ERROR: BadAlloc! - Broken Memory Allocators Led to Millions of Vulnerable IoT and Embedded Devices

Conference: Black Hat USA 2021



The presentation describes BadAlloc, a class of integer-overflow bugs in the core functions of memory allocators that can be leveraged into remote code execution on IoT and embedded devices, and it proposes mitigation and detection techniques.
  • The vulnerabilities can be turned into remote code execution on affected IoT devices
  • The presentation includes a live demonstration of the vulnerability being exploited
  • To check whether an application is affected: identify the allocation functions it uses, reverse engineer binaries where no source is available, and audit the source code and allocator macros for unchecked size arithmetic
  • The advisory lists 30 affected products
  • The presenters thank those involved in the disclosure process
The presenters demonstrate the vulnerability by breaking into a device and redirecting the user to an attacker-controlled domain.


"BadAlloc" is our code name for a class of integer-overflow related security issues found in the core functions of popular memory allocators, such as malloc and calloc. BadAlloc vulnerabilities affect 17 different widely used real-time operating systems (e.g., VxWorks, FreeRTOS, eCos), standard C libraries (e.g., newlib, uClibc, Linux klibc), IoT device SDKs (e.g., Google Cloud IoT SDK, Texas Instruments SimpleLink SDK) and other applications that manage their own memory (e.g., Redis). Some of these vulnerabilities go as far back as the early 1990s, and collectively they impact millions of devices worldwide, mainly IoT and embedded devices, as this was our focus.

In this talk, we'll present some of the most interesting findings and discuss how we found them. We'll do a quick root-cause analysis for each of the selected cases and show, at a deep technical level, how this specific kind of vulnerability can be leveraged into a full-blown remote code execution exploit on affected systems. We'll discuss possible mitigation techniques and propose a method to check whether your application is affected by BadAlloc or a similar vulnerability. Finally, a demo of a working RCE exploit will be presented.
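The following is an added example, written for this page and not code from the talk or from any of the affected projects. It illustrates both the root cause the abstract describes (unchecked size arithmetic in an allocator's core path) and the check the summary recommends (auditing the allocation functions and macros an application uses). The toy bump allocator, its arena size, header size and alignment are all constructed for illustration; the allocator-level probe is a general pattern for testing whether any allocator hands back memory for a request that cannot possibly fit, which is the behaviour an attacker-controlled length relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy allocator used only to illustrate the BadAlloc pattern;
 * the constants and layout are assumptions, not those of any real project. */
#define ALIGN        8u
#define HEADER_SIZE  16u
#define ARENA_SIZE   4096u

/* Classic "round up to a multiple of ALIGN" macro found in many allocators.
 * The addition is done on size_t and wraps silently when x is near SIZE_MAX. */
#define ALIGN_UP(x)  (((x) + (ALIGN - 1)) & ~(size_t)(ALIGN - 1))

static unsigned char arena[ARENA_SIZE];
static size_t arena_top = 0;

/* Vulnerable: header accounting plus alignment rounding with no overflow check.
 * A request of SIZE_MAX - 8 wraps to 7 and rounds up to an 8-byte chunk. */
size_t vuln_chunk_size(size_t nbytes)
{
    return ALIGN_UP(nbytes + HEADER_SIZE);
}

/* Hardened: refuse any request whose padded, rounded size is not representable.
 * nbytes + HEADER_SIZE + (ALIGN - 1) must not exceed SIZE_MAX. */
bool safe_chunk_size(size_t nbytes, size_t *out)
{
    if (nbytes > SIZE_MAX - HEADER_SIZE - (ALIGN - 1))
        return false;
    *out = ALIGN_UP(nbytes + HEADER_SIZE);
    return true;
}

/* calloc-style element count times element size: unchecked product wraps. */
size_t vuln_calloc_size(size_t n, size_t size)
{
    return n * size;
}

/* Hardened multiplication: reject when n * size would overflow size_t. */
bool safe_calloc_size(size_t n, size_t size, size_t *out)
{
    if (size != 0 && n > SIZE_MAX / size)
        return false;
    *out = n * size;
    return true;
}

/* Bump allocator built on the vulnerable size computation. The arena check
 * passes for the wrapped size, so a huge request "succeeds" with a tiny chunk
 * that the caller will then overflow when it copies the attacker's data. */
void *vuln_malloc(size_t nbytes)
{
    size_t need = vuln_chunk_size(nbytes);
    if (need > ARENA_SIZE - arena_top)
        return NULL;
    void *p = arena + arena_top + HEADER_SIZE;
    arena_top += need;
    return p;
}

/* Same allocator with the hardened size computation. */
void *safe_malloc(size_t nbytes)
{
    size_t need;
    if (!safe_chunk_size(nbytes, &need) || need > ARENA_SIZE - arena_top)
        return NULL;
    void *p = arena + arena_top + HEADER_SIZE;
    arena_top += need;
    return p;
}

/* Probe an allocator with requests that can never be satisfied. Each value is
 * chosen so that adding a small header or alignment pad wraps size_t. Any
 * non-NULL result means the size arithmetic wrapped: the BadAlloc pattern. */
bool allocator_has_badalloc(void *(*alloc)(size_t))
{
    static const size_t probes[] = { SIZE_MAX, SIZE_MAX - 1, SIZE_MAX - 8,
                                     SIZE_MAX - 15, SIZE_MAX - 16 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (alloc(probes[i]) != NULL)
            return true;
    return false;
}

int main(void)
{
    printf("vuln_chunk_size(SIZE_MAX - 8) = %zu\n", vuln_chunk_size(SIZE_MAX - 8));
    printf("toy allocator has BadAlloc:      %d\n", allocator_has_badalloc(vuln_malloc));
    printf("hardened allocator has BadAlloc: %d\n", allocator_has_badalloc(safe_malloc));
    /* Probing the C library's malloc: a correct libc returns NULL for these.
     * Note: AddressSanitizer aborts on such requests unless run with
     * ASAN_OPTIONS=allocator_may_return_null=1. */
    printf("system malloc has BadAlloc:      %d\n", allocator_has_badalloc(malloc));
    return 0;
}
```

When auditing a real allocator, the places to look are exactly the two shown: every add of a header or alignment pad to a caller-supplied length, and every multiply in calloc-like paths. On GCC and Clang the hand-written checks above can be replaced by `__builtin_add_overflow` and `__builtin_mul_overflow`, which return nonzero when the result wrapped. The probe function is only meaningful for allocators that are expected to fail cleanly for unsatisfiable requests; on a target with no MMU, a returned pointer into a tiny chunk is the heap overflow primitive, so running this kind of check against the device's allocator is a quick way to find out whether it needs patching.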