Bug in Thales modules endangers security of millions of connected devices

[German]A vulnerability in Thales modules threatens the security of millions of critical, interconnected devices in the automotive, energy, telecommunications and medical sectors. It allows hackers to hijack the device or access the internal network. In some cases, the vulnerability can be exploited remotely over 3G.  But there are patches from the manufacturer.


The Thales Group provides SIMs and IoT modules to interconnect IoT devices – with 3 billion devices being interconnected every year (according to this website).

Vulnerability in Thales modules   

Security researchers from IBM's hacker team, X-Force Red, found the vulnerability CVE-2020-15858 in the Gemalto Cinterion EHS8 M2M module (Gemalto was acquired by the French Thales group in 2019) in September 2019 and described it here. The Cinterion EHS8 M2M module has been used in millions of Internet-connected devices over the last ten years. Further research has now confirmed that the Thalos modules BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62 also contain the vulnerability. These modules are mini printed circuit boards that enable mobile communication in IoT devices.

Common to all modules is that Java code is stored and executed there. The Java code often contains confidential information such as passwords, encryption keys and certificates. With the information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to carry out wide-ranging attacks. In some cases, the attack can even occur remotely over 3G connections.

The vulnerability

The EHS8 module and the other modules in the series are designed to enable secure communication between connected devices over 3G/4G networks. This module al can be thought of as the equivalent of a trusted digital safe deposit box, where companies can securely store a range of secrets such as passwords, credentials and operating codes.

X-Force Red discovered a way to bypass the security checks that protect files or operation codes from unauthorized users. This vulnerability could allow attackers to compromise millions of devices and access the networks or VPNs that support these devices. In turn, intellectual property (IP), credentials, passwords, and encryption keys could be easily accessible to an attacker. In other words, confidential information stored by the module may no longer be confidential. Attackers could even appropriate the application code to completely change the logic and manipulate devices.


By exploiting this vulnerability, attackers may be able to instruct smart meters to turn off the electricity in a city or even overdose on medical devices. The details can be read here.

Thales has released an update

Once this vulnerability was discovered, it was immediately reported to Thales. Thales developed a patch which was tested together with the X-Force Red team in February 2020.

The patch can be managed in two ways – either by plugging in a USB connector to run a software update or by managing an over-the-air (OTA) update. The update process for this vulnerability depends entirely on the manufacturer of the device and its capabilities – for example, access to the Internet could make it difficult to work with the device. The more regulated a device is (medical devices, industrial controls, etc.), the more difficult it is to apply the patch, as this may require an often time-consuming recertification process. (via)

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *