Some smart home device owners may have dodged a bullet. Amazon recently patched 13 security flaws in an operating system for the Internet of Things, FreeRTOS, as well as Amazon Web Services connection modules. The holes let intruders crash devices, leak the contents of their memory and remotely run code, effectively giving attackers full control. The flaws might have been far-reaching if they’d gone unfixed — both FreeRTOS and its safety-oriented counterpart SafeRTOS are used in a wide range of devices inside and outside the home, including cars, aircraft and medical gear.
Zimperium, which found the flaws, is waiting until 30 days after the disclosure to provide the technical details required by FreeRTOS’ open source license. This should give smaller outfits an opportunity to fix the flaws, Zimperium said.
These kinds of flaw disclosures are far from unusual, but they’re relatively new here. Amazon Web Services took the reins for FreeRTOS’ core just under a year ago in November 2017. This was a test of sorts for Amazon’s ability to respond to these issues, and so far it appears to have passed.