Small Internet of Things (IoT) devices running a Windows IoT operating system (OS) are vulnerable to a flaw that could allow an attacker to seize full operational control.
Microsoft's Windows 10 IoT Core OS is designed to run on smaller smart devices like the Raspberry Pi used by hobbyist computer programmers and tinkerers. But a flaw with its Sirep/WPCon communications protocol can allow a malicious actor to take over the device.
The vulnerability was discovered by a security researcher with SafeBreach, Dor Azouri, who presented his findings at the hacking-oriented WOPR Summit in Atlantic City this weekend.
Outlining his research, he said the vulnerability does not affect the industrial arm of the Windows IoT ecosystem, namely devices running other IoT systems, like Windows 10 IoT Enterprise and Windows 10 IoT Mobile. These would normally be deployed in large-scale industrial contexts, such as for automated machines on a production line.
The built-in Sirep Test Service, that allows users to perform tests on hardware, is the main source of the issue, Azouri told attendees. This mechanism also serves the Sirep/ WPCon protocol.
A vulnerability discovered in this testing service exposes a remote control interface, which could, in turn, be exploited with a tool to seize control of IoT Core devices. He also built an example of such a tool, a remote access trojan (RAT) dubbed SirepRAT, that is now available on Github.
When deployed, this presents users with an easy-to-use user interface to send commands to a Windows IoT Core target device through a wired connection as long as the IP address is also known.
The threat facing businesses and individuals who use smart devices is well established, given IoT devices tend to raise an organisation's attack surface when deployed.
This has manifested in a variety of ways, including research which found that malware targeting IoT devices had tripled in the first half of 2018, with attacks becoming increasingly sophisticated.
The IoT Core flaw exposed this weekend presents yet another potential risk to users, albeit not as serious as it could have been given it affects just the Windows 10 IoT Core OS, and not its enterprise-centric cousins.
Microsoft has not yet released a fix for the vulnerability, but IT Pro approached the firm to establish whether or not this was in progress.
The company did not provide comment, but a spokesperson clarified that the issue requires a user to enable a developer feature that should not be used in a retail build.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.