Millions of IoT devices across various sectors, including financial services, telecommunications, healthcare, and automotive, are currently facing a serious risk of compromise due to several vulnerabilities in the cellular modem technology they rely on to communicate with each other and with centralized servers.
The vulnerabilities in the Cinterion modems from Telit have raised major concerns in the cybersecurity community. These flaws include remote code execution vulnerabilities, some of which require the attacker to have local access to the affected device before they can be exploited. Among these vulnerabilities, the most critical one is a memory heap overflow vulnerability (CVE-2023-47610) that enables remote attackers to execute arbitrary code via SMS on vulnerable devices.
Recently, researchers from Kaspersky identified a total of seven severe vulnerabilities in these modems and reported them to Telit last November. While Telit has issued patches to address some of the flaws, not all vulnerabilities have been fully resolved, as per Kaspersky’s report on the discoveries.
Telit Cinterion modems are integrated into a wide range of IoT devices from various vendors, including industrial equipment, smart meters, telematics, vehicle tracking systems, healthcare devices, and more. Given the nested integration of these modems into IoT products from different manufacturers, compiling a comprehensive list of affected devices has proven to be a complex task.
The impact of these vulnerabilities could potentially be significant, affecting millions of devices across multiple industries. The wide use of these modems in critical sectors such as automotive, healthcare, industrial automation, and telecommunications underscores the extensive reach of the potential risks associated with these vulnerabilities.
One of the most severe vulnerabilities, CVE-2023-47610, poses a significant threat as it allows attackers to access the operating system of the modem and manipulate device RAM and flash memory, potentially gaining complete control over its functions. Such a compromise could lead to unauthorized data access, operational disruptions, and threats to public safety and security, highlighting the urgent need for remediation efforts.
To mitigate the risks associated with these vulnerabilities, Kaspersky has recommended organizations using vulnerable IoT devices to disable all nonessential SMS capabilities and implement private Access Point Names (APNs) with stringent security configurations for dedicated connectivity. Disabling SMS capabilities is considered the most effective way to address the risks linked to CVE-2023-47610.
In addition to CVE-2023-47610, the other six vulnerabilities discovered by Kaspersky in the Cinterion modems (designated as CVE-2023-47611 through CVE-2023-47616) are related to the handling of Java applets on the devices. These vulnerabilities could enable attackers to execute malicious actions like bypassing digital signature checks, running unauthorized code, and escalating privileges, posing a severe risk to data confidentiality and device integrity.
As the IoT bug problem continues to escalate, with a surge in attacks targeting IoT and OT networks, organizations and vendors need to prioritize security measures to safeguard connected devices and networks. By addressing vulnerabilities promptly, enforcing stringent security practices, and implementing regular security audits and updates, stakeholders can enhance the resilience of IoT environments against evolving cyber threats.