Home Threats Researcher points out multiple vulnerabilities in IoT operating systems

Researcher points out multiple vulnerabilities in IoT operating systems

Internet of Things

A research expert from the security firm Zimperium recently pointed several vulnerabilities in a number of IoT (Internet of Things) operating systems, including FreeRTOS from AWS. Ori Karliner, the researcher from zLabs, came across 13 flaws in the FreeRTOS operating system that could let attackers compromise the connected devices or leak data in infrastructure systems and smart homes.

“During our research, we discovered multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS,” explained Karliner. “These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it.”

Karliner stated the discovered vulnerabilities include four remote code execution bugs (CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528), seven information leak vulnerabilities (CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603), one denial of service flaw (CVE-2018-16523), and an unspecified flaw (CVE-2018-16598), which impact FreeRTOS V10.0.1, AWS FreeRTOS V1.3.1 and its below versions. The vulnerabilities have been disclosed to Amazon Web Services (AWS).

Recently, the experts from Edinburgh Napier University and US electronics manufacturer Keysight Technologies started working on a research project to assess the vulnerabilities of the Internet of Things (IoT) devices to cyber- attacks. The 12-month project maintained by the Innovation Centre for Sensor and Imaging Systems (Censis) will use data analytics to create an outline for manufacturers to estimate the risks associated with different IoT devices.

“The biggest thing holding back the development of the IoT is security – specifically, concerns about the vulnerabilities of devices, the ease of hacking them, and the consequences of such hacks. In healthcare, for example, IoT could transform the way we monitor health and manage conditions like asthma. Only if we can improve confidence in IoT security can we realize the potential of smart technology,” said Professor Bill Buchanan, supervisor of the project.