Millions of IoT devices at risk from flaws in integrated cellular modem
Millions of IoT devices in sectors such as financial services, telecommunications, healthcare, and automotive are at risk of compromise from several vulnerabilities in a cellular modem technology the devices use to communicate with each other and with centralized servers.
The vulnerabilities in Cinterion modems from Telit include remote code execution flaws, some of which require an attacker to have local access to an affected machine before they can be exploited. The most serious one is a memory heap overflow vulnerability (CVE-2023-47610) that gives remote attackers a way to execute arbitrary code via SMS on affected devices.
Seven Severe Vulnerabilities
Researchers from Kaspersky discovered the vulnerabilities and reported them — a total of seven — to Telit last November. Telit, for reasons best known to itself, has issued patches to address some of the flaws, but not all of them, according to Kaspersky, which released a report on its discoveries this week.
Telit did not immediately respond to a Dark Reading request for comment submitted via a media contact form on its main website.
Telit Cinterion modems are integrated into IoT devices from numerous vendors. Examples of IoT products that integrate Cinterion for cellular communication include industrial equipment, smart meters, telematics, vehicle tracking, healthcare, and medical devices. Since the modems are typically integrated into IoT devices in a nested fashion with products from other vendors, compiling a list of all affected products is challenging, Kaspersky said.
“Although we cannot provide a precise estimate of the number of IoT vendors or products impacted, potentially millions of devices across various industries could be affected,” a researcher from Kaspersky says in comments emailed to Dark Reading. “Considering the widespread use of these modems in sectors including automotive, healthcare, industrial automation, and telecommunications, the potential impact is extensive.”
CVE-2023-47610, the most severe of the seven vulnerabilities that Kaspersky uncovered, affects a Cinterion protocol for location-based services. Attackers can potentially exploit the flaw to access the modem’s operating system and/or to manipulate device RAM and flash memory to gain complete control of its functions. This would allow an attacker to potentially compromise the integrity and availability of connected devices and networks, the Kaspersky researcher says.
To read the complete article, visit Dark Reading.