IoT Communication Module Vulnerability Affected Millions of Devices

Security researchers discovered a vulnerability affecting a small module named Cinterion EHS8 M2M built by Thales. That’s important because this particular module was embedded in millions of IoT devices over the last decade.

The IoT ecosystem is not only about smart fridges, routers, and other well-known devices. The bulk of IoT products is present in various industries, used as Industrial Control Systems (ICS) systems controlling real hardware. Any vulnerability exposes critical infrastructure, so patches have to be deployed a soon as possible.

IBM’s X-Force Red team discovered a vulnerability in Cinterion EHS8 M2M module, and soon after, determined that the same security issue affected similar products, EHS8 (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62). The modules are used to enable mobile communications in IoT devices.

“The modules store and run Java code often containing confidential information like passwords, encryption keys and certificates,” says the advisory. “Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases.”

Attackers could build smart meters to knock out a city’s electricity or even overdose a medical patient. The most affected devices can be found in the medical field and the energy and utility sectors. Thales issued a patch for the affected modules in February 2020.

The information about this vulnerability was first unveiled X-Force Red’s virtual Red Con 2020 event. Right now, the only problem remains the inevitable unpatched IoT devices that will linger in various infrastructures for years to come. With millions of machines spread across the globe, it’s impossible to patch them all. Once the vulnerability was disclosed, hackers will begin to look to unpatched modules.