A team of IBM hackers has discovered a vulnerability in a component used in millions of Internet of Things (IoT) devices.
The flaw in Thales' (formerly Gemalto) Cinterion EHS8 M2M module was uncovered by IBM's X-Force Red team.
After further testing, Thales confirmed that the newly detected vulnerability also affected nine other modules in the same product line as the EHS8, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62.
The modules found to carry the weakness are mini circuit boards that enable mobile communication in IoT devices. These modules run and store Java code that frequently includes sensitive data like encryption keys and passwords.
If a malicious actor managed to steal such information from the modules, they could potentially take control of a device or gain access to the central control network to conduct widespread attacks.
Thales is one of the leading manufacturers of components that enable smart devices to connect to the internet, verify identities, and securely store information. The company's vast portfolio connects over 3 billion devices per year ranging from cars to medical monitoring devices.
Explaining how such an attack could work on a medical device, a spokesperson for X-Force Red said: "Cybercriminals could manipulate readings from monitoring devices to cover up concerning vital signs or create false panic. In a device that delivers treatment based on its inputs, such as a pacemaker or insulin pump, they could also over or underdose patients."
If attackers used the flaw to target energy and utilities devices such as smart energy meters, the consequences could potentially be just as dire.
The spokesperson said: "Attackers could hack smart meters to deliver falsified readings that increase or reduce a monthly bill. With access to a large group of these devices through a control network, a malicious actor could also shut down meters for an entire city causing wide-reaching blackouts that require individual, in-person repair visits, or even worse, damage to the grid itself."
The vulnerability was discovered by X-Force Red in September 2019 and discussed by the team at their virtual Red Con 2020 event earlier today.
In February 2020, Thales released a patch to customers for the vulnerability, which is tracked as CVE-2020-15858.