Hackers have begun searching the internet for smart building access control systems and hijacking them, recruiting these IoT devices into botnets for launching DDoS attacks, according to firewall solutions firm SonicWall.
These distributed denial-of-service attacks (‘DDoS attacks’) — which are one of the most formidable types of internet attacks — take place when hackers disrupt a website or computer system by overwhelming and crashing it with too much traffic. The intent behind such attacks is usually to render the website or computer completely unusable.
According to SonicWall, the attacks specifically target a product called Linear eMerge E3, an access control system developed by Nortek Security & Control (NSC). A remote unauthenticated attacker can exploit these smart door access systems, hijack them, and bring them into a DDoS botnet from which attacks are launched.
NSC smart building access control systems under siege
Access control systems are a type of hardware typically installed in corporate headquarters, industrial facilities, and factories. They are designed to control the doors through which employees and visitors can pass by using a system of access cards.
The susceptibility of NSC’s Linear eMerge E3 smart building access control systems to hackers was first brought to light in May 2019, when the cybersecurity firm Applied Risk published research showing that 10 vulnerabilities existed in the hardware. Nevertheless, NSC did not follow up by updating its underlying software, despite Applied Risk rating seven of the 10 vulnerabilities at 9.8 or above out of 10 on the vulnerability severity (CVSSv3) scale.
The attacks currently being launched against NSC’s Linear eMerge E3 smart building access control systems exploit one of the 10 vulnerabilities originally identified by Applied Risk, one with a CVSSv3 score of 10 out of 10. In essence, this means that smart building access control systems affected by this vulnerability are open to hacking even by low-skilled hackers, as “very little knowledge or skill is required to exploit” it.
This is particularly urgent because such an attacker could cause a “total shutdown of the affected resource” and “render the resource completely unavailable,” according to Common Vulnerabilities and Exposures (CVE), which comes up with the CVSS scoring system.
Hackers are using this vulnerability, tracked as CVE-2019-7256, to hijack smart building access control devices. From there, they download and install malware, which they use to launch DDoS attacks on other targets. Reports of these DDoS attacks first surfaced from intelligence firm Bad Packets on January 9, and they have been coming in ever since.
So far, DDoS attacks using eMerge smart building access control systems have been relatively few in number because the devices are not easily locatable over the internet. Nevertheless, there is concern that hackers may step up their efforts given the magnitude of the vulnerability.
DDoS attacks using IoT as a springboard
Such concerns stem from the range of vulnerabilities that are presented by Internet of Things (IoT) technologies. According to Javvad Malik, Security Awareness Advocate at cybersecurity training firm KnowBe4, “unpatched software is the second most common vector used to compromise systems after phishing.” He goes on to point out that “IoT devices in particular are notorious for either having weak default settings that can be exploited, or have poor mechanisms to allow updates and patches to be deployed in a timely manner.”
Malik additionally points out that “many IoT systems are not monitored with the same rigour as traditional IT systems, so it can be easier for a compromised device to be used for much longer by a criminal without it being detected.”
This is precisely what happened in August 2019, when Microsoft reported that a Russian hacking group called Strontium — which has known links to the Kremlin — managed successfully to exploit IoT devices and use them as a springboard to initiate further attacks on corporate networks.
According to Marc Gaffan, the CEO of cybersecurity solutions firm Hysolate, this concern is in dire need of addressing because the number of IoT devices worldwide is “growing exponentially” and is “estimated to be over 75 billion [devices] by 2025.”
Gaffan explains that as IoT devices continue to become an integral part of our everyday lives, attackers “naturally are finding ways to exploit them,” and that they “always look for the easiest way to establish their foothold, which happen to be these vulnerable access control systems.”
In this way, it is expected that in the coming years hackers will not limit their sights to exploiting smart building access control systems to launch DDoS attacks, but will increasingly take aim at IoT devices more generally.