Amazon has patched 13 flaws in an operating system used in IoT and smart home devices after it was discovered that the bugs could allow attackers to take over the devices.
The flaws were found in FreeRTOS, an open-source real-time operating system for microcontrollers that has been ported to more than 40 hardware platforms over the last 14 years. In November 2017, Amazon Web Services (AWS) took over stewardship of the FreeRTOS kernel and its components. There are also commercial derivatives of FreeRTOS maintained by WITTENSTEIN high integrity systems (WHIS): OpenRTOS, and the safety-certified SafeRTOS.
According to a blog post by researcher Ori Karliner of IT security firm Zimperium, the flaws affect FreeRTOS up to V10.0.1 (when used with the FreeRTOS+TCP stack), AWS FreeRTOS up to V1.3.1, and WHIS OpenRTOS and SafeRTOS (with the WHIS Connect middleware TCP/IP components).
The flaws were found in FreeRTOS's TCP/IP stack (FreeRTOS+TCP) and in the AWS secure connectivity modules. The same vulnerabilities are present in the WHIS Connect TCP/IP component for OpenRTOS/SafeRTOS, which shares that code.
IoT devices could be taken over
Because the bugs sit in the TCP/IP stack, they are reachable by anyone able to send packets to the device. They could allow an attacker to crash a device (denial of service), leak data from it, or remotely execute code; the last of these gives the attacker control of the device.
Karliner said the flaws were disclosed to Amazon, which then deployed patches in AWS FreeRTOS version 1.3.2 and onwards. WHIS has also fixed the vulnerabilities in OpenRTOS and SafeRTOS.
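A quick way to check whether a firmware source tree carries an affected FreeRTOS kernel, added here as an illustration and not code from Zimperium, Amazon or the FreeRTOS project: it reads the tskKERNEL_VERSION_NUMBER macro from task.h and compares it with the version thresholds quoted above. The macro name is real; the sample header text, the helper names and the threshold constants are constructed for this example from the article's own figures. The kernel version is only a proxy, since the bugs live in FreeRTOS+TCP and the AWS connectivity modules rather than in the kernel, so a build that does not link FreeRTOS+TCP is out of scope even if its kernel is old.

```python
import os
import re
from typing import Dict, Iterator, Optional, Tuple

Version = Tuple[int, int, int]

# Thresholds as stated in the article (not an official advisory table):
# FreeRTOS kernel up to V10.0.1, when built with FreeRTOS+TCP, is affected;
# AWS FreeRTOS is fixed from 1.3.2 onwards.
LAST_AFFECTED_KERNEL: Version = (10, 0, 1)
FIRST_FIXED_AWS: Version = (1, 3, 2)

# Constructed sample of the version macros as they appear in FreeRTOS's task.h
# (the macro names are real; this snippet is written for the example).
SAMPLE_TASK_H = """\
#define tskKERNEL_VERSION_NUMBER "V10.0.1"
#define tskKERNEL_VERSION_MAJOR 10
#define tskKERNEL_VERSION_MINOR 0
#define tskKERNEL_VERSION_BUILD 1
"""


def parse_version(text: str) -> Version:
    """Normalise 'V10.0.1', 'v10.1' or '1.3.2' into a 3-tuple of ints.

    Missing trailing components count as 0, so 'V10.1' compares as 10.1.0.
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+){0,2})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def kernel_version_from_task_h(source: str) -> Optional[Version]:
    """Extract the kernel version from the text of a FreeRTOS task.h, or None."""
    m = re.search(r'#define\s+tskKERNEL_VERSION_NUMBER\s+"([^"]+)"', source)
    return parse_version(m.group(1)) if m else None


def kernel_is_affected(version: Version, uses_freertos_plus_tcp: bool) -> bool:
    """True if the kernel version is in the affected range and FreeRTOS+TCP is linked."""
    return uses_freertos_plus_tcp and version <= LAST_AFFECTED_KERNEL


def aws_freertos_is_affected(version: Version) -> bool:
    """True if an AWS FreeRTOS release predates the first patched version, 1.3.2."""
    return version < FIRST_FIXED_AWS


def find_task_headers(root: str) -> Iterator[str]:
    """Yield every task.h under a source tree; vendored copies are common."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if "task.h" in filenames:
            yield os.path.join(dirpath, "task.h")


def audit_tree(root: str, uses_freertos_plus_tcp: bool = True) -> Dict[str, Tuple[Optional[Version], bool]]:
    """Map each task.h under root to (kernel version, affected?) for a quick report."""
    report: Dict[str, Tuple[Optional[Version], bool]] = {}
    for path in find_task_headers(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = kernel_version_from_task_h(fh.read())
        affected = version is not None and kernel_is_affected(version, uses_freertos_plus_tcp)
        report[path] = (version, affected)
    return report


if __name__ == "__main__":
    v = kernel_version_from_task_h(SAMPLE_TASK_H)
    print("sample task.h kernel version:", v, "affected with FreeRTOS+TCP:", kernel_is_affected(v, True))
    print("AWS FreeRTOS 1.3.1 affected:", aws_freertos_is_affected(parse_version("1.3.1")))
    print("AWS FreeRTOS 1.3.2 affected:", aws_freertos_is_affected(parse_version("1.3.2")))
```

Run `audit_tree("/path/to/firmware/src")` against a real tree to list every vendored kernel copy with its version; a tree that reports no task.h at all may still embed a prebuilt FreeRTOS library, which this source-level check cannot see.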
Internet of Business says
At the time of writing, Amazon has not issued a statement to Internet of Business about the flaws. It is unknown how many IoT devices have been affected by the bugs.
John Grimm, senior director of IoT Security Strategy at Thales eSecurity, told Internet of Business that with consumers prioritising convenience and functionality over security when it comes to the IoT – 57 percent don’t change default security settings on their digital assistants, for example – it’s down to manufacturers to ensure that security is built in, not bolted on, and embedded into devices at the point of manufacture.
“Flaws in the underlying operating system represent another entry point for cyber criminals, so it is crucial that manufacturers provide capabilities to update their products with verifiable, authentic patches to stay one step ahead and protected from security threats,” he said.