Newly discovered vulnerability could allow attackers to take full control of Windows IoT Core devices

• The vulnerability affects only the Windows IoT Core and Windows IoT OS version devices that run in a single application such as smart devices or control boards.
• The vulnerability does not impact the Windows IoT Enterprise advanced version.

What is the issue - A security researcher for SafeBreach, Dor Azouri discovered a new vulnerability that impacts the Windows IoT Core Operating System. Azouri noted that the vulnerability could allow attackers to take full control of the Windows IoT Core devices.

What is affected?

• The vulnerability affects only the Windows IoT Core and Windows IoT OS version devices that run in a single application such as smart devices, control boards, etc.
• It impacts the Sirep/WPCon communications protocol included with Windows IoT operating system.
• However, the vulnerability does not impact the Windows IoT Enterprise advanced version.

The security researcher noted that the vulnerability works on a cable-connected Windows IoT Core devices running Microsoft’s official stock image and could allow an attacker to run commands with system privileges on Windows IoT Core devices.

Worth noting - During his analysis, Azouri developed a Remote Access Trojan (RAT) dubbed SirepRAT which the security researcher plans to open-source on Github.

The advantage of the SirepRAT is that it doesn’t work wirelessly as the testing environment is available only via an Ethernet connection. This implies that the attacker has to be physically present near the target or compromise another device on a company’s internal network and then attack the vulnerable Windows IoT Core devices.

Azouri has presented his research paper at the WOPR Summit security conference in Atlantic City on March 2, 2019.

“The method described in this paper exploits the Sirep Test Service that's built-in and running on the official images offered at Microsoft's site. This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on IoT devices. It serves the Sirep/WPCon protocol,” Azouri said, ZDNet reported.