Windows IoT Core Vulnerable to SirepRAT Attack, Researcher Says

According to a new security report, Microsoft’s IoT version of Windows can be exploited in an attack called SirepRAT, in which hackers can take complete control of the system.

The vulnerability was announced during the WOPR Summit in New Jersey, where SafeBreach researcher Dor Azouri demonstrated the exploit, which allows a connected device to run system-level commands on other devices running the OS.



What Is Windows IoT?

Windows IoT, previously Windows Embedded, is a family of operating systems intended for use in embedded systems. It should be noted that Windows Embedded operating systems are available to original equipment manufacturers, which make them available to end users preloaded with their hardware.

The lightweight version of Windows 10 in particular is created with low-level access for developers. It supports ARM CPUs, which are widely used in IoT devices. Statistics show that this OS accounts for nearly 23 percent of IoT solutions development and is featured heavily in IoT gateways.

What about the attack surface? Meet SirepRAT

The attack demonstrated by Dor Azouri and presented in a recently published whitepaper is only valid for stock downloadable versions of the Core edition of Windows IoT, leaving the custom versions used in vendor products aside. The researcher says that the attack can be launched from a machine directly connected to the target device via an Ethernet cable.

More specifically, the demonstrated exploit targets the Hardware Library Kit (HLK), a test framework used to test hardware devices for Windows 10 and Windows Server 2006. The HLK consists of server and client software: the server is called HLK Controller, and the client, a piece of software installed on target test devices, is called Sirep.


This is where the problem is: the proprietary Sirep protocol is a weak spot. A Sirep test service regularly broadcasts the unique ID on the network to announce the presence of the IoT device. Moreover, Windows IoT Core is also designed to listen for incoming connections through three open ports on its firewall.

The issue is that these incoming connections are not authenticated, which means that any device can communicate with the Sirep test device via an Ethernet cable. The researcher also says that the issue may stem from the way the IoT testing service was ported from the old Windows Phone OS, which relied on USB connections.

How can this loophole be exploited? Unauthenticated devices may be able to send a range of commands via the ports, allowing them to obtain system information from the device. Other unwanted activities include retrieving and uploading files and getting file information. However, the most potent is the LaunchCommandWithOutput command, which retrieves the program path and command-line parameters needed to launch commands on the device. This information can be exploited by the threat actor to run processes on an IoT device from an unauthenticated machine.

That being said, Dor Azouri and his team were able to create a tool dubbed SirepRAT which enables their attack scenario based on the flaw in Windows IoT.


How did Microsoft respond?

Apparently, the company said it will not acknowledge the report because Sirep is an optional feature in Windows IoT Core, security researchers reported.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
