Recently, the researchers found that the popular Internet of Things (IoT) real-time operating system FreeRTOS has serious vulnerabilities. These vulnerabilities can allow hackers to break connected devices in smart homes or critical infrastructure systems, reveal information from device memory, and take over devices. Although patches have been released, the researchers alerted that updates from small vendors still take time.
The researcher recently analyzed some of the major operating systems in the IoT market, including FreeRTOS (an open source operating system designed for microcontrollers in IoT devices). In several versions of FreeRTOS, the researchers discovered 13 vulnerabilities that support the implementation of a range of attacks. The same vulnerability exists in the TCP/IP component that connects to OpenRTOS\SafeRTOS.
FreeRTOS provides an operating system for microcontrollers that vendors can bundle with IoT devices and other components in the solution, such as TCP/IP stacks, connectivity modules, and wireless (OTA) updates.
The most affected by these vulnerabilities are FreeRTOS V10.0.1 and below (using FreeRTOS+TCP) and AWS FreeRTOS V1.3.1 and below. Also affected are the commercial version of FreeRTOS, WHIS OpenRTOS, and the version of SafeRTOS for security systems based on the FreeRTOS functional model. These vulnerabilities exist in the TCP/IP stack of FreeRTOS and the AWS Secure Connection Module (and the WHIS Connect TCP/IP component of OpenRTOS\SafeRTOS). These vulnerabilities include four remote code execution vulnerabilities (CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528); 7 information disclosure vulnerabilities (CVE-2018-16524, CVE-2018) -16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603) 1 Denial of Service Vulnerability (CVE-2018-16523), 1 not specified (CVE-2018-16598).
The researcher said it has disclosed security issues to Amazon and worked with them to fix the vulnerability. These fixes have been deployed for AWS FreeRTOS version 1.3.2 and higher. The vulnerabilities in the RTOS WHIS have also been fixed. Due to the large number of vendors affected by these vulnerabilities, the researchers said they will postpone more details until all vulnerabilities have been fixed. “Because this is an open source project, we will post the technical details of the results of the investigation after delaying the 30-day period for small vendors to fix the vulnerability.”
Although the researcher does not explicitly state the number of devices affected, FreeRTOS is a large operating system in the Internet of Things that has been ported to more than 40 hardware platforms in the past 14 years. In fact, in Aspencore’s 2017 survey, FreeRTOS was the first choice for IT professionals when asked what operating system they were considering for the next 12 months. Based on these details, the quantity level is at least not low.
From the release of DDOS attacks by the Mirai botnet in 2016 through 300,000 vulnerable IoT devices (such as cameras, routers, video recorders, etc.), the negative impact of IoT security issues seems to be growing, and at the same time, potential The range of attack vectors has also increased dramatically, such as Google Home devices, smart plugs and smart padlocks. The application scope of the FreeRTOS system has also spread throughout the Internet of Things, aerospace, medical industry, and the automotive industry. Therefore, once the vulnerability is exploited, the consequences are unimaginable, and the security of the Internet of Things requires more attention and measures.
Learn more about 360 Total Security