Critical vulnerabilities in Cinterion cellular modems expose millions of industrial devices to remote code execution attacks. Patching is limited, highlighting the need for stricter security measures and threat intelligence.
Kaspersky ICS CERT researchers have detected critical vulnerabilities in Cinterion cellular modems. The discovery showcases flaws that allow a remote unauthorized attacker to execute arbitrary code, constituting a major threat to millions of industrial devices. Kaspersky experts presented details on these vulnerabilities at OffensiveCon in Berlin on May 11.
Kaspersky ICS CERT identified severe security vulnerabilities in Cinterion cellular modems, which are widely deployed in millions of devices and vital to global connectivity infrastructure. These vulnerabilities include critical flaws that permit remote code execution and unauthorized privilege escalation, posing substantial risks to integral communication networks and IoT devices foundational to industrial, healthcare, automotive, financial and telecommunications sectors.
Among the vulnerabilities detected, the most alarming is CVE-2023-47610, a heap overflow vulnerability within the modem’s SUPL message handlers. This flaw enables remote attackers to execute arbitrary code via SMS, granting them unprecedented access to the modem’s operating system. This access also facilitates the manipulation of RAM and flash memory, increasing the potential to seize complete control over the modem’s functionalities—all without authentication or requiring physical access to the device.
Further investigations exposed significant security lapses in handling MIDlets, Java-based applications running on the modems. Attackers could compromise the integrity of these applications by circumventing digital signature checks, enabling unauthorized code execution with elevated privileges. This flaw poses significant risks to data confidentiality and integrity and escalates the threat to broader network security and device integrity.
“The vulnerabilities we found, coupled with the widespread deployment of these devices in various sectors, highlight the potential for extensive global disruption. These disturbances range from economic and operational impacts to safety issues. Since the modems are typically integrated into a matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging. Affected vendors must undertake extensive efforts to manage risks, with mitigation often feasible only on the telecom operators’ side. We hope our in-depth analysis will help stakeholders implement urgent security measures and establish a valuable reference point for future cybersecurity research,” says Evgeny Goncharov, head of Kaspersky ICS CERT.
To counter the threat posed by the CVE-2023-47610 vulnerability, Kaspersky recommends the only reliable solution: disabling nonessential SMS messaging capabilities and employing private APNs with strict security settings. Regarding the other zero-day vulnerabilities registered under CVE-2023-47611 through CVE-2023-47616, Kaspersky advises enforcing rigorous digital signature verification for MIDlets, controlling physical access to devices, and conducting regular security audits and updates.
In response to these discoveries, all findings were proactively shared with the manufacturer before public disclosure. Cinterion modems, originally developed by Gemalto, are cornerstone components in machine-to-machine (M2M) and IoT communications, supporting various applications from industrial automation and vehicle telematics to smart metering and healthcare monitoring. Gemalto, the initial developer, was subsequently acquired by Thales. In 2023, Telit acquired Thales’ cellular IoT products business, including the Cinterion modems.
Also Read: Beyond Compliance: Why Data Protection Needs Strong Cybersecurity
To protect systems connected with IoT devices, Kaspersky experts recommend:
- Provide the security team responsible for protecting critical systems with up-to-date threat intelligence. Threat Intelligence Reporting service provides insights into current threats and attack vectors, the most vulnerable elements, and how to mitigate them.
- Use a reliable endpoint security solution. A dedicated component in Kaspersky Next can detect file behavior anomalies and reveal fileless malware activity.
- Protect industrial and corporate endpoints. The Kaspersky Industrial CyberSecurity solution includes dedicated protection for endpoints and network monitoring to reveal any suspicious and potentially malicious activity in the industrial network.
- Kaspersky Machine Learning for Anomaly Detection can help reveal deviations in the manufacturing process caused by an accident, human factor, or cyberattack and prevent disruption.
- Consider Cyber Immune solutions to build innate protection against cyberattacks.
- Install a security solution that protects the devices from attack vectors, such as Kaspersky Embedded Systems Security. If the device has extremely low system specs, the Kaspersky solution would still protect it with a Default Deny scenario.
