X-Force Red, International Business Machine Corp.’s team of hackers today revealed the details of a serious vulnerability in a series of “internet of things” connectivity chips that leaves millions of devices open to attackers.

The vulnerability was initially found in Cinterion EHS8 M2M modules manufactured by Thales SA. They’re used to create secure communication channels for industrial IoT machines that are operated in factories, the energy sector and medical roles.

Discovered by X-Force Red in September, Thales subsequently confirmed that the vulnerability also affects other modules within the same product line of the EHS8: BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81 and PLS62.

The vulnerability involves a method to bypass security checks that keep files or operational code hidden from unauthorized users. If exploited, the vulnerability could allow attackers to compromise devices and access the networks or virtual private networks supporting those devices by pivoting onto the provider’s backend network. Once access is gained, an attacker could then steal intellectual property, credentials, passwords and encryption keys.

Attackers could also potentially access the application code of a given device to completely change the manipulate how the device operates. Potential risks include manipulating readings from medical monitoring devices concerning vital signs or to create a false panic. Attackers could also change treatments delivered to patients as well. In the utilities sector, an attacker could compromise smart meter readings or could even shut down meters for a whole city, causing widespread blackouts.

A patch for the vulnerability has been available to customers since February with X-Force Red working with Thales to ensure users are aware of the patch and taking steps to deploy it. That said, given the scale of the number of devices using the connectivity chips, the deep concern is that many devices in use remain unpatched and vulnerable to attack.

“This vulnerability highlights the risk of using legacy IoT communications devices that weren’t designed to be secure from the ground up,” Phil Neray, vice president of IoT & Industrial Cybersecurity at the Microsoft Corp.-owned IoT security firm CyberX, told SiliconANGLE. “Modern security architectures incorporate properties such as compartmentalization, which are hardware-enforced boundaries that prevent a flaw in one software component from giving adversaries access to other parts of the system — such as where certificates are stored. When we’re talking about industrial and critical infrastructure environments, such as oil and gas pipelines, this type of vulnerability could lead to serious safety and environmental incidents as well as costly downtime.”

Image: Thales/Gemalto