Critical Zero-Day Vulnerability Exposes Millions of IoT Devices to Attack

Internet of Things (IoT) security firm Armis announced this week the discovery of 11 zero-day vulnerabilities affecting multiple versions of the Wind River VxWorks real-time operating system (RTOS) for IoT devices. The VxWorks RTOS is the most widely deployed in the world, present in more than 2 billion IoT devices and systems across sectors including enterprises, manufacturing and healthcare.

Six of the 11 identified vulnerabilities, collectively known as "Urgent/11," are described by Armis as critical in nature, allowing an attacker to achieve remote code execution. What's most concerning is that the flaws are in the VxWorks TCP/IP networking stack, which makes affected IoT devices vulnerable to takeover simply by receiving a malformed network packet, with no user interaction required.

Armis estimates that as many as 200 million IoT devices could be affected by the code flaw.

Jack Marsal, senior director of product marketing at Armis, described Urgent/11 in a blog post as "unusual from a risk mitigation point of view" for two reasons. First, many of the affected IoT devices are used in critical industrial, manufacturing and healthcare processes, where it's difficult to scan them with a traditional network vulnerability scanner; doing so might crash the devices or knock them offline. And second, he writes, "All of the potential attacks against Urgent/11 would be 'fileless' attacks, so they can't be detected or blocked by most kinds of network security products (e.g. network sandbox, web filters, firewalls)."

Arlen Baker, chief security architect at Wind River, urged organizations in a blog post to immediately patch impacted devices. He went on to clarify the scope of the vulnerability, noting that the latest release of VxWorks is not affected by Urgent/11. Likewise, Wind River "safety-critical products" such as VxWorks 653 and VxWorks Cert Edition are likely unaffected by the flaw.

"Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are non-critical and internet-facing such as modems, routers, and printers, as well as some industrial and medical devices," Baker writes. "The 200 million number cited by Armis is not confirmed, nor do we believe it to be that high."

Dr. James McCaffrey, a research engineer at Microsoft Research focusing on machine learning and AI, calls Urgent/11 "one of the scariest things I've heard of in many years." He expects devices running VxWorks to be targeted by ransomware attacks or, worse, by foreign cyber warfare teams that could potentially do "catastrophic damage."

"Any company or entity that doesn't patch their VxWorks system immediately is in danger that really can't be overstated," McCaffrey warns.

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.
