IBM finds vulnerability in IoT chips present in billions of devices

Manufactured by Thales, the EHS8 module family has security flaws that could allow attackers to take total control over internet-connected industrial machines.


A security flaw in a series of IoT connectivity chips could leave billions of industrial, commercial, and medical devices open to attackers. The flaw was discovered by IBM's X-Force Red hacking team and affects Cinterion EHS8 M2M modules built by French manufacturer Thales. EHS8 modules are built for industrial IoT machines that operate in factories, the energy sector, and medical roles, and are designed to create secure communication channels over 3G and 4G networks. 

Luckily, Thales has been working with IBM since the vulnerability was discovered in September 2019, and has released a security patch for the affected devices, which also include Thales' BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62 modules.

The threat posed by this flaw is a serious one for EHS8 users: An attacker targeting an EHS8 module can exploit it remotely to gain total control over the machine hosting it.


EHS8 modules host a lot of sensitive information: Passwords, encryption keys, and certificates are all commonly entrusted to EHS8 modules to enable communication. An attacker that manages to break in using IBM's method could "potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases."

As IBM notes, the role that machines with EHS8 modules fill makes this a critical security flaw. Medical devices that an attacker penetrates could be manipulated to cover up concerning vital signs, create false panic situations, overdose patients, or cut off essential life-saving functions.

In the energy and utilities sector, a compromised EHS8 module could be used to manipulate smart meter readings, shut down meters to cut off power, or damage the power grid itself.

To make matters worse, Thales reports that its devices connect more than three billion devices a year. In short, this is a big deal for companies and governments that operate industrial IoT hardware. 

The vulnerability stems from the embedded Java environment, which allows the installation of Java midlets for customization of the module. At its most basic level, the EHS8 module operates like an old-fashioned Hayes modem, meaning it can be manipulated using the same types of basic commands a Hayes modem could. 


"In practice, this means that the Java application could be bypassed and the control handed back to the low level, allowing an attacker to control the module directly," IBM said. 

Once an attacker has access they can launch standard commands that allow the module to dial a number, show manufacturer information, or install Java midlets. It's this latter element that makes this flaw so serious. 

Installing a midlet copies the code to the module's secure storage area, which is designed to be write-only. IBM's X-Force Red found that wasn't the case, though: Researchers were able to use the same steps to gain full read, write, and delete access.

"Since Java is easily reversed back to human readable code, this could expose the full logic of any application as well as any embedded 'secrets' such as passwords, crypto keys etc. and makes IP theft a very simple operation," IBM said. 

IBM's advice for organizations that have machines using any of these chips: Apply the patch Thales released, rethink what you store on IoT devices, use behavioral analysis to determine if any unusual activity is occurring, and hire hackers to conduct penetration tests on your network.
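The "behavioral analysis" item above is the one an operations team can act on immediately, so here is a small illustration of what it means in practice. This is an added example, not code from IBM, X-Force Red, or Thales: it assumes a gateway or SIEM already records, per module, a coarse action label for what the host asked the module to do (the event schema and all sample records below are constructed for the example). It learns which actions each module performs during a known-good window, then flags two things the article singles out as suspicious: an action a module has never performed before (such as a midlet install), and any read or delete against the application storage that the module is supposed to treat as write-only.

```python
from collections import defaultdict

# Constructed sample events (not real module logs). Each record says which
# module acted and a coarse label for the operation requested from it.
BASELINE_EVENTS = [
    {"module": "m1", "action": "dial"},
    {"module": "m1", "action": "send_data"},
    {"module": "m1", "action": "send_data"},
    {"module": "m1", "action": "query_manufacturer_info"},
    {"module": "m1", "action": "dial"},
    {"module": "m1", "action": "send_data"},
    {"module": "m2", "action": "send_data"},
    {"module": "m2", "action": "send_data"},
    {"module": "m2", "action": "send_data"},
]

OBSERVED_EVENTS = [
    {"module": "m1", "action": "send_data"},
    {"module": "m1", "action": "dial"},
    {"module": "m1", "action": "install_midlet"},   # never seen for m1
    {"module": "m2", "action": "send_data"},
    {"module": "m2", "action": "storage_read"},     # storage should be write-only
    {"module": "m2", "action": "storage_delete"},   # storage should be write-only
    {"module": "m2", "action": "dial"},             # never seen for m2
]

# Operations on the application storage area that should never succeed
# if the storage really is write-only (hypothetical action labels).
STORAGE_VIOLATIONS = {"storage_read", "storage_delete"}


def build_baseline(events):
    """Return {module: set(actions)} learned from a known-good window."""
    baseline = defaultdict(set)
    for event in events:
        baseline[event["module"]].add(event["action"])
    return dict(baseline)


def detect_anomalies(events, baseline):
    """Return a list of (module, action, reason) alerts, in event order.

    Rule 1: any read/delete against application storage is always an alert,
            even if it somehow appeared in the baseline.
    Rule 2: an action this module never performed in the baseline window
            is an alert (a new midlet install is the obvious case).
    """
    alerts = []
    for event in events:
        module, action = event["module"], event["action"]
        if action in STORAGE_VIOLATIONS:
            alerts.append((module, action,
                           "read/delete against write-only application storage"))
        elif action not in baseline.get(module, set()):
            alerts.append((module, action,
                           "action never seen for this module in baseline"))
    return alerts


def run_example():
    """Learn from the baseline window, then score the observed window."""
    baseline = build_baseline(BASELINE_EVENTS)
    return detect_anomalies(OBSERVED_EVENTS, baseline)


if __name__ == "__main__":
    for module, action, reason in run_example():
        print(f"ALERT module={module} action={action}: {reason}")
```

A per-module baseline matters more than a global one here: a midlet install is routine for a module that is being provisioned and alarming for a meter that has only ever sent readings. In a real deployment the baseline would be rebuilt periodically and the storage-violation rule would stay unconditional, since the article's point is that such access should not be possible at all.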
