Kaspersky ICS CERT researchers have detected critical vulnerabilities in Cinterion cellular modems. The discovery showcases flaws that allow a remote unauthorized attacker to execute arbitrary code, constituting a major threat to millions of industrial devices. Kaspersky experts presented details on these vulnerabilities at OffensiveCon in Berlin, on May 11.
Kaspersky ICS CERT identified severe security vulnerabilities in Cinterion cellular modems, widely deployed in millions of devices and vital to global connectivity infrastructure. These vulnerabilities include critical flaws that permit remote code execution and unauthorized privilege escalation, posing substantial risks to integral communication networks and IoT devices foundational to industrial, healthcare, automotive, financial and telecommunications sectors.
Among the vulnerabilities detected, the most alarming is CVE-2023-47610, a heap overflow in the modem’s SUPL message handlers. This flaw enables remote attackers to execute arbitrary code via SMS, giving them access to the modem’s operating system. That access in turn allows manipulation of RAM and flash memory, raising the potential to seize complete control over the modem’s functions, all without authentication or physical access to the device.
Further investigation exposed significant security lapses in the handling of MIDlets, the Java-based applications that run on the modems. Attackers could compromise the integrity of these applications by circumventing digital signature checks, enabling unauthorized code execution with elevated privileges. This flaw poses significant risks not only to data confidentiality and integrity but also to broader network security and device integrity.
To counter the threat posed by the CVE-2023-47610 vulnerability, Kaspersky recommends the only reliable solution: disabling nonessential SMS messaging capabilities and employing private APNs with strict security settings. Regarding the other zero-day vulnerabilities registered under CVE-2023-47611 through CVE-2023-47616, Kaspersky advises enforcing rigorous digital signature verification for MIDlets, controlling physical access to devices, and conducting regular security audits and updates.
In response to these discoveries, all findings were proactively shared with the manufacturer prior to public disclosure. Cinterion modems, originally developed by Gemalto, are cornerstone components in machine-to-machine (M2M) and IoT communications, supporting a wide array of applications from industrial automation and vehicle telematics to smart metering and healthcare monitoring. Gemalto, the initial developer, was subsequently acquired by Thales. In 2023, Telit acquired Thales’ cellular IoT products business, including the Cinterion modems.
To protect systems connected with IoT devices, Kaspersky experts recommend:
- Provide the security team responsible for protecting critical systems with up-to-date threat intelligence. The Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements and how to mitigate them.
- Use a reliable endpoint security solution. A dedicated component in Kaspersky Next can detect anomalies in files’ behavior and reveal fileless malware activity.
- Make sure you protect industrial endpoints as well as corporate ones. The Kaspersky Industrial CyberSecurity solution includes dedicated protection for endpoints and network monitoring to reveal any suspicious and potentially malicious activity in the industrial network.
- To reveal deviations in the manufacturing process caused by an accident, human error or a cyberattack, and to prevent disruption, Kaspersky Machine Learning for Anomaly Detection can help.
- Consider Cyber Immune solutions to build innate protection against cyberattacks.
- Install a security solution that protects the devices from different attack vectors, such as Kaspersky Embedded Systems Security. If the device has extremely low system specs, the Kaspersky solution would still protect it with a Default Deny scenario.