Hackers Are Exploiting Vulnerable Smart Buildings to Launch DDoS Campaigns

Hackers are hijacking smart building access systems to launch DDoS attacks https://t.co/GpptpbCrZx

— ZDNet (@ZDNet) February 3, 2020

Highly Flawed Central Building Systems

According to a report from firewall company SonicWall, these attacks are primarily being targeted at Linear eMerge E3, a product of Nortek Security & Control (NSC) and whose devices are hardware access points systems components, the devices themselves are installed in central locations on buildings, and they control the access that people have to their rooms based on their access cards and online credentials. A vulnerability in the system is the CVE-2019-7256, which was described as a command injection flaw. It received a severity score of 10, meaning it can be exploited from a remote location and by low-skilled hackers who don’t have much technical acumen. SonicWall confirmed that attackers were targeting these devices multiple times daily, adding that they’ve seen tens of thousands of hits on a daily basis, all of which have encompassed 100 countries already.

The mass exploitation of CVE-2019-7256 by DDoS botnet operators started on January 9th – https://t.co/HgEJSYoEFu https://t.co/8GhGhy51gO

— Bad Packets (@bad_packets) February 2, 2020

Regulating the IoT Space Could Enhance User Security

The issue is the latest pointed to the dangers of the Internet of Things (IoT) from a security perspective. The entire point of this technology- as seen in smart homes- is to allow all devices to work in tandem by being connected to a central server placed strategically. However, as expected, the caveat of this is that a successful attack on that server could be devastating to the entire house. As previously reported, Ring cameras have been in the middle of the storm of late. Hacking tools for breaching the cameras were even offered for retailing for as low as $8 on online hacker groups and message boards. The IoT technology remains one of the most revolutionary concepts ever developed, but it’s still rather nascent, and as we’ve come to find out time and again, there are some kinks that need to be worked out. The United Kingdom, however, is making some progress with enhancing security, as a new government policy passed last week puts forth requirements that all smart devices will need to adhere to in order to boost security. According to Total Telecom, the new U.K. law requires that devices much have a unique password that can’t be set to a universal factory setting, manufacturers must provide a contact point for vulnerabilities to be reported, and manufacturers need to be accountable for releasing updates- whether online or in-store. The regulations were developed by the National Cyber Security Centre after consultations with several industry representatives. Per the news medium, Matt Warman, the digital minister, said, “We want to make the UK the safest place to be online with pro-innovation regulations that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers from threatening people’s privacy and safety.”

---

Images are courtesy of Twitter, Shutterstock, Pixabay.