IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

AWS FreeRTOS vulnerabilities could crash IoT devices, warn cyber security researchers

Flaws in IoT operating system could allow hackers to compromise devices and leak data

Security researchers have discovered vulnerabilities in a popular operating system aimed at IoT devices that could enable attackers to crash connected devices in critical infrastructure systems and smart homes.

Researchers at IT security firm Zimperium discovered there are around 13 flaws in the FreeRTOS operating system that could let hackers crash devices, leak data or remotely execute code on them, allowing the devices to be compromised.

The flaws impact FreeRTOS V10.0.1 and below (with FreeRTOS+TCP), and AWS FreeRTOS V1.3.1 and below.

FreeRTOS has been ported to over 40 hardware platforms over the last 14 years, according to Zimperium researcher Ori Karliner. In November 2017, Amazon Web Services (AWS) took stewardship for the FreeRTOS kernel and its components.

He said that AWS FreeRTOS aims to provide a fully-enabled IoT platform for microcontrollers, by bundling the FreeRTOS kernel together with the FreeRTOS TCP/IP stack, modules for secure connectivity, over the air updates, code signing, AWS cloud support, and more.

"During our research, we discovered multiple vulnerabilities within FreeRTOS's TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS," explained Karliner.

"These vulnerabilities allow an attacker to crash the device, leak information from the device's memory, and remotely execute code on it, thus completely compromising it."

The bugs include four remote code execution bugs (CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, and CVE-2018-16528); seven information leak vulnerabilities (CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603) one denial of service flaw (CVE-2018-16523) and an unspecified flaw (CVE-2018-16598).

Karliner said the bugs were disclosed to Amazon who collaborated with them to create patches for the bugs. These patches were deployed for AWS FreeRTOS versions 1.3.2 and onwards.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Most Popular

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs
zero-day exploit

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs

18 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
Google is now spending a staggering amount on blockchain
Business strategy

Google is now spending a staggering amount on blockchain

17 Aug 2022