Critical vulnerabilities in Cinterion cellular modems pose significant threat to industrial devices

Researchers from Kaspersky ICS CERT discovered critical vulnerabilities in Cinterion cellular modems, presenting a significant threat to industrial devices. These flaws allow remote unauthorized attackers to execute arbitrary code. The modems are crucial for global connectivity infrastructure and are widely deployed in millions of devices across various sectors. The vulnerabilities include issues like remote code execution and unauthorized privilege escalation, posing risks to communication networks and IoT devices in industrial, healthcare, automotive, financial, and telecommunications sectors.

Among the vulnerabilities detected, the most alarming is CVE-2023-47610, a heap overflow vulnerability within the modem’s SUPL message handlers, Kaspersky researchers detailed in a Friday blog post. “This flaw enables remote attackers to execute arbitrary code via SMS, granting them unprecedented access to the modem’s operating system. This access also facilitates the manipulation of RAM and flash memory, increasing the potential to seize complete control over the modem’s functionalities—all without authentication or requiring physical access to the device,” they added.

Further investigations exposed significant security lapses in the handling of MIDlets, Java-based applications running on the modems. Attackers could compromise the integrity of these applications by circumventing digital signature checks, enabling unauthorized code execution with elevated privileges. This flaw poses significant risks not only to data confidentiality and integrity, but it also escalates the threat to broader network security and device integrity.

“The vulnerabilities we found, coupled with the widespread deployment of these devices in various sectors, highlight the potential for extensive global disruption,” Evgeny Goncharov, head of Kaspersky ICS CERT, detailed. “These disturbances range from economic and operational impacts to safety issues. Since the modems are typically integrated in a matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging.” 

Goncharov added that affected vendors must undertake extensive efforts to manage risks, with mitigation often feasible only on the telecom operators’ side. “We hope that our in-depth analysis will help stakeholders implement urgent security measures and establish a valuable reference point for future cybersecurity research.”

To counter the threat posed by the CVE-2023-47610 vulnerability, Kaspersky recommends disabling nonessential SMS messaging capabilities and employing private APNs with strict security settings. 

Regarding the other zero-day vulnerabilities registered under CVE-2023-47611 through CVE-2023-47616, Kaspersky advises enforcing rigorous digital signature verification for MIDlets, controlling physical access to devices, and conducting regular security audits and updates.

In response to these discoveries, all findings were proactively shared with the manufacturer prior to public disclosure. Cinterion modems, originally developed by Gemalto, are cornerstone components in machine-to-machine (M2M) and IoT communications, supporting various applications from industrial automation and vehicle telematics to smart metering and healthcare monitoring. 

Gemalto, the initial developer, was subsequently acquired by Thales. In 2023, Telit acquired Thales’ cellular IoT products business, including the Cinterion modems.

To safeguard systems connected to IoT devices, Kaspersky experts advise equipping the security team overseeing critical systems with current threat intelligence, implementing a trusted endpoint security solution, and securing both industrial and corporate endpoints. Monitoring manufacturing processes for anomalies, whether caused by accidents, human error, or cyberattacks, lets organizations catch problems before they become disruptions. Installing a comprehensive security solution protects devices against a range of attack vectors and strengthens the overall cybersecurity posture.

Recently, Kaspersky released data from its ICS CERT team detailing cybercriminal and hacktivist attacks on industrial organizations. Additionally, a separate report focuses on APT attacks in this sector. Some links to corporate website pages containing incident information are broken, but the team chose to retain them based on the victim’s company statements. The overview focuses on incidents confirmed by affected organizations or government officials, excluding reports solely from cybercriminal groups.
