Researchers from IT security firm Zimperium have discovered vulnerabilities within leading IoT operating system FreeRTOS that could allow attackers to crash IoT devices used in smart homes and life-critical applications.
FreeRTOS is a leading open source OS in the IoT and embedded systems market. In November 2017, stewardship of the FreeRTOS kernel (and its components) was transferred to Amazon Web Services (AWS).
AWS FreeRTOS is Amazon’s attempt to provide a comprehensive IoT platform for microcontrollers that combines the FreeRTOS kernel and its TCP/IP stack with secure connectivity, OTA updates, code signing, and AWS cloud support.
Microcontrollers are single chip control devices found in most IoT devices, including appliances, sensors, industrial automation, and cars. Amazon says AWS FreeRTOS allows developers to securely connect small low-power devices to AWS cloud services.
However, research conducted by Zimperium security researcher Ori Karliner has revealed multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules.
Karliner says these vulnerabilities ‘allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it’.
The flaws were also found in a SafeRTOS, a commercial version of FreeRTOS maintained by WITTENSTEIN high integrity systems and certified for use in devices operating in safety-critical environments such as roads, hospitals or aerospace.
“Due to the high risk nature of devices in some of these industries, zLabs decided to take a look at the connectivity components that are paired with these OS’s,” Karliner said.
“We disclosed these vulnerabilities to Amazon, and collaborated (and continue to do so) with them to produce patches to the vulnerabilities we detected.”
AWS FreeRTOS and SafeRTOS have since fixed the security flaws. Zimperium waited 30 days before publishing details of the vulnerabilities.
Experts have warned that the proliferation of connected devices on the edge will bring new security risks and avenues for exploitation. The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) recently published a new voluntary Code of Practice to boost the security of IoT devices.