Researchers Discovered a New Vulnerability That Could Put Millions of IoT Devices at Risk

Patches have been issued for a vulnerability in a widely used module in IoT devices, and researchers are urging IoT manufacturers to make sure that they have applied the fixes. According to security researchers, if hackers are able to exploit this flaw, they could knock out a city’s electricity or even overdose a patient.

X-Force Red, IBM’s team of hackers, discovered a new vulnerability that could be exploited remotely. This flaw exists in the Cinterion module that is used in millions of IoT devices. It is manufactured by a French company, Thales, and Thales has made a patch available for this flaw since February of this year. X-Force Red has been working with Thales to make sure that users are aware of patches.

It is important to note that Thales is one of the leading manufacturers of components that enable smart gadgets to connect to the internet, verify identities, and securely save data. Back in September of 2019, X-Force Red found a flaw in the Cinterion EHS8 M2M module, and further investigations revealed that this flaw also affects other models in the same product line including BGS5, PLS62, PDSF5/6/8, EHS5/6/8, ELS81, and ELS61.

If exploited, the vulnerability could allow hackers to steal sensitive information, gain access to control networks, and more. It is important to note that these modules store as well as run Java code that often contains confidential data such as passwords, certificates, and encryption keys. Attackers can use the stolen information to control a device or even gain access to the central control network.

While researchers discovered the flaw, CVE-2020-15858, in 2019 and a fix was issued in early 2020, researchers say that it will take a while for several manufacturers to apply patches to their IoT devices. X-Force Red found a way to bypass security checks that keep data or operations code hidden from an unauthorized user. The vulnerability could allow hackers to access confidential data stored by modules such as login credentials, IP, and encryption keys.

Researchers said that the patch can be administered either by plugging in a USB to run the update through software, or IoT manufacturers can administer an OTA update. X-Force security researchers also said that the patching process depends entirely on manufacturers of IoT devices and the capabilities of these devices. For instance, if a device has access to the internet, it could make the patching process complicated.

Security issues continue to plague IoT devices, and it is noteworthy that the number of IoT devices used across the globe is expected to grow to 55.9 billion by the year 2025. Earlier this year, researchers also warned that over 50% of all Internet-of-Things devices are vulnerable to medium or high-severity hacks.


