Speaking at a conference today, a security researcher has revealed a new exploit impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices.
The vulnerability, discovered by Dor Azouri, a security researcher for SafeBreach[1], impacts the Sirep/WPCon communications protocol included with Windows IoT operating system.
Azouri said the vulnerability only impacts Windows IoT Core, the Windows IoT OS version for devices meant to run one single application, such as smart devices, control boards, hobbyist devices, and others.
The vulnerability does not impact Windows IoT Enterprise, the more advanced version of the Windows IoT operating system, the one that comes with support for a desktop functionality, and the one most likely to be found deployed in industrial robots, production lines, and other industrial environments.
The researcher said the security issue he discovered allows an attacker to run commands with SYSTEM privileges on Windows IoT Core devices.
"This exploit works on cable-connected Windows IoT Core devices, running Microsoft's official stock image," Azouri said in a research paper shared with ZDNet.
"The method described in this paper exploits the Sirep Test Service that's built-in and running on the official images offered at Microsoft's site," the researcher said. "This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on IoT devices. It serves the Sirep/WPCon protocol."
Using the vulnerability in this testing service he discovered, the SafeBreach researcher said he was able to expose a remote command interface that attackers can weaponize to take control over smart devices running Microsoft's Windows IoT Core OS.
During his tests, Azouri built such a tool, a remote access trojan (RAT) that