New exploit allows attackers to control Windows IoT Core smart devices

A security researcher at a conference today revealed a new exploit impacting the Windows IoT Core operating system that gives threat actors full control of vulnerable devices.

The vulnerability, discovered by SafeBreach security researcher Dor Azouri, affects the Sirep / WPCon communications protocol included with the Windows IoT operating system. Azouri said the vulnerability only affects Windows IoT Core, the version of the Windows IoT OS designed for devices that run a single application, such as smart devices, control boards, hobbyist devices, and others.

The vulnerability does not affect Windows IoT Enterprise, the more advanced version of the Windows IoT operating system, the one that supports desktop functionality, and the one most likely to be found in industrial robots, manufacturing lines, and other industrial environments.

The researcher said the security issue that he found allows an attacker to run commands on Windows IoT Core devices with SYSTEM privileges.

“This exploit works on Windows IoT Core cable-connected devices running the official stock image of Microsoft.”

“The method described in this paper takes advantage of the Sirep Test Service that is built-in and running on Microsoft’s website’s official images,” the researcher said. “This service is the client part of the HLK setup that can be built to perform driver / hardware testing on IoT devices. It serves the Sirep / WPCon protocol.”

Using the vulnerability discovered in this testing service, the SafeBreach researcher said he was able to expose a remote control interface that attackers could weaponize to take control of smart devices running Microsoft’s Windows IoT Core.

Azouri built such a tool during his tests, a remote access trojan (RAT) he called SirepRAT, which he plans to open-source on GitHub. The upside is that Azouri’s SirepRAT doesn’t work wirelessly, because the test interface is only available through an Ethernet connection.

This implies that the attacker must either be physically close to a target, or compromise another device on a company’s internal network and use it as a relay point for attacks on vulnerable devices.

Azouri presented his research today at the WOPR Summit Security Conference in Atlantic City, NJ, USA. This article will be updated with links to the SirepRAT GitHub repo and Azouri’s whitepaper in the coming days.

The Windows IoT operating system is a free successor to the Windows Embedded project. According to SafeBreach, the OS has the second-largest share of the IoT device market at 22.9 percent, behind Linux, which has a market share of 71.8 percent.


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.