Millions of IoT Devices at Risk From Flaws in Integrated Cellular Modem

Millions of IoT devices in sectors such as financial services, telecommunications, healthcare, and automotive are at risk of compromise from several vulnerabilities in a cellular modem technology the devices use to communicate with each other and with centralized servers.

The vulnerabilities in Cinterion modems from Telit include remote code execution flaws, including some that require an attacker to have local access to an affected machine before they can be exploited. The most serious one is a memory heap overflow vulnerability (CVE-2023-47610) that gives remote attackers a way to execute arbitrary code via SMS on affected devices.

Seven Severe Vulnerabilities

Researchers from Kaspersky discovered the vulnerabilities and reported them — a total of seven — to Telit last November. Telit, for reasons best known to itself, has issued patches to address some of the flaws, but not all of them, according to Kaspersky, which released a report on its discoveries this week.

Telit did not immediately respond to a Dark Reading request for comment submitted via a media contact form on its main website.

Telit Cinterion modems are integrated into IoT devices from numerous vendors. Examples of IoT products that integrate Cinterion for cellular communication include industrial equipment, smart meters, telematics, vehicle tracking, healthcare, and medical devices. Since the modems are typically integrated into IoT devices in a nested fashion with products from other vendors, compiling a list of all affected products is challenging, Kaspersky said.

"Although we cannot provide a precise estimate of the number of IoT vendors or products impacted, potentially millions of devices across various industries could be affected," a researcher from Kaspersky says in comments emailed to Dark Reading. "Considering the widespread use of these modems in sectors including automotive, healthcare, industrial automation, and telecommunications, the potential impact is extensive."

CVE-2023-47610, the most severe of the seven vulnerabilities that Kaspersky uncovered, affects a Cinterion protocol for location-based services. Attackers can potentially exploit the flaw to access the modem's operating system and/or to manipulate device RAM and flash memory to gain complete control of its functions. This would allow an attacker to potentially compromise the integrity and availability of connected devices and networks, the Kaspersky researcher says.

"This scenario might lead to unauthorized access to sensitive data or disruption of essential operations, with far-reaching effects across multiple industries, including healthcare, telecommunications, and transportation," the researcher says. "Such impacts could vary from operational disruptions to severe threats to public safety and security."

Disabling SMS Best Option

Kaspersky has recommended that organizations using the vulnerable IoT devices disable all nonessential SMS capabilities and employ private Access Point Names (APNs), with strict security settings, for dedicated connectivity. According to the vendor, SMS disabling is the only reliable way to mitigate the risks associated with CVE-2023-47610.

Telecom vendors will likely need to play a role as well in making it harder for attackers to exploit the vulnerability, the Kaspersky researcher says: "Since CVE-2023-47610 allows remote code execution through SMS, telecom vendors are uniquely positioned to implement network-level controls that can prevent the delivery of malicious SMS messages to vulnerable devices."

The six other vulnerabilities in Cinterion modems that Kaspersky discovered (assigned as CVE-2023-47611 through CVE-2023-47616) have to do with how the devices handle Java applets running on them. The vulnerabilities give attackers a way to execute multiple malicious actions, including bypassing digital signature checks, executing unauthorized code, and performing privilege escalation. Kaspersky identified the vulnerabilities as posing a severe risk to data confidentiality and device and integrity.

"Kaspersky advises enforcing rigorous digital signature verification for [Java applets] controlling physical access to devices, and conducting regular security audits and updates," the researcher notes.

The Rising IoT Bug Problem

Though Kaspersky reported the vulnerabilities to Telit last November, the company delayed full release of the details to give the vendor adequate opportunity to inform customers about the risks so they could implement risk mitigation measures. "Our goal was to ensure that appropriate protective measures were in place before we publicly shared the detailed research on how these vulnerabilities could be exploited," the researcher says.

Attacks on IoT environments — especially in industrial control and operational technology settings — are a growing concern. An analysis of 2023 threat data by Nozomi Network found an increase in attacks targeting IoT and OT networks, buoyed by a sharp increase in IoT vulnerabilities. One example was a set of 11 vulnerabilities across three industrial routers that researchers at Otorio reported last year. The vulnerabilities were thought to impact thousands of industrial IoT products across a variety of sectors. In several instances, the vendors of affected products did not patch reported vulnerabilities, another study by SynSaber found.