersey, where SafeBreach researcher Dor Azouri demonstrated the exploit, which allows a machine on the same wired network to run system-level commands on devices running the OS.
What Is Windows IoT?
Windows IoT, previously Windows Embedded, is a family of operating systems intended for embedded systems. Windows Embedded editions are licensed to original equipment manufacturers, who ship them to end users preloaded on their hardware.
Windows 10 IoT Core, the lightweight edition, is built to give developers low-level access to the hardware and supports the ARM CPUs widely used in IoT devices. Statistics show that this OS accounts for nearly 23 percent of IoT solution development and is used heavily in IoT gateways.
What about the attack surface? Meet SirepRAT
The attack demonstrated by Dor Azouri, and described in a recently published whitepaper, applies only to the stock downloadable images of the Core edition of Windows IoT, not to the customized builds vendors ship in their products. The researcher says the attack can be launched from a machine connected to the target device over an Ethernet cable.
More specifically, the demonstrated exploit targets a component of the Hardware Lab Kit (HLK), the test framework used to certify hardware for Windows 10 and Windows Server 2016. The HLK consists of server and client software: the server is the HLK Controller, and the client, installed on the devices under test, is the Sirep Test Service.
This is where the problem lies: the proprietary Sirep protocol is the weak spot. The Sirep Test Service regularly broadcasts the device's unique ID on the network to advertise the IoT device's presence, and the stock Windows IoT Core image opens three ports in its firewall to accept incoming Sirep connections.
The issue is that these incoming connections are not authenticated, so any machine that can reach the device over Ethernet can talk to the Sirep Test Service. The researcher suggests the gap comes from the way the testing service was ported from the old Windows Phone OS, where it ran over a USB connection and the physical link stood in for authentication.
How can this loophole be exploited? An unauthenticated machine can send a range of commands over those ports: retrieve system information from the device, get file information, and download or upload files. The most potent is LaunchCommandWithOutput, which takes a program path and command-line parameters, launches that program on the device and returns its output. A threat actor can use it to run arbitrary processes on the IoT device, with system-level privileges, from an unauthenticated machine.
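To make the design flaw concrete, below is a small Python model, added for this page and not taken from SirepRAT or from the Sirep wire protocol, of a command service that behaves like the one described: any peer that can open the port gets its LaunchCommandWithOutput request executed. Beside it is the check such a service would need before it could be exposed at all: a pre-shared-key HMAC over the request, a freshness window, and a nonce so a captured request cannot be replayed. The length-prefixed JSON framing, the field names, the freshness window and the key are all assumptions made for the example.

```python
"""Toy model of an unauthenticated 'launch command' test service and a hardened variant.

Added example: the framing (4-byte length prefix + JSON), field names and the
pre-shared key are assumptions, not Sirep's real protocol.
"""
import hashlib
import hmac
import json
import os
import struct
import subprocess
import sys
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window for authenticated requests


def encode_frame(msg: dict) -> bytes:
    """Serialise a request as a length-prefixed JSON frame (assumed framing)."""
    body = json.dumps(msg, sort_keys=True).encode()
    return struct.pack(">I", len(body)) + body


def decode_frame(frame: bytes) -> dict:
    """Parse one frame; reject truncated or over-long input before touching JSON."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    (length,) = struct.unpack(">I", frame[:4])
    if len(frame) != 4 + length:
        raise ValueError("frame length mismatch")
    return json.loads(frame[4:])


def canonical_bytes(req: dict) -> bytes:
    """Bytes covered by the MAC: every field except the MAC itself, in a fixed order."""
    return json.dumps({k: v for k, v in req.items() if k != "mac"}, sort_keys=True).encode()


def build_request(program: str, args, key: bytes = None, now: int = None) -> bytes:
    """Build a LaunchCommandWithOutput request; it is signed only if a key is supplied."""
    req = {
        "cmd": "LaunchCommandWithOutput",
        "program": program,
        "args": list(args),
        "nonce": os.urandom(16).hex(),
        "ts": int(time.time()) if now is None else now,
    }
    if key is not None:
        req["mac"] = hmac.new(key, canonical_bytes(req), hashlib.sha256).hexdigest()
    return encode_frame(req)


def echo_request(text: str, key: bytes = None, now: int = None) -> bytes:
    """Request that makes the device's own interpreter print `text` (a harmless payload)."""
    return build_request(sys.executable, ["-c", f"print({text!r})"], key=key, now=now)


def launch_with_output(program: str, args) -> dict:
    """Run the requested program and capture its output, as the command's name promises."""
    proc = subprocess.run([program, *args], capture_output=True, text=True, timeout=30)
    return {"status": "ok", "exit": proc.returncode, "stdout": proc.stdout, "stderr": proc.stderr}


def handle_unauthenticated(frame: bytes) -> dict:
    """The flawed design: whoever can reach the port gets their command executed."""
    req = decode_frame(frame)
    if req.get("cmd") != "LaunchCommandWithOutput":
        return {"status": "rejected", "reason": "unknown command"}
    return launch_with_output(req["program"], req.get("args", []))


def handle_authenticated(frame: bytes, key: bytes, seen_nonces: set, now: int = None) -> dict:
    """Hardened variant: verify a pre-shared-key HMAC, a freshness window and a fresh nonce."""
    req = decode_frame(frame)
    expected = hmac.new(key, canonical_bytes(req), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(str(req.get("mac", "")), expected):
        return {"status": "rejected", "reason": "bad or missing MAC"}
    now = int(time.time()) if now is None else now
    if abs(now - int(req.get("ts", 0))) > MAX_SKEW_SECONDS:
        return {"status": "rejected", "reason": "stale request"}
    nonce = req.get("nonce")
    if not nonce or nonce in seen_nonces:
        return {"status": "rejected", "reason": "replayed request"}
    seen_nonces.add(nonce)
    if req.get("cmd") != "LaunchCommandWithOutput":
        return {"status": "rejected", "reason": "unknown command"}
    return launch_with_output(req["program"], req.get("args", []))


def demo() -> dict:
    """Feed the same forged request from an unknown peer to both handlers."""
    attacker_frame = echo_request("ran as the service")
    key = os.urandom(32)  # held only by the legitimate controller
    return {
        "flawed": handle_unauthenticated(attacker_frame),
        "hardened": handle_authenticated(attacker_frame, key, set()),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the flawed handler executing the attacker's program and returning its output, while the hardened handler rejects the identical frame for lack of a valid MAC. The point is not that an HMAC would have been the right fix for Sirep, since a development test service should not be reachable from the network on a shipped device at all, but what "unauthenticated" means in practice: nothing in the request ties it to an authorised controller, so being able to reach the port is the only authorisation there is.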
Building on this, Dor Azouri and his team wrote a tool, dubbed SirepRAT, that implements the attack scenario against the flawed Windows IoT Core service.
How did Microsoft respond?
According to the researchers, the company said it would not act on the report because Sirep is an optional feature in Windows IoT Core. That leaves mitigation with whoever deploys the device: since the attack depends on the stock image and its open firewall ports, do not ship the stock development image, and make sure the Sirep Test Service is disabled and its ports are closed before a device is put on a network.