
AWS FreeRTOS Vulnerabilities Allow Hackers To Control Your IoT Device

Article by diogo@techpatrol.com.au
October 22, 2018


Researchers disclosed earlier this week that FreeRTOS, a popular real-time operating system for Internet of Things devices, is riddled with serious vulnerabilities. The bugs allow an attacker to crash IoT devices, leak information from their memory, and take them over completely.

Because FreeRTOS is one of the most popular embedded real-time operating systems, the flaws expose a wide range of connected devices, from smart-home gadgets to critical infrastructure systems. Patches have been issued, but the researchers warn that it may still take time for smaller vendors to update the devices they ship.

Researcher Ori Karliner, of Zimperium's zLabs team, recently analyzed some of the leading operating systems in the IoT market, including FreeRTOS, an open-source OS designed specifically for the microcontrollers found in IoT devices. Across several versions of FreeRTOS, Karliner found 13 vulnerabilities enabling an array of attacks: remote code execution, information leaks and denial of service.

What is FreeRTOS (Amazon, WHIS OpenRTOS, SafeRTOS)?

A Real-Time Operating System is an operating system optimised for use in embedded/real-time applications. Its primary objective is to ensure a timely and deterministic response to events. An event can be external, such as a limit switch being hit, or internal, such as a character being received.

Using a real-time operating system allows a software application to be written as a set of independent tasks. Each task is assigned a priority, and it is the responsibility of the Real-Time Operating System to ensure that, of the tasks able to run, the one with the highest priority is the one actually running. A task may be unable to run because it is waiting for an external event to occur, or because it is waiting for a fixed time period to elapse.
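The scheduling rule described above (of the tasks able to run, the highest-priority one runs) as a small simulation in C. This is an added example written for this page, not FreeRTOS source: the task structure, the pick_task/on_tick/on_event functions and the three sample tasks are constructed for illustration, and a real kernel would also time-slice between equal priorities and provide the idle task itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of fixed-priority scheduling; not FreeRTOS code. All names are invented. */
typedef enum { TASK_READY, TASK_BLOCKED_ON_EVENT, TASK_BLOCKED_UNTIL_TICK } task_state_t;

typedef struct {
    const char  *name;
    unsigned     priority;   /* higher number = higher priority */
    task_state_t state;
    unsigned     event_id;   /* meaningful when TASK_BLOCKED_ON_EVENT */
    uint32_t     wake_tick;  /* meaningful when TASK_BLOCKED_UNTIL_TICK */
} task_t;

#define EV_CHAR_RECEIVED 1u   /* internal event: a character arrived on the UART */
#define EV_SHUTDOWN      2u   /* external event that nobody raises in the demo */

/* Index of the highest-priority task able to run, or -1 when only the idle task can run.
 * On equal priority the lowest index wins; a real kernel would time-slice between them. */
int pick_task(const task_t *tasks, size_t n)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (tasks[i].state != TASK_READY) continue;
        if (best < 0 || tasks[i].priority > tasks[best].priority) best = (int)i;
    }
    return best;
}

/* Tick interrupt: tasks whose fixed wait has elapsed become ready again. Returns how many woke. */
size_t on_tick(task_t *tasks, size_t n, uint32_t now)
{
    size_t woken = 0;
    for (size_t i = 0; i < n; i++)
        if (tasks[i].state == TASK_BLOCKED_UNTIL_TICK && tasks[i].wake_tick <= now) {
            tasks[i].state = TASK_READY;
            woken++;
        }
    return woken;
}

/* Event (limit switch, received character, ...): readies every task waiting on it. */
size_t on_event(task_t *tasks, size_t n, unsigned event_id)
{
    size_t woken = 0;
    for (size_t i = 0; i < n; i++)
        if (tasks[i].state == TASK_BLOCKED_ON_EVENT && tasks[i].event_id == event_id) {
            tasks[i].state = TASK_READY;
            woken++;
        }
    return woken;
}

/* The running task gives up the CPU until an event arrives or a deadline passes. */
void block_on_event(task_t *t, unsigned event_id) { t->state = TASK_BLOCKED_ON_EVENT; t->event_id = event_id; }
void block_until(task_t *t, uint32_t tick)        { t->state = TASK_BLOCKED_UNTIL_TICK; t->wake_tick = tick; }

static void append(char *buf, size_t cap, const char *s)
{
    if (buf[0] != '\0') strncat(buf, ",", cap - strlen(buf) - 1);
    strncat(buf, s, cap - strlen(buf) - 1);
}

/* Replays a constructed scenario; returns the scheduling decision at each step, comma separated. */
const char *run_demo(void)
{
    static char trace[96];
    task_t tasks[] = {                       /* constructed sample task set */
        { "logger",  1, TASK_READY, 0, 0 },
        { "control", 3, TASK_READY, 0, 0 },
        { "uart_rx", 2, TASK_READY, 0, 0 },
    };
    const size_t n = sizeof tasks / sizeof tasks[0];
    int cur;
    trace[0] = '\0';

    cur = pick_task(tasks, n); append(trace, sizeof trace, tasks[cur].name);  /* control: highest priority */
    block_until(&tasks[cur], 5);                                              /* control waits 5 ticks */
    cur = pick_task(tasks, n); append(trace, sizeof trace, tasks[cur].name);  /* uart_rx: next highest */
    block_on_event(&tasks[cur], EV_CHAR_RECEIVED);                            /* uart_rx waits for a byte */
    cur = pick_task(tasks, n); append(trace, sizeof trace, tasks[cur].name);  /* logger: the only ready task */
    on_tick(tasks, n, 4);
    cur = pick_task(tasks, n); append(trace, sizeof trace, tasks[cur].name);  /* logger: nothing has expired */
    on_tick(tasks, n, 5);
    cur = pick_task(tasks, n); append(trace, sizeof trace, tasks[cur].name);  /* control: its wait elapsed */
    on_event(tasks, n, EV_CHAR_RECEIVED);
    cur = pick_task(tasks, n); append(trace, sizeof trace, tasks[cur].name);  /* control still outranks uart_rx */
    for (size_t i = 0; i < n; i++) block_on_event(&tasks[i], EV_SHUTDOWN);    /* everyone blocked */
    cur = pick_task(tasks, n); append(trace, sizeof trace, cur < 0 ? "idle" : tasks[cur].name);
    return trace;
}

int main(void)
{
    printf("%s\n", run_demo());   /* control,uart_rx,logger,logger,control,control,idle */
    return 0;
}
```

The fifth and sixth steps are the point of the passage: once uart_rx's character arrives it is ready, but it does not run until control blocks again, because the scheduler always picks the highest-priority task that is able to run, not the one that most recently became ready.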

Since late last year, the FreeRTOS project has been managed by Amazon, which created Amazon FreeRTOS (a:FreeRTOS), an IoT operating system for microcontrollers, by upgrading the FreeRTOS kernel and some of its components.

Amazon extended FreeRTOS with modules for secure connectivity, over-the-air updates, code signing, AWS cloud support, and more.

Besides Amazon, WITTENSTEIN high integrity systems (WHIS) maintains two variants of FreeRTOS: a commercial version called WHIS OpenRTOS, and a safety-oriented RTOS called SafeRTOS, intended for safety-critical devices.

Vulnerabilities and Patches:

Ori Karliner, a security researcher at Zimperium Security Labs (zLabs), discovered a total of 13 vulnerabilities in FreeRTOS's TCP/IP stack; the same issues also affect the variants maintained by Amazon and WHIS, as listed in the table below:

[Table: the 13 FreeRTOS vulnerabilities reported by zLabs (reproduced in the original article as an image)]

The vulnerabilities exist in FreeRTOS's TCP/IP stack and in the AWS secure connectivity modules, as well as in the WHIS Connect TCP/IP component used by OpenRTOS and SafeRTOS.

Zimperium responsibly reported the vulnerabilities to Amazon, and the company yesterday deployed security patches: the fixes are included in AWS FreeRTOS versions 1.3.2 and onwards (the latest release is v1.4.2).

“We also received confirmation from WHIS that they were exposed to the same vulnerabilities, and those were patched together with Amazon,” zLabs says.

To give smaller vendors time to patch before attackers try to exploit the issues, zLabs has decided not to publish technical details of the vulnerabilities for at least a month. If you require any assistance, please contact us as soon as possible.
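A practical check for the warning above that smaller vendors may lag behind: given the release numbers a device fleet reports, flag every unit still on an AWS FreeRTOS build older than 1.3.2, the first release the article names as carrying the fixes. This is an added example, not code from Zimperium, Amazon or WHIS. The inventory lines are constructed, and the parsing rules are this example's own choices: an optional "v" prefix is accepted, a pre-release suffix such as "-rc1" is treated as older than the final release, and anything unparseable is reported for manual review rather than silently passed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First AWS FreeRTOS release the article names as carrying the fixes: 1.3.2 and onwards. */
#define FIXED_MAJOR 1UL
#define FIXED_MINOR 3UL
#define FIXED_PATCH 2UL

typedef struct {
    unsigned long major, minor, patch;
    int prerelease;   /* 1 if a "-suffix" followed the numbers, e.g. 1.3.2-rc1 */
} version_t;

/* Parse "1.4.2", "v1.3.1", "1.3" (patch defaults to 0) or "1.3.2-rc1".
 * Returns 0 on success, -1 if the string is not a version this example understands. */
int parse_version(const char *s, version_t *out)
{
    unsigned long parts[3] = { 0, 0, 0 };
    int n = 0;

    if (s == NULL || out == NULL) return -1;
    while (isspace((unsigned char)*s)) s++;
    if (*s == 'v' || *s == 'V') s++;

    for (;;) {
        char *end;
        if (!isdigit((unsigned char)*s)) return -1;    /* every component must start with a digit */
        parts[n++] = strtoul(s, &end, 10);
        s = end;
        if (n == 3 || *s != '.') break;
        s++;                                            /* skip the '.' */
    }
    if (n < 2) return -1;                               /* need at least major.minor */

    /* Only a pre-release ("-rc1"), build metadata ("+build7") or trailing space may follow. */
    if (*s != '\0' && *s != '-' && *s != '+' && !isspace((unsigned char)*s)) return -1;

    out->major = parts[0];
    out->minor = parts[1];
    out->patch = parts[2];
    out->prerelease = (*s == '-');
    return 0;
}

/* <0, 0, >0 as a is older than, equal to, newer than b (numeric part only). */
int compare_version(const version_t *a, const version_t *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* 1 = fixed release or later, 0 = still vulnerable, -1 = cannot tell (review by hand). */
int aws_freertos_is_patched(const char *version)
{
    version_t v;
    const version_t fixed = { FIXED_MAJOR, FIXED_MINOR, FIXED_PATCH, 0 };
    int c;

    if (parse_version(version, &v) != 0) return -1;
    c = compare_version(&v, &fixed);
    if (c > 0) return 1;
    if (c < 0) return 0;
    return v.prerelease ? 0 : 1;   /* 1.3.2-rc1 predates the 1.3.2 release: not fixed */
}

/* Scans "device,version" inventory lines, prints a verdict per line and returns how many
 * devices are not known to be patched (vulnerable or unparseable). */
int count_needing_action(const char *const *lines, size_t n)
{
    int needing = 0;
    for (size_t i = 0; i < n; i++) {
        const char *version = strchr(lines[i], ',');
        int verdict = version ? aws_freertos_is_patched(version + 1) : -1;
        printf("%-28s %s\n", lines[i],
               verdict == 1 ? "patched" : verdict == 0 ? "VULNERABLE: update" : "UNKNOWN: review");
        if (verdict != 1) needing++;
    }
    return needing;
}

int main(void)
{
    /* Constructed inventory, in the shape a fleet-management export might produce. */
    static const char *const inventory[] = {
        "thermostat-01,1.4.2",
        "gateway-07,v1.3.2",
        "sensor-12,1.3.1",
        "sensor-13,1.3",
        "camera-02,1.3.2-rc1",
        "pump-controller-04,unknown",
    };
    int n = count_needing_action(inventory, sizeof inventory / sizeof inventory[0]);
    printf("%d device(s) need action\n", n);   /* 4 device(s) need action */
    return 0;
}
```

Two caveats when applying this to a real fleet. First, the number to compare is the AWS FreeRTOS release the advisory is stated against, not the FreeRTOS kernel's own version string (the kernel's tskKERNEL_VERSION_NUMBER follows a separate 10.x numbering), so make sure the inventory field actually carries the former. Second, a device reporting a patched version only proves the vendor rebuilt against a fixed SDK; a vendor that forked the TCP/IP stack may carry the bug under a newer label, which is why unparseable or vendor-specific strings are flagged for review rather than passed.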

