Commonly used modems in industrial IoT devices are vulnerable to SMS attacks

Vulnerabilities in Telit Cinterion cellular modems, widely used in sectors including industrial, healthcare and telecommunications, could allow remote attackers to execute arbitrary code via SMS messages.

A set of eight separate issues, seven of which have the IDs CVE-2023-47610 through CVE-2023-47616 while the eighth is yet to be reported, was disclosed last November by security researchers at Kaspersky’s ICS CERT division.

Before publishing the security issues, the security company reported them to the vendor in February 2023.

On Saturday at the OffensiveCon conference in Berlin, Alexander Kozlov and Sergey Anufrienko will present detailed technical information on the security issues and how a threat actor can use them to gain control of vulnerable Telit Cinterion devices.

SMS to take over the device

The most serious of the vulnerabilities is CVE-2023-47610, a heap overflow issue that affects modem SUPL (User Plane Location) message handling.

Kaspersky, in cooperation with Telit and based on a thorough analysis of the technical details, gave it a severity rating of 8.8 out of a maximum of 10. NIST’s assessment, however, rates the issue as critical, with a score of 9.8.

By sending specially crafted SMS messages, an attacker can trigger this vulnerability and remotely execute arbitrary code on the modem without any authentication.

In a report shared with BleepingComputer, researchers claim that the SMS messaging interface is present in all modems and access to it is possible if the subscriber number of the target modem in the mobile operator’s network is known.

They explain that carrier restrictions can sometimes prevent sending binary SMS messages, but a fake base station should bypass this restriction.

By leveraging CVE-2023-47610 to execute arbitrary code via SMS, an attacker could gain deep access to the modem’s operating system.

“This access also makes it easier to manipulate RAM and flash memory, increasing the potential to take full control of the modem’s functionality – all without authentication or the need for physical access to the device” – Kaspersky
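The bug class behind CVE-2023-47610 is a heap overflow in a message parser: a length field taken from untrusted input is trusted when copying into a fixed-size heap buffer. The following C program is an added, constructed illustration of that class and its fix; it is not the Telit Cinterion firmware, and the three-byte header format, the `MAX_BODY` capacity and the sample messages are all invented for the example. The unchecked parser is shown only for contrast and is never fed malicious input; the checked parser rejects a declared length that exceeds either the allocation or the bytes actually received.

```c
/* Constructed example: length-prefixed message parsing, unsafe vs. hardened.
 * Wire format (invented for this example): [type:1][declared_len:2 BE][body]. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_BODY 64   /* capacity of the heap buffer the parser allocates */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_OOM = -3 };

struct message {
    uint8_t  type;
    uint16_t body_len;
    uint8_t *body;   /* heap buffer holding body_len bytes */
};

/* Unsafe: trusts declared_len from the wire. A crafted header makes memcpy
 * write past the MAX_BODY-byte heap allocation (heap overflow) and read
 * past the end of the input. Kept here only to contrast with the fix. */
int parse_message_unchecked(const uint8_t *in, size_t in_len, struct message *out) {
    if (in_len < 3) return PARSE_TRUNCATED;
    out->type = in[0];
    out->body_len = (uint16_t)((in[1] << 8) | in[2]);
    out->body = malloc(MAX_BODY);
    if (!out->body) return PARSE_OOM;
    memcpy(out->body, in + 3, out->body_len);   /* no bound on body_len */
    return PARSE_OK;
}

/* Hardened: the declared length is validated against both the destination
 * capacity and the remaining input before any allocation or copy happens. */
int parse_message_checked(const uint8_t *in, size_t in_len, struct message *out) {
    if (in_len < 3) return PARSE_TRUNCATED;
    uint16_t declared = (uint16_t)((in[1] << 8) | in[2]);
    if (declared > MAX_BODY) return PARSE_TOO_LONG;            /* bound vs. allocation */
    if ((size_t)declared > in_len - 3) return PARSE_TRUNCATED; /* bound vs. input */
    out->type = in[0];
    out->body_len = declared;
    out->body = malloc(declared ? declared : 1);
    if (!out->body) return PARSE_OOM;
    memcpy(out->body, in + 3, declared);
    return PARSE_OK;
}

void message_free(struct message *m) { free(m->body); m->body = NULL; m->body_len = 0; }

/* Parse a sample with the hardened parser and report its status. */
int check_sample(const uint8_t *in, size_t in_len) {
    struct message m = {0, 0, NULL};
    int rc = parse_message_checked(in, in_len, &m);
    if (rc == PARSE_OK) message_free(&m);
    return rc;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_OK[]    = {0x01, 0x00, 0x04, 'a', 'b', 'c', 'd'};  /* declares 4, supplies 4 */
const uint8_t SAMPLE_HUGE[]  = {0x01, 0xFF, 0xFF, 'a'};                 /* declares 65535 bytes */
const uint8_t SAMPLE_TRUNC[] = {0x01, 0x00, 0x10, 'a', 'b'};            /* declares 16, supplies 2 */

int main(void) {
    printf("valid:     %d\n", check_sample(SAMPLE_OK, sizeof SAMPLE_OK));       /* 0  */
    printf("oversized: %d\n", check_sample(SAMPLE_HUGE, sizeof SAMPLE_HUGE));   /* -2 */
    printf("truncated: %d\n", check_sample(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC)); /* -1 */
    return 0;
}
```

The two checks in `parse_message_checked` are the whole difference: one bounds the copy by the destination's capacity, the other by the bytes that actually arrived, and both happen before `malloc`, so a malformed message never reaches the copy at all.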

Although the remaining vulnerabilities discovered by Kaspersky researchers have a lower severity rating, they can be exploited to compromise the integrity of MIDlets – Java-based applications with various functions.

According to Kaspersky, an attacker could execute code with elevated privileges (at the manufacturer level) by bypassing digital signature checks (CVE-2023-47611). This would pose a risk not only to data confidentiality and integrity, but also to broader network security and device integrity.

Although the research focused on the Cinterion EHS5-E series modem, other products from this vendor share a similar software and hardware architecture and are therefore also affected:

  • Cinterion BGS5
  • Cinterion EHS5/6/7
  • Cinterion PDS5/6/8
  • Cinterion ELS61/81
  • Cinterion PLS62

Kaspersky told BleepingComputer that Telit has fixed some of the disclosed vulnerabilities, but some remain unpatched.

“The vulnerabilities we discovered, combined with the widespread deployment of these devices across sectors, highlight the potential to cause widespread disruption on a global scale,” says Yevgeny Goncharov, head of Kaspersky ICS CERT.

Goncharov notes that because modems are embedded in other solutions, determining which products are affected is a challenge.

The security company offers several recommendations for reducing the threat, most of which require working with the telecommunications operator. One strategy is to disable SMS delivery to affected devices and to use a securely configured private APN.

Kaspersky also recommends enforcing application signature verification to prevent the installation of untrusted MIDlets on the modem, and taking steps to prevent unauthorized physical access to the devices.