There’s a simple vulnerability inside an extensively used operating system, although not one that most would be aware of, known as VxWorks. It happens to be the same software program used to control components of NASA’s Curiosity Mars Rover and lots of critical infrastructure systems, while another flavour of the OS, VxWorks 653 (not effected by this flaw), is utilized in Boeing 787 Dreamliners and even many military helicopters. Some versions, used by tens of thousands of machines at the very least, are also carrying a vulnerability that may be exploited from anywhere with an internet connection, according to researcher Yannick Formaggio, from Canadian outfit Istuary Innovation Labs.
Talking at the 44Con convention in London on 10th September, 2015, Formaggio stated he’d looked into the software following a request from a client working within the critical infrastructure industry. Formaggio and his fellow researchers created their very own “fuzzing” tool, which threw data at VxWorks to see where the errors occurred.
This led to the discovery of what’s generally known as an integer overflow vulnerability, which allowed him to target a particular part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control features of the OS, Formaggio claimed. “It’s a very basic vulnerability,” he added. An attacker must find targets with a certain port (port 111) open, but when they did; the exploit code could run without any interaction from the user. In other words, a silent & (possibly even a) deadly attack.
Affected versions include VxWorks 5.5 through to 220.127.116.11 (the latest version is 7.0). A simple search for ‘vxworks’ on Shodan, the security testing service for uncovering open internet servers, revealed that tens of thousands of computer systems running the OS can be accessed over the net. According to Wind River, the Intel owned company behind the 28-yr-old software, as many as 1.5 billion devices are managed by VxWorks. The company describes VxWorks as “the world’s most widely-used real-time operating system”. However, it is unclear how many are vulnerable to the attacks developed by Formaggio.
He mentioned that the flaw was reported on 22 July and was quickly acknowledged the day after. Wind River had not responded to media’s requests for comment, although Formaggio believes the firm has issued a patch,and thins that the company wouldn’t release a public advisory as it didn’t deem the issue serious enough. That may be because the researchers did not inform the firm they have been able to remotely exploit VxWorks. They merely handed over specifics on the flaw that led to control being relinquished to willing attackers.
This is not the first time VxWorks has been caught by security researchers this year. In June, the US Industrial Control Systems Computer Emergency Response Team, run by the Department of Homeland Safety, warned about a flaw uncovered by Raheem Beyah, David Formby and San Shin Jung of Georgia Tech. The problem would have allowed any hacker who could intercept an unprotected connection between a computer and a VxWorks server to completely take over a connection as soon as the user had logged in.
At the time, Beyah said the vulnerability was resident within the TCP protocol – a core internet protocol – utilized by VxWorks and that flaw was initially discovered over twenty years ago. While he didn’t believe the vulnerability was especially critical, he pondered: “What other legacy vulnerabilities that have been addressed by the ‘mainstream’ computing community persist in our critical infrastructure?”
A NASA spokesperson stated: “While we don’t discuss specific security issues regarding our infrastructure, we do take the necessary steps to ensure safe and secure operation of all our systems.” Certainly, without doubt, NASA would not take any chances with Curiosity, so don’t expect the intrepid robot explorer to be controlled by criminal mastermind hackers any time soon.
Boeing doesn’t run a vulnerable version of VxWorks on its planes. Nevertheless the firm said it had multiple layers of safety “designed to ensure the security of all critical flight systems from intrusion”.
However that doesn’t detract from researchers’ findings this year. They’ve uncovered some severe weaknesses at the heart of the world’s critical infrastructure.