Serious security flaws has been discovered in VxWorks, a real-time operating system made by Wind River of Alameda, California, US, in 1987. The OS is used from network routers to critical instruments like NASA's Curiosity Rover on Mars and Boeing 787 Dreamliners.
A Canadian researcher Yannick Formaggio presented a detailed significant flaw in VxWorks at 44Con, an information security conference in London. He said that, "VxWorks is the world's most widely used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few." Formaggio added, "In this age of IoT, the issue will have a widespread impact."
The researcher discovered the flaw after an Istuary client requested about the understanding of the critical infrastructure industry.
The flaw allowed Formaggio “to target a specific part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control functions of the operating system."
One of the another major finding of his research was that the “FTP server is susceptible to ring buffer overflow when accessed at a high speed” and crashes when sent a “specially crafted username and password”.
The current version of VxWorks is 7, Versions 653 has the problem, which might have affected many millions of devices and they need to be patched. Wind River has acknowledged the flaw and is in the process of providing patches.