Millions of IoT devices at risk from integrated modem

Millions of IoT devices in sectors such as financial services, telecommunications, healthcare and automotive are at risk of being compromised due to several vulnerabilities in the cellular modem technology that the devices use to communicate with each other and with centralized servers.

Vulnerabilities in Telit’s Cinterion modems include remote code execution flaws, among them some that require an attacker to have local access to the affected machine before they can be exploited. The most serious is a heap overflow vulnerability (CVE-2023-47610) that allows remote attackers to execute arbitrary code via SMS on affected devices.

Seven serious vulnerabilities

Kaspersky researchers discovered the flaws and reported them, seven in all, to Telit last November. According to Kaspersky, which published a report on its findings this week, Telit, for reasons best known to itself, released patches to address some, but not all, of the vulnerabilities.

Telit did not immediately respond to Dark Reading’s request for comment submitted through the media contact form on its main website.

Telit Cinterion modems are integrated with IoT devices from many vendors. Examples of IoT products that integrate Cinterion for cellular communications include industrial equipment, smart meters, telematics, vehicle tracking, healthcare and medical devices. Because modems are typically integrated with IoT devices in a nested manner with products from other vendors, compiling a list of all affected products is a challenge, Kaspersky said.

“While we cannot provide an exact estimate of the number of IoT vendors or products affected, millions of devices across industries could potentially be affected,” a Kaspersky researcher said in comments emailed to Dark Reading. “Given the widespread use of these modems in sectors including automotive, healthcare, industrial automation and telecommunications, the potential impact is wide-ranging.”

CVE-2023-47610, the most severe of the seven vulnerabilities discovered by Kaspersky, affects the Cinterion protocol for location-based services. Attackers could potentially exploit this vulnerability to gain access to the modem’s operating system and/or manipulate the device’s RAM and flash memory to gain full control over its functions. This would enable an attacker to potentially compromise the integrity and availability of connected devices and networks, according to a Kaspersky researcher.

“This scenario could lead to unauthorized access to sensitive data or disruption of core operations, which will have far-reaching effects across many industries, including healthcare, telecommunications and transportation,” the researcher said. “Such impacts could range from operational disruptions to serious threats to public safety.”

Turning off SMS the best option

Kaspersky recommended that organizations using vulnerable IoT devices disable all non-essential SMS functionality and use private access point names (APNs) with strict security settings to ensure dedicated connectivity. According to the vendor, disabling SMS is the only reliable way to mitigate the risk of CVE-2023-47610.

The Kaspersky researcher says telecom service providers will also need to play a role in making it harder for attackers to exploit this vulnerability: “Because CVE-2023-47610 allows remote code execution via SMS, telecom service providers are uniquely positioned to implement level-control network security that can prevent malicious SMS messages from being delivered to vulnerable devices.”

Six other vulnerabilities in Cinterion modems discovered by Kaspersky (designated CVE-2023-47611 through CVE-2023-47616) relate to the way the devices handle Java applets running on them. The vulnerabilities allow attackers to perform multiple malicious actions, including bypassing digital signature checks, executing unauthorized code, and elevating privileges. Kaspersky has identified the vulnerabilities as posing a significant risk to data confidentiality and device integrity.

“Kaspersky recommends enforcing rigorous digital signature verification for (Java applets) controlling physical access to devices and conducting regular security audits and updates,” the researcher notes.

The problem of IoT flaws is growing

Although Kaspersky reported these vulnerabilities last November, the company delayed disclosing full details to give the vendor a reasonable opportunity to inform customers about the threats so they can implement risk mitigation measures. “Our goal was to ensure appropriate protective measures were in place before we publicly released detailed research into the feasibility of exploiting these vulnerabilities,” the researcher says.

Attacks on IoT environments – especially in industrial control systems and operational technologies – are a growing problem. Analysis of 2023 threat data by Nozomi Networks shows an increase in the number of attacks on IoT and OT networks, driven by a sharp increase in the number of IoT vulnerabilities. One example was a set of 11 vulnerabilities in three industrial routers, reported by Otorio researchers last year. These vulnerabilities are believed to affect thousands of industrial IoT products across various sectors. In several cases, suppliers of the affected products have not patched the reported vulnerabilities, according to another study conducted by SynSaber.