New exploit lets attackers take control of Windows IoT Core devices
Speaking at a conference today, a security researcher has revealed a new exploit impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices.
The vulnerability, discovered by Dor Azouri, a security researcher for SafeBreach, impacts the Sirep/WPCon communications protocol included with Windows IoT operating system.
Azouri said the vulnerability only impacts Windows IoT Core, the Windows IoT OS version for devices meant to run one single application, such as smart devices, control boards, hobbyist devices, and others.
The vulnerability does not impact Windows IoT Enterprise, the more advanced version of the Windows IoT operating system, the one that comes with support for a desktop functionality, and the one most likely to be found deployed in industrial robots, production lines, and other industrial environments.
The researcher said the security issue he discovered allows an attacker to run commands with SYSTEM privileges on Windows IoT Core devices.
“This exploit works on cable-connected Windows IoT Core devices, running Microsoft’s official stock image,” Azouri said in a research paper shared with ZDNet.
“The method described in this paper exploits the Sirep Test Service that’s built-in and running on the official images offered at Microsoft’s site,” the researcher said. “This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on IoT devices. It serves the Sirep/WPCon protocol.”
Using the vulnerability in this testing service he discovered, the SafeBreach researcher said he was able to expose a remote command interface that attackers can weaponize to take control over smart devices running Microsoft’s Windows IoT Core OS.
During his tests, Azouri built such a tool, a remote access trojan (RAT) that he named SirepRAT, which he plans to open-source on GitHub.
The upside to Azouri’s SirepRAT is that it doesn’t work wirelessly, as the testing interface is only available via an Ethernet connection. This implies that the attacker needs to be physically present near a target, or compromise another device on a company’s internal network and use as a relay point for attacks on vulnerable devices.
ZDNet has reached out for comment to Microsoft, but we did not receive a response before this article’s publication.
Azouri has presented his research today at the WOPR Summit security conference in Atlantic City, NJ, USA. We’ll update this article in the coming days to include links to the SirepRAT GitHub repo and Azouri’s whitepaper.
The Windows IoT operating system is a free successor of the Windows Embedded project. According to SafeBreach, the OS has the second largest market share in the IoT devices market, with a 22.9 percent stake, behind Linux, which has a 71.8 percent market share.
Updated on March 4: A Microsoft spokesperson contradicted the researcher’s claims and said that the testing interface is not enabled by default in retail images of Windows 10 IoT Core.