Security researchers have disclosed that attackers are actively exploiting internet-exposed smart building access control systems and using the compromised devices to launch DDoS attacks.
According to researchers at the firewall vendor SonicWall, attackers are targeting Linear eMerge E3 door and building access controllers, a product of Nortek Security & Control (NSC), that are reachable from the internet, and hijacking them.
Researchers from Applied Risk, another cybersecurity firm, had earlier uncovered ten vulnerabilities affecting NSC's Linear eMerge E3 devices.
According to the firm's security advisory, six of the ten vulnerabilities carry a severity score of 9.8 or 10 on a 10-point scale. Applied Risk also released proof-of-concept exploit code in November 2019. At the time of the advisory, NSC had not yet provided security patches.
The vulnerability in question — CVE-2019-7256
SonicWall's report says that attackers first scan the internet for exposed NSC Linear eMerge E3 devices and then exploit one of the ten vulnerabilities, CVE-2019-7256, to take control of them.
In its alert, SonicWall wrote: "This issue is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges. A remote unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request."
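The bug class SonicWall describes, user input reaching a shell-executing PHP function without sanitization, is easy to recognize once seen side by side with its fix. The following is an added example written for this page; it is not code from the eMerge E3 firmware, from SonicWall or from Applied Risk, and it says nothing about the actual CVE-2019-7256 endpoint. The handler, the "door" parameter and the "doorctl" helper are assumed for illustration, with /bin/echo standing in for a real privileged helper so the script runs anywhere.

```php
<?php
// Added, hypothetical example of the command-injection pattern described above,
// beside a hardened version. Not the eMerge E3 code; endpoint, parameter name and
// helper binary are assumptions. "echo" stands in for a real privileged helper.

declare(strict_types=1);

// Stand-in for a privileged helper the web application shells out to.
const DOOR_HELPER = '/bin/echo doorctl --status';

// VULNERABLE: the request parameter is concatenated straight into the command line.
// The shell parses ";", "|", "&&", "$(...)" and friends, so an input such as
// "1; id" terminates the intended command and runs the attacker's. On appliances
// where the web server runs as root, the injected command runs as root too.
function doorStatusVulnerable(string $door): string
{
    return (string) shell_exec(DOOR_HELPER . ' ' . $door . ' 2>&1');
}

// HARDENED: two independent controls.
//  1. Allowlist validation: a door id is one to three digits, nothing else.
//  2. escapeshellarg(): the value becomes a single quoted argument, so the shell
//     treats it as literal data even if the validation is loosened later.
function doorStatusHardened(string $door): string
{
    if (!preg_match('/\A[0-9]{1,3}\z/', $door)) {
        // In a real handler this would be an HTTP 400 response.
        return "rejected: door id must be 1-3 digits\n";
    }
    return (string) shell_exec(DOOR_HELPER . ' ' . escapeshellarg($door) . ' 2>&1');
}

// CLI demo: php cmdinjection.php            (uses the constructed payload below)
//           php cmdinjection.php 12         (a legitimate door id)
$payload = $argv[1] ?? '1; id';   // constructed attacker input, not a captured request
echo "vulnerable => ", doorStatusVulnerable($payload);
echo "hardened   => ", doorStatusHardened($payload);
```

With the default payload, the vulnerable function prints the helper's output followed by the result of `id`, showing that the second command ran; the hardened function rejects the input before any shell is involved. Prefer the allowlist over escaping alone: escapeshellarg() protects the shell boundary, but it does not stop a legitimate-looking value from being passed to a helper that interprets it in its own way, and it behaves differently on Windows hosts.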