A vulnerability affecting components used in millions of critical connected devices in the automotive, energy, telecom, and medical sector could let hackers hijack the device or access the internal network.
In some cases, the flaw is remotely exploitable over 3G. Researchers found it in the Cinterion EHS8 M2M module from Thales (formerly from Gemalto, acquired by Thales in 2019) but the vendor also confirmed it in BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62.
Over 30,000 companies use products from Thales, which connects more than 3 billion things worldwide every year.
Java Code Inside
Cinterion EHS8 and components in the same product line are embedded modules that provide processing power and machine-to-machine (M2M) secure communication over wireless mobile connections (2G, 3G, 4G).
They store and run Java code and companies use them to host operational files and sensitive data like login credentials for various network services.
Researchers at X-Force Red, IBM’s independent team of veteran hackers, discovered a method to bypass security checks protecting the files and operational code in the EHS8 module.
“Think of this module as the equivalent of a trustworthy digital lockbox, where companies can securely store a range of secrets such as passwords, credentials and operational code. This vulnerability undermines that function by allowing attackers to steal organizational secrets” IBM X-Force Red
A technical report from X-Force Red today explains that EHS8 and the other products in its line have a microprocessor with an embedded Java ME interpreter, flash storage, and interfaces for GSM, GPIO, ADC, Digital and Analogue Audio, GPS, I2C, SPI, and USB.
There is also support for the PPP (Point-to-Point Protocol) and IP (Internet Protocol) communication stacks and it is possible to install on the host device Java applications (MIDlet) for custom functionality and interaction.
“The module behaves much like a traditional ‘Hayes’ modem when operating at the fundamental OEM integrator level. This means, that aside from the Java application loaded onto the system, it can be controlled using ‘AT’ serial commands via a physical UART connection built into the circuit”
AT commands are instructions that control a modem. As such, an attacker controlling the AT interface also has direct control over the module and can issue configuration commands; or to access the filesystem of the flash memory, letting them read, write, delete, and rename available files and directories.
The flash memory has a secure area for Java code that allows only writing operations, prohibiting reading. Original Equipment Manufacturers (OEMs) can use this sector to store private Java code and sensitive files (certificates, private keys, app databases).
The vulnerability discovered by X-Force Red bypasses the restrictions for this secure area, allowing reading the Java code running on the system from both the OEM and Thales, thus exposing all embedded secrets.
According to the researchers, malicious hackers could exploit the issue “to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider’s backend network.”
Attackers could use the flaw to alter a medical device’s reading of a patient’s vital signals, or the treatment dosage in medical pumps.
Applied to devices in the energy sector, beyond increasing and reducing the monthly bill by compromising the data delivered by smart meters, hackers could cause damage to the grid by taking control of a large number of such devices in an area, or cause blackouts.
Thales received a report about the vulnerability in September 2019 and in February 2020 released patches for its clients. The tracking number assigned for the flaw is CVE-2020-15858 (details reserved at the time of writing).
The critical nature of the devices with vulnerable modules makes patching them a priority. Depending on device and vendor, the fix is possible through an over-the-air (OTA) update or by installing it from a USB drive using the device’s management interface.
However, in if the device does not have access to the internet, as is the case in the medical and the industrial control sector, applying the patch promptly is more difficult because recertification may be needed or requires scheduling to a proper time and date.
The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.