Modems used in many industrial IoT sectors could be easily hacked

(Image credit: Shutterstock) (Image credit: Shutterstock)

Modems used in many industrial Internet of Things (IoT) devices can easily be hacked, allowing threat actors root access, remotely and without authentication. The result could be highly disruptive, as many industries rely on IoT devices and other internet-connected sensors for proper operations of entire facilities.

A report from cybersecurity researchers Kaspersky claims to have discovered the flaws in February 2023, and is only reporting on them now, since the vendor has now released the fix.

The result could be highly disruptive, as many industries rely on IoT devices and other internet-connected sensors for proper operations of entire facilities.

Fixes released

As per the report, Kaspersky’s pros found a total of eight issues, in multiple cellular modems built by Telit Cinterion. The most important issue is tracked as CVE-2023-47610, and carries a severity score of either 8.8 (per Kaspersky) or 9.8 (per NIST). This issue allows threat actors, with previous knowledge of the subscriber number of the target modem in the cellular operator's network, to trigger arbitrary code execution via SMS.

"This access also facilitates the manipulation of RAM and flash memory, increasing the potential to seize complete control over the modem's functionalities—all without authentication or requiring physical access to the device," Kaspersky’s researchers explained.

Here is the full list of affected models:

Cinterion BGS5
Cinterion EHS5/6/7
Cinterion PDS5/6/8
Cinterion ELS61/81
Cinterion PLS62

Telit released fixes for some of the vulnerabilities, but the biggest problem is the fact that other manufacturers used the modems in their devices, as well. Hence, the actual number of vulnerable devices is difficult to determine.

"The vulnerabilities we found, coupled with the widespread deployment of these devices in various sectors, highlight the potential for extensive global disruption," Evgeny Goncharov, head of Kaspersky ICS CERT, said in the report.

Via BleepingComputer

More from TechRadar Pro

Many top 5G phones could have major security issues - what you need to know
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.