How Hackers are Targeting Smart Building Systems

by DigitalCIO Bureau
February 4, 2020


Researchers have revealed that hackers are attempting to compromise smart building access systems. According to researchers from SonicWall, hackers are attempting to compromise Linear eMerge E3 smart building access systems to recruit them into a DDoS botnet. Linear E3 devices are installed in commercial, industrial, banking, medical, retail, hospitality, and other businesses to secure their facilities and manage personnel access. The key role of Linear eMerge E3 devices is to regulate employee and visitor access to doors and rooms based on their credentials (access codes) or smart cards.

Hackers have already compromised more than 2,300 Linear eMerge E3 building access systems exploiting a severe vulnerability that has yet to be fixed.

Research Report
Linear eMerge E3 smart building access systems designed by Nortek Security & Control (NSC) are affected by a severe vulnerability (CVE-2019-7256) that has yet to be fixed, and attackers are actively scanning the internet for vulnerable devices.

In May 2019, security researcher Gjoko Krstic from Applied Risk discovered over 100 vulnerabilities in management and access control systems from four major vendors, including Nortek. An attacker can exploit the vulnerabilities to gain full control of the vulnerable products and access to the devices connected to them.

Krstic conducted a year-long study on building management (BMS), building automation (BAS) and access control products from Nortek, Prima Systems, Optergy, and Computrols. The experts analyzed several products, including Computrols CBAS-Web, Optergy Proton/Enterprise, Prima FlexAir, and of course two Nortek Linear eMerge products.

“Attackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be found in product documentation and compiled lists available on the Internet.” reads the advisory published by Applied Risk. “It is possible to identify exposed systems using search engines like Shodan, and it is feasible to scan the entire IPv4 internet. Applied Risk has calculated a CVSSv3 score of 9.8 for this vulnerability”

Proof of Concept
In November, Applied Risk released proof-of-concept exploit code for the CVE-2019-7256 flaw, along with a Metasploit module that exploits a command injection vulnerability in the Linear eMerge E3 Access Controller.

According to a report recently published by SonicWall, hackers are scanning the Internet for NSC Linear eMerge E3 devices to exploit the CVE-2019-7256 flaw. The experts warn that the vulnerability is very easy to exploit: attackers trigger it with a specially crafted HTTP request sent to vulnerable systems.

Mitigation
In its alert, SonicWall researchers said, “This issue is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges. A remote unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request.”
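A defender-side triage check for the kind of request the alert describes, added here as an example and not taken from SonicWall's alert or the original article: it scans web access logs for requests to PHP endpoints whose query parameters decode to shell syntax. The endpoint name, parameter names, addresses and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Sequences a shell treats as command separators or command substitution.
SHELL_META = re.compile(r"[;|`\n]|&&|\$\(")
# Combined Log Format prefix: src ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%2560) are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded value) for PHP query parameters carrying shell syntax."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".php"):
        return []
    hits = []
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        value = fully_decode(value)
        if SHELL_META.search(value):
            hits.append((unquote_plus(name), value))
    return hits

def scan(lines):
    """Return one alert per log line whose request looks like command injection."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        hits = suspicious_params(m.group("target")) if m else []
        if hits:
            alerts.append({"src": m.group("src"), "status": int(m.group("status")),
                           "params": hits})
    return alerts

# Constructed sample lines; the endpoint name and addresses are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Feb/2020:10:01:12 +0000] "GET /hypothetical_status.php?reader=3&door=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Feb/2020:10:01:15 +0000] "GET /hypothetical_status.php?reader=3&door=%60id%60 HTTP/1.1" 200 498',
    '203.0.113.5 - - [04/Feb/2020:10:02:40 +0000] "GET /hypothetical_status.php?door=2%253Bid HTTP/1.1" 404 153',
    '192.0.2.10 - - [04/Feb/2020:10:03:02 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A flagged request answered with status 200 deserves a closer look than one answered with 404, since the endpoint exists and processed the input.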

“SonicWall Capture Labs Threat Research team observe huge hits on our firewalls that attempt to exploit the command injection vulnerability with the below HTTP request.” reads the advisory published by SonicWall.
