Patch me, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking

AWS-stewarded net-connected platform has multiple remote code execution vulnerabilities

Serious security flaws in FreeRTOS – an operating system kernel used in countless internet-connected devices and embedded electronics – can be potentially exploited over the network to commandeer kit.

Simply sending specially crafted malicious data to a vulnerable gadget, over the internet or network, can be enough to crash or hijack it, meaning miscreants can potentially seize control of strangers' devices – if they use a vulnerable kernel.

Commandeered equipment – think Internet-of-Things sensors and gizmos, and automotive and industrial systems – can then be used to, say, spy on owners, siphon data out of a network, launch other cyber-attacks, and so on.

Ori Karliner of Zimperium this month detailed 13 CVE-tagged security flaws, including several that allow for full remote code execution or a denial-of-service attack against at-risk devices.


Available under an MIT license, the FreeRTOS kernel is these days stewarded by Amazon Web Services, and used by embedded device developers as a low-footprint, low-power real-time operating system for microcontroller-grade kit. Thanks to its networking capabilities, it can talk to backend cloud services and other systems. Amazon offers an IoT cloud service involving the FreeRTOS kernel.

Karliner's research focused on the TCP/IP stack in AWS FreeRTOS and in the connectivity modules AWS uses for its service, though he noted that the WHIS TCP/IP component used for the OpenRTOS and SafeRTOS projects contains the same vulnerabilities. All of the vulnerable components are patched in version 1.3.2 of AWS FreeRTOS and in the latest versions of WHIS.

Basically, if you ship FreeRTOS-based network-connected kit, make sure your customers' products are updated to a non-vulnerable version of the operating system as soon as possible.

"FreeRTOS and SafeRTOS have been used in a wide variety of industries: IoT, Aerospace, Medical, Automotive, and more. Due to the high risk nature of devices in some of these industries, zLabs decided to take a look at the connectivity components that are paired with these OS's," Karliner said in a blog post explaining why he focused the research on the TCP/IP stack.

"Clearly, devices that have connectivity to the outside world are at a higher degree of risk of being attacked."

The most serious of the flaws would likely be the four remote code execution vulnerabilities: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528. Because of the bare-bones nature of FreeRTOS, a remote code exploit is essentially game over for the targeted device.

Similarly, CVE-2018-16523 is a denial of service flaw that could be used by the attacker to crash the targeted device, while CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, and CVE-2018-16603 would all allow information disclosure. Another bug, CVE-2018-16598, was simply classified as "other".

Because FreeRTOS is an open-source project, and versions of the kernel are so widely used, Karliner said he will hold off on releasing technical details of the flaws for another 30 days, to give people a chance to patch devices before exploits are developed. ®
