VXWORKS EXPOSES 200 MILLION CRITICAL DEVICES

VxWorks is said to be designed as a secure, “real-time” operating system for continuously functioning devices, like medical equipment, elevator controllers, or satellite modems, with the recent vulnerability had captured with operating systems like Microsoft Windows, that makes it a popular choice for Internet of Things and industrial control products. Now they can be weaponized and exploited, the fallout potentially impacting millions of devices.

Today, researchers from the enterprise security firm Armis are detailing just such a group of vulnerabilities in a popular operating system that runs on more than 2 billion devices worldwide. The researchers found a cluster of 11 vulnerabilities in the platform's networking protocols, six of which could conceivably give an attacker remote device access, and allow a worm to spread the malware to other VxWorks devices around the world.

Wind River VxWorks is a real-time operating system that is widely used in IoT and embedded applications, such as networking, telecom, automotive, medical, industrial, consumer electronics, aerospace and beyond.

Roughly 200 million devices appear to be vulnerable; the bugs have been present in most versions of VxWorks going back to version 6.5, released in 2006.The result could be anything from device malfunctions to full system takedowns.

VxWorks developer Wind River is in the process of distributing patches for the bugs. But the Armis researchers, who first disclosed their findings to Wind River in March, say that the patching process will be long and difficult. The researchers will present their findings at the Black Hat security conference in Las Vegas next week.

This reality is taking hold in the minds not only of security practitioners, but also of government regulators, as the hundreds of millions of IoT devices are found to be vulnerable and remain unpatched.Vulnerabilities are eventually discovered for even the best software, and the security of the internet and the online ecosystem relies on the ability to roll out and deploy the fixes.

In the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers have already logged 13.5 million IoT attacks, which outpaces the first two quarters of 2018 by 54.6%. SonicWall STRONGLY advises to apply the SonicOS patch immediately. Patches are available for all recent SonicOS versions. Detailed instructions are provided in the Security Advisory.

"Finding a vulnerability in the network layer means it would affect any device that is using this operating system and that has networking capabilities," says Ben Seri, vice president, Armis Research. "It’s like the holy grail of vulnerability research finding something in that layer."

The report further says, "the worst-case scenario for me is what a determined nation-state could do with such a powerful vulnerability," Armis' Seri says. "We know that SCADA devices have been targeted, we know that power grids have been targeted. And these VxWorks devices all have industrial use cases. I’m not saying tomorrow morning it will happen, but that's the worst case concern for me."