Overview
Millions of Internet of Things (IoT) devices across multiple industries are exposed to serious security threats because of flaws in a widely used cellular modem. These devices are critical in sectors such as healthcare, automotive, telecommunications, and financial services, and the vulnerabilities could allow them to be compromised, posing significant risks.
The Vulnerabilities
The vulnerabilities, discovered in Cinterion modems made by Telit, include several severe issues:
- Remote Code Execution Flaws: Some require local access to exploit, but others can be triggered remotely.
- Memory Heap Overflow (CVE-2023-47610): The most critical flaw allows attackers to execute arbitrary code via SMS on affected devices.
Discovery and Reporting
Kaspersky researchers identified a total of seven vulnerabilities and reported them to Telit last November. Telit has patched some, but not all, of these flaws.
Impacted Devices
Cinterion modems are integrated into IoT devices from many vendors. Examples include:
- Industrial equipment
- Smart meters
- Telematics and vehicle tracking systems
- Healthcare and medical devices
Due to their widespread use, compiling a complete list of affected devices is difficult, but potentially millions of devices are at risk.
Potential Consequences
The most severe vulnerability, CVE-2023-47610, affects a protocol for location-based services. Exploiting this flaw could allow attackers to:
- Access the modem’s operating system
- Manipulate device memory
- Gain complete control over device functions
Such control could lead to unauthorized access to sensitive data, disruption of essential operations, and significant threats to public safety and security.
Mitigation Measures
Disabling SMS
Kaspersky recommends disabling all nonessential SMS capabilities on vulnerable devices. This is considered the most effective way to mitigate risks associated with CVE-2023-47610.
Private APNs
Using private Access Point Names (APNs) with strict security settings for dedicated connectivity can further protect against these vulnerabilities.
Role of Telecom Vendors
Telecom vendors are in a unique position to help prevent the delivery of malicious SMS messages to vulnerable devices, thus mitigating remote code execution risks.
Additional Vulnerabilities
The other six vulnerabilities (CVE-2023-47611 through CVE-2023-47616) relate to Java applets on the devices. Exploiting these flaws can:
- Bypass digital signature checks
- Execute unauthorized code
- Perform privilege escalation
Kaspersky advises enforcing rigorous digital signature verification for Java applets and conducting regular security audits and updates.
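The mitigation sections above amount to a short checklist per device: is CVE-2023-47610 patched, is nonessential SMS disabled, is a private APN in use, and is applet signature verification enforced for the CVE-2023-47611 through CVE-2023-47616 issues. The following fleet triage script is an added example, not code from Kaspersky, Telit, or this article. The inventory schema, field names (`sms_required`, `private_apn`, `applet_signature_enforced`) and the sample device records are assumptions constructed for the example; only the CVE identifiers come from the page.

```python
"""Fleet exposure triage against the Cinterion modem advisory mitigations.

Added example (not from Kaspersky, Telit, or the article). The Device schema and
the constructed inventory below are assumptions for illustration.
"""
from dataclasses import dataclass, field

SMS_RCE = "CVE-2023-47610"  # heap overflow reachable via SMS (from the advisory)
APPLET_CVES = tuple(f"CVE-2023-4761{n}" for n in range(1, 7))  # Java applet flaws


@dataclass
class Device:
    name: str
    modem_family: str                   # e.g. "cinterion" (assumed inventory value)
    patched: set = field(default_factory=set)  # CVE ids already remediated
    sms_enabled: bool = True
    sms_required: bool = False          # does the device's function actually need SMS?
    private_apn: bool = False
    applet_signature_enforced: bool = False


def findings(dev: Device) -> list[str]:
    """Return mitigation gaps for one device, most severe first."""
    if dev.modem_family.lower() != "cinterion":
        return []  # advisory only concerns Cinterion modems
    out = []
    if SMS_RCE not in dev.patched:
        if not dev.sms_enabled:
            out.append("MEDIUM: CVE-2023-47610 unpatched but SMS disabled; "
                       "apply the vendor patch when available")
        elif dev.sms_required:
            out.append("CRITICAL: CVE-2023-47610 unpatched and SMS required; "
                       "restrict SMS delivery at the carrier and use a private APN")
        else:
            out.append("CRITICAL: CVE-2023-47610 unpatched with nonessential SMS "
                       "enabled; disable SMS")
    if not dev.private_apn:
        out.append("HIGH: no private APN; device reachable over the public "
                   "cellular network")
    unpatched_applet = [c for c in APPLET_CVES if c not in dev.patched]
    if unpatched_applet and not dev.applet_signature_enforced:
        out.append(f"HIGH: applet signature verification not enforced with "
                   f"{len(unpatched_applet)} applet CVE(s) unpatched")
    return out


def triage(inventory) -> dict[str, list[str]]:
    """Map device name -> findings, omitting devices with nothing to report."""
    result = {}
    for dev in inventory:
        gaps = findings(dev)
        if gaps:
            result[dev.name] = gaps
    return result


# Constructed sample inventory; names and states are invented for this example.
SAMPLE_INVENTORY = [
    Device("smart-meter-01", "cinterion"),  # all defaults: worst case
    Device("tracker-07", "cinterion", patched={SMS_RCE}, private_apn=True,
           applet_signature_enforced=True),
    Device("infusion-pump-3", "cinterion", sms_enabled=False, private_apn=True,
           patched=set(APPLET_CVES)),
    Device("gateway-x", "othervendor"),      # not in scope of the advisory
]

if __name__ == "__main__":
    for name, items in triage(SAMPLE_INVENTORY).items():
        print(name)
        for item in items:
            print("  -", item)
```

Running the script lists only devices with open gaps; the fully mitigated tracker and the non-Cinterion gateway produce no output, while the default-configured smart meter shows all three findings with the SMS-reachable overflow first.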
Growing IoT Security Concerns
The rising number of attacks on IoT environments, especially in industrial control and operational technology settings, is alarming. Nozomi Networks' analysis of 2023 threat data highlights an increase in IoT and OT network attacks, driven by a surge in IoT vulnerabilities. A notable example is the 11 vulnerabilities in industrial routers reported by Otorio last year, affecting thousands of industrial IoT products. Some vendors did not patch the reported vulnerabilities, exacerbating the issue.
Conclusion
The discovery of these vulnerabilities in Cinterion modems underscores the critical need for robust security measures in IoT devices. Organizations must take proactive steps to secure their devices, including disabling SMS capabilities and enforcing strict security protocols. Collaboration between device manufacturers, telecom vendors, and security researchers is essential to protect against these evolving threats.
Key Points
- Vulnerabilities: Seven severe flaws in Cinterion modems, including remote code execution and memory heap overflow.
- Impact: Millions of IoT devices in critical sectors at risk.
- Mitigation: Disable nonessential SMS, use private APNs, enforce digital signature verification.
- Industry Response: Immediate action required from device manufacturers and telecom vendors to mitigate risks.
By addressing these vulnerabilities proactively, we can safeguard the critical infrastructure that relies on these IoT devices and prevent potential security breaches.