Saturday, February 22, 2020

Critical vulnerability in the Nortek Linear eMerge E3 access controller

    Take a look around and note all of the electronics around you. How many devices
are in the room with you? How many are communicating? Look beyond the
obvious computer, cell phone, and smart watch. Are there headphones? Key
fobs? Door locks? Anything with a circuit board can be hacked and anything
that is trying to connect makes it easier. Every device comes with vulnerabilities
- it's just a matter of whether someone has found them yet.

    When security researchers come across a vulnerability they typically report it to
the company that develops the product before going public with the discovery.
This is done in good faith so that the company has time to issue a patch. In a
perfect world, the vulnerability is announced and includes a statement that it's
already been fixed so we can all grab the update if we need to. Unfortunately,
that isn't always the case.

    This week, researchers from SonicWall reported active exploitation of proof of
concept code for a critical vulnerability in the Nortek Linear eMerge E3 access
controller. This is a physical access control that determines who can use which
door and when. The Linear eMerge E3 has been deployed across multiple industries
from healthcare to banking to manufacturing and more. According to the
SonicWall team, "It runs on embedded Linux Operating System and the system
can be managed from a browser via embedded web server."

    But SonicWall didn't discover the vulnerability. It's over eight months old and
it's actually 10 vulnerabilities that exist on the E3 controllers. It was originally
made public in a May 2019 research report from Applied Risk where six of the
10 vulnerabilities were identified as critical. Some of the issues, such as default
credentials on the devices and stored cleartext credentials, should be shocking.
But sadly they are all too commonplace, especially in the world of IoT.
After Nortek neglected to issue patches, Applied Risk released proof of concept
exploit code in November 2019 with the hope of forcing the company to address
the issue. At this time, no patch has been released. SonicWall noted that
over 2300 eMerge devices could be easily found - a small number compared to
how many connected devices there are in total - but this is just one model from
one manufacturer. There are still millions of IoT devices out there, easily discoverable,
and every single one has vulnerabilities waiting to be found.