2 Billion IoT Devices Have Critical “Update Now” Warnings Pending

VxWorks, one of the world's most widely used IoT operating systems, is affected by as many as 11 zero-day vulnerabilities, according to security researchers at Armis. VxWorks is estimated to be a critical component of over 2 billion IoT devices around the world. While the exposure does not affect all 2 billion devices, a large share of them, as many as 10%, are exposed to potential attack. The update, however, is relevant to every device running the operating system.

In a statement to the press, a spokesperson for Wind River, the company that develops and ships VxWorks, disputed that the number of affected products was that high. Even if the number of exposed devices is not quite 200 million, the scale of the exposure is still very large. To date there have been no known cases of these vulnerabilities being exploited, but if they were, the consequences for the affected devices could be catastrophic.

A Severe Vulnerability

The vulnerabilities, collectively tagged URGENT/11 by Armis, affect the core networking stack (the TCP/IP stack) of the device. A flaw in the core networking stack can potentially give an attacker access to the underlying operating system. No sophisticated methodology is involved: the attacker needs only to know that the vulnerability exists and to be able to reach the target device over the network. Once on a path to the device, the attacker does not need to get around NAT or firewalls either, because the attack can be carried inside otherwise unremarkable TCP/IP traffic to the device.

The remote code execution vulnerabilities, which account for six of the eleven, allow an attacker to bypass the device's security layers and take control of the core system without any user interaction. The significance of this is that affected devices are 'wormable': malware can spread across an entire connected network on its own, infecting other devices simply because they share a network with the compromised machine. Wind River is working on a mitigation plan and informing users of the risks associated with the current version of VxWorks.