Sloppy string sanitization sabotages system security of millions of Java-powered 3G IoT kit: Patch me if you can
(Security News, August 2020)
A vulnerability in Thales' Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday by IBM's X-Force Red.
The bug, disclosed to Thales and addressed in a patch made available to IoT vendors in February, makes it possible for an attacker to extract the code and other resources from a vulnerable device.
The flaw is present not only in the EHS8 module, but also in related IoT modules including BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62.
The chip runs programs called Java MIDlets that are installed by vendors and by Thales itself.
According to X-Force Red, Thales' Java code checks whether the fourth character of a path substring is a dot, the intent being to block access to sensitive hidden files (those whose names begin with a dot). A check that looks at a single character position only catches a hidden file sitting directly under the expected prefix; it says nothing about dot-named entries deeper in the path.
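To make the weakness of a single-position check concrete, the following is an added example written for this page; it is not Thales' code and not the X-Force Red proof of concept. The `a:/` prefix, the file names, and the exact shape of the weak check are assumptions used only for illustration. It places a position-based check beside a per-component check that walks the whole path, and it generalises the point to traversal (`..`) and empty components as well.

```python
"""Added example (not Thales' or X-Force Red's code): a hidden-file check that
inspects one character position, beside a check that inspects every path
component. The "a:/" prefix and all file names are constructed for illustration."""

from typing import List, Tuple

# Assumed root prefix; the real module's path conventions are not on the page.
PREFIX = "a:/"

# Constructed sample paths (hypothetical names, not real files on the device).
SAMPLE_PATHS: List[str] = [
    "a:/app.jar",          # ordinary file
    "a:/.secret",          # dot-named file directly under the prefix
    "a:/sub/.secret",      # dot-named file one directory down
    "a:/sub/../.secret",   # dot-named file reached through traversal
    "a://.secret",         # empty component before the dot-named file
]


def weak_is_hidden(path: str) -> bool:
    """Position-based check, modelled on the pattern the article describes:
    reject only if the character right after the prefix (index 3) is a dot."""
    return len(path) > len(PREFIX) and path[len(PREFIX)] == "."


def strict_is_hidden(path: str) -> bool:
    """Per-component check: reject anything outside the expected root, any
    ".." component (traversal), and any component whose name starts with a
    dot other than the "." current-directory marker itself."""
    if not path.startswith(PREFIX):
        return True
    for comp in path[len(PREFIX):].split("/"):
        if comp == "..":
            return True
        if comp.startswith(".") and comp != ".":
            return True
    return False


def compare(paths: List[str]) -> List[Tuple[str, bool, bool]]:
    """Return (path, weak verdict, strict verdict) for each sample path."""
    return [(p, weak_is_hidden(p), strict_is_hidden(p)) for p in paths]


def bypass_paths(paths: List[str]) -> List[str]:
    """Paths the strict check rejects but the position-based check lets through."""
    return [p for p in paths if strict_is_hidden(p) and not weak_is_hidden(p)]


if __name__ == "__main__":
    for path, weak, strict in compare(SAMPLE_PATHS):
        print(f"{path:22} weak_rejects={weak!s:5} strict_rejects={strict}")
    print("slip past the weak check:", bypass_paths(SAMPLE_PATHS))
```

The difference between the two functions is the whole lesson: a sanitizer has to reason about the path as a sequence of components after the prefix, not about one character offset, or any structure the caller controls (an extra directory, a traversal step, a doubled separator) moves the interesting name out of the position being inspected.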