This article is more than 1 year old

Patch me, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking

AWS-stewarded net-connected platform has multiple remote code execution vulnerabilities

Serious security flaws in FreeRTOS – an operating system kernel used in countless internet-connected devices and embedded electronics – can be potentially exploited over the network to commandeer kit.

Simply sending specially crafted malicious data to a vulnerable gadget, over the internet or network, can be enough to crash or hijack it, meaning miscreants can potentially seize control of strangers' devices – if they use a vulnerable kernel.

Commandeered equipment – think Internet-of-Things sensors and gizmos, and automotive and industrial systems – can then be used to, say, spy on owners, siphon data out of a network, launch other cyber-attacks, and so on.

Ori Karliner of Zimperium this month detailed 13 CVE-tagged security flaws, including several that allow for full remote code execution or a denial-of-service attack against at-risk devices.


Available under an MIT license, the FreeRTOS kernel is these days stewarded by Amazon Web Services, and used by embedded device developers as a low-footprint, low-power real-time operating system for microcontroller-grade kit. Thanks to its networking capabilities, it can talk to backend cloud services and other systems. Amazon offers an IoT cloud service involving the FreeRTOS kernel.

Karliner's research focused on the TCP/IP stack in AWS FreeRTOS and in the connectivity modules AWS uses for its service, though he noted that the WHIS TCP/IP component used for the OpenRTOS and SafeRTOS projects contain the same vulnerabilities. All of the vulnerable components are patched in version 1.3.2 of AWS FreeRTOS and the latest versions of WHIS.

Basically, if you ship FreeRTOS-based network-connected kit, make sure your customers' products are updated to a non-vulnerable version of the operating system as soon as possible.

"FreeRTOS and SafeRTOS have been used in a wide variety of industries: IoT, Aerospace, Medical, Automotive, and more. Due to the high risk nature of devices in some of these industries, zLabs decided to take a look at the connectivity components that are paired with these OS’s," Karliner said in blog post explaining why he focused the research on the TCP/IP stack.

Curiosity selfie as it drills for water

Curiosity Rover's OS has backdoor bug


"Clearly, devices that have connectivity to the outside world are at a higher degree of risk of being attacked."

The most serious of the flaws would likely be the four remote code execution vulnerabilities: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528. Because of the bare-bones nature of FreeRTOS, a remote code exploit is essentially game over for the targeted device.

Similarly, CVE-2018-16523 is a denial of service flaw that could be used by the attacker to crash the targeted device, while CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, and CVE-2018-16603 would all allow information disclosure. Another bug, CVE-2018-16598, was simply classified as "other".

Because FreeRTOS is an open-source project, and versions of the kernel are so widely used, Karliner said he will hold off on releasing technical details of the flaws for another 30 days, to give people a chance to patch devices before exploits are developed. ®

More about


Send us news

Other stories you might like