As a part of our ongoing IoT platform research, zLabs recently analyzed some of the leading operating systems in the IoT market, including FreeRTOS. FreeRTOS is a market leader in the IoT and embedded platforms market, having been ported to over 40 hardware platforms over the last 14 years. In November 2017, Amazon Web Services (AWS) took stewardship of the FreeRTOS kernel and its components.

AWS FreeRTOS aims to provide a fully enabled IoT platform for microcontrollers by bundling the FreeRTOS kernel together with the FreeRTOS TCP/IP stack, modules for secure connectivity, over-the-air updates, code signing, AWS cloud support, and more.

[...] There is also a commercial version of FreeRTOS, named OpenRTOS and maintained by WITTENSTEIN high integrity systems (WHIS). WHIS also offers a safety-oriented RTOS named SafeRTOS, which is based on the functional model of FreeRTOS and is certified for use in safety-critical systems.

[...] During our research, we discovered multiple vulnerabilities within FreeRTOS's TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in the WHIS Connect TCP/IP component for OpenRTOS/SafeRTOS.

[...] The patches were deployed for AWS FreeRTOS versions 1.3.2 and onwards. We also received confirmation from WHIS that they were exposed to the same vulnerabilities, and those were patched together with Amazon.

Since this is an open source project, we will wait for 30 days before publishing technical details about our findings, to allow smaller vendors to patch the vulnerabilities.