Vulnerability in widely used IoT modules could expose a significant number of devices worldwide to security risks

Society's dependence on technology is very strong. The number of Internet-connected devices in use around the world is expected to rise to 55.9 billion by 2025. Many of these devices form part of industrial control systems (ICS). They power the planet, support our everyday lives at home, and monitor and automate everything from electricity usage to machine maintenance. The potential for abuse of these systems has attracted the attention of cybercriminals.

The 2020 IBM X-Force Threat Intelligence Report states that attacks on these systems have risen by over 2,000 per cent since 2018.

As part of ongoing research, IBM's X-Force Red team of hackers found a new vulnerability in an IoT module that could be abused. As of February 2020, the vendor, Thales, has issued a fix for CVE-2020-15858 to its customers.

X-Force Red has worked with Thales to ensure users understand the patch and take protective measures. Thales is one of the suppliers of the components that allow the billions of smart devices in use today to connect to the Internet, store information securely and verify identities. Thales's product range connects more than 3 billion devices annually, from smart energy meters to medical devices and cars, and over 30,000 organisations rely on its solutions.

In September 2019, X-Force Red found a flaw in the Thales (formerly Gemalto) Cinterion EHS8 M2M module, which has been used over the last decade in millions of Internet-connected devices.

On further inspection, Thales reported that the flaw also affects other modules in the same product family (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62), extending the vulnerability's potential impact. These modules are miniature circuit boards that give IoT devices mobile communication capabilities.

More specifically, their Java code typically contains sensitive information such as passwords, encryption keys and certificates. Using the information obtained from the module, malicious actors could take control of the device or gain access to the central control network to carry out a wide range of attacks, in some cases remotely over 3G and in others only locally.

An attacker could use this vulnerability to instruct a smart meter to shut off electricity in an area, or even cause a medical device to administer an incorrect volume of medication to a patient, provided the hardware responsible for those core functions uses an unpatched module that is exposed to the attacker, for example because the module's 3G/4G connection is enabled.

About the risk

The EHS8 module and the other modules in the series are designed to provide secure communication for connected equipment over 3G/4G networks.

Think of this module as a trusted wireless lock box in which a business can safely keep a collection of keys such as passwords, certificates and security codes. The vulnerability breaks this protection and allows attackers to steal that corporate information.

X-Force Red found a way to circumvent the security measures that conceal customers' confidential data and operating code. This vulnerability could allow an attacker to compromise millions of devices and to access the networks or VPNs that connect those devices to the provider's back-end network.

With regard to intellectual property (IP), an attacker can readily obtain identities, passwords and encryption keys. Put another way, the information the module is meant to protect is no longer secret. Attackers could also steal the application code, alter its logic entirely and abuse the device.

What is the potential impact?

The potential impact of this flaw depends on which devices using this module series the attacker is able to reach. Millions of products worldwide are known to use this module, particularly in the automotive industry and across the scientific, telecommunications and energy sectors.

Given the criticality of many of these devices, targeted cyber attacks could have serious consequences. Below are some examples of what an attacker might do when unpatched modules in various types of system are exposed.

Medical devices: manipulating device readings to mask vital signs or trigger false alarms. In equipment that delivers treatment based on those readings, such as insulin pumps, cyber criminals could cause patients to be overdosed or underdosed.

Energy and utilities: tampering with smart meters to fake readings, increasing or decreasing monthly bills.

By gaining network access to a large group of these devices, malicious actors could also shut off meters across a city, causing widespread power outages that require individual repairs, or worse, damage to the power grid itself.

Like the other modules in this series, the EHS8 module consists of a microprocessor with an embedded Java ME interpreter and flash memory, together with GSM, GPIO, ADC, digital and analogue ports, GPS, I2C, SPI and USB interfaces. It also provides a platform for higher-level connectivity such as PPP and IP. The embedded Java environment allows Java "midlets" to be written that provide flexible functionality and connectivity with host devices and/or serve as the principal application logic. At the simplest level of OEM integration, the module behaves like a conventional "Hayes" modem: besides running a Java program, it can be controlled over the physical UART connection built into the circuit using serial "AT" commands.

During security testing, the Java application can be bypassed and control handed back to the lower layers, allowing direct access to the module. Once the AT command interface is reached, a large number of standard commands can be issued, such as 'ATD' (dial) or 'ATI' (display vendor details).

There are also several configuration commands and a small subset of commands, "AT^SFSA", for accessing the file system overlaid on the flash memory. These allow files and subdirectories to be read, written, edited and renamed.

There are also several Java-related commands for managing the Java environment, one of which "downloads" a previously uploaded Java midlet onto the flash file system. The Java code can likewise be copied into a "secure storage" area of the flash file system, which in theory is "write-only", that is, data can be written to it but never read back. The OEM manufacturer therefore places its private Java code (the IP) there, along with security-related files such as PKI keys, certificates and application databases, which should prevent theft by third parties.

However, the vulnerability found by X-Force Red allows full read, write and delete access to these hidden areas (Thales carried out further investigation of the various file types affected). This lets an attacker read all of the Java code running on the device (including the main OEM midlet and Thales's own code), as well as any other supporting "secret" files it may hold.

Because Java is easily decompiled into human-readable form, this can reveal the entire logic of an application and any hidden "secrets" such as passwords and encryption keys, making IP theft very easy.

With this in hand, an attacker could quickly build a "clone" device or, more worryingly, alter its functionality to carry out illegal or harmful acts.

Vulnerable code listing


The code listing (not reproduced here) shows that the vulnerability lies in code that counts the characters in the path substring and tests whether the fourth character is the hidden-file marker (index 3 of the character array). Under normal circumstances, any attempt to access secret files with a dot prefix is refused.

Replacing the slash with a double slash (e.g. a://.hiddenfile) causes that condition to fail, and execution falls through to a loop that accepts any printable character; the system then simply ignores the extra slash. This allows an attacker to circumvent the check that refuses dot-prefixed file names.
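To make the flaw concrete, the following Python illustration (added here; it is not the module's firmware and the function names, drive notation and sample paths are constructed for the example) places a stand-in for the positional check described above beside a hardened check that normalises the path and inspects every component:

```python
"""Hidden-file (dot-prefixed) path check, as described in the article.

Constructed illustration, not the module's actual firmware:
`naive_is_hidden` mimics the positional check the article describes
(look only at index 3); `hardened_is_hidden` normalises the path first.
"""
import re

HIDDEN_MARKER = "."


def naive_is_hidden(path: str) -> bool:
    """Flawed check (stand-in): assumes the form 'a:/<name>' and inspects
    only the fourth character, so 'a://.secret' is never seen as hidden."""
    return len(path) > 3 and path[3] == HIDDEN_MARKER


def hardened_is_hidden(path: str) -> bool:
    """Normalise, then decide on every path component.

    - Runs of '/' or '\\' collapse into a single separator.
    - A leading '.' in ANY component marks the path as hidden (this also
      refuses '..' traversal components, the safer default here).
    """
    _, _, rest = path.partition(":")                 # drop the drive ('a:')
    components = [c for c in re.split(r"[/\\]+", rest) if c]
    return any(c.startswith(HIDDEN_MARKER) for c in components)


def access_allowed(path: str, check=hardened_is_hidden) -> bool:
    """Policy wrapper a file-system command handler would call."""
    return not check(path)


def compare(paths):
    """Return {path: (naive_refuses, hardened_refuses)} for sample paths."""
    return {p: (naive_is_hidden(p), hardened_is_hidden(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths in a hypothetical 'a:/' drive notation.
    samples = ["a:/.hidden", "a://.hidden", "a:/dir/.key", "a:/public.txt"]
    for path, (naive, hard) in compare(samples).items():
        print(f"{path:14} naive refuses={naive!s:5} hardened refuses={hard}")
```

The second sample path shows the double-slash case: the naive check lets it through, while the normalising check still refuses it.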

Responsible Disclosure and Remediation

In February 2020, Thales worked with the X-Force Red team to research, build and deliver updates to its customers. The patch can be applied in one of two ways: by connecting directly to the device, or via over-the-air (OTA) updates. The patching procedure for this flaw depends entirely on the vendor's device and its features; for example, how the device reaches the Internet can make the job more complicated.

Another point to remember is that the more heavily a system (medical equipment, industrial control, etc.) is regulated, the more complicated it becomes to install the patch, since this entails re-certification, which is always a lengthy process.

We would like to commend Thales for addressing this flaw and for spending a great deal of time working with customers to ensure they understand the patch and take steps to protect their users.