ALL SECURITY RELATED TOPICS ON IoT WILL BE POSTED THERE
2016-10-31
>> DIRTY COW - LINUX KERNEL EXPLOIT, RISK FOR IOT?
It is scary to know that a bug of this severity, and so widely distributed,
can go unhandled for so long.
I had a few people ask me about the Dirty Cow exploit and what it means to
IoT, so I figured it was worth a write-up.
Dirty Cow, aka CVE-2016-5195, is a low-level exploit in the Linux kernel
that utilizes a race condition to break read-only memory mappings, allowing
users to gain write access to typically read-only memory mappings on the
system. In a matter of seconds, root privileges could be exposed on the
target platform, making it a hacker's resource.
To see how quickly one could use this exploit to gain root access,
watch the following video:
In the traditional Linux world, the risk is low if you simply do not have
third party user accounts (other than your own) on your servers. If you do,
then keeping your kernel up-to-date is a must - in fact, a fix for the
exploit is a measly few lines of code. But the easiest way is to upgrade
your kernel and patch the vulnerability. There are a few sample programs
that you can run to verify that the exploit is fixed - available on github,
ranging from root exploits to modifying read-only files.
So, what about the IoT implications?
I mentioned only a few days ago the increased threat of 0-day exploits
when using existing operating systems within your IoT projects. DirtyCow is
a Linux specific exploit and there are a tonne of products that utilize the
Linux operating system that will be vulnerable to this exploit - such as the
very popular Raspberry Pi, BeagleBone and Intel Edison IoT development
boards. This doesn't include the millions of CCTV cameras, DVRs and routers
that utilize Linux.
Raspberry Pi has announced a kernel patch - other hardware manufacturers
should follow suit.
A key factor of this exploit is that it requires a user account on the
system where the hacker will attempt to escalate privileges; but personally,
with open source quite common amongst IoT projects, the risk may be more
cynical. It wouldn't take much for someone to inject some code into open
source projects that goes unnoticed - maintainers of repositories need to
watch commits more closely.
This doesn't even cover the more serious threat from the largest
mobile operating system available on the market, the popular mobile platform
Android, with over 87.6% market share in 2016-Q2.
Innocent users could have their mobile phones exploited with malicious code
injected into mobile applications that can be distributed by Google Play
or side-loaded. The threat is real: the exploit started with kernel version
2.6.22, and Android 1.0 started on kernel version 2.6.25 - nasty.
Time for mobile phone manufacturers (Samsung, Sony, LG et al) to roll
out kernel updates ASAP.
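As an added example (not part of the original post), here is a small triage script for an inventory of Linux-based devices, built around the 2.6.22 starting version given above. The device names, release strings and the VENDOR_PATCHED set are constructed placeholders; "4.4.50-example" is not a real fixed version.

```python
import re

# First affected kernel version, as stated in the post above.
INTRODUCED = (2, 6, 22)

# Constructed sample inventory: device name -> output of `uname -r`.
SAMPLE_FLEET = {
    "router-01": "2.6.21.5",
    "cctv-07": "3.10.14",
    "pi-kitchen": "4.4.21-v7+",
    "pi-lab": "4.4.50-example",
    "dvr-02": "unknown",
}

# Hypothetical: exact release strings a vendor advisory lists as patched.
# "4.4.50-example" is a made-up placeholder, not a real fixed version.
VENDOR_PATCHED = {"4.4.50-example"}


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` string, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def triage(release, patched=frozenset()):
    """Classify one device by its kernel release string."""
    if release in patched:
        return "patched-per-vendor"
    version = parse_release(release)
    if version is None:
        return "unparsed-check-manually"
    if version < INTRODUCED:
        return "predates-bug"
    # Backported fixes do not always change the version number, so anything
    # in range without vendor confirmation is flagged rather than cleared.
    return "update-or-confirm"


def triage_fleet(fleet, patched=frozenset()):
    """Map each device name to its triage result."""
    return {name: triage(rel, patched) for name, rel in fleet.items()}


if __name__ == "__main__":
    for name, status in sorted(triage_fleet(SAMPLE_FLEET, VENDOR_PATCHED).items()):
        print(f"{name:12} {SAMPLE_FLEET[name]:18} {status}")
```

The version number alone cannot prove a device is patched, so the script only clears releases that the vendor has explicitly listed.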