We live in a world where things talk to things in order to make our lives easier, safer, more efficient, or more profitable. These things exchange information using the internet of things (IoT), which will connect 55.9 billion devices by 2025, according to IDC predictions.
We trust these interconnected devices with immeasurable amounts of data, which is why researchers devote a great deal of effort to testing their security. A team of IBM hackers called X-Force Red has been doing exactly this, and their recent explorations have revealed a remotely exploitable IoT vulnerability with massive implications.
Thales IoT Module
The vulnerability appeared in the Cinterion EHS8 M2M module made by Thales, a leading creator of IoT components. This module is used in millions of IoT devices, according to a report by Security Intelligence. Thales conducted additional testing and found that the vulnerability also impacted other Thales-made modules. These modules are mini circuit boards that not only make IoT communication possible, but also store passwords, certificates, encryption keys, and other confidential information.
According to the report, hackers can use this information to control devices or to gain entry to a central control network and attack on a wider scale. The potential impact of this type of vulnerability is almost unthinkable.
Potential Points of Impact
Security Intelligence reporters explain that attackers can compromise any of millions of devices across the globe that use Thales’ module, provided the modules have not been patched (Thales has made a patch available for customers). Many of these modules appear in various applications throughout the telecom, energy, automotive, and medical industries.
If a hacker were to compromise a device that delivers insulin to an insulin pump, for example, they could overdose a patient. Alternatively, they could conceal vital signs from a monitoring device, thereby preventing a patient from seeking appropriate medical treatment.
If a hacker were to compromise a utility smart meter, they could manipulate their monthly bills. They could even create a citywide blackout or compromise the entire grid.
Fixing the Problem
Security Intelligence commends Thales on its responsiveness to the discovery of this vulnerability. The special report explains that patching devices for this weakness depends on the device’s manufacturers and its functionality. Regulated devices, the report says, may prove more complicated to patch.
For more information on the affected module, visit https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15858.