back to article Patch me, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking

Serious security flaws in FreeRTOS – an operating system kernel used in countless internet-connected devices and embedded electronics – can be potentially exploited over the network to commandeer kit. Simply sending specially crafted malicious data to a vulnerable gadget, over the internet or network, can be enough to crash or …

  1. elDog Silver badge

    The normal response is: You get what you paid for.

    However even tho FreeRTOS is free it is still a much better deal and security risk than those black-box proprietary and more expensive solutions.

    Of course the huge fly in the ointment is that the actual vendors using an OSS solution won't want to pony up the resources to fix these problems in their end-user products.

    1. Christian Berger Silver badge

      Re: The normal response is: You get what you paid for.

      As someone who has worked with FreeRTOS and seen the code inside of those "black-box proprietary and more expensive solutions", I can say that FreeRTOS is a very good deal.

  2. Mage Silver badge
    Facepalm

    Update and IoT in same paragraph?

    How many vendors will bother?

    How much stuff can be updated even by the vendor?

    If if can be updated remotely with no user intervention, that's a vulnerability. Yet many of these things have no sensible user interface.

  3. K Silver badge

    It's the same story over and over again - Shock... Horror... Grimace.. ROFLMAO

    Whilst manufacturers should take the heat.. at least some of it should be direct at the Idiots who keep exposing system's (unnecessarily) to the wider internet!

    I see this time and time again where I work, so-called engineers forget the first rule of security - Whitelist!

    1. Paul Crawford Silver badge

      Re: It's the same story over and over again - Shock... Horror... Grimace.. ROFLMAO

      Actually you forget the zeroth rule - don't connect stuff in the first place.

      If this is a network stack fault it could be exploitable before any IP style firewall/filter. Its more of a wakeup call, for those sleeping for a 100 years after eating the poison apple, that if you have connectivity you need an active patching/update system and some focus on security to make it happen without users having to do anything, As another commentard pointed out, that alone is also a risk.

  4. redpawn Silver badge

    Nothing to hide nothing to patch

    How am I supposed to manage a household without my toothbrush telling the wold I am low on paste or my refrigerator telling amazon the milk is sour or Alexa telling the Goog that no one is home. I want my light bulb to unlock the car when I go out and lock the house. The toaster should switch on the burner in the morning so I don't have to wait to cook eggs as long as there are some in the refrigerator. Burdensome patching only makes life harder.

    If you have nothing to hide, you have nothing to patch!

  5. EveryTime Silver badge

    No details yet on the key CVEs.

    That means we can't evaluate if these are actually exploitable flaws, or theorized vulnerabilities that aren't exploitable in real-world scenarios.

  6. OldCrow

    Misleading headline

    The FreeRTOS itself does not have an integrated TCP/IP stack. There is an official stack available, but it's only free if used on certain hardware. If you use an MCU that's supported by the OS but not the stack, then you'll have to pony up or provide your own TCP/IP stack.

    TL;DR: the flaw is not IN the FreeRTOS. It is beside the FreeRTOS.

    Case in point, the bugs in this article do not touch my current employer's products. For while we do use FreeRTOS, we use a different TCP/IP stack; one not listed here. (No, I'm not going to tell you which one.)

  7. Sixtysix
    Alert

    30 Days....

    ... would usually be plenty.

    In this case, 30 weeks would not be enough, and I suspect that most of these "thinglets" will never ever be patched/upgraded, and will become a zombie army for someone/thing.

    Dearly hope that "we" can identify and block traffic from them in the future, or this is how the Internet will die :(

  8. batfink
    FAIL

    Patch? HOW??

    Patch all those Idiocy-of-Things already out there in the wild? How? How would I force an Internet-connected toothbrush to update? Press the button 13 times with a pause between 10 & 11? Or do we rely on a Push from the vendor, which just means other security flaws?

    Tbf I do have a couple of remotely-accessible radiators in an Airbnb/rental flat I own, mainly for the fun of sitting on my sofa and turning the heating down on the fuckers energy efficiency. Their software does provide a very obvious and easy way to update the firmware, but of course most users' reaction will be "what's firmware?".

    Gaah. Intractable problem, caused by numpties who think that just because something can be connected to the net, it should be, regardless of use cases (or lack of).

  9. amanfromMars 1 Silver badge

    Wishful Thinking

    before exploits are developed.

    That ship sailed yonks ago.

  10. Michael H.F. Wilkinson Silver badge
    Coat

    Is it just me

    who thinks the "design" of many IoT products makes the marketing division of Sirius Cybernetics look smart?

    <sigh>

    Next we'll have a load of chatty computers, talkative fridges, doors generating an intolerable air of smugness whenever you approach them, elevators sulking in basements, and a drinks machine that only ever serves cups filled with a liquid that is almost, but not quite, entirely unlike tea (hang on, I think we have one of those in our coffee corner at work)

    I'll get me coat. Doffs hat (grey Tilley once more) to the late, great Douglas Adams

  11. Anonymous Coward
    Anonymous Coward

    Dash Buttons?

    I wonder what OS those Dash (IoT) buttons run on to fire off their Lambda requests into the cloud.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019