Flaws could have affected smart homes and critical infrastructure

A popular operating system used by Internet of Things (IoT) devices was found to harbor 13 serious vulnerabilities, including remote code execution bugs.

The flaws, which could allow hackers to completely compromise smart systems, were discovered in FreeRTOS by security firm Zimperium.

FreeRTOS is an open source OS kernel which has been ported to 40 hardware platforms, according to the researchers.

Amazon Web Services (AWS) took over stewardship of the kernel and its components in November 2017.

The vulnerabilities affected FreeRTOS versions up to v10.0.1 (with FreeRTOS+TCP) and AWS FreeRTOS up to v1.3.1, as well as the commercial versions OpenRTOS and SafeRTOS (with WHIS TCP/IP components), maintained by WHIS Connect.

These bugs have now been patched by Amazon, in cooperation with Zimperium, researcher Ori Karliner confirmed.

He wrote: “These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it.

“We disclosed these vulnerabilities to Amazon, and collaborated (and continue to do so) with them to produce patches to the vulnerabilities we detected.”

He added: “Since this is an open source project, we will wait for 30 days before publishing technical details about our findings, to allow smaller vendors to patch the vulnerabilities.”