Hackers are exploiting a vulnerability to hijack building access control systems
More than 2,300 smart access systems are vulnerable to the bug
Hackers are attempting to exploit a command injection bug in Linear eMerge E3 devices in an effort to hijack smart building access control systems.
That's according to researchers from firewall company SonicWall, who claim that more than 2,300 access systems are vulnerable to the bug.
Linear eMerge E3 devices are 'access control systems' used in corporate buildings, industrial parks or factories to control ingress/egress of visitors and employees to doors and rooms. The system runs on embedded Linux OS, and operators can manage it from a browser through an embedded web server.
In May, researchers from cyber security firm Applied Risk announced that they had discovered ten serious security flaws in Linear eMerge E3 devices manufactured by Nortek Security & Control (NSC).
The vulnerabilities were found and validated in Linear eMerge E3-Series 1.00-06, with researchers adding that some older versions were also affected.
Although all those vulnerabilities were reported to NSC, the company has not released a patch to fix the issues at the time of writing - despite the fact that six of the ten flaws were assigned a CVSS v3 score of 9.8 or 10 out of 10.
According to SonicWall researchers, hackers are now trying to target devices by using only one vulnerability.
Even hackers without advanced technical skills can exploit the command injection bug, which is indexed as CVE-2019-7256 and received a severity score of 10 out of 10, remotely. The issue arises due to inadequate sanitising of user-supplied inputs to a PHP function, enabling unauthenticated individuals to run arbitrary commands within the context of the application, through a specially crafted HTTP request.
After a successful attack, hackers can download and install malware on the device and launch distributed denial-of-service (DDoS) attacks on other targets.
Cyber intelligence company Bad Packets, which spotted the first of these attacks on 9th January, says the number of attacks is on the rise.
"Attackers seem to be actively targeting these devices as we see tens of thousands of hits every day, targeting over 100 countries with the most observed in U.S.," the researchers warned.
The attack surface, however, is not very wide, and only "2,375 Internet-accessible eMerge devices are listed by the Shodan search engine," researchers said.