AWS FreeRTOS vulnerabilities could crash IoT devices, warn cyber security researchers

Flaws in IoT operating system could allow hackers to compromise devices and leak data

Security researchers have discovered vulnerabilities in a popular operating system aimed at IoT devices that could enable attackers to crash connected devices in critical infrastructure systems and smart homes.

Researchers at IT security firm Zimperium discovered there are around 13 flaws in the FreeRTOS operating system that could let hackers crash devices, leak data or remotely execute code on them, allowing the devices to be compromised.

Advertisement - Article continues below

The flaws impact FreeRTOS V10.0.1 and below (with FreeRTOS+TCP), and AWS FreeRTOS V1.3.1 and below.

FreeRTOS has been ported to over 40 hardware platforms over the last 14 years, according to Zimperium researcher Ori Karliner. In November 2017, Amazon Web Services (AWS) took stewardship for the FreeRTOS kernel and its components.

He said that AWS FreeRTOS aims to provide a fully-enabled IoT platform for microcontrollers, by bundling the FreeRTOS kernel together with the FreeRTOS TCP/IP stack, modules for secure connectivity, over the air updates, code signing, AWS cloud support, and more.

"During our research, we discovered multiple vulnerabilities within FreeRTOS's TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS," explained Karliner.

"These vulnerabilities allow an attacker to crash the device, leak information from the device's memory, and remotely execute code on it, thus completely compromising it."

Advertisement
Advertisement - Article continues below

The bugs include four remote code execution bugs (CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, and CVE-2018-16528); seven information leak vulnerabilities (CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603) one denial of service flaw (CVE-2018-16523) and an unspecified flaw (CVE-2018-16598).

Karliner said the bugs were disclosed to Amazon who collaborated with them to create patches for the bugs. These patches were deployed for AWS FreeRTOS versions 1.3.2 and onwards.

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now
Advertisement

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/server-storage/servers/355254/a-critical-flaw-in-350000-microsoft-exchange-remains-unpatched
servers

A critical flaw in 350,000 Microsoft Exchange remains unpatched

7 Apr 2020