/>
X

New exploit lets attackers take control of Windows IoT Core devices

Exclusive: Researcher creates a remote access trojan for Windows IoT Core smart devices.
catalin-cimpanu.jpg
Written by Catalin Cimpanu, Contributor on
Windows IoT
Image: Microsoft // Composition: ZDNet

Speaking at a conference today, a security researcher has revealed a new exploit impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices.

The vulnerability, discovered by Dor Azouri, a security researcher for SafeBreach, impacts the Sirep/WPCon communications protocol included with Windows IoT operating system.

Azouri said the vulnerability only impacts Windows IoT Core, the Windows IoT OS version for devices meant to run one single application, such as smart devices, control boards, hobbyist devices, and others.

The vulnerability does not impact Windows IoT Enterprise, the more advanced version of the Windows IoT operating system, the one that comes with support for a desktop functionality, and the one most likely to be found deployed in industrial robots, production lines, and other industrial environments.

The researcher said the security issue he discovered allows an attacker to run commands with SYSTEM privileges on Windows IoT Core devices.

"This exploit works on cable-connected Windows IoT Core devices, running Microsoft's official stock image," Azouri said in a research paper shared with ZDNet.

"The method described in this paper exploits the Sirep Test Service that's built-in and running on the official images offered at Microsoft's site," the researcher said. "This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on IoT devices. It serves the Sirep/WPCon protocol."

Using the vulnerability in this testing service he discovered, the SafeBreach researcher said he was able to expose a remote command interface that attackers can weaponize to take control over smart devices running Microsoft's Windows IoT Core OS.

During his tests, Azouri built such a tool, a remote access trojan (RAT) that he named SirepRAT, which he plans to open-source on GitHub.

The upside to Azouri's SirepRAT is that it doesn't work wirelessly, as the testing interface is only available via an Ethernet connection. This implies that the attacker needs to be physically present near a target, or compromise another device on a company's internal network and use as a relay point for attacks on vulnerable devices.

ZDNet has reached out for comment to Microsoft, but we did not receive a response before this article's publication.

Azouri has presented his research today at the WOPR Summit security conference in Atlantic City, NJ, USA. We'll update this article in the coming days to include links to the SirepRAT GitHub repo and Azouri's whitepaper.

The Windows IoT operating system is a free successor of the Windows Embedded project. According to SafeBreach, the OS has the second largest market share in the IoT devices market, with a 22.9 percent stake, behind Linux, which has a 71.8 percent market share.

Updated on March 4: A Microsoft spokesperson contradicted the researcher's claims and said that the testing interface is not enabled by default in retail images of Windows 10 IoT Core.

How to run Windows 10 and Windows applications on your Mac

Related cybersecurity news coverage:

Related

Fake domains offer Windows 11 installers - but deliver malware instead
Confused businesswoman annoyed by online problem looking at laptop

Fake domains offer Windows 11 installers - but deliver malware instead

Security
Linux kernel 5.18 arrives: Here's what's new
linus-torvalds-072013.jpg

Linux kernel 5.18 arrives: Here's what's new

Linux
This Russian botnet does far more than DDoS attacks - and on a massive scale
botnet-bug.jpg

This Russian botnet does far more than DDoS attacks - and on a massive scale

Security