IBM: Remote Exploit Flaw Found in Millions of Connected IoT Devices

An IoT vulnerability has been uncovered in a host of Thales products, which are found in millions of connected devices, including medical devices, and can be remotely exploited.

IBM X-Force Red security researchers uncovered a bug in components made by the manufacturer Thales, which are included in millions of connected devices. The IoT vulnerability can be remotely exploited, allowing a hacker to take control of the device or access the enterprise network. 

Thales manufactures components for more than 3 billion devices used by 30,000 companies across a range of global sectors, including healthcare. Thales released a patch for the CVE-2020-15858 flaw in February, and X-Force has been actively driving awareness of it throughout the year. 

Found in September 2019, the vulnerability exists in the Thales Cinterion EHS8 M2M module, a product line formerly owned by Gemalto. The module has been installed in millions of connected devices over the last 10 years. 

The vulnerability was also found to affect other modules in the Thales product line, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62, which further expands the potential impact of the flaw.  

“These modules are mini circuit boards that enable mobile communication in IoT devices,” researchers explained. “More importantly, they store and run Java code often containing confidential information like passwords, encryption keys, and certificates.” 

“Think of this module as the equivalent of a trustworthy digital lockbox, where companies can securely store a range of secrets such as passwords, credentials and operational code,” they added. “This vulnerability undermines that function by allowing attackers to steal organizational secrets.” 

The X-Force team was able to bypass the security checks on the device to gain access. The researchers explained that if an attacker bypassed the Java application so that control was handed back to the underlying low-level interface, they would have direct control of the module. That would allow them to issue many commands, including changing configuration settings or displaying manufacturer information. 

A hacker could then use the data stolen from these modules to gain control over a device or obtain access to the central control network and launch further widespread cyberattacks, “even remotely via 3G in some cases.” 

Further, the vulnerability could be exploited to give the threat actor the ability to instruct a device to overdose a medical patient or even knock out an electrical grid, “as long as the devices responsible for these critical functions are using an unpatched module exposed to an attacker.” 

A successful exploit could readily proliferate across other connected devices, as well as allow an attacker to pivot through the victim’s backend to access other networks or the Virtual Private Networks (VPNs) supporting the network. 

This attack would give the threat actor access to intellectual property, credentials, passwords, and encryption keys. The researchers stressed that a targeted cyberattack on the vulnerability would have a significant impact. 

Particularly with medical devices, an attacker could “manipulate readings from monitoring devices to cover up concerning vital signs or create false panic. In a device that delivers treatment based on its inputs, such as an insulin pump, cybercriminals could over or underdose patients.” 

Once the vulnerability was found, Thales was immediately notified. The manufacturer worked with the X-Force Red team to test, create, and distribute the patch. The patch can be applied in one of two ways: by plugging in a USB device and running the update software, or by delivering the update over the air (OTA). 

“The patching process for this vulnerability is completely dependent on the manufacturer of the device and its capabilities – for example, whether the device has access to the internet could make it complicated to work with,” researchers explained. 

“Another item to note is that the more regulated a device is (medical devices, industrial controls, etc.), the more difficult it is to apply the patch since doing so may require recertification, an often time-intensive process,” they added. 

Alternatively, organizations can apply behavioral analysis, which treats credentials as only one layer of security: users and devices are analyzed to help administrators identify unusual behavior. Organizations can also consider penetration testing, while ensuring IoT security is prioritized across the enterprise. 

This is the second major IoT vulnerability disclosed this year. Nineteen critical vulnerabilities dubbed Ripple20 also impact millions of connected devices, with healthcare the sector most affected by the flaws. Some of those flaws were also capable of being remotely exploited.