Windows IoT Core exploitable via ethernet

Microsoft’s Internet of Things (IoT) version of Windows is vulnerable to an exploit that could give an attacker complete control of the system, according to a presentation given by a security company over the weekend.

At the WOPR Summit in New Jersey, SafeBreach security researcher Dor Azouri demonstrated an exploit that will allow a connected device to run system-level commands on IoT devices running Microsoft’s operating system.

Windows IoT is effectively the successor to Windows Embedded. The lightweight version of Windows 10 is designed with low-level access for developers in mind and also supports ARM CPUs, which are extensively used in IoT devices. According to the Eclipse Foundation’s 2018 IoT Developer Survey, the operating system accounts for 22.9% of IoT solutions development, featuring heavily in IoT gateways.

How it works

The attack comes with some caveats. According to the whitepaper published yesterday, it only works on stock downloadable versions of the Core edition of Windows IoT, rather than the custom versions that might be used in vendor products. An attacker can also only launch the exploit from a machine directly connected to the target device via an Ethernet cable.

The exploit targets the Hardware Library Kit (HLK), which is a certification tool used to process hardware tests and send back results. The proprietary protocol that HLK uses is called Sirep, and this is its weak spot. A Sirep test service regularly broadcasts the unique ID on the network to advertise the IoT device’s presence. Windows IoT Core also listens for incoming connections through three open ports on its firewall.

However, incoming connections to the Sirep test service are not authenticated, meaning that any device can communicate with it as long as it is connected via an ethernet cable rather than wirelessly. Azouri believes that this may be because the IoT testing service was ported from the old Windows Phone operating system, which relied on USB connections.

Unauthenticated devices can send a range of commands via the ports, enabling them to get system information from the device, retrieve files, upload files, and get file information.

Perhaps the most powerful, though, is the LaunchCommandWithOutput command. This retrieves the program path and command-line parameters needed to launch commands on the device. These operate with system-level privileges. The attacker can use this information to run processes on an IoT device from an unauthenticated computer.

The researchers created a Python tool called SirepRAT that allows attackers to exploit the flaw in Windows IoT. They even provided a template file used to pass payloads for different commands, along with examples.

Microsoft’s response

According to the researchers’ WOPR slides, Microsoft told them that it will not address the report because Sirep is an optional feature on Windows IoT Core, and its documentation calls the feature out as a test package, and that it reportedly plans to…

update the documentation to mention that images running the TestSirep package allow anyone with network access to the device to execute any command as SYSTEM without *any* authentication and that this is by design.