Microsoft issued an alert stating that its experts have identified 25 vulnerabilities in systems designed to install on “Internet of Things” (IoT) devices.
The vulnerabilities were found even in software from companies like Amazon, Google, Samsung, Tencent, MediaTek and Texas Instruments.
Manufacturers have already released updates to eliminate flaws that could facilitate hacker actions.
Companies like Google, Microsoft and Amazon, which are providers of “cloud computing”, provide these base systems so that product developers can accelerate the creation of solutions connected to their respective services.
Companies like MediaTek and Texas Instruments, which are hardware manufacturers, provide systems tailored to their line of cards and chips with the same purpose: to make the product more attractive and simple to use for those who really need a technological base.
Because of this, these systems come pre-installed in products of various brands or even in customized solutions, and the failures do not necessarily affect products of the manufacturers already mentioned. It is not known how many final products will actually have to be corrected.
The problems are considered serious because they are located in functions responsible for memory management. By exploiting this type of loophole to manipulate the system’s memory, it becomes possible to record and execute a malicious program even without the user’s authorization.
Although the flaws can facilitate hacker attacks, their application in practice would depend on the final product that the system was used to build. In the worst case, however, a device could be attacked remotely – if it were connected to the internet without a barrier, such as a router or firewall.
Microsoft’s warning was passed on by the US government’s Cybersecurity and Infrastructure Security Agency (CISA). According to the agency’s document, most of the 25 software packages have already received an update from the manufacturer.
Some, however, remain vulnerable. One of them is already discontinued and will no longer receive an update. Another package is expected to be updated only in June, and others still have no update date.
The obsolescence of software in the so-called “internet of things” is one of the complications for the continued use of these devices. They usually last longer than the software maintenance period, creating opportunities for attackers.
Microsoft has developed a secure coprocessor called Pluton to ensure the integrity of IoT devices. The technology was born on the Xbox console, where it helped prevent piracy and cheating in online games.