New exploit lets attackers take control of Windows IoT Core devices
Speaking at a conference today, a security researcher has revealed a new exploit impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices.
Security
The vulnerability, discovered by Dor Azouri, a security researcher for SafeBreach, impacts the Sirep/WPCon communications protocol included with Windows IoT operating system.
Azouri said the vulnerability only impacts Windows IoT Core, the Windows IoT OS version for devices meant to run one single application, such as smart devices, control boards, hobbyist devices, and others.
The vulnerability does not impact Windows IoT Enterprise, the more advanced version of the Windows IoT operating system, the one that comes with support for a desktop functionality, and the one most likely to be found deployed in industrial robots, production lines, and other industrial environments.
The researcher said the security issue he discovered allows an attacker to run commands with SYSTEM privileges on Windows IoT Core devices.
"This exploit works on cable-connected Windows IoT Core devices, running Microsoft's official stock image," Azouri said in a research paper shared with ZDNet.
"The method described in this paper exploits the Sirep Test Service that's built-in and running on the official images offered at Microsoft's site," the researcher said. "This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on IoT devices. It serves the Sirep/WPCon protocol."
Using the vulnerability in this testing service he discovered, the SafeBreach researcher said he was able to expose a remote command interface that attackers can weaponize to take control over smart devices running Microsoft's Windows IoT Core OS.
During his tests, Azouri built such a tool, a remote access trojan (RAT) that he named SirepRAT, which he plans to open-source on GitHub.
The upside to Azouri's SirepRAT is that it doesn't work wirelessly, as the testing interface is only available via an Ethernet connection. This implies that the attacker needs to be physically present near a target, or compromise another device on a company's internal network and use as a relay point for attacks on vulnerable devices.
ZDNet has reached out for comment to Microsoft, but we did not receive a response before this article's publication.
Azouri has presented his research today at the WOPR Summit security conference in Atlantic City, NJ, USA. We'll update this article in the coming days to include links to the SirepRAT GitHub repo and Azouri's whitepaper.
The Windows IoT operating system is a free successor of the Windows Embedded project. According to SafeBreach, the OS has the second largest market share in the IoT devices market, with a 22.9 percent stake, behind Linux, which has a 71.8 percent market share.
Updated on March 4: A Microsoft spokesperson contradicted the researcher's claims and said that the testing interface is not enabled by default in retail images of Windows 10 IoT Core.
How to run Windows 10 and Windows applications on your Mac
Related cybersecurity news coverage:
- Hackers can hijack bare-metal cloud servers by corrupting their BMC firmware
- Intel open-sources HBFA app to help with firmware security testing
- Researchers hide malware in benign apps with the help of speculative execution
- Thunderclap flaws impact how Windows, Mac, Linux handle Thunderbolt peripherals
- Intel SGX Card expands SGX security protections to cloud data centers
- Adobe releases out-of-band update to patch ColdFusion zero-day
- How IoT is being used for Australian agriculture in 2019 TechRepublic
- Xiaomi electric scooter reportedly vulnerable to hijacking hack CNET