Serious Flaw Affects Millions of IoT Devices

Walden Systems Geeks Corner News Serious Flaw Affects Millions of IoT Devices Rutherford NJ New Jersey NYC New York City North Bergen County
Rita gives you full control of what sites your employees visit. Rita can block sites that eat up your precious bandwidth such as media streaming sites. Rita enables you full control of what sites your employees can and cannot visit. Rita gives you the ability to block undesirable sites by wildcard or by name. Rita gives you the ability to determine which computers will be blocked and which will be allowed. With Rita, you can block access to sensitive servers within your LAN.

Researchers are urging IoT manufacturers to apply patches addressing a flaw in a module used by millions of IoT devices. If exploited, the flaw could allow hackers to knock out power to a city. The vulnerability exists in a widely used Cinterion module, a small electronic device embedded in IoT devices that connects to wireless networks and sends and receives data. The module is manufactured by Thales.

Researchers first discovered the flaw in Cinterion's EHS8 module but further testing revealed that five other models in the same product line were also affected. The flaw could be exploited to steal information, take control of devices and gain access to control networks. The modules run Java code which often confidential information like passwords, encryption keys and certificates. By using information stolen from the modules, hackers can control a device. The vulnerability was first discovered in September 2019, and Thales issued a fix in early 2020 but while patches are available, it will take a while for many manufacturers to apply them to their devices.


The flaw exists in the way that AT commands are processed by the module. It is related to a string of Java code that counts the number of characters in the path substring. This code checks if the fourth character of a path substring is a dot. Normally, any attempt to access hidden files with a dot prefix will be denied but, by replacing the slash with double slash, the condition to fail. A hacker could use the dot-prefixed filename to bypass the security test condition.

If exploited, hackers could potentially access the data stored by the modules. This may include credentials, passwords, encryption keys and others. Due to the huge number of connected devices that are powered by the module, researchers warn that the potential impact of the flaw could be devastating if not patched. It could be used to compromise smart meters to deliver fake readings that change the monthly bill. With large groups of these devices and a control network, a hacker could also shut down meters for an entire city, causing blackouts.

Vulnerabilities and security issues continue to affect connected devices. The number of internet connected devices will grow to 55 billion by 2025. More than half of all IoT devices are vulnerable to attacks, meaning that we are sitting on a IoT time bomb.