Microsoft uncovers flaws in systems used by IoT and OT devices

May 13, 2021

Researchers at Microsoft have discovered vulnerabilities in operating systems used by IoT and OT devices in commercial, medical, and industrial environments. The Azure Defender for IoT group at the Microsoft Security Response Center has revealed that these critical memory allocation flaws, dubbed BadAlloc, allow security controls to be bypassed in order to execute malicious code or cause systems to crash.

The vulnerabilities are present in memory allocation functions across Real-Time Operating Systems (RTOS), Software Development Kits (SDKs), and C language libraries (libc).

Microsoft itself acknowledges that installing patches on IoT/OT devices can be complex, so it recommends reducing the attack surface by minimizing the exposure of vulnerable devices to the Internet, monitoring networks for indicators of anomalous behavior, and strengthening network segmentation to protect critical assets.

As far as is known, the vulnerabilities have not been detected in the wild, but they offer potential attackers a wide attack surface for causing damage. The full list of affected products is available on the US Department of Homeland Security’s website.

Some experts point out that the rampant adoption rate of IoT devices is not necessarily good news, as security may have been left on the sidelines, opening up loopholes for attacks on devices and entire networks. A recent survey by Tripwire, which specializes in IT security and compliance automation, revealed that 99% of respondents said they have considerable difficulty when trying to secure IoT and IIoT (Industrial Internet of Things) devices. Two-thirds also said they face problems identifying and fixing

To help developers, manufacturers, businesses, and consumers improve the security of IoT systems, OWASP (Open Web Application Security Project), a non-profit foundation working towards software security, maintains a list of the top 10 behaviors to avoid when it comes to the Internet of Things.

The truth is that there is a big disparity between how often the firmware of IoT devices is updated and how quickly vulnerabilities in their critical components are emerging. Who will lead this race in the coming years?