Over the years, NCC Group has audited countless embedded devices for our customers. Through these security assessments, we have observed that IoT devices are typically built using a hodgepodge of chipset vendor board support packages (BSP), bootloaders, SDKs, and an established Real Time Operating System (RTOS) such as Mbed or FreeRTOS. However, we have recently begun to field questions from our customers who seek our opinion regarding whether the Zephyr RTOS and MCUboot bootloader are suitable for their needs. NCC Group decided to undertake an independent research effort in order to analyze the security posture of Zephyr and MCUboot. The results of our analysis, including discovered vulnerabilities, are contained in this research report.

Zephyr is an RTOS for microcontrollers and is specifically designed for applications in IoT—the types of resource constrained embedded devices where Linux is simply “too big”. The Zephyr project is sponsored by the Linux Foundation and recently has been receiving a lot of coverage at industry events. Furthermore, although Zephyr is governed by a vendor-neutral steering committee, it benefits from the strong support of numerous silicon vendors such as Intel, NXP, Nordic Semiconductor, and Texas Instruments. Consequently, Zephyr supports a wide variety of chipset architectures and popular development kits, including broad support for the ARM Cortex-M platform and some support for select x86, ARC, XTENSA, and RISC-V platforms.

MCUboot is an open source hardware-independent bootloader. It is seen as a companion project to Zephyr, as many of Zephyr’s supported platforms are also supported by MCUboot. The project’s stated goal is to define a common system flash layout and to provide a secure bootloader that enables easy software upgrades.

Through January and February of 2020, NCC Group performed independent research to review the Zephyr project in order to test and verify its overall security posture. NCC Group also briefly reviewed MCUboot, to determine whether its secure boot mechanism was robust, as a part of that research project.

In total, our research uncovered 25 vulnerabilities affecting the Zephyr RTOS and 1 vulnerability affecting MCUboot. These findings include both locally and remotely exploitable memory corruption vulnerabilities, multiple paths that allow a compromised user application to escalate privilege to kernel mode, as well as multiple weaknesses in the design of certain exploit mitigation systems that exist within the kernel.

The full research report can be downloaded below:

Published