A vulnerability in Thales’ Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday, as reported by The Register. The bug (CVE-2020-15858) was discovered by IBM’s X-Force Red and disclosed to Thales, which addressed it in a patch made available to IoT vendors in February. The vulnerability makes it possible for an attacker to extract the code and other resources from a vulnerable device. With this information, bad actors could then reverse-engineer the code to find further vulnerabilities to exploit and secret keys and passwords to extract, possibly leading to miscreants hijacking the hardware and/or gaining access to its network.
Patching has never been so vital, but when it comes to the Internet of Things, people tend to favour convenience over protection.
IoT devices are notorious for weak security and for users not applying updates. Once a threat actor has access via an insecure device, however, they can penetrate other, more important devices behind the firewall and deploy further devious attacks.
If your IoT device offers automatic updates and two-factor authentication, it is vital that both are enabled.