Date: 2020-02-02

Hackers are actively scanning the internet for smart door / building access control systems and hijacking them to launch DDoS attacks, according to firewall company SonicWall.

The attacks are aimed at Linear eMerge E3, a product of Nortek Security & Control (NSC).

Linear eMerge E3 devices fall into the “access control systems” hardware category. They are installed in head offices, factories or industrial parks. Their primary purpose is to control which doors and rooms employees and visitors can access, based on their login details (access codes) or smart cards.

In May 2019, researchers from Applied Risk, a cyber security company specializing in industrial security services, disclosed details about ten vulnerabilities that impact NSC Linear eMerge E3 devices.

Despite the fact that six out of ten vulnerabilities had a vulnerability score (CVSSv3) of 9.8 or 10 out of a maximum of 10, NSC did not provide patches, according to a security advisory from Applied Risk.

Applied Risk released proof-of-concept exploit code later, in November.

CVE-2019-7256 exploitation

Now, in a report published last week, SonicWall researchers say hackers are scanning the internet for exposed NSC Linear eMerge E3 devices and exploiting one of the ten vulnerabilities.

The vulnerability they use is CVE-2019-7256. Applied Risk described this vulnerability as a command injection flaw. It is one of two with a severity score of 10/10, which means that it can be exploited remotely, even by low-skilled attackers without advanced technical knowledge.

“This problem is caused by insufficient cleansing of user-supplied input for a PHP function that allows arbitrary command execution with root rights,” said SonicWall in a security warning published last week. “An external unauthenticated attacker can use this to execute arbitrary commands within the context of the application, via a manufactured HTTP request.”

Hackers use CVE-2019-7256 to take over devices, download and install malware, and then launch DDoS attacks on other targets.

“Attackers seem to be actively targeting these devices because we see tens of thousands of hits every day, targeting more than 100 countries with the most (attacks being observed) in the US,” said SonicWall.

However, the attack surface is not too large. SonicWall reports that only “2,375 internet-accessible eMerge devices are listed by the Shodan search engine.”

This number is much lower than the millions of security cameras and home routers that are also exposed online. However, the small number of vulnerable devices has not deterred attackers so far, and exploitation attempts are likely to continue.

IoT devices used as access points

But while having your smart building door system launch DDoS attacks on Steam or the PlayStation Network is one problem, a bigger problem is that these vulnerable systems can also be used as access points to an organization’s internal networks.

In August last year, Microsoft reported that it saw a Russian state-sponsored hacking team using Internet of Things (IoT) smart devices as launch points for other attacks on corporate networks.

The Russian hackers tried to exploit a VOIP telephone, an office printer and a video decoder, Microsoft said, but the NSC Linear eMerge E3 devices are just as attractive targets, mainly due to the high severity of the ten security bugs announced last year.

System administrators who manage networks where NSC Linear eMerge E3 devices are installed are advised to remove these systems from the internet, or at least limit access to these devices with a firewall or VPN.
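One way to check whether that access restriction is holding, added here as an example (it is not code from SonicWall, Applied Risk or NSC): a triage script for the access log of a web server or reverse proxy in front of an access controller. It flags requests from outside the management networks and parameter values carrying shell metacharacters, the general pattern of a command injection attempt; it is not a signature for CVE-2019-7256 itself. The allowed subnets, the log format, and the paths and parameter names in the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: management/VPN subnets allowed to reach the controller's web UI.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]

# Characters a shell treats as command separators or substitution; a triage flag.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Common Log Format prefix: client IP, identity, user, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def review(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    src, _method, target = m.groups()
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:  # client field is a hostname or otherwise not an IP
        return ["unparsed"]
    findings = []
    if not any(ip in net for net in ALLOWED_NETS):
        findings.append("source-outside-management-net")
    # parse_qsl percent-decodes values, so encoded metacharacters are caught too.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.append(f"shell-metachar-in:{name}")
    return findings

# Constructed sample lines; paths and parameter names are placeholders.
SAMPLE_LOG = [
    '10.20.0.15 - - [02/Feb/2020:10:00:01 +0000] "GET /index.php?page=doors HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Feb/2020:10:00:05 +0000] "GET /index.php?page=doors HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Feb/2020:10:00:09 +0000] "GET /example.php?param=1%3Bid HTTP/1.1" 200 0',
    '10.20.0.15 - - [02/Feb/2020:10:00:12 +0000] "GET /example.php?param=a%26b HTTP/1.1" 200 0',
]

def scan(lines):
    """Map line number -> findings for every line that needs attention."""
    return {i: f for i, line in enumerate(lines, 1) if (f := review(line))}

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(findings))
```

Any hit on `source-outside-management-net` means the firewall or VPN restriction is not in effect for that device, regardless of what the request contained.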