Millions of Devices Impacted by Vulnerability Found in Thales Wireless IoT Modules

A vulnerability has been identified in a component used in countless IoT devices. Hackers could exploit it to steal sensitive data and to manipulate vulnerable devices in order to attack internal networks. Over 30,000 companies use Thales components across a wide range of industries, including energy, telecom, and healthcare.

The vulnerability exists in the Cinterion EHS8 M2M module, together with some other products in a similar category (BGS5, EHS5/6/8, ELS81, PDS5/6/8, ELS61, PLS62). These embedded modules provide processing power and enable devices to transmit and receive information over wireless mobile connections. They are also used as a secure electronic repository for sensitive data such as credentials, passwords, and operational code. The vulnerability could allow an attacker to access the files in that repository.

Researchers at X-Force Red found a way to circumvent the security that protects the code and data in the EHS8 module. The information stored in the module includes Java code, which usually contains confidential data such as encryption keys, passwords, and certificates.

Attackers exploiting this vulnerability could potentially compromise hundreds of thousands of devices and gain access to the networks or VPNs that support those devices by leveraging the backend network of the provider. As a result, the attacker could obtain credentials, passwords, intellectual property, and encryption keys. Malicious actors could also use the information stolen from the modules to manipulate a device or to access the central control system and carry out further attacks, possibly remotely through 3G in certain cases.

In medical devices, exploiting the vulnerability could allow changes to the readings in patient monitoring devices, whether to create false alerts or to conceal crucial changes in a patient's vital signs. If changes are made to a drug pump, it is possible to give an overdose or halt a dose when administering critical medication.

The researchers also state that the vulnerability in smart meters used by energy firms can be exploited to misreport energy consumption. This would result in higher or lower bills; however, if an attacker controls a large enough number of devices, it could lead to grid damage and cause blackouts.

The researchers discovered the vulnerability, tracked as CVE-2020-15858, in September 2019 and notified Thales immediately. Thales worked with the IBM X-Force Red team to create, test, and supply a patch. The patch was made available in February 2020. Thales is making sure that its customers know about the patch so that they can apply it promptly.

Device manufacturers are taking a while to apply the patches. The patching process is noticeably slower for units used in highly regulated industries. For example, medical devices require recertification following patching, which is a time-consuming procedure.

Dealing with the vulnerability is mostly down to device companies, which need to prioritize patching. IBM X-Force Red states that the patching operation has been in progress for 6 months, yet there are still a lot of vulnerable devices. Patches can be applied using a USB device connected directly to the vulnerable device using the management system, or through a remote update. The latter is better, but it depends on whether the unit has internet access.