Vulnerability In Java-powered 3G System Could Impact Millions Of IoT Devices

A vulnerability in Thales’ Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday, as reported by The Register. The bug (CVE-2020-15858), was discovered by IBM’s X-Force Red and disclosed to Thales, who addressed it in a patch made available to IoT vendors in February. This vulnerability makes it possible for a potential attacker to extract the code and other resources from a vulnerable device. When bad actors have this information, they could then reverse-engineer it to find further vulnerabilities to exploit, and secret keys and passwords to extract, possibly leading to miscreants hijacking the hardware and/or gaining access to its network.