IoT devices like insulin pumps and smart meters could be compromised.
IBM’s X-Force Red team has revealed a vulnerability in millions of Thales Wireless IoT modules that could put devices like insulin pumps and smart meters at risk. The vulnerability, CVE-2020-15858, was found last year in Thales’ Cinterion EHS8 M2M modules. It was also found in related products, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62 modules. The modules can be found in IoT devices used by a number of industries including healthcare, telecommunications, energy, and automotive. IBM refrained from announcing their discovery until Thales had produced a patch and fixed as many devices as they could.
“This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider’s backend network,” Adam Laurie, X-Force Red’s lead hardware hacker, and Grzegorz Wypych, senior security consultant, write. “In turn, intellectual property, credentials, passwords, and encryption keys could all be readily available to an attacker.”
In a statement, Thales says “it takes the security of its products very seriously and therefore has, after communicating and discussing this issue with affected customers, delivered software fixes in Q1/2020.”
The team found that the vulnerability resulted in the modules having full read/write and delete access to what was supposed to be a restricted area. This could lead to some chilling attacks, including insulin pumps being hacked to overdose a patient or smart meters being bricked. It would also be possible to clone affected devices or modify their functionality.
“Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases,” IBM said.
Thales says their patch can be installed OTA or via USB, but IBM says it’s not quite that easy:
“The patching process for this vulnerability is completely dependent on the manufacturer of the device and its capabilities – for example, whether the device has access to the internet could make it complicated to work with,” IBM says. “Another item to note is that the more regulated a device is (e.g., medical devices, industrial controls), the more difficult it is to apply the patch, since doing so may require recertification, an often time-intensive process.”
IBM said Thales spent “significant time working with customers to ensure they were aware of the patches and taking steps to secure their users. We commend Thales for their handling of this flaw.”