In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise. We identified a number of security-related problems in user applications – MIDlets, and the OEM–developed firmware of these modems.

We have found that it is possible to compromise confidentiality and integrity of user MIDlets while having physical access to the modem. The study revealed that it is possible to extract, substitute and bypass the digital signature of both user and manufacturer MIDlets and also elevate the execution privileges of any user MIDlet to the manufacturer level.

During the study of the modem firmware, a heap overflow vulnerability was discovered in the AT command and SUPL message handlers. The latter one allowed us to remotely execute arbitrary code on the modem by sending several SMS messages. This vulnerability also made it possible to unlock access to the OEM’s special AT commands to read and write to RAM and flash memory of the modem.

In order to demonstrate the possibility of remotely compromising the modem we developed our own SMS-based File System, which we installed into the modem through the vulnerability discovered in the SUPL message handler. Using it we could remotely activate the Over The Air Provisioning to install an arbitrary MIDlet onto the modem, that was protected from removal using standard mechanisms provided by the manufacturer but required a full reflash of the modem firmware to wipe it.

Our research revealed several significant security flaws in Telit’s modems. This was the first time such a broad study of modems from this vendor had been carried out and constitutes a starting point for other researchers.