Researchers from Zimperium’s zLabs team have discovered that the popular Internet of Things real-time operating system from AWS – FreeRTOS – is riddled with serious vulnerabilities that could let hackers crash connected devices in homes or critical infrastructure systems.
FreeRTOS is an open source operating system commonly used in embedded devices. With support for more than 40 hardware platforms, FreeRTOS is used in millions of embedded devices – including sensors, smart lights, home door locks, medical devices and industrial applications – across multiple industries. An Aspencore survey from 2017 shows FreeRTOS as the top pick by IT professionals when asked which operating system they are considering using in the next 12 months.
The bugs in the system would allow hackers to access and leak personal data from the devices’ memory and then completely take the devices over.
And while patches have been issued, researchers warn that it still may take time for smaller vendors to update.
“These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it,” said Ori Karliner, a Zimperium researcher, in a recent blog post. “We disclosed these vulnerabilities to Amazon and collaborated (and continue to do so) with them to produce patches to the vulnerabilities we detected.”
Due to the number of vendors impacted by the bugs, the researchers said that they would hold off on publishing further details until all holes have been sealed. “Since this is an open source project, we will wait for 30 days before publishing technical details about our findings, to allow smaller vendors to patch the vulnerabilities,” they said.
Connected IoT devices continue to cause security concerns, with new, more sophisticated IoT botnets targeting a wide range of devices. From connected cars to power grids, the potentially negative impact of IoT security issues seems to be escalating. At the same time, IoT attack vectors are proliferating, with the global number of IoT devices expected to reach 10 billion by 2020 and 22 billion by 2025.
“We are seeing more and more vulnerabilities with IoT devices that are easy for hackers to exploit,” said Luis Corrons, security evangelist from Avast. “Because connected devices will be an easy target for the foreseeable future, companies and consumers need to proactively seek and implement measures to protect themselves from malicious actors.”
Here are Avast’s top tips to secure your IoT devices:
- Conduct an audit to understand what devices you have connected to the internet. Outside of laptops, smartphones and tablets, many homes today have smart TVs, games consoles, smart speakers, and webcams. Keeping an audit of these devices will help you manage which devices to protect over time.
- Protect connected devices with strong passwords. Smart devices today ship with default usernames and passwords which are easy for bad actors to discover and compromise.
- Check with the vendors of your smart devices about how to keep them updated. Security updates help patch identified flaws. Installing these updates as soon as they are released will help to keep your devices secure online.