Researchers Warn of Flaw Affecting Millions of IoT Devices

iot bug CVE-2020-15858

A patch has been issued for the flaw in a widely-used module, and researchers are urging IoT manufacturers to update their devices ASAP.

Researchers are urging connected-device manufacturers to ensure they have applied patches addressing a flaw in a module used by millions of Internet-of-Things (IoT) devices. If exploited, researchers speculated that the flaw could allow attackers to knock out a city’s electricity or even overdose a medical patient.

The vulnerability exists in a widely used Cinterion module, a small electronic device embedded in IoT devices that connects to wireless networks and sends and receives data. The module is manufactured by Thales, a French company that designs and builds electrical systems for aerospace markets.

Researchers discovered the flaw in Cinterion’s EHS8 module – however, further testing revealed that five other models in the same product line were also affected (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62). The flaw could be exploited to steal confidential information, take control of devices, gain access to control networks and more.

“[The modules] store and run Java code, often containing confidential information like passwords, encryption keys and certificates,” said Adam Laurie, with IBM X-Force Threat Intelligence, in a Wednesday post. “Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases.”

The vulnerability (CVE-2020-15858) was first discovered last September, and Thales issued a fix in early 2020 – but while patches are available, researchers warn that it will take a while for many critical-infrastructure manufacturers to apply them to their devices. Researchers disclosed the flaw on Wednesday, after working with Thales “to ensure users are aware of the patch and taking steps to secure their systems.”

Researchers found a way to bypass security checks that keep files or operational code hidden from unauthorized users.

The flaw exists in the way that AT commands are processed by the module, Dan Crowley, research director at IBM X-Force Red, told Threatpost. It is related to a string of Java code that counts the number of characters in the path substring.

This string of code checks if the fourth character of a path substring is a dot. Normally, any attempt to access hidden files with a dot prefix will be denied (example: a:/.hidden_file) – However, replacing the slash with double slash (example: a://.hidden_file) will cause the condition to fail. An attacker could therefore use the dot-prefixed filename to bypass the security test condition.

“A real-world attacker could go wardialing to try to identify modems over the cellular network, attempting to issue the AT command that exploits the flaw,” Crowley explained. “Some of these will be the vulnerable module, and an attacker will then have an assortment of phone numbers and associated code retrieved from the device at that number. By inserting backdoors into the code and writing them back, the attacker would be in control of various IoT devices around the world. ”

If exploited, attackers could potentially access the wealth of confidential data stored by the modules. This may include  intellectual property (IP), credentials, passwords, encryption keys and more. And, due to the sheer breadth of connected devices that are powered by this module – from medical devices to connected utilities – researchers warn that the potential impact of the flaw could be dire if not patched.

For instance, the flaw could be used in medical devices that leverage the module to manipulate readings from monitoring devices, to cover up concerning vital signs or create false panic.

“In a device that delivers treatment based on its inputs, such as an insulin pump, cybercriminals could over- or underdose patients,” said researchers.

And in the utility space, it could be used to compromise smart meters to deliver falsified readings that increase or reduce a monthly bill.

“With access to a large group of these devices through a control network, a malicious actor could also shut down meters for an entire city, causing wide-reaching blackouts that require individual repair visits, or, even worse, damage to the grid itself,” said researchers.

Vulnerabilities and security issues continue to plague connected devices – even as the number of internet-connected devices used globally is predicted to grow to 55.9 billion by 2025.  More than half of all IoT devices are vulnerable to medium- or high-severity attacks, meaning that enterprises are sitting on a “ticking IoT time bomb,” researchers warned earlier this year.

X-Force security researchers for their part said that this specific patch can be administered by IoT manufacturers in two ways – either by plugging in a USB to run an update via software, or by administering an over-the-air (OTA) update. However, the more heavily regulated devices, including connected medical devices or industrial-control gear, will have more difficulty applying the patch, since doing so may require recertification, an often time-intensive process, they said.

“The patching process for this vulnerability is completely dependent on the manufacturer of the device and its capabilities – for example, whether the device has access to the internet could make it complicated to work with,” they said.

It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.

Suggested articles