Just when you thought cyberattacks on the IoT couldn’t get any more worrisome, last month Ori Karliner of Zimperium, a US-based, global company focused on in mobile security offering real-time, on-device protection against both known and unknown Android and iOS threats, shared in a blog that FreeRTOS TCP/IP Stack Vulnerabilities are so serious they are putting a wide range of devices at risk of compromise, from smart homes to critical infrastructure.
In his post, Karliner wrote:
“As a part of our ongoing IoT platform research, zLabs recently analyzed some of the leading operating systems in the IoT market, including FreeRTOS. FreeRTOS is a market leader in the IoT and embedded platforms market, being ported to over 40 hardware platforms over the last 14 years. In November 2017, Amazon Web Services (AWS) took stewardship for the FreeRTOS kernel and its components.”
The goal of AWS FreeRTOS is to provide a fully-enabled IoT for microcontrollers, combining the FreeRTOS kernel together with the FreeRTOS TCP/IP stack, modules for secure connectivity, over the air updates, code signing, AWS cloud support and more.
Karliner’s post also covered the commercial OpenRTOS and SafeRTOS maintained by WITTENSTEIN high integrity systems (WHIS). SafeRTOS is based on the functional model of FreeRTOS and certified for use in mission critical safety critical systems.
“FreeRTOS and SafeRTOS have been used in a wide variety of industries,” Karliner’s post continued, including IoT, aerospace, medical, automotive, and more. Due to the high-risk nature of devices in some of these industries, zLabs tested connectivity components that are paired with these operating systems.
“Clearly, devices that have connectivity to the outside world are at a higher degree of risk of being attacked,” Karliner wrote, and continued to share “multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOSSafeRTOS.”
These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it, and were disclosed to Amazon, who is collaborating with Zimperium to address them, producing patches for the detected vulnerabilities.
We asked IoT entrepreneur, expert, author and President and COO of Centri, Don DeLoach, about his response to this news, and he responded, “With an ever-expanding mesh of connected devices throughout the world, can we now feel safe since we are aware and have remediated numerous viruses, along with vulnerabilities like those in BLE, OpenSSL, and now FreeRTOS? Probably not.”
DeLoach went on to say, “Mathematically speaking, there will be other attacks, other vulnerabilities. Moreover, this undermines the necessary trust required for our emerging cyber-physical world. The answer is to re-think the problem.”
Security vulnerabilities are nothing new to the tech industry. Industry observers may recall the Heartbleed security bug, which was introduced in 2012 but not disclosed until 2014, which exploited a vulnerability in OpenSSL.
Likewise, there are other known vulnerabilities, especially ones associated with the Internet of Things. Devices like Bluetooth Low Energy equipped devices have experienced widely documented vulnerabilities, and while there are patches for some of these, millions of these devices are likely still in operation and remain vulnerable. Over the years there have been countless examples of devices and systems being compromised via various protocols and viruses.
“Many IoT enthusiasts, myself included, often refer to the unmistakable move to a hyper-connected world as a baseline for widespread optimism, creative stimulation, and vast monetary rewards,” DeLoach said, “but unfortunately we are also facing very real threats. The more we move towards the cyber-physical world, the more we depend on the capabilities and the data associated with that progression. We are probably past the point of no return; it’s not going away. That is a great thing when we contemplate optimizing supply chains, creating better cities, extending healthcare, running more efficient factories, growing more and better food, and so much more.”
DeLoach shared this analogy: “Think of it like this: a long time ago, villagers each lived in a one-room bungalow. If the heating went out, or the lights were not working, it impacted one bungalow. Over time they moved into a four-unit apartment complex. Now the infrastructure affected four tenants. A few years ago, they moved to an 80-story building with 3,000 tenants. If the infrastructure is compromised there, the impact is far more significant. In the cyber-physical world we are headed for is like a 60,000 story, 100 square mile condo housing most of the world’s population. When the electric gets shut off, or the gas leaks, or the water gets compromised, it’s a really, really bad day. That’s the fear part of the Internet of Things.”
DeLoach believes our hyper-connected world increases the attack vectors in ways that can undermine all the tremendous potential benefits.
“The tire valve in the SUV and the thermometer in the fish tank of the casino both seemed incredibly innocuous, yet both were the source of attacks,” he said. “If we are going to continue to extend the reach of the Internet of Things (and we are), then we have to have trust that the devices we use and the interactions we have cannot been compromised. Trust means everything. Without it, everything else is compromised.”
DeLoach believes new layered security models are emerging, and that it’s high time the industry began paying more attention to these.
“Layered security models began in the military and had nothing to do with cyber-security,” DeLoach explained. “However, a layered security model is precisely what is emerging as the best practice for digitally securing enterprises, governments, and even consumers. It’s not enough to change your password. It’s not enough to use a VPN. It’s not enough to avoid public Wifi. It’s not enough to password protect your devices. However, doing them all in combination goes a long way.”
DeLoach is happy Free RTOS is being patched, but says “It has been already, and there will be many devices out there running unpatched versions, just like there are many BLE 4.0 and 4.1 devices still running that remain vulnerable. That said, there are good options that are designed specifically for low form factor, low powered devices that can layer-in communication channel and protocol agnostic layered security that goes a long, long way to bolster the security of these devices. Putting these safeguards in place is not difficult, any more than installing a VPN on your laptop or designating a decent password, but they don’t get put in place by accident.”
DeLoach counsels the industry to take full initiative in securing the environment.
“It would be best if you were looking deeper into how your device makers secure those devices. If you are responsible for the corporate enterprise or the city infrastructure, you should be concerned, but you should be enabling a layered security model, pure and simple. That goes a long way to a ‘Trusted IoT’ world, without which, we have a great opportunity that could well go unrealized.”
Edited by Ken Briodagh