• A recently discovered IoT vulnerability in a range of Thales products found in millions of connected devices, including medical devices, can be exploited remotely.

IBM X-Force Red security researchers have detected a flaw in components manufactured by Thales that are installed in millions of connected devices. The IoT vulnerability in these products can be exploited remotely by permitting the threat actor to take control of the device or access the enterprise network.


Thales, the French multinational involved in designing and building electrical systems for multiple sectors, including healthcare, manufactures over 3 billion components used by 30,000 companies across the globe.

In February, Thales released a patch for CVE-2020-15858, and since then, IBM X-Force has been consistently spreading awareness throughout the year.

Discovered in September 2019, the flaw is present in the Thales’ Cinterion EHS8 M2M module, previously owned by Gemalto. It is important to note that this module has been installed in millions of connected devices over a decade.

Additionally, the bug was also responsible for affecting other modules in products manufactured by Thales, including EHS5/6/8, BGS5, PDS5/6/8, ELS61, ELS81, and PLS62, which further intensifies the impact of the vulnerability.

Module details

Researchers explained that these modules are mini circuit boards responsible for mobile communication in IoT-powered devices.

Moreover, these products store and run Java code often containing a series of confidential information such as passwords, certificates, and encryption keys.

Further, the researchers stated that these modules are equivalent to a trustworthy digital lockbox, where businesses can securely store a variety of sensitive information or data such as passwords, operation code, and credentials. They also mentioned that this vulnerability weakens this function by permitting cybercriminals to swindle organizational secrets.

The IBM X-Force research team could evade security checks on the device to gain access. If a cybercriminal trespassed the Java application giving back control to the low level, it would allow them direct access of the module resulting in offering the threat actor the control to issue several commands including configurations or to show manufacturer information.

After gaining access, threat actors can misuse the data from these modules to gain control over a device, or they can gain access to the central control network to initiate widespread cyber-attacks. Alternatively, these attacks can be carried out remotely, even via 3G, in some instances.

Intensity of the flaw

Once hackers have control, the vulnerability can be further exploited by allowing threat actors to instruct a medical device to overdose a patient or destroy an electrical grid, until these devices are using an unpatched module that is exposed to the hacker.

However, a successful attack would thrive across various other connected devices. It will also permit hackers to navigate through the victim’s backend to access other networks.

When a hacker gets control over medical devices, they could easily play with the readings from medical monitoring devices and camouflage vital signs or create a hoax panic. In devices that help offer treatment based on input such as insulin pumps, hackers can easily over or underdose patients.

On detection of the flaw, researchers immediately informed Thales for further action. The manufacturer then teamed up with X-force to test, create, and distribute the security patch.

The patch can be administered in two ways –

1. By plugging it in a USB to carry out the update with software

2. By administering the update over the air (OTA)

Researchers explained, “The patching process for this vulnerability is completely dependent on the manufacturer of the device and its capabilities – for example, whether the device has access to the internet could make it complicated to work with.”

The Thales vulnerability is recorded as the second-largest disclosed this year. Nineteen critical flaws called Ripple20 also impacted millions of connected devices, leaving healthcare as the most affected sector. A few of these flaws could also be manipulated remotely.