Quote:A patch has been issued for the flaw in a widely-used module, and researchers are urging IoT manufacturers to update their devices ASAP.
 
Researchers are urging connected-device manufacturers to ensure they have applied patches addressing a flaw in a module used by millions of Internet-of-Things (IoT) devices. If exploited, researchers speculated that the flaw could allow attackers to knock out a city’s electricity or even overdose a medical patient.
 
The vulnerability exists in a widely used Cinterion module, a small electronic device embedded in IoT devices that connects to wireless networks and sends and receives data. The module is manufactured by Thales, a French company that designs and builds electrical systems for aerospace markets.
 
Researchers discovered the flaw in Cinterion’s EHS8 module – however, further testing revealed that five other models in the same product line were also affected (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62). The flaw could be exploited to steal confidential information, take control of devices, gain access to control networks and more.
 
“[The modules] store and run Java code, often containing confidential information like passwords, encryption keys and certificates,” said Adam Laurie, with IBM X-Force Threat Intelligence, in a Wednesday post. “Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases.”