IBM Finds Flaw in Millions of Thales Wireless IoT ModulesInsulin Pumps Could Be Manipulated and Smart Meters Could Be Wrecked, IBM Warns
A patching effort has been underway for six months to upgrade Thales wireless communication modules that are embedded in millions of IoT devices, including smart meters and insulin pumps. Left unpatched, a vulnerability in the modules could allow attackers to control devices, IBM warns.
See Also: Hybrid IT-OT Security Management
These types of large-scale remediation efforts have become familiar when IoT devices sold by a variety of vendors share a common but problematic component. Rather than announce a vulnerability in tandem with the patch, a concerted effort takes place to remedy as many devices as possible before going public.
On Wednesday, IBM’s X-Force Red team revealed the vulnerability, CVE-2020-15858, which it found last September in Thales’ Cinterion EHS8 M2M modules. The flaw is also in related products, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81 and PLS62 modules. The modules are used in devices in a variety of industries, including healthcare, automotive, energy and telecommunications.
The modules, which IBM describes as mini circuit boards, enable 3G or 4G connectivity, but also store secrets such as passwords, credentials and code, according to Adam Laurie, X-Force Red’s lead hardware hacker, and Grzegorz Wypych, senior security consultant, who wrote a blog post.
“This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider’s backend network,” Laurie and Wypych write. “In turn, intellectual property, credentials, passwords and encryption keys could all be readily available to an attacker.”
In a statement, Thales says "it takes the security of its products very seriously and therefore has, after communicating and discussing this issue with affected customers, delivered software fixes in Q1/2020."
Full Read, Write Access
The modules run microprocessors with an embedded Java ME interpreter and use flash storage. Also, there are Java “midlets” that allow for customization. One of those midlets copies custom Java code added by an OEM to a secure part of the flash memory, which should only be in write mode so that code can be written there but not read back.
“This way, an OEM’s private Java code containing their IP, as well as any security related files such as PKI keys or certificates and application related databases are secured against theft by third parties,” IBM says.
"This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider’s backend network. In turn, intellectual property, credentials, passwords and encryption keys could all be readily available to an attacker."
—IBM X-Force Red
X-Force Red found, however, the modules had full read, write and delete access to what should be a restricted area.
“Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases,” IBM says.
The possibilities for attack are sweeping: Smart meters could be wrecked or an insulin pump could be manipulated to overdose a patient, according to the researchers. Because Java code can be easily reversed, it would also be possible to clone a device or modify its functionality, they write.
How to Patch
The patch can be installed either over the air or via USB, IBM says. But it might not be completely straightforward.
“The patching process for this vulnerability is completely dependent on the manufacturer of the device and its capabilities – for example, whether the device has access to the internet could make it complicated to work with,” IBM says. “Another item to note is that the more regulated a device is (medical devices, industrial controls, etc.), the more difficult it is to apply the patch, since doing so may require recertification, an often time-intensive process.”
IBM says Thales spent “significant time working with customers to ensure they were aware of the patches and taking steps to secure their users. We commend Thales for their handling of this flaw.”