Millions of IoT Devices Vulnerable Due to Flaws in Telit Cinterion Modems

May 10, 2024

A series of vulnerabilities in Telit Cinterion modems, commonly used in IoT devices across industries such as finance, telecoms, healthcare, and automotive, have been discovered, putting millions of devices at risk. These flaws could allow for remote code execution, with some requiring local access to the device to be exploited. The most critical vulnerability identified is a memory heap overflow issue (CVE-2023-47610) that enables remote attackers to execute arbitrary code via SMS on the affected devices.

These vulnerabilities were discovered by researchers from cybersecurity firm Kaspersky, who reported a total of seven vulnerabilities to Telit in November. Telit has released patches for some, but not all, of these vulnerabilities. Telit Cinterion modems are integrated into a wide range of IoT devices from various vendors, making it difficult to compile a comprehensive list of all affected products.

'Potentially millions of devices across various industries could be affected,' a Kaspersky researcher commented. The potential impact is significant given the wide use of these modems in sectors including automotive, healthcare, industrial automation, and telecommunications. The most severe vulnerability (CVE-2023-47610) affects a Cinterion protocol for location-based services, and if exploited, could give attackers complete control of the device's functions, compromising the integrity and availability of connected devices and networks.

'This scenario might lead to unauthorized access to sensitive data or disruption of essential operations, with far-reaching effects across multiple industries, including healthcare, telecommunications, and transportation,' the researcher added. To mitigate the risks associated with CVE-2023-47610, Kaspersky recommends disabling all nonessential SMS capabilities and employing private Access Point Names (APNs) with strict security settings for dedicated connectivity.

The remaining six vulnerabilities (CVE-2023-47611 through CVE-2023-47616) relate to how the devices handle Java applets running on them, allowing attackers to bypass digital signature checks, execute unauthorized code, and perform privilege escalation. These vulnerabilities pose a severe risk to data confidentiality and device integrity. Kaspersky advises enforcing rigorous digital signature verification, controlling physical access to devices, and conducting regular security audits and updates.

The rise in attacks on IoT environments, particularly in industrial control and operational technology settings, is a growing concern. A recent analysis of 2023 threat data by Nozomi Network found an increase in attacks targeting IoT and OT networks, bolstered by a sharp rise in IoT vulnerabilities.

Latest News

• QakBot Malware Attacks Exploiting Windows Zero-Day Vulnerability Addressed by Microsoft
• Microsoft's May 2024 Patch Tuesday Addresses 61 Vulnerabilities Including 3 Zero-Days
• Google Scrambles to Patch Chrome Zero-Day Vulnerabilities Allowing Sandbox Escape
• Apple Patches Safari WebKit Zero-Day Exploit Uncovered at Pwn2Own
• VMware Patches Trio of Zero-Day Vulnerabilities Exposed at Pwn2Own 2024