Security Flaws In Smart Buildings

Security Flaws In Smart Buildings

Smart buildings equipped with a large number of networked devices and relying on Internet control are considered easy targets for hackers. Because smart buildings’ security vulnerabilities allow hackers to gain control easily. Many movie enthusiasts may understand how dangerous criminal attacks against building technology systems and precisely timed schedules through some movie scenes. However, many executives don’t seem to be aware of the risks that today’s Internet-connected devices pose to their operations.

Recently, the Linear eMerge E3 devices by Nortek Security & Control (NSC), which regulate access to employees and visitors for doors and rooms based on their credentials, such as access codes, or smart cards, have been exploited by DDoS botnet operators. Linear eMerge E3 devices are installed in corporate headquarters, factories, or industrial parks. Researchers found approximately 14 vulnerabilities of NSC’s Linear eMerge E3 devices. Moreover, there are 6 out of these 14 vulnerabilities are considered severe vulnerabilities as they are all rated from 9.8 to 10 severity scores out of the full score of 10:


  • CVE-2019-7252
  • CVE-2019-7253
  • CVE-2019-7254
  • CVE-2019-7255
  • CVE-2019-7256
  • CVE-2019-7257
  • CVE-2019-7258
  • CVE-2019-7259
  • CVE-2019-7260
  • CVE-2019-7261
  • CVE-2019-7262
  • CVE-2019-7263
  • CVE-2019-7264
  • CVE-2019-7265

According to researchers, hackers first scanned the internet for exposed NSC Linear eMerge E3 devices and then exploit one of the ten vulnerabilities. Among all these vulnerabilities, CVE-2019-7256 is the one that we have to mention here. This vulnerability is related to command injection and is one of two vulnerabilities rated 10. Even novices can use it for long-range attacks. CVE-2019-7256 can be used to take over devices, install malware, and launch DDoS attacks, including on other targets.

The researchers warned that “This issue is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges. A remote unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request.”


Let Us Know If LIFARS Can Help

Solving Your Cybersecurity Issues