Millions of Internet of Things (IoT) devices across sectors such as financial services, telecommunications, healthcare, and automotive are at risk due to vulnerabilities in a widely used cellular modem technology. These modems, known as Cinterion from Telit, are critical components in many IoT devices, enabling communication between devices and centralized servers. However, recent research has revealed multiple security flaws that could leave these devices vulnerable to cyberattacks.
The vulnerabilities in the Cinterion modems include remote code execution flaws, some of which require local access to an affected device before exploitation is possible. The most serious, CVE-2023-47610, is a heap overflow that allows remote attackers to execute arbitrary code via SMS on affected devices, potentially giving them full control over the device’s functions.
Seven Severe Vulnerabilities Identified
These vulnerabilities were discovered by researchers from Kaspersky and reported to Telit last November. Kaspersky identified a total of seven vulnerabilities in the modems. While Telit has patched some of these flaws, Kaspersky reports that several vulnerabilities remain unaddressed. According to Kaspersky’s research, the potential impact of these vulnerabilities is significant, given the widespread use of Cinterion modems in various industries.
The Cinterion modems are integrated into a range of IoT products, including industrial equipment, smart meters, telematics, vehicle tracking, and healthcare devices. However, since the modems are often integrated with other products from different vendors, compiling a comprehensive list of affected devices is a challenge. Kaspersky has stated that although an exact number of affected devices cannot be determined, millions of IoT devices across different industries are likely at risk.
A Kaspersky researcher emphasized the broad potential impact, saying,
“Considering the widespread use of these modems in sectors including automotive, healthcare, industrial automation, and telecommunications, the potential impact is extensive.”
The Severity of CVE-2023-47610
The most severe of the identified vulnerabilities, CVE-2023-47610, affects the Cinterion protocol for location-based services. This flaw could allow attackers to gain access to the modem’s operating system, manipulate RAM and flash memory, and gain complete control over the device. Such a breach could compromise the integrity and availability of connected devices, leading to disruptions in critical operations across multiple industries.
Kaspersky warned that the impact of this vulnerability could range from operational disruptions to severe threats to public safety and security. For instance, in the healthcare sector, attackers could gain unauthorized access to sensitive patient data, while in transportation and telecommunications, the vulnerabilities could disrupt essential services.
Recommended Mitigation Steps
To address the risks associated with CVE-2023-47610, Kaspersky has recommended that organizations disable all nonessential SMS capabilities on affected devices and implement private Access Point Names (APNs) with strict security settings. Disabling SMS is considered the most reliable method to mitigate the risks of this vulnerability, as SMS-based attacks are the primary vector for exploitation.
Telecom providers may also play a critical role in preventing attacks, as CVE-2023-47610 allows remote code execution through SMS. The Kaspersky researcher suggests that telecom vendors could implement network-level controls to prevent the delivery of malicious SMS messages to vulnerable devices, thereby reducing the likelihood of successful exploitation.
Other Vulnerabilities in Cinterion Modems
In addition to CVE-2023-47610, Kaspersky discovered six other vulnerabilities (ranging from CVE-2023-47611 to CVE-2023-47616) related to how Cinterion modems handle Java applets. These flaws allow attackers to bypass digital signature checks, execute unauthorized code, and escalate privileges on affected devices. These vulnerabilities also pose significant risks to data confidentiality, device integrity, and device security.
To mitigate these risks, Kaspersky recommends enforcing rigorous digital signature verification for Java applets that control physical access to devices, as well as conducting regular security audits and software updates to stay ahead of potential threats.
The Growing Threat to IoT Environments
The discovery of these vulnerabilities highlights the growing cybersecurity challenges facing IoT environments. With the increasing reliance on connected devices across critical sectors such as industrial control, healthcare, and telecommunications, the potential impact of IoT vulnerabilities is becoming more significant. In 2023, attacks targeting IoT and operational technology (OT) networks rose sharply, driven by an increase in IoT vulnerabilities.
Recent research by Nozomi Networks found that attacks on IoT and OT networks are on the rise, alongside a notable increase in vulnerabilities across IoT devices. One example is a set of 11 vulnerabilities identified by Otorio in industrial routers that impacted thousands of IoT products across various sectors. Additionally, research from SynSaber highlighted cases where vendors did not patch vulnerabilities in their IoT products, further exposing these systems to cyberattacks.
The vulnerabilities discovered in Cinterion modems present a significant security risk to millions of IoT devices across industries. The potential for exploitation is high, and the consequences could range from operational disruptions to severe threats to public safety. To mitigate these risks, organizations are encouraged to implement robust security measures, including disabling SMS capabilities, enforcing digital signature verification, and conducting regular security audits. Given the extensive use of these modems in critical sectors, it is essential for both device manufacturers and telecom vendors to collaborate and strengthen security measures to protect against these vulnerabilities.
Source: Dark Reading