Critical Zero-Day Vulnerability Exposes Millions of IoT Devices to Attack

Internet of Things (IoT) security firm Armis announced this week the discovery of 11 zero-day vulnerabilities affecting multiple versions of the Wind River VxWorks real-time operating system (RTOS) for IoT devices. The VxWorks RTOS is the most widely deployed in the world, present in more than 2 billion IoT devices and systems across sectors including enterprises, manufacturing and healthcare.

Six of the 11 identified vulnerabilities, collectively known as "Urgent/11," are described by Armis as critical in nature, allowing for remote code execution by an attacker. What's most concerning is that the flaws are in the VxWorks TCP/IP networking stack, which makes affected IoT devices vulnerable to hijacking just by receipt of a malformed network packet.

Armis estimates that as many as 200 million IoT devices could be affected by the code flaw.

Jack Marsal, senior director of product marketing at Armis, described Urgent/11 in a blog post as "unusual from a risk mitigation point of view" for two reasons. First, many of the IoT devices are used in critical industrial, manufacturing and healthcare processes, where it's difficult to scan them with a traditional network vulnerability scanner. Doing so might crash or knock devices offline. And second, he writes, "All of the potential attacks against Urgent/11 would be 'fileless' attacks, so they can't be detected or blocked by most kinds of network security products (e.g. network sandbox, web filters, firewalls)."

Arlen Baker is chief security architect at Wind River. In a blog post he urged organizations to immediately patch impacted devices. He went on to further clarify the scope of the vulnerability, noting that the latest release of VxWorks is not affected by Urgent/11. Likewise, Wind River "safety-critical products" such as VxWorks 653 and VxWorks Cert Edition are likely unaffected by the flaw.

"Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are non-critical and internet-facing such as modems, routers, and printers, as well as some industrial and medical devices," Baker writes. "The 200 million number cited by Armis is not confirmed, nor do we believe it to be that high."

Dr. James McCaffrey, a research engineer at Microsoft Research focusing on machine learning and AI, calls Urgent/11 "one of the scariest things I've heard of in many years." He expects devices running VxWorks to be targeted by ransomware attacks or, worse, by foreign cyber warfare teams that could potentially do "catastrophic damage."

"Any company or entity that doesn't patch their VxWorks system immediately is in danger that really can't be overstated," McCaffrey warns.

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.