09-09-2020 | By Robin Mitchell
A Java vulnerability, called CVE-2020-15858, was discovered back in 2019, with a fix available since February. Now, X-Force Red, IBM's A-team in security, is urging manufacturers to update EHS8 modules that are vulnerable to the exploit.
With the number of IoT devices rapidly increasing, and their growing integration into everyday life, security in IoT devices has never been more important. Devices that used to send benign information with the processing capability of a potato are now able to stream video and run AI algorithms while still having enough processing room left to run applications in the background, thanks to dual- and quad-core SoCs. As a result, compromised modern IoT devices can be used in a wide range of malicious applications including DDoS attacks, crypto mining, surveillance, sidechain attacks on networks, and theft of personal information.
IoT devices have suffered many attacks in the past, and a classic example of how easily designers and users can overlook the deadly nature of IoT devices was when a casino network was hacked and data on players stolen. The network itself was incredibly strong, and a direct attack would never have gained entry, but a small IoT aquarium thermometer connected to the network was totally exposed. Since a chain is only as strong as its weakest link, the thermometer allowed attackers to use its network connection to reach the casino’s servers, and from there obtain personal information on high rollers.
Such attacks underline the importance of security, and when flaws are found, it is essential that both manufacturers and owners apply updates to their products to protect against such attacks. Of course, other security practices, such as avoiding common or default passwords and not storing sensitive data in unprotected areas of memory, also greatly strengthen a system.
The EHS8 module integrates a Java ME 3.2 client runtime for global IoT applications requiring cellular connectivity. It also integrates GPS, jamming detection, advanced temperature management, an embedded TCP/IP stack, and USB controllers, allowing for the creation of a wide range of designs, including those found in industrial, commercial, and residential environments.
The use of 2G and 3G connectivity allows for downlink connection speeds of up to 7.2 Mbps and uplink speeds of up to 5.7 Mbps. While these may seem low by modern standards, IoT devices are typically designed to send hundreds of bytes at a time, and such speeds ensure that data packets are sent and received quickly with minimal latency. The module’s small size of 25.4 mm x 27.6 mm makes it an ideal candidate for IoT devices, and the use of a Java runtime allows for fast development of applications, easy maintenance, and high code reusability.
Back in September 2019, IBM's elite team of hackers, X-Force Red, discovered a vulnerability in the EHS8 M2M module, which is currently in use in many millions of devices. The vulnerability, known as CVE-2020-15858, affects the EHS8 module's ability to safely store sensitive information: the team was able to view code and data from areas of memory that unauthorised users are not permitted to read. The problem with the vulnerability is that it allows attackers to compromise devices, obtain intellectual property by reverse engineering core code, and obtain passwords and encryption keys. The problems presented by the vulnerability are made worse by the fact that Java code is very easily reverse engineered into human-readable code.
The root cause of the vulnerability relates to how the module can be driven with AT commands (like the ESP32 and ESP8266 modules). These commands do not use Java and are essentially “low-level”; since they can be sent over UART, a Java application that can access the UART is able to bypass any runtime below it. If an application is able to access the AT command interface, it can use a whole range of commands, including ATI (get manufacturer details) or ATD (dial a number). In the case of the vulnerability, the AT^SFA command provides reading, writing, deleting, and renaming of files and subdirectories, allowing an application to access restricted areas.
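As an added example (not code from the article, IBM X-Force Red, or the module vendor), here is a small Python parser and audit for AT command lines: it splits one UART command line into its individual commands and flags the file-system command the article names (AT^SFA) as well as anything outside a hypothetical per-application allowlist, the kind of check a serial-log review or a host-side UART proxy could apply. The allowlist, the ATCommand type, and the sample log are constructed for this example.

```python
import re
from dataclasses import dataclass

# Commands the article names: ATI (manufacturer info), ATD (dial), AT^SFA (files).
FILE_ACCESS_COMMANDS = {"^SFA"}      # read/write/delete/rename files: always flag
ALLOWED_COMMANDS = {"I", "E"}        # hypothetical allowlist for one application

_TOKEN = re.compile(r"""\s*(?:
    (?P<ext>[+^$%\#*@][A-Z0-9]+)(?P<extargs>=\?|\?|=[^;]*)?  # AT^SFA=..., AT+X?
  | D(?P<dial>[^;]*)                                        # ATD<dial string>
  | (?P<basic>[A-CE-Z])(?P<num>\d*)                         # ATI, ATE0, ...
  )\s*;?""", re.VERBOSE | re.IGNORECASE)

@dataclass(frozen=True)
class ATCommand:
    name: str   # upper-cased: "I", "D", "^SFA", ...
    args: str   # text after '=' (or the dial string), "" if none

def parse_at_line(line: str) -> list[ATCommand]:
    """Split one UART command line into the AT commands it carries. Several
    commands may share one 'AT' prefix; a response such as 'OK' yields []."""
    text = line.strip()
    if text[:2].upper() != "AT":
        return []
    pos, cmds = 2, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unparseable AT syntax: {text[pos:]!r}")
        if m.group("ext"):
            cmds.append(ATCommand(m.group("ext").upper(), (m.group("extargs") or "").lstrip("=")))
        elif m.group("dial") is not None:
            cmds.append(ATCommand("D", m.group("dial")))
        else:
            cmds.append(ATCommand(m.group("basic").upper(), m.group("num")))
        pos = m.end()
    return cmds

def audit_uart_log(lines) -> list[tuple[str, str, str]]:
    """Return (line, command, reason) for each file-system or non-allowlisted command."""
    findings = []
    for line in lines:
        for cmd in parse_at_line(line):
            if cmd.name in FILE_ACCESS_COMMANDS:
                findings.append((line, cmd.name, "file-system access"))
            elif cmd.name not in ALLOWED_COMMANDS:
                findings.append((line, cmd.name, "not on allowlist"))
    return findings

# Constructed UART log (not captured from a real device); commands and one response.
SAMPLE_UART_LOG = ["ATI", "OK", 'ATE0;^SFA=1,"/app/keys.bin"', "ATD+15551234567;", "AT^SFA=?"]
```

Running `audit_uart_log(SAMPLE_UART_LOG)` reports both AT^SFA lines as file-system access and the ATD line as outside the allowlist, while the allowlisted ATI and ATE0 commands and the OK response pass.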
Because the EHS8 (along with other products in the same line that are also affected) is used in a wide range of applications, including medical and energy, attackers could alter readings from such devices, either hiding problematic events or creating false alarms. The same devices, if used in smart meters, could either reduce a user’s bill or, worse, absurdly increase it.