Researcher finds critical flaws in IoT products powered by the popular FreeRTOS

A security researcher has uncovered 13 vulnerabilities in software that powers a multitude of smart devices, all of them critical in nature and very dangerous in the wrong hands.

Ori Karliner with Zimperium discovered the critical flaws in FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, WHIS OpenRTOS and SafeRTOS (With WHIS Connect middleware TCP/IP components).

According to the documentation, four of the vulnerabilities allow remote code execution, one enables denial of service attacks (i.e. building a botnet of smart devices), and seven others would enable information leaks. The dangers involving the remaining bug are classified as “other.”

FreeRTOS is deeply embedded in the IoT ecosystem. Maintained by Amazon, which took stewardship of its kernel and components, “AWS FreeRTOS aims to provide a fully enabled IoT platform for microcontrollers, by bundling the FreeRTOS kernel together with the FreeRTOS TCP/IP stack, modules for secure connectivity, over the air updates, code signing, AWS cloud support, and more,” explains Karliner.

FreeRTOS drastically reduces development time and costs, letting developers focus entirely on innovation. But this convenience comes at a cost.

“During our research, we discovered multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS,” Karliner writes. “These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it.”

Karliner and his colleagues disclosed the bugs responsibly, keeping the technicalities away from the public to give the vendors time to repair the software.

“We disclosed these vulnerabilities to Amazon, and collaborated (and continue to do so) with them to produce patches to the vulnerabilities we detected,” the team said. “Since this is an open source project, we will wait for 30 days before publishing technical details about our findings, to allow smaller vendors to patch the vulnerabilities.”

Amazon has already patched some of the bugs, and WHIS told the researchers that the vulnerabilities in its own backyard were patched together with Amazon.