- Hackers are using a PoC exploit on well-known vulnerabilities to take over smart building access control systems.
- From there, the malicious actors are using the hijacked terminals to launch DDoS attacks or to infiltrate deeper.
- The vendor of the vulnerable systems has shown no interest in fixing the flaws, although it has known about them for almost a year.
Hackers are hijacking smart door/building access control systems made by Nortek Security & Control (NSC) and using them as platforms to launch DDoS attacks. The most heavily targeted product is the “Linear eMerge E3”, which is still plagued by vulnerabilities that were disclosed back in May 2019. The set of vulnerabilities was quite rich, and their discovery was the work of researchers from Applied Risk. The flaw types include cross-site scripting, command injection, weak default hard-coded credentials, privilege escalation, authorization bypass, request forgery, directory traversal, stack-based buffer overflow, and root access over SSH.
Six out of the ten vulnerabilities that were discovered back then were classified as “highly critical”, but NSC still chose to ignore the security advisory. Six months later, in November 2019, Applied Risk released a proof of concept (PoC), so hackers had everything they needed to hijack these systems. According to recent reports, the most prominent exploitation method is the one that involves command injection (CVE-2019-7256). Using this flaw, hackers can execute commands remotely via specially crafted HTTP requests. This eventually leads to the download of malware, which turns the target machine into a DDoS bot.
CVE-2019-7256 is actively being exploited by DDoS botnet operators.
— Bad Packets Report (@bad_packets) January 10, 2020
Security experts at SonicWall, who have also been following these attacks, state that the hackers are seeking vulnerable targets anywhere in the world and not just in the United States, where NSC enjoys its biggest market success. In fact, they have counted 2375 vulnerable eMerge systems in over 100 countries around the globe. Of course, this number isn’t a staggering one, but the implications of having your building access system hacked go beyond being involuntarily enrolled in a DDoS botnet. The eMerge hacks could very easily serve as entry points for deeper infiltration into the corporate network, with all the consequences that come with it.
Smart building systems are convenient, but they constitute a new attack surface as well. For as long as Nortek Security and Control insists on ignoring the problems and chooses not to issue a patch for the eMerge, the firms that deploy these systems should take them offline immediately. If that’s impossible, admins are advised to set up a strict firewall or a VPN to limit hackers' access to the vulnerable terminals. Since NSC hasn’t made an official statement about this, it is unknown when, or even if, they are planning to fix the 10 flaws that are still plaguing eMerge.