Unpatched Zephyr OS Exposes Devices to DoS Attacks via IP Spoofing

Is your organisation using Zephyr OS? Patch and update it to the latest version now!
Discover how cybersecurity researchers uncover vulnerabilities in Zephyr OS, a real-time operating system used in IoT and embedded devices — Learn about the risks of IP address spoofing and denial-of-service attacks and the importance of maintaining strong security measures in connected device environments.

Cybersecurity researchers at the Synopsys Cybersecurity Research Center (CyRC) have uncovered vulnerabilities within the Zephyr OS network stack, potentially leaving connected devices susceptible to IP spoofing (or IP address spoofing) attacks.

Zephyr OS, a widely used real-time operating system prevalent in the Internet of Things (IoT) and embedded devices, boasts extensive customizability and broad compatibility with multiple architectures and boards, catering to diverse applications.

One of Zephyr OS’s key features is its built-in network stack, which supports various networking protocols, including IPv4 and IPv6. This flexibility enables developers to create connected devices capable of seamless communication across different networks.

However, the CyRC identified a flaw in the Zephyr OS implementation, particularly concerning its handling of IP address spoofing attacks. IP address spoofing involves the creation of IP packets with falsified source IP addresses, often with malicious intent to deceive recipients into believing they are from legitimate sources.

The vulnerability originates from Zephyr OS’s failure to drop IP packets arriving from an external interface with a source address equal to the local host or the destination address, contrary to recommended security practices. Therefore, responses sent back to the fake source IP address bypass host-side IP address–based access control, potentially leading to unauthorized access or data manipulation.

Furthermore, the flaw exposes devices to denial-of-service (DoS) attacks, as responses handled by loopback interfaces can overwhelm the system, resulting in instability or crashes. The vulnerability shares a similar modus operandi with a recently identified attack known as Loop DoS, in which IP spoofing is likewise exploited to leave devices susceptible to DoS.
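The ingress check described above, sketched in C as an added example (it is not Zephyr's patch or code from the CyRC advisory): a packet arriving on a non-loopback interface is dropped when its source is a loopback address, one of the host's own addresses, or equal to its destination. `struct rx_ctx`, `in_list` and `spoofed_source` are hypothetical names, and reading "local host" as covering both loopback and the host's own addresses is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical receive context for this example; not a Zephyr structure. */
struct rx_ctx {
    bool on_loopback;            /* packet arrived on the loopback interface */
    const uint8_t *local4;       /* host's own IPv4 addresses, 4 bytes each */
    const uint8_t *local6;       /* host's own IPv6 addresses, 16 bytes each */
    size_t n_local4, n_local6;   /* number of entries in each list */
};

static bool in_list(const uint8_t *addr, size_t alen, const uint8_t *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(addr, list + i * alen, alen) == 0)
            return true;
    return false;
}

/* Returns true when a received IPv4/IPv6 packet must be dropped. */
bool spoofed_source(const struct rx_ctx *rx, const uint8_t *pkt, size_t len)
{
    static const uint8_t lo6[16] = { [15] = 1 };    /* ::1 */
    const uint8_t *src, *dst;
    size_t alen;
    bool bad;   /* source is loopback or one of the host's own addresses */
    if (len >= 20 && (pkt[0] >> 4) == 4) {          /* IPv4: src at 12, dst at 16 */
        src = pkt + 12; dst = pkt + 16; alen = 4;
        bad = src[0] == 127 || in_list(src, 4, rx->local4, rx->n_local4);
    } else if (len >= 40 && (pkt[0] >> 4) == 6) {   /* IPv6: src at 8, dst at 24 */
        src = pkt + 8; dst = pkt + 24; alen = 16;
        bad = !memcmp(src, lo6, 16) || in_list(src, 16, rx->local6, rx->n_local6);
    } else {
        return true;                                /* truncated or unknown version */
    }
    if (rx->on_loopback)
        return false;   /* the host's own traffic may carry these sources */
    return bad || memcmp(src, dst, alen) == 0;
}

int main(void)
{
    const uint8_t me[4] = { 192, 0, 2, 10 };   /* constructed sample address */
    uint8_t pkt[20] = { 0x45 };                /* constructed IPv4 header */
    struct rx_ctx rx = { .on_loopback = false, .local4 = me, .n_local4 = 1 };
    memcpy(pkt + 12, me, 4); memcpy(pkt + 16, me, 4);      /* src = dst = own */
    return spoofed_source(&rx, pkt, sizeof pkt) ? 0 : 1;   /* 0: dropped */
}
```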

The affected versions include Zephyr OS v.3.5, v.3.4, and 2.7 (LTS v2), as well as other releases supporting IPv6 or IPv4. However, patches have been integrated into the main branch and specific release branches to mitigate these vulnerabilities.

According to CyRC’s blog post, the discovery credit for these vulnerabilities goes to the company’s Senior Software Engineer Kari Hulkko, who utilized the Defensics® fuzz testing tool with IPv4 and IPv6 protocol test suites. In response to the disclosure, Synopsys acknowledges the collaboration and responsiveness of the Zephyr OS team in addressing these vulnerabilities.

The timeline of events surrounding the disclosure and resolution of the vulnerabilities highlights the collaborative efforts of cybersecurity researchers and software maintainers to ensure the security and integrity of connected devices powered by Zephyr OS.

As IoT and embedded devices continue to grow in number, it’s essential to prioritize strong security measures to defend against threats and vulnerabilities found in operating systems like Zephyr OS.
