Millions of Thales Wireless IoT Modules Vulnerable to Attack - RTInsights


IoT devices like insulin pumps and smart meters could be compromised.

Written By
Sue Walsh
Sep 13, 2020

IBM’s X-Force Red team has revealed a vulnerability in millions of Thales Wireless IoT modules that could put devices like insulin pumps and smart meters at risk. IBM announced its discovery once Thales had produced a patch and fixed as many devices as possible. The company delivered software fixes in Q1/2020 after contacting and discussing the issue with affected customers.

“This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider’s backend network,” Adam Laurie, X-Force Red’s lead hardware hacker, and Grzegorz Wypych, senior security consultant, write. “In turn, intellectual property, credentials, passwords, and encryption keys could all be readily available to an attacker.”

In addition to its discovery last year in Thales’ Cinterion EHS8 M2M modules, the CVE-2020-15858 vulnerability appeared in related products including:

  • BGS5
  • EHS5/6/8
  • PDS5/6/8
  • ELS61
  • ELS81
  • PLS62

The healthcare, telecommunications, energy, and automotive industries rely on IoT devices that use these modules.

Securing Wireless IoT Modules

The IBM team discovered that the vulnerability led to modules gaining full read/write and delete access in what should be a restricted area. This critical issue had the potential to allow serious attacks in which hackers could:

  • Reprogram insulin pumps to overdose patients
  • Brick smart meters
  • Clone affected devices or modify their functionality

“Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases,” IBM says.

Challenges to Resolving the Vulnerability

Although Thales says that users can install their patch over the air (OTA) or via USB, IBM says it’s not quite that easy:

“The patching process for this vulnerability is completely dependent on the manufacturer of the device and its capabilities – for example, whether the device has access to the internet could make it complicated to work with,” IBM says.

Heavily regulated devices present additional difficulties. Industrial or medical controls that need a patch may then require time-intensive recertification.

IBM commended Thales for their handling of the flaw. Thales spent “significant time working with customers to ensure they were aware of the patches and taking steps to secure their users.”

Sue Walsh

Sue Walsh is News Writer for RTInsights, and a freelance writer and social media manager living in New York City. Her specialties include tech, security and e-commerce. You can follow her on Twitter at @girlfridaygeek.
