
Vulnerability in a widely used IoT module puts a large number of devices at risk

    2024-02-29

    Society is highly dependent on technology. It is estimated that by 2025 the number of Internet-connected devices in use will grow to 55.9 billion. Many of these devices form part of Industrial Control Systems (ICS): they influence the world around us, assist us in our daily lives at home, and monitor and automate everything from energy use to machine maintenance in production. The potential for abusing these systems has attracted the attention of cybercriminals; according to the 2020 IBM X-Force Threat Intelligence Index, attacks against these systems have increased by over 2000% since 2018.

    As part of its ongoing research, IBM's offensive security team, X-Force Red, discovered a new IoT vulnerability that can be exploited remotely. The manufacturer, Thales, has been providing customers with a patch for CVE-2020-15858 since February 2020, and X-Force Red has been working with Thales to ensure that users are aware of the patch and take measures to protect their systems.

    Among the billions of smart devices in use today, Thales is one of the suppliers of the components that let them connect to the Internet, store information securely, and verify identity. Thales' product portfolio as a whole connects over 3 billion devices annually, from smart energy meters to medical monitoring devices and cars, and over 30,000 organizations rely on its solutions.

    In September 2019, X-Force Red found a vulnerability in the Cinterion EHS8 M2M module from Thales (formerly Gemalto), which has been built into millions of Internet-connected devices over the past decade. After further testing, Thales confirmed that the vulnerability also affects other modules in the same product line (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62), further widening its potential impact. These modules are miniature circuit boards that give IoT devices cellular connectivity.

    More importantly, the Java code these modules store and run typically contains confidential information such as passwords, encryption keys, and certificates. Using information stolen from a module, a malicious actor could take control of a device or gain access to the central control network and mount a wide-scale attack, in some cases remotely over 3G/4G. An attacker exploiting this vulnerability could, for example, instruct a smart meter to cut power in a city, or deliver an excessive dose of medication to a patient, as long as the device responsible for that critical function uses an unpatched module that is exposed to the attacker, for instance over the 3G/4G connection the module provides.

    About the vulnerability

    The EHS8 module and the other modules in its series are designed to provide secure communication for connected devices over 3G/4G networks. Think of the module as a trusted digital lockbox in which a company can securely store a set of secrets such as passwords, credentials, and operating code. This vulnerability defeats that protection and allows an attacker to steal those secrets.

    X-Force Red found a way to bypass the security checks that are meant to hide files and operating code from unauthorized users. The vulnerability could allow attackers to compromise millions of devices and, by pivoting into the provider's backend network, reach the networks or VPNs that support those devices. As a consequence, intellectual property (IP), credentials, passwords, and encryption keys can all be obtained easily by an attacker. In other words, the confidential information the module stores may no longer be confidential. An attacker can even steal the application code, rewrite its logic, and manipulate the device.

    What are the potential impacts?

    The potential impact of this vulnerability depends on which devices an attacker compromises and on how the device uses the module. Millions of devices are understood to use these modules, across the automotive, medical, energy, and telecommunications industries.

    Given how critical many of these devices are, a targeted attack could have serious consequences. Here are some examples of what an attacker could do if unpatched modules are exposed in various kinds of devices.

    Medical devices: Manipulating the readings of monitoring devices to mask vital signs or create false alarms. In devices that deliver treatment based on input, such as insulin pumps, cybercriminals could cause patients to be overdosed or underdosed.

    Energy and utilities: Tampering with smart meters to provide fake readings that raise or lower monthly bills. By controlling network access to a large group of these devices, a malicious actor could also shut down the electricity meters of an entire city, causing widespread power outages that require individual repairs, or worse, damage the power grid itself.

    Technical details

    The EHS8 module, like the other modules in this series, consists of a microprocessor with an embedded Java ME interpreter and flash memory, together with GSM, GPIO, ADC, digital and analog audio, GPS, I2C, SPI, and USB interfaces. It also provides higher-level communication stacks such as PPP and IP. The embedded Java environment allows Java "midlets" to be installed to provide customized functionality and interaction with the host device, and/or to act as the main logic. At the most basic level of OEM integration, the module behaves much like a traditional "Hayes" modem: in addition to the Java applications loaded onto the system, it can be controlled with "AT" serial commands over a physical UART connection built into the circuit board.

    During the assessment, the Java application layer could be bypassed and control returned to the lower layers, giving the tester direct control of the module. Once the AT command interface is under control, a large number of standard commands can be issued, such as "ATD" (dial) or "ATI" (display manufacturer information). There are also configuration commands and a specific subset of commands, "AT^SFSA", for accessing the basic file system overlaid on the flash memory. These provide reading, writing, deleting, and renaming of files and subdirectories.
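As an added example (written for this edit, not code from IBM or Thales), the following Python script drives the module's AT interface the way an integrator would to inventory fielded units: it sends ATI, parses the manufacturer, model and revision from the reply, and flags any model in the product family the article lists. The response layout (manufacturer, model, then a "REVISION xx.yyy" line), the FakePort stand-in and the scripted replies are assumptions constructed for the example; against real hardware, pass a pyserial Serial object opened on the module's UART instead, and compare the reported revision with the vendor's advisory, which this script does not know.

```python
"""Inventory check over the AT command interface of a Cinterion-family module."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Families the article lists as affected by CVE-2020-15858.
AFFECTED_MODELS = {"BGS5", "EHS5", "EHS6", "EHS8", "PDS5", "PDS6", "PDS8",
                   "ELS61", "ELS81", "PLS62"}
FINAL_RESULT_CODES = ("OK", "ERROR")


@dataclass
class ModuleIdentity:
    manufacturer: str
    model: str
    revision: str

    @property
    def in_affected_family(self) -> bool:
        return self.model.upper() in AFFECTED_MODELS


def send_at(port, command: str, max_lines: int = 32) -> list[str]:
    """Send one AT command and collect the information lines before the final result code.

    `port` only needs write(bytes) and read_until(bytes), which pyserial's Serial provides.
    """
    port.write((command + "\r").encode("ascii"))
    lines: list[str] = []
    for _ in range(max_lines):
        raw = port.read_until(b"\r\n")
        if not raw:
            raise TimeoutError(f"no response to {command}")
        line = raw.decode("ascii", errors="replace").strip()
        if not line or line == command:          # blank separator or command echo
            continue
        if line in FINAL_RESULT_CODES or line.startswith("+CME ERROR"):
            if line != "OK":
                raise RuntimeError(f"{command} failed: {line}")
            return lines
        lines.append(line)
    raise RuntimeError(f"no final result code after {max_lines} lines")


def parse_ati(lines: list[str]) -> ModuleIdentity:
    """Assumed ATI layout: manufacturer, model, 'REVISION xx.yyy'."""
    if len(lines) < 3:
        raise ValueError(f"unexpected ATI response: {lines}")
    match = re.match(r"REVISION\s+(\S+)", lines[2], re.IGNORECASE)
    if not match:
        raise ValueError(f"no revision line in ATI response: {lines}")
    return ModuleIdentity(lines[0], lines[1], match.group(1))


def identify(port) -> ModuleIdentity:
    return parse_ati(send_at(port, "ATI"))


class FakePort:
    """Stand-in for serial.Serial that replays a scripted reply (constructed for this example)."""

    def __init__(self, scripted: bytes) -> None:
        self._buf = scripted

    def write(self, data: bytes) -> int:
        return len(data)

    def read_until(self, expected: bytes = b"\n", size=None) -> bytes:
        cut = self._buf.find(expected)
        end = len(self._buf) if cut < 0 else cut + len(expected)
        chunk, self._buf = self._buf[:end], self._buf[end:]
        return chunk


# Constructed replies in the assumed layout: echo, three info lines, blank line, OK.
SAMPLE_EHS8_ATI = b"ATI\r\r\nCinterion\r\nEHS8\r\nREVISION 03.001\r\n\r\nOK\r\n"
SAMPLE_OTHER_ATI = b"ATI\r\r\nOtherVendor\r\nXM100\r\nREVISION 01.000\r\n\r\nOK\r\n"


if __name__ == "__main__":
    # Real hardware would be: port = serial.Serial("/dev/ttyUSB0", 115200, timeout=2)
    for sample in (SAMPLE_EHS8_ATI, SAMPLE_OTHER_ATI):
        ident = identify(FakePort(sample))
        status = ("in affected family: verify patch level" if ident.in_affected_family
                  else "not in affected family")
        print(f"{ident.manufacturer} {ident.model} rev {ident.revision}: {status}")
```

The transport is deliberately minimal so the same `send_at` works on a pyserial port (`read_until` returns an empty bytes object on timeout, which the loop treats as an error rather than spinning forever); the echo-skipping matters because most modems echo the command line unless ATE0 has been sent.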

    To support the Java environment there are also some Java-related commands, one of which "installs" a Java midlet that was previously uploaded to the flash file system. This effectively copies the Java code into a "secure storage" area of the flash file system that is in theory "write only", meaning data can be copied into it but never read back. In this way an OEM can prevent third parties from stealing the private Java code that contains its IP, along with any security-related files such as PKI keys or certificates and application-related databases.

    However, the vulnerability X-Force Red discovered allows full read, write, and delete access to these hidden areas (although Thales has implemented additional checks for specific file types). This lets an attacker read out all of the Java code running on the system, including the OEM's midlets and Thales' own core code, as well as any other "hidden" support files it may hold.

    Because Java is easily decompiled into human-readable code, this can expose the complete logic of any application along with any embedded "secrets" such as passwords and encryption keys, making IP theft a very simple operation. With this data in hand, an attacker can easily build "clones" of the device or, more worryingly, modify its functionality for fraudulent or malicious ends.
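To make that point concrete, here is an added Python example (written for this edit, not code from IBM or Thales) that does the first thing an attacker would do with a midlet JAR pulled off a vulnerable module: walk each class file's constant pool, extract the CONSTANT_String literals, and flag the ones that look like credentials or key material. No decompiler is needed for this step; string literals sit in the class file in the clear. The sample midlet class and JAR are hand-assembled inside the script (the password and PEM blob are placeholders), and the secret heuristics are an assumption for illustration; pass the bytes of a real JAR to scan_jar_bytes to scan it.

```python
"""Extract string literals from Java class files to show what a recovered midlet gives away."""
from __future__ import annotations

import io
import re
import struct
import zipfile

# Constant-pool tag -> payload size for fixed-length entries (JVM spec 4.4).
# Utf8 (tag 1) is variable-length; Long (5) and Double (6) also occupy two slots.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
               15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def extract_string_literals(class_bytes: bytes) -> list[str]:
    """Return the CONSTANT_String literals of one .class file, in constant-pool order."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (cp_count,) = struct.unpack_from(">H", class_bytes, 8)
    pos = 10                      # first constant-pool entry follows the u2 count
    utf8: dict[int, str] = {}
    string_refs: list[int] = []
    index = 1                     # constant-pool indices are 1-based
    while index < cp_count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:              # CONSTANT_Utf8: u2 length + bytes (modified UTF-8)
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            utf8[index] = class_bytes[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        elif tag == 8:            # CONSTANT_String: u2 index of the Utf8 entry it names
            (ref,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            string_refs.append(ref)
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1
    return [utf8[ref] for ref in string_refs if ref in utf8]


# Heuristics (an assumption for illustration) for literals worth a closer look.
_SECRET_HINTS = re.compile(r"password|passwd|secret|api[_-]?key|token|BEGIN [A-Z ]*PRIVATE KEY", re.I)
_LONG_OPAQUE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")   # hex/base64-looking blobs


def looks_like_secret(literal: str) -> bool:
    return bool(_SECRET_HINTS.search(literal) or _LONG_OPAQUE.match(literal))


def scan_jar_bytes(jar: bytes) -> dict[str, list[str]]:
    """Map each class in a JAR to the string literals that look like secrets."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            hits = [s for s in extract_string_literals(zf.read(name)) if looks_like_secret(s)]
            if hits:
                findings[name] = hits
    return findings


# --- constructed sample midlet (placeholders, not real credentials) -------------------
SAMPLE_PASSWORD = "ChangeMe-FakePassword"
SAMPLE_PEM = "-----BEGIN PRIVATE KEY-----\nMIIBfakefakefake\n-----END PRIVATE KEY-----"


def _utf8(text: str) -> bytes:
    data = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(data)) + data


def _ref(tag: int, index: int) -> bytes:
    return bytes([tag]) + struct.pack(">H", index)


def build_sample_class() -> bytes:
    """Hand-assemble a minimal class file whose constant pool holds a few literals."""
    pool = [
        _utf8("com/example/MeterMidlet"), _ref(7, 1),      # 1: Utf8, 2: Class
        _utf8("java/lang/Object"), _ref(7, 3),             # 3: Utf8, 4: Class
        _utf8(SAMPLE_PASSWORD), _ref(8, 5),                # 5: Utf8, 6: String
        _utf8(SAMPLE_PEM), _ref(8, 7),                     # 7: Utf8, 8: String
        _utf8("Hello from midlet"), _ref(8, 9),            # 9: Utf8, 10: String
        _utf8("apn.example.invalid"), _ref(8, 11),         # 11: Utf8, 12: String
        b"\x03" + struct.pack(">i", 42),                   # 13: Integer
        b"\x05" + struct.pack(">q", 1 << 40),              # 14-15: Long (two slots)
        _utf8("<init>"),                                   # 16: Utf8 (a method name, not a literal)
    ]
    slots = sum(2 if entry[0] in (5, 6) else 1 for entry in pool)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 47, slots + 1)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    trailer = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    return header + b"".join(pool) + trailer


def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "MIDlet-Name: MeterMidlet\n")
        zf.writestr("com/example/MeterMidlet.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    for cls, hits in scan_jar_bytes(build_sample_jar()).items():
        print(cls)
        for hit in hits:
            print("   ", hit.splitlines()[0])
```

Only CONSTANT_String entries are reported, so method names and descriptors (which are also Utf8 entries) do not add noise; a real JAR also yields keys loaded from resource files and keystores, which this constant-pool walk does not cover.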

    Responsible disclosure and remediation

    Thales worked with the X-Force Red team to test, build, and distribute a patch to its customers in February 2020.

    The patch can be applied in two ways: by connecting to the device over USB and running the update, or through an over-the-air (OTA) update. How a given device gets patched depends entirely on its manufacturer and on the device's capabilities; whether the device can reach the Internet, for example, may complicate the process. Another point to note is that the more heavily regulated a device is (medical devices, industrial controls, and so on), the harder it is to apply a patch, since doing so may require re-certification, which is often a lengthy process.
