Microsoft Several Security Flaws in IoT Operating Systems
Security researchers at Microsoft recently uncovered a series of critical memory allocation vulnerabilities in the Internet of Things (IoT). Microsoft researchers said that they have discovered about 25 undocumented critical memory-allocation vulnerabilities across a number of vendors’ IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash.
‘BadAlloc,’ is the name assigned by the company’s Section 52 —which is the Azure Defender for IoT security research group. BadAlloc has the potential to affect a wide range of domains, from consumer and medical IoT devices to industry IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center (MSRC).
“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,” says the company. “To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible.”
“Our findings show that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in the execution of malicious code on a target device,” Microsoft researchers stated.
Memory allocation is exactly what it sounds like–the basic set of instructions device makers give a device for how to allocate memory. The vulnerabilities stem from the usage of vulnerable memory functions across all the devices, such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more, according to the report.
From what researchers have discovered, the problem is systemic, so it can exist in various aspects of devices, including real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations, they said. And as IoT and OT devices are highly pervasive, “these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,” researchers observed.
In 2019, a security researcher discovered a similar flaw impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices. The vulnerability affected the Sirep/WPCon communications protocol included with Windows IoT operating system.