{"id":10511,"date":"2022-07-07T07:26:06","date_gmt":"2022-07-07T07:26:06","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?post_type=session&#038;p=10511"},"modified":"2024-09-03T02:17:58","modified_gmt":"2024-09-03T02:17:58","slug":"one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/","title":{"rendered":"One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices"},"content":{"rendered":"<div class=\"simple_format\">\n<p><strong><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/materials\/D2T1%20-%20%20One%20SMS%20to%20Root%20Them%20All%20-%20Exposing%20Critical%20Threats%20in%20Millions%20of%20Connected%20Devices%20%20-%20%20Sergey%20Anufrienko%20&amp;%20%20Alexander%20Kozlov.pdf\">PRESENTATION SLIDES<\/a><\/strong><\/p>\n<p style=\"text-align: justify;\"><strong>In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise.<\/strong> We identified a number of security-related problems in user applications \u2013 MIDlets, and the OEM\u2013developed firmware of these modems.<\/p>\n<p style=\"text-align: justify;\">We have found that it is possible to compromise confidentiality and integrity of user MIDlets while having physical access to the modem. The study revealed that it is possible to extract, substitute and bypass the digital signature of both user and manufacturer MIDlets and also elevate the execution privileges of any user MIDlet to the manufacturer level.<\/p>\n<p style=\"text-align: justify;\">During the study of the modem firmware, a heap overflow vulnerability was discovered in the AT command and SUPL message handlers. The latter one allowed us to remotely execute arbitrary code on the modem by sending several SMS messages. This vulnerability also made it possible to unlock access to the OEM\u2019s special AT commands to read and write to RAM and flash memory of the modem.<\/p>\n<p style=\"text-align: justify;\">In order to demonstrate the possibility of remotely compromising the modem we developed our own SMS-based File System, which we installed into the modem through the vulnerability discovered in the SUPL message handler. Using it we could remotely activate the Over The Air Provisioning to install an arbitrary MIDlet onto the modem, that was protected from removal using standard mechanisms provided by the manufacturer but required a full reflash of the modem firmware to wipe it.<\/p>\n<p style=\"text-align: justify;\">Our research revealed several significant security flaws in Telit\u2019s modems. This was the first time such a broad study of modems from this vendor had been carried out and constitutes a starting point for other researchers.<\/p>\n<\/div>\n","protected":false},"template":"","class_list":["post-10511","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices - HITBSecConf2024 - Bangkok<\/title>\n<meta name=\"description\" content=\"In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices\" \/>\n<meta property=\"og:description\" content=\"In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2024 - Bangkok\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-03T02:17:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-content\/uploads\/sites\/22\/2024\/06\/alexander.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/\",\"name\":\"One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices - HITBSecConf2024 - Bangkok\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website\"},\"datePublished\":\"2022-07-07T07:26:06+00:00\",\"dateModified\":\"2024-09-03T02:17:58+00:00\",\"description\":\"In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise.\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/\",\"name\":\"HITBSecConf2024 - Bangkok\",\"description\":\"August 26 - 30 @ InterContinental\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices - HITBSecConf2024 - Bangkok","description":"In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/","og_locale":"en_US","og_type":"article","og_title":"One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices","og_description":"In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise.","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/","og_site_name":"HITBSecConf2024 - Bangkok","article_modified_time":"2024-09-03T02:17:58+00:00","og_image":[{"width":300,"height":300,"url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-content\/uploads\/sites\/22\/2024\/06\/alexander.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/","name":"One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices - HITBSecConf2024 - Bangkok","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website"},"datePublished":"2022-07-07T07:26:06+00:00","dateModified":"2024-09-03T02:17:58+00:00","description":"In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise.","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/one-sms-to-root-them-all-exposing-critical-threats-in-millions-of-connected-devices\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/"},{"@type":"ListItem","position":3,"name":"One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/","name":"HITBSecConf2024 - Bangkok","description":"August 26 - 30 @ InterContinental","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/session\/10511"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/media?parent=10511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}