Millions of IoT devices in sectors including financial services, communications, healthcare and automotive are at risk of being compromised due to multiple vulnerabilities in the cellular modem technology that devices use to communicate with each other and with central servers.
The vulnerabilities in Telit’s Cinterion modems include remote code execution flaws, some of which require an attacker to have local access to the affected machine to exploit. The most severe is a memory heap overflow vulnerability (CVE-2023-47610) that could allow a remote attacker to execute arbitrary code on affected devices via SMS.
Seven Critical Vulnerabilities
Kaspersky researchers discovered the vulnerabilities in November last year and reported a total of seven to Telit. Kaspersky said that for reasons known only to Telit, the company released patches to fix some of the flaws but not all of them. Kaspersky released a report this week on the vulnerabilities it found.
Telit did not immediately respond to a request for comment from Dark Reading, submitted through a media contact form on its main website.
Telit Cinterion modems are integrated into IoT devices from many vendors. Examples of IoT products that integrate Cinterion for cellular communications include industrial equipment, smart meters, telematics, vehicle tracking, and healthcare and medical equipment. Kaspersky said it is difficult to compile a list of all affected products because modems are typically integrated into IoT devices in a nested way with products from other vendors.
“While we cannot provide an exact estimate of the number of IoT vendors and products affected, millions of devices across various industries are likely affected,” Kaspersky researchers said in emailed comments to Dark Reading. “Given the widespread use of these modems in sectors such as automotive, medical, industrial automation and communications, the potential impact would be widespread.”
The most severe of the seven vulnerabilities discovered by Kaspersky, CVE-2023-47610, affects the Cinterion protocol for location services. Attackers could exploit the flaw to gain access to the modem’s operating system or manipulate the device’s RAM or flash memory to gain full control over its functionality. This could allow attackers to compromise the integrity and availability of connected devices and networks, Kaspersky researchers said.
“This scenario could lead to unauthorized access to sensitive data and disruption of critical operations, with far-reaching implications across multiple industries, including healthcare, communications, and transportation,” the researchers wrote. “The impacts could range from operational disruptions to severe threats to public safety and security.”
Disabling SMS is the best option
Kaspersky recommends that organizations with vulnerable IoT devices disable all unnecessary SMS functionality and use private access point names (APNs) with strict security settings for dedicated connections. According to the vendor, disabling SMS is the only surefire way to mitigate the risks associated with CVE-2023-47610.
Kaspersky researchers say telecommunications vendors will also need to play a role in making it harder for attackers to exploit the vulnerability: “Because CVE-2023-47610 allows remote code execution via SMS, telecommunications vendors are uniquely positioned to implement network-level controls that can prevent delivery of malicious SMS messages to vulnerable devices.”
The other six vulnerabilities in Cinterion modems discovered by Kaspersky (assigned CVE-2023-47611 through CVE-2023-47616) relate to how Java applets running on the device are handled. These vulnerabilities could allow attackers to perform multiple malicious actions, including bypassing digital signature checks, executing unauthorized code and escalating privileges. Kaspersky identified these vulnerabilities as posing a significant risk to data confidentiality and device integrity.
“Kaspersky Lab recommends implementing strict digital signature verification [for Java applets]. Physical access to devices should be controlled and regular security audits and updates should be conducted,” the researchers note.
The growing problem of IoT bugs
Kaspersky Lab reported the vulnerabilities to Telit in November of last year but delayed fully disclosing details, giving the vendor ample opportunity to inform customers of the risks and enable them to implement mitigation measures. “Our goal was to ensure that appropriate protections were in place before publishing detailed findings about how these vulnerabilities could be exploited,” the researchers said.
Attacks on IoT environments, especially those for industrial control and operational technology, are of growing concern. Nozomi Networks’ analysis of 2023 threat data found an increase in attacks targeting IoT and OT networks, fueled by a surge in IoT vulnerabilities. One example is the 11 vulnerabilities across three industrial routers reported by researchers at Otorio last year. These vulnerabilities were believed to affect thousands of industrial IoT products across a range of sectors. A separate investigation by SynSaber found several cases in which vendors of affected products did not fix the reported vulnerabilities.