Sloppy string sanitization sabotages system security of millions of Java-powered 3G IoT kit


A vulnerability in Thales’ Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday by IBM’s X-Force Red.

The bug (CVE-2020-15858), disclosed to Thales and addressed in a patch made available to IoT vendors in February, makes it possible for an attacker to, for instance, extract the code and other resources from a vulnerable device. This information could be reverse-engineered to find vulnerabilities to exploit, and secret keys and passwords to extract, potentially leading to miscreants hijacking the hardware and/or gaining access to its network.

Read more…