Microsoft’s Internet of Things (IoT) version of Windows is vulnerable to an exploit that could give an attacker complete control of the system, according to a presentation given by a security company over the weekend.
At the WOPR Summit in New Jersey, SafeBreach security researcher Dor Azouri demonstrated an exploit that will allow a connected device to run system-level commands on IoT devices running Microsoft’s operating system.
Windows IoT is effectively the successor to Windows Embedded. The lightweight version of Windows 10 is designed with low-level access for developers in mind and also supports ARM CPUs, which are extensively used in IoT devices. According to the Eclipse Foundation’s 2018 IoT Developer Survey, the operating system accounts for 22.9% of IoT solutions development, featuring heavily in IoT gateways.
Windows Phone: How it works
The attack comes with some caveats. According to the whitepaper published yesterday, it only works on stock downloadable versions of the Core edition of Windows IoT, rather than the custom versions that might be used in vendor products. An attacker can also only launch the exploit from a machine directly connected to the target device via an Ethernet cable.
The exploit targets the Hardware Library Kit (HLK), which is a certification tool used to process hardware tests and send back results. The proprietary protocol that HLK uses is called Sirep, and this is its weak spot. A Sirep test service regularly broadcasts the unique ID on the network to advertise the IoT device’s presence. Windows IoT Core also listens for incoming connections through three open ports on its firewall.
However, incoming connections to the Sirep test service are not authenticated, meaning that any device can communicate with it as long as it is connected via an Ethernet cable rather than wirelessly. Azouri believes that this may be because the IoT testing service was ported from the old Windows Phone operating system, which