Millions of Devices Affected by Vulnerability in Thales Wireless IoT Modules

A vulnerability in components used in millions of IoT devices could be exploited by hackers and used to steal sensitive information and gain control of vulnerable devices, which could then be used in attacks on internal networks. Thales components are used by more than 30,000 companies, whose products are used across a broad range of industry sectors including energy, telecommunications, and healthcare.

The flaw exists in the Cinterion EHS8 M2M module, along with several other products in the same line (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62). The embedded modules provide processing power and allow devices to send and receive data over wireless mobile connections. The module is also used as a digital secure repository for sensitive information such as passwords, credentials and operational code. The flaw would allow an attacker to gain access to the contents of that repository.

X-Force Red researchers discovered a method for bypassing security measures protecting code and files in the EHS8 module. “[The modules] store and run Java code, often containing confidential information like passwords, encryption keys and certificates,” said Adam Laurie, of IBM’s X-Force Threat Intelligence team.

“This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider’s backend network. In turn, intellectual property, credentials, passwords and encryption keys could all be readily available to an attacker,” explained the researchers in a recent blog post. “Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases.”

In medical devices, the flaw could be exploited to alter readings from patient monitoring devices, either to generate false alerts or hide critical changes in a patient’s vital signs. In the case of a drug pump, changes could be made to deliver an overdose or stop a dose of critical medication from being administered.

The researchers also point out that the flaw could be exploited in smart meters used by energy companies to falsely report energy usage. This would result in increases or decreases in bills, but if sufficient numbers of devices were compromised and controlled by an attacker, it could cause damage to the grid and result in blackouts.

The vulnerability, tracked as CVE-2020-15858, was identified in September 2019 and Thales was immediately notified. Thales has been working closely with IBM X Force Red team to develop, test, and distribute a patch. The patch was released in February 2020 and Thales has been working hard to make sure its customers are aware of the patch and the need to apply that patch promptly.

It is taking some time for the patches to be applied by device manufacturers. The patching process is considerably slower for devices used in highly regulated industry sectors. For instance, medical devices may will require recertification after patching, which is a time-incentive process.

Addressing the vulnerability is largely down to device manufacturers, who must make patching a priority. IBM X Force Red says that process has been ongoing for 6 months, but there are still many devices that remain vulnerable. Patches could be applied via a USB device plugged directly into the vulnerable device using the management console or via an over-the-air update. The latter would be preferable, but that would depend on whether the device is accessible over the Internet.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.