Amazon’s FreeRTOS Powering Millions Of IoT Devices Is Plagued With Massive Security Flaws

Internet of Things
It does not seem all that farfetched that one day even your toaster will connect to the web and download crusty designs to sear into your bread. We have entered the Internet of Things (IoT) era. The focus on IoT devices can lead to some fun and interesting things (and of course useful), but also comes with added risk. To that end, security researchers warn of newly discovered vulnerabilities affecting one of the most popular IoT platforms out there.

That platform is FreeRTOS, which is widely used in a range of IoT and embedded devices. FreeRTOS is a real-time operating system kernel with a small memory footprint and low overhead. It's also pretty fast and supported on a whole bunch of architectures, including ARM, Intel x86, Freescale, and more. Amazon is among those that employs a version of FreeRTOS.

Amazon FreeRTOS

Amazon's AWS FreeRTOS combines the FreeRTOS kernel with the FreeRTOS TCP/IP stack, providing a sort of all-encompassing infrastructure for developers. Researchers at Zimperium say they have discovered multiple vulnerabilities within FreeRTOS's TCP/IP stack and in the AWS security connectivity modules, along with the commercial WITTENSTEIN high integrity systems (WHIS) Connect's TCP/IP component for OpenRTOS and SafeRTOS.

These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it. We disclosed these vulnerabilities to Amazon, and collaborated (and continue to do so) with them to produce patches to the vulnerabilities we detected," Zimperium said.

The researchers discovered more than a dozen vulnerabilities, four of which are remote code execution flaws. Seven of them deal with information leaks, one other could be used for a denial of service attack, and more is labeled as "other."

Amazon and WHIS have already deployed patches. This being an open source project, Zimperium said it will wait 30 days before publishing technical details so that smaller vendors will have ample time to patch the security holes.

IoT security is big deal, in part because of the number of devices out in the wild. Some of these devices have also been known to employ weak protection against outside threats, like generic default passwords. This has made IoT gadgets a popular target for multiple DDoS botnet attacks. It's nice to see that security researchers are actively looking for exploits in IoT infrastructures.