A problem found in certain communication modules leaves many wireless medical devices vulnerable to cyberattacks if left unpatched, reports Bank Info Security.

A patching effort has been underway for six months to upgrade Thales wireless communication modules that are embedded in millions of IoT devices, including smart meters and insulin pumps. Left unpatched, a vulnerability in the modules could allow attackers to control devices, IBM warns.

On Wednesday, IBM’s X-Force Red team revealed the vulnerability, CVE-2020-15858, which it found last September in Thales’ Cinterion EHS8 M2M modules. The flaw is also in related products, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81 and PLS62 modules. The modules are used in devices in a variety of industries, including healthcare, automotive, energy and telecommunications.

The possibilities for attack are sweeping: Smart meters could be wrecked or an insulin pump could be manipulated to overdose a patient, according to the researchers. Because Java code can be easily reversed, it would also be possible to clone a device or modify its functionality, they write.

The patch can be installed either over the air or via USB, IBM says. But it might not be completely straightforward.

Read the full story on Bank Info Security