Amazon has had to patch 13 flaws found in an operating system used in smart home devices after it was discovered that the software bugs could enable hackers to take over the devices.
The flaws were found in FreeRTOS, an embedded operating system that has been ported to over 40 hardware platforms over the last 14 years. In November 2017, Amazon Web Services (AWS) took over stewardship of the FreeRTOS kernel and its components. There is also a commercial version of FreeRTOS, named OpenRTOS and maintained by WITTENSTEIN high integrity systems (WHIS).
According to a blog post by researcher Ori Karliner of IT security firm Zimperium, the flaws affect FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, WHIS OpenRTOS, and SafeRTOS (with WHIS Connect middleware TCP/IP components).
The flaws were found in FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in the WHIS Connect TCP/IP component for OpenRTOS/SafeRTOS.
IoT devices could be taken over
These vulnerabilities could enable hackers to crash devices, leak data, and remotely execute code, the last of which could allow them to take control of a device.
Karliner said that the flaws were disclosed to Amazon, which then deployed patches in AWS FreeRTOS versions 1.3.2 and onwards. The vulnerabilities in the WHIS RTOS products were also fixed.