Hackers Exploit Building Access Control Systems for DDoS Attacks

Security experts at SonicWall have issued a warning about a wave of attacks targeting smart building access control systems, which cybercriminals are then using to launch DDoS attacks. According to researchers, the attacks are focused on Linear eMerge E3 devices manufactured by Nortek Security & Control. These are so-called “hardware access control systems” commonly installed in offices, factories, and other facilities. Their main function is to control which doors and rooms employees and visitors can access, based on their credentials (access codes) and smart cards.

Back in May of last year, experts from Applied Risk disclosed details about ten vulnerabilities affecting Linear eMerge E3 devices. Although six of the ten issues received a severity score of 9.8 out of 10 on the CVSS3 scale, the vendor never released patches for them. After a further disclosure period with no fix, in November 2019, Applied Risk specialists published proof-of-concept exploits publicly.

Now, SonicWall researchers warn that hackers are actively searching for vulnerable Linear eMerge E3 devices and exploiting one of the previously discovered vulnerabilities: CVE-2019-7256. This issue is described as a command injection bug and was one of two vulnerabilities to receive a perfect 10 out of 10 on the CVSS3 scale. This means the bug can be exploited remotely, even by low-skilled attackers without deep technical knowledge.

SonicWall explains that a remote, unauthenticated attacker can use this vulnerability to execute arbitrary commands within the application context via a specially crafted HTTP request. Currently, hackers are using this bug to take control of devices, download and install malware, and subsequently launch DDoS attacks. According to SonicWall, there are approximately 2,375 vulnerable devices accessible online, based on Shodan statistics.

The first attacks were recorded on January 9, 2020, and were detected by Bad Packets. These attacks have continued since then.

Additional Risks and Recommendations

Researchers also warn that, in addition to DDoS attacks, vulnerable devices could be used as entry points into organizations’ internal networks. System administrators are strongly advised to disconnect vulnerable devices from the internet or restrict access to them using firewalls and VPNs.
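The two points above, an unauthenticated command injection reached through a crafted HTTP request and the advice to keep the device reachable only from a firewalled or VPN-restricted network, can both be checked from the defender's side with a small log triage script. The following is an added example and is not code from SonicWall, Applied Risk, Nortek or the article; it assumes the controller (or a reverse proxy in front of it) writes Common Log Format access lines, that legitimate management traffic comes only from an assumed VPN subnet (10.8.0.0/24), and it uses placeholder endpoint names rather than the real CVE-2019-7256 request path, which the article does not give. The log lines are constructed for the example.

```python
"""Triage of HTTP access logs from a building access controller (added example).

Flags two things an analyst would want to see after reading the advisory:
  1. request parameters whose decoded value carries shell metacharacters,
     the signature of a command-injection attempt against a web endpoint;
  2. requests from any source outside the management/VPN network, which
     should not exist if the device is firewalled as recommended.
Endpoint paths and the management subnet are assumptions for this example.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (Common Log Format), not captured from a real device.
SAMPLE_LOG = """\
10.8.0.5 - admin [09/Jan/2020:10:15:02 +0000] "GET /door_status.php?door=3 HTTP/1.1" 200 512
203.0.113.77 - - [09/Jan/2020:10:15:09 +0000] "GET /PLACEHOLDER_endpoint.php?id=1%3Bid HTTP/1.1" 200 0
198.51.100.23 - - [09/Jan/2020:10:16:41 +0000] "GET /door_status.php?door=%60id%60 HTTP/1.1" 200 88
10.8.0.5 - admin [09/Jan/2020:10:17:00 +0000] "POST /login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Shell separators and substitution forms that never belong in a door number or card id.
INJECTION_RE = re.compile(r'[;&|`]|\$\(|\$\{|\n')

# Assumed management/VPN network: the only source allowed to reach the controller.
MANAGEMENT_NETS = [ipaddress.ip_network("10.8.0.0/24")]


def parse_line(line):
    """Split one CLF line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    target = urlsplit(rec["target"])
    rec["path"] = target.path
    # parse_qsl percent-decodes values, so "%3B" becomes ";" before inspection
    rec["params"] = parse_qsl(target.query, keep_blank_values=True)
    return rec


def injection_suspect(params):
    """Return the names of parameters whose decoded value contains shell metacharacters."""
    return [name for name, value in params if INJECTION_RE.search(value)]


def from_management_net(ip):
    """True if the source address lies inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def triage(log_text):
    """Return (source_ip, path, reasons) for every line that deserves analyst attention."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        hits = injection_suspect(rec["params"])
        if hits:
            reasons.append("shell metacharacters in " + ",".join(hits))
        if not from_management_net(rec["ip"]):
            reasons.append("source outside management network")
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in triage(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

Run against the constructed sample, the script reports the two external requests and stays quiet about the administrator's traffic from the VPN range. Either finding on its own is enough to act on: a metacharacter in a door or card parameter means someone is probing the web interface, and any request from outside the management network means the firewall or VPN restriction the researchers recommend is not actually in place.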
