Patch me, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking Serious security flaws in FreeRTOS – an operating system kernel used in countless internet-connected devices and embedded electronics – can be potentially exploited over the network to commandeer kit. Simply sending specially crafted malicious data to a vulnerable gadget, over the internet or network, can be enough to crash or …
However even tho FreeRTOS is free it is still a much better deal and security risk than those black-box proprietary and more expensive solutions.
Of course the huge fly in the ointment is that the actual vendors using an OSS solution won't want to pony up the resources to fix these problems in their end-user products.
Whilst manufacturers should take the heat.. at least some of it should be direct at the Idiots who keep exposing system's (unnecessarily) to the wider internet!
I see this time and time again where I work, so-called engineers forget the first rule of security - Whitelist!
Actually you forget the zeroth rule - don't connect stuff in the first place.
If this is a network stack fault it could be exploitable before any IP style firewall/filter. Its more of a wakeup call, for those sleeping for a 100 years after eating the poison apple, that if you have connectivity you need an active patching/update system and some focus on security to make it happen without users having to do anything, As another commentard pointed out, that alone is also a risk.
How am I supposed to manage a household without my toothbrush telling the wold I am low on paste or my refrigerator telling amazon the milk is sour or Alexa telling the Goog that no one is home. I want my light bulb to unlock the car when I go out and lock the house. The toaster should switch on the burner in the morning so I don't have to wait to cook eggs as long as there are some in the refrigerator. Burdensome patching only makes life harder.
If you have nothing to hide, you have nothing to patch!
The FreeRTOS itself does not have an integrated TCP/IP stack. There is an official stack available, but it's only free if used on certain hardware. If you use an MCU that's supported by the OS but not the stack, then you'll have to pony up or provide your own TCP/IP stack.
TL;DR: the flaw is not IN the FreeRTOS. It is beside the FreeRTOS.
Case in point, the bugs in this article do not touch my current employer's products. For while we do use FreeRTOS, we use a different TCP/IP stack; one not listed here. (No, I'm not going to tell you which one.)
... would usually be plenty.
In this case, 30 weeks would not be enough, and I suspect that most of these "thinglets" will never ever be patched/upgraded, and will become a zombie army for someone/thing.
Dearly hope that "we" can identify and block traffic from them in the future, or this is how the Internet will die :(
Patch all those Idiocy-of-Things already out there in the wild? How? How would I force an Internet-connected toothbrush to update? Press the button 13 times with a pause between 10 & 11? Or do we rely on a Push from the vendor, which just means other security flaws?
Tbf I do have a couple of remotely-accessible radiators in an Airbnb/rental flat I own, mainly for the fun of sitting on my sofa and turning the heating down on the fuckers energy efficiency. Their software does provide a very obvious and easy way to update the firmware, but of course most users' reaction will be "what's firmware?".
Gaah. Intractable problem, caused by numpties who think that just because something can be connected to the net, it should be, regardless of use cases (or lack of).
who thinks the "design" of many IoT products makes the marketing division of Sirius Cybernetics look smart?
<sigh>
Next we'll have a load of chatty computers, talkative fridges, doors generating an intolerable air of smugness whenever you approach them, elevators sulking in basements, and a drinks machine that only ever serves cups filled with a liquid that is almost, but not quite, entirely unlike tea (hang on, I think we have one of those in our coffee corner at work)
I'll get me coat. Doffs hat (grey Tilley once more) to the late, great Douglas Adams
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
