Thales Wireless IoT Modules Flaw Impacts Millions of Devices

The discovery of a security flaw IoT device components could allow cybercriminals to illegally obtain valuable private data or use the devices in further cyberattacks.

More than 30,000 businesses use Thales components in products that perform a number of different functions in sectors including energy, telecommunications, and healthcare.

The flaw is present in the Cinterion EHS8 M2M module, along with a number of other components  in the same line (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62). The embedded modules supply processing power and permit devices to send and receive data across wireless mobile connections. The module is also deployed as a digital secure repository for sensitive information such as passwords, details and operational code. The flaw would permit allow a hacker to obtain access to the interior of that particular repository.

X-Force Red security experts found a way of getting around security in place to keep code and files safe in the EHS8 module.

They said: “[The modules] store and run Java code, often containing confidential information like passwords, encryption keys and certificates,” said Adam Laurie, of IBM’s X-Force Threat Intelligence team. This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider’s backend network. In turn, intellectual property, credentials, passwords and encryption keys could all be readily available to an attacker,” explained the researchers in a recent blog post. “Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases.”

Readings could be changed in medical devices by targeting the vulnerability. This would lead to false alerts being issued or critical changes being made in relation to a patient’s vital signs.

The experts also said that the flaw could be exploited in smart meters used by energy businesses to falsely record energy usage. This would leads to a rise and fall in bills, but if sufficient numbers of devices were attacked and managed by a hacker, it could cause damage to the grid and lead to blackouts.

The CVE-2020-15858 vulnerability was first recorded during September 2019 and Thales was immediately made aware of it. Thales has been assisting the IBM X Force Red team to create, review, and share a patch. This patch was made available during February 2020 and Thales has been working hard to make sure its clients know about the patch and then update it quickly, idf they have not already done so. The patching process is much more cumbersome for devices used in highly regulated industry sectors.