
Cinterion Modem Vulnerabilities Pose Risks to IoT Devices


Millions of Internet of Things (IoT) devices are at risk due to critical vulnerabilities in widely used cellular modems manufactured by Telit Cinterion. These vulnerabilities, known as the Cinterion Modem Vulnerabilities, have raised concerns about the security of communication networks and IoT devices across sectors such as industrial, healthcare, automotive, financial, and telecommunication.

Telit Cinterion, a prominent IoT technology provider based in Irvine, California, specializes in offering edge-to-cloud IoT services including connectivity plans, IoT SIMs, embedded software, and PaaS IoT deployment managed services. However, the recent discovery of vulnerabilities in their Cinterion modems has brought attention to potential security risks that could lead to global disruptions.

The vulnerabilities were first presented by researchers from Kaspersky at the OffensiveCon international security conference in Berlin. These vulnerabilities include remote code execution (RCE) flaws and unauthorized privilege escalation within user applications (MIDlets) and OEM-bundled firmware integrated with the modems. The most severe vulnerability identified, CVE-2023-47610, allows attackers to execute arbitrary commands remotely through specially crafted SMS messages without any authentication or physical access, potentially compromising the integrity of the devices.

In addition to the RCE vulnerability, researchers also discovered several security flaws in user applications (MIDlets) and OEM-bundled firmware, labeled as CVE-2023-47611 through CVE-2023-47616. These vulnerabilities could allow attackers with physical access to the modems to compromise user MIDlets, execute unauthorized code, manipulate digital signatures, and elevate execution privileges to the manufacturer level.

Despite researchers reporting these vulnerabilities to Telit Cinterion last November, not all of the flaws have been fully addressed, leaving millions of IoT devices vulnerable to potential attacks. These modems are embedded in various IoT products including industrial equipment, smart meters, telematics systems, and medical devices, making it challenging to identify all affected products.

To mitigate these risks, organizations are advised to disable non-essential SMS messaging capabilities, implement private Access Point Names (APNs), control physical access to devices, and regularly update security measures to prevent unauthorized access.

The discovery of these vulnerabilities underscores the increasing concerns over IoT security, particularly in industrial control and operational technology environments. Recent threat data analysis highlighted a rise in attacks targeting IoT and OT networks, driven by vulnerabilities like those found in Cinterion modems and other devices.

In conclusion, urgent action is needed from both device manufacturers and telecom operators to address these vulnerabilities and safeguard critical infrastructure from potential cyber threats. The researchers behind the findings plan to publish a detailed white paper on modem security internals by May 2024 to further educate the industry on these risks.
