malaya_zemlya an hour ago

There was a time when somebody in SF figured out the admin access code to older apartment intercoms (I believe they were manufactured by Linear and maybe other companies too). These intercoms would call the programmed-in phone number whenever you type in the apartment access code at the door.

So what they did is add a new fake tenant with a premium 1-900 number and used the intercom to call it, earning themselves a bit of cash. Naturally, landlords had to foot the bill.

  • gosub100 12 minutes ago

    I did something similar to my high school in the 90s. They had a free student phone in the office. It had long distance blocked on it, but I learned you could circumvent the block using those 1010-321 and other long distance prefixes. Some of them had $5 access fees, billed once, in addition to the per minute rate. I called several of these and prided myself on getting the phone removed from the office for a few months.

assimpleaspossi 5 hours ago

Rode with a guy to visit a friend in a gated community. We didn't know the access code for the gate but the guy I was with is an Amazon delivery driver.

"Let's see if I can't get us in," he said. He got out of the car, walked over to the access panel and looked on top, bottom and sides. Then he punched in some numbers and the gate opened.

Turns out, so many people in gated communities and apartment complexes order things from Amazon, and other delivery services, and want front door delivery but don't give them any way to get in. Eventually, some frustrated driver who gets the code will write it on the side of the access panel to help everyone out.

"Apartments are awful," he said. "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."

  • jeffwask 2 hours ago

    > "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."

    This is a huge misconception about GenZ. Unlike Millennials and GenX, who had to hack around on PCs to figure out how to torrent, run games, build our own LANs for local multiplayer, and generally avoid our parents' prying eyes, GenZ has grown up on devices. You don't modify the OS on devices. You don't hack around on devices; apps tend to just work with little configuration. GenZ is entering the workforce with lower baseline computer / computer security skills than people think they have.

    • freddie_mercury 2 minutes ago

      I saw someone joke that there's only one generation in the history of mankind that knows how to set the time on a microwave. Our parents couldn't do it. And now our children can't do it.

    • ericmcer an hour ago

      Same I just was talking with my daughter (16) about this because she hated her intro programming class in high school. No biggie if it isn't for her, slightly disappointing that I can't share knowledge, but she should pursue what she enjoys.

      What irked me was she claimed "I just hate being on the computer", but her screen time on the phone easily crests 8 hours daily. Maybe we are just entering a similar phase to auto mechanics. In the 1950s anyone who owned a car was at least somewhat proficient in its inner workings, now many people need to consult the manual to figure out how to pop their hood.

    • bombcar an hour ago

      I don't know if it's a "uses tech" issue or just not realizing the steps needed. Even we knew you had to go to the campus gate to meet Dominos after dark (when the gate would be automatically closed).

      There was no fancy intercom ability to remotely open it.

    • RajT88 2 hours ago

      Well - kind of. PC gaming is bigger than ever before, and PC gaming was how a lot of my generation got into computers.

      My nephew for a while was very much one of those "grew up on devices" kind of kids - until he got off of gaming on phones and tablets, and got a gaming PC. Now he's reading about technology and tinkering and stuff.

      • blueflow 2 hours ago

        It's not the same. Nowadays you press a button in Steam and the game is installed for you and just works. It does not provide an entrance into technical layers like configuring the soundblaster irq in config.sys did.

        • mardef an hour ago

          It's not the same, but I don't know if it's worse.

          My IRQ conflict resolution skills or knowledge about himem.sys aren't really useful these days.

          But I've seen GenZ kids do incredible things with Minecraft mods and the like that make me reminisce about Quake modding.

          The masses are just blindly using devices, but the masses didn't even have a PC at home 30 years ago.

          • neuralRiot an hour ago

            It used to be that if you wanted to do gaming on a PC you started by building the PC.

            • dingnuts an hour ago

              That hasn't changed. Of course there are pre builts but there were twenty years ago, too. I should know -- I had one. I built my third gaming PC myself.

    • amatecha an hour ago

      Yeah, I know someone who works in a high school and the average skill level is "struggles to figure out how to save a document on a USB stick". Kids know how to press the power button on an Xbox or tap an icon on their iPhone. The staff member I know is aware of ONE kid in the entire school who has used Linux. When I was a kid, basically every single kid who had a computer at home (and actually used it) knew how to defrag the hard drive (and probably install Windows lol), set IRQ values for their sound card, all that kind of stuff -- because you had to know this to even use it. My friends and I went on BBSes and later stuff like IRC and Hotline, ran Linux or pre-release versions of our respective OSes, set up our own bedroom LANs and personal game/web servers, etc. etc.

      Indeed, as you say, I learned a lot about computers simply by wanting to circumvent the limitations that school admins put on the computers (especially as I wanted to utilize the full power the computers provided, as opposed to some sheltered/limited experience -- "At Ease" -- surprisingly reminiscent of smartphones/tablets today)... I went to great lengths to regain net access when my parents repeatedly revoked my access, again another huge learning opportunity.

  • sidewndr46 4 hours ago

    It's far simpler than that. Every gated community I've ever visited, press any digit 4 times. You're in. The only exception is a community with a security guard. The guy obviously isn't just going to let some guy not on the guest list in.

    • adamanonymous 27 minutes ago

      Gated communities around me have 2 lanes, one with a sensor activated gate for residents and a guest lane next to the guard hut

      If it's busy and you pull up in a nice enough car and just wait in front of the sensor gate looking annoyed, the guard will eventually just let you in

  • lynx97 an hour ago

    Ahh, the modern version of the written note under the keyboard...

    In my area, there is a universal access key (physical) for postal service and newspaper delivery people. So if you want access to a random building, all you need to do is apply as a newspaper delivery guy, or, find one that is willing to give you that master key. To add insult to injury, that type of job is extremely low paying, so much room for abuse.

    Fact is, locks and closed doors are there to make the owners feel cozy and safe. If you ever needed a locksmith service and watched them do their job, you know your apartment door is just a prop.

    • tecoholic an hour ago

      Modern apartment building. Low rise. Full visibility of courtyard. Cycle gone missing with a baby seat attached. Nothing anyone can do about it. How did they get the key, who let them in, how did they manage to pry open the lock in full visibility? I was seething for a week. But somehow I knew this wasn’t really that big a security challenge for the thief.

    • gosub100 6 minutes ago

      That's not true. They raise the bar above the bare minimum. Lots of crimes are ones of opportunity. A gate is the difference between 0 effort and some effort. It makes it a bit harder for a petty thief to cruise through and find low hanging fruit.

  • WalterBright 2 hours ago

    I bet you could examine the keypad for wear. The worn keys (or the shiny ones) are the ones for the code.

    In the days before cell phones, a burglar alarm would dial the alarm company. The phone company likes to install the phone box on the outside of the building. The alarm is defeated by an axe to the cable going in the box.

    I had a fight with the phone company at my house, as I wanted the box on the inside rather than the outside. They finally agreed on the condition that I maintain the wire to the box.

    These days, of course, the alarms use wifi or a cell phone to call the alarm company.

    • blacksmith_tb an hour ago

      That only works if there's a single code? I would think many keypad systems assign a code to each apartment (so the one written on the side is not a master key, just Joe in #303).

      • dmurray an hour ago

        I've definitely worked somewhere they tell all the users they have individual codes, not to share them, and if there is unauthorized access it can be traced who leaked their code. Everyone gets told the same story and given the same code.

    • bell-cot 2 hours ago

      > These days, of course, the alarms use...

      And the crooks use RF jammers instead of axes.

      • EGreg 8 minutes ago

        These days, alarms use quantum entanglement. Beat that :)

  • wildzzz 4 hours ago

    There's a door at work I regularly need to access. It used to be used for another purpose but now is just an extension of the work area. It's got a badge reader and simplex lock but I can't get badge access because I don't actually belong to that work area yet I'm there every day anyway. However, someone wrote the simplex lock code on a sign in very small numbers for this exact purpose. Other simplex locks in the building use the default code you can find online. The whole building is secure so you'd never be able to walk up to these doors without proper credentials, they are mostly just there to keep out the curious or someone looking to borrow tools that they shouldn't.

    • atlanticaccent 4 hours ago

      > The whole building is secure

      Given what you just said and the article you're commenting under, are you sure?

      • organsnyder 2 hours ago

        Anyone wearing a maintenance uniform and carrying a step-ladder could surely find a way in via an overly helpful victim.

        • EvanAnderson 2 hours ago

          Look like you belong and act confident and you can get nearly anywhere. Props help-- wear a high-vis vest and a hard hat, carry a tablet / folio / clipboard around an office, etc.

          Confidence is the key, though.

          • organsnyder 2 hours ago

            You also have to fit a certain expected demographic.

            • EvanAnderson 2 hours ago

              Sadly, yes-- that's true. It's a game of playing to stereotypes, for sure.

  • _fat_santa 5 hours ago

    My parents live in a very upscale country club community down in Florida and their gate security is laughable. They assign every household a 4 digit code to enter the community. Given how many homes are in this community, entering any 4 digit code > 1000 and < 2000 will work.

    • jimt1234 4 hours ago

      My girlfriend lives in an upscale, gated community. Her HOA has done the exact opposite. They change the gate code weekly as a way to "protect" themselves from this situation. However, it's kinda had the opposite effect - tailgating has become totally acceptable, even the norm, as people can't keep up with the gate code changes. Amazon drivers usually just sit outside for a minute or two, then tailgate into the neighborhood.

      • zbrozek 2 minutes ago

        My townhouse HOA decided it was totally worth money to replace our fob system with a system that's deliberately incompatible with Homelink. They claimed without evidence that used car sales were a severe security risk.

        Never mind that you can wave any conductor under the gate to trigger the egress wire loop sensor, or just wait a minute or two for someone else to go through. From 6AM to 10PM the other gate is simply open, too.

        Now I have to pay more for crappier fobs with worse range. It's deeply disappointing.

      • reaperman 2 hours ago

        The only gated communities / apartment complexes I've ever seen where that was not normal are a subset of the ones that have an on-duty guard - specifically the subset with guards who recognize all the occupants and take the information of anyone they don't recognize.

        • jimt1234 an hour ago

          Her community is not guard-gated, but it's extremely snooty/snobby. A number of years ago, before the weekly gate-code changes, the HOA started doing annual code changes on Halloween. Why Halloween, you might ask? Because the service staff of the community (landscapers, house cleaners, etc.) had the audacity to bring their children/grand-children to the neighborhood to trick-or-treat. Residents felt the service staff was just trying to guilt them into giving candy. Keep in mind, all these residents are multi-millionaires, mostly retirees, and they were bitching about having to spend 5 bucks in candy to make children happy.

          • doubled112 27 minutes ago

            Isn’t that usually how the rich stay rich? Does this really seem too surprising?

            In my experience, and I’m generalizing a lot, the less people have the more generous they tend to be.

      • bell-cot 2 hours ago

        They're doing a great job of "protecting" themselves from feeling anxious about Bad Things somehow happening.

        For an all-too-large fraction of humanity, that's the "protection" which actually matters.

  • AutistiCoder 2 hours ago

    I was under the impression that delivery drivers had a book or something with these codes.

    Like, the HOA just like calls the delivery companies and says "hey, here's a code to get in"

    • DANmode 2 hours ago

      Missed the stories about these guys shitting in the backs of the trucks and vans for lack of time to do their jobs, eh?!

bgirard 7 hours ago

> Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password

These manufacturers’ recommendations are not acceptable. They should mandate a non-default secure password before allowing the system to be used.

  • pavel_lishin 7 hours ago

    Even my parents' & grandparents' modems/routers each have a unique password printed on the bottom! There's just no excuse for this.

    • robbiewxyz 4 hours ago

      Their routers only have this feature because the internet providers who sell those routers pay for bandwidth themselves lol. If residential internet plans sold on a pay-per-byte basis you can bet routers’d still ship with non-unique passwords.

    • nottorp 7 hours ago

      Oh speaking of which. A lot of places I rented on holidays had internet access with that default unique password. Which is a pain to type on your phone and laptop when you get there.

      Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?

      • happyopossum 7 hours ago

        >Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?

        You can do that easily on iOS, I'd be surprised if Android didn't allow it as well...

        Tap in the password field, tap Autofill from the popup, and tap Scan Text.

        • lostlogin 6 hours ago

          Slightly off topic, but sharing WiFi passwords on iOS is so very user friendly.

          • bildung 6 hours ago

            How does it work in iOS?

            On Android User A taps on the wifi they are connected to and gets a QR code, and User B taps on the icon for scanning wifi QR codes, so one tap each once you are in your wifi settings.

            • arjie 5 hours ago

              On iOS, the guest attempts to connect and anyone with them in their contacts list is prompted to share. The common use case of a friend visiting is very simple. If you want to share a different network, there's a similar flow to the Android one:

              * Go to Wi-Fi in the Passwords app

              * Select the Wi-Fi network you want to share

              * Share Network QR Code

              • HeatrayEnjoyer 5 hours ago

                So they know when you're trying to access a wifi network?

                • mcculley 4 hours ago

                  If you are near them, yes.

      • ghaff 7 hours ago

        A lot of inns and B&Bs in tiny towns etc. have these complicated passwords that seem like overkill. You're probably right that they're some sort of default. Even if they're not 12345, it seems as if they could be something pretty simple and that would be fine.

      • rbalicki 2 hours ago

        You can generate and print a QR code. It's quite a nice solution

      • gryn 2 hours ago

        Google Lens works for this as an OCR copy & paste

      • axus 7 hours ago

        QR codes?

        • nottorp 7 hours ago

          > QR codes?

          How do you change the label on the router that got installed 8 years ago and is working fine? Especially since the owner of the cabin in the woods that you just rented for the weekend is into ... renting cabins in the woods, not geekery.

          > have these complicated passwords that seem like overkill. You're probably right that they're some sort of default.

          It is the default. If you find their router you'll find that overkill password printed on a label on the bottom. More enlightened ISPs give you extra stickers with the same info that you can put on the fridge or somewhere like that.

          • dghlsakjg 6 hours ago

            There is a wifi credentials QR code standard that can be used to pass the network name, and authentication details. Anyone can generate one, here's a generator app: https://www.qr-code-generator.com/solutions/wifi-qr-code/

            Most modern phones recognize the standard and can be used through the native camera app.

          • wrs 7 hours ago

            We used this for our guests at home.

            https://qifi.org/

            • nottorp 7 hours ago

              Oh pretty. Now I just need to tell all the hosts in my future holidays about those :)

        • datadrivenangel 6 hours ago

          I have a framed wifi QR code in my house. It's great. Looks like a photo on the wall.

        • jajko 7 hours ago

          Yes I saw it literally a few days ago when visiting a relative (not even airbnb just her home), so easy to do yet it never occurred to me.

    • prophesi 7 hours ago

      Oddly enough, these default unique passwords usually are in the format of word+word+digit+digit+digit. If you look up the model, it won't take long to find the word list they use and can trivially bruteforce it.

      So even then, I'd recommend changing it, or push for these companies to provide generated passwords with a much larger key space.
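The two guessing-resistance claims in this thread (the word+word+digit+digit+digit label format above, and the 4-digit gate codes handed out one per household further up) can be put into numbers. This is an added example, not part of the thread or any vendor's code; the 2,000-word list size and the 999 issued codes are assumptions chosen to match the comments.

```python
"""Added illustration: guessing resistance of the code formats discussed here."""
import math


def pattern_bits(word_list_size: int, words: int = 2, digits: int = 3) -> float:
    """Entropy in bits of word+word+digit+digit+digit once the word list is known."""
    return words * math.log2(word_list_size) + digits * math.log2(10)


def random_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest random string that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_guesses(space: int, valid: int = 1) -> float:
    """Mean number of tries until one code is accepted, when distinct codes
    are tried in random order and `valid` of the `space` codes are live."""
    return (space + 1) / (valid + 1)


def min_code_digits(households: int, max_hit_rate: float) -> int:
    """Code length needed so a random guess is accepted at most max_hit_rate
    of the time when every household gets its own code."""
    digits = 1
    while households / 10 ** digits > max_hit_rate:
        digits += 1
    return digits


def summary() -> dict:
    # Assumed inputs, constructed for this example:
    #   2,000-word list for the label format; 62-symbol alphabet (A-Z, a-z, 0-9);
    #   999 household codes in a 4-digit space (codes > 1000 and < 2000).
    return {
        "label_pattern_bits": round(pattern_bits(2000), 1),
        "random_12_char_bits": round(random_bits(62, 12), 1),
        "chars_for_64_bits": length_for_bits(62, 64),
        "gate_one_shared_code": expected_guesses(10_000, 1),
        "gate_code_per_household": expected_guesses(10_000, 999),
        "digits_for_0.1pct_hit_rate": min_code_digits(999, 0.001),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:28} {value}")
```

Per-household codes in a 4-digit space make the gate weaker than a single shared code, because every issued code is another accepted answer; the last row shows how long the code would have to be to undo that.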

      • Semaphor 4 hours ago

        German Fritzbox routers (the most common non-ISP routers here, and actually very capable) have a fully random password.

      • jack_pp 6 hours ago

        Idk in Romania routers come with random passwords.

        https://imgur.com/a/x915ZfO

        • yesthis 6 hours ago

          function generatePassword() { // comply with Romanian regulations return "gaGc52eP" }

          • rad_gruchalski 6 hours ago

            This function doesn’t evaluate, something something expected expression of }, premature end of file.

            • pc86 6 hours ago

              I know you're making a joke but it's just HN formatting not respecting single line breaks in comments.

      • bongodongobob 3 hours ago

        That's usually the wifi password, not the admin password.

MBCook 24 minutes ago

I’ve always wondered: how do all these things end up in Google? What’s submitting the link, or public thing links to it?

psobot 7 hours ago

Viscount has hilariously bad security. I used to live in a building in Toronto that used Viscount infrared fobs for access control. They were no more secure than TV remotes; no rolling codes, no encryption, nothing. An attacker could easily sit nearby with an IR receiver and collect everyone's fob codes at a distance, allowing access to all floors.

Needless to say, I moved.

  • prometheus76 7 hours ago

    This was 30 years ago, so I'm sure a lot has changed since then. I was a missionary and the way we got into buildings in Toronto to knock on doors was to just pick the last name with the most letters from the directory, buzz them, and when they answered, we would just say "pizza delivery" and 95% of the time they buzzed the door open.

    • nosioptar 6 hours ago

      It'd be nice if missionaries weren't such hypocrites. Claiming to be the pizza guy when you're actually selling magic underwear is bearing false witness.

      • roguecoder 5 hours ago

        Technically it depends on the interpretation of "עֵ֥ד" and "בְרֵעֲךָ֖" whether that commandment is admonishing against telling any lie, just lies in court when making a legal accusation against another person, or somewhere in between.

        Even if we accepted the premise that one book should be the basis of all morality, this one contains within itself contradictions, satire, sarcasm, and a community context we no longer have: with individual quotes I can make anyone look like a hypocrite.

        To my mind the more interesting question is, does a singular community condemn a behavior in out-group members that they tolerate or even praise in in-group members?

        • reaperman 2 hours ago

          Leviticus 19:11 bypasses the whole "עֵ֥ד" vs. "בְרֵעֲךָ֖" shenanigans.

          New International Version (NIV): "Do not steal. Do not lie. Do not deceive one another"

          King James: "Ye shall not steal, neither deal falsely, neither lie one to another."

          New Living Translation (NLT): "Do not steal. Do not deceive or cheat one another"

          New Century Version (NCV): "You must not steal. You must not cheat people, and you must not lie to each other"

          The Holman Christian Standard Bible (HCSB): "You must not steal. You must not act deceptively or lie to one another"

      • knowitnone 6 hours ago

        devil worship is a hell of a drug

    • withinboredom 7 hours ago

      What do the letters in their name have to do with it?

      • prometheus76 7 hours ago

        Less likely to speak English in my experience.

    • lostlogin 6 hours ago

      Does anyone ever actually get converted by a door knocking missionary?

      • prometheus76 3 hours ago

        Yes. I'm no longer a Mormon, but I baptized around a dozen people on my mission and they were all found from knocking on doors. But this was also thirty years ago, before the internet was a thing for most people.

      • pavel_lishin 6 hours ago

        It's not for the benefit of the potential convertees, it's for the benefit of the ones doing the converting.

        • spankalee 5 hours ago

          Yes. The inevitable rejection is the point. It reinforces the otherness of the outside world, creating more separation from non-believers and stronger connection and devotion to the cult.

  • ghaff 7 hours ago

    I'm not going to especially defend but you have a way more sophisticated model of how most burglars work than is almost certainly the case.

    • reaperducer 6 hours ago

      Exactly. This article should be titled "I figured out a really obtuse way to break into apartment buildings."

      A rock will get the job done in a fraction of the time.

      It's like all those nobodies on HN who go through all kinds of software gymnastics to secure their phone against imaginary "threat actors," when a mugger is just going to keep twisting their arm behind their back until they enter their PIN.

      • Neonlicht 3 hours ago

        In fairness I think that these "locked doors" are to keep the homeless/drug users out or kids starting fires not really burglars.

      • stevage 2 hours ago

        They unlocked a lot more power than simply getting into buildings.

      • badgersnake 6 hours ago

        This is way better than a rock. It raises no suspicion and leaves no trace. Maybe it doesn’t matter for burglary, as you’re probably going to take things anyway, but if you want access without anyone knowing you were there this is gold.

  • happyopossum 7 hours ago

    > infrared fobs

    Wait, what? You have to point a powered device at an IR receiver and press a button like a TV remote? I've never seen a building entry system like that!

    • psobot 6 hours ago

      Exactly that, yes! IR receivers outside every exterior door to the building, and IR receivers in the elevators to control access on a floor-by-floor basis.

      The fobs were visible by an IR camera (including the average smartphone) and could trivially be decoded as a short bit sequence with an IR sensor wired into a microphone jack, as the bit pattern was transmitted at ~audio rates.

    • __MatrixMan__ 6 hours ago

      That's probably because it's not so good as a building non-entry system.

pavel_lishin 7 hours ago

> 2025-01-29: Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password

Ah, yes. It's the children who are wrong.

ecshafer 5 hours ago

Many many many years ago I worked at basically an MSP for telcos on the helpdesk. So customers would call their telco or isp for help and that would be routed to us. Anyways this one small isp with idk 10k customers had deployed their routers to customers with the default username/password and remote authentication enabled. A single script from a bad actor logged into all of the routers, changed credentials, and iirc updated dns settings so they lost internet, phone, tv. Cue 10k people calling as we had to basically walk through everyone one by one on changing the credentials and updating their config.

  • myself248 an hour ago

    Was that enough pain to force some sort of change in how the things were deployed thereafter?

Agingcoder 5 hours ago

After watching a lot of tv series, my non techie wife has come to the conclusion that real life systems are trivial to hack : just click ‘skip password’, or ‘password override’, or just use ‘password’ as a password.

It seems she’s almost right !

INGSOCIALITE 6 hours ago

i worked as an engineer in an industry that required on-site access to buildings all over manhattan, some residential. all you have to do is hit a couple random buttons on the intercom and 100% of the time one of them would just buzz the lock

  • mvandermeulen 5 hours ago

    This is pretty much all it takes in any western country. Some areas might require a little more effort but nothing substantial.

    In fairness, the blame for this kind of enabling attitude is mostly attributable to me locking myself out of the building and having to buzz my long suffering neighbours at all kinds of ungodly hours. Proud moments.

  • megous 4 hours ago

    Could you also lock out specific residents? Or get their daily home arrival patterns for the last few years? Or find unused flats to squat in? IoT still wins. :)

michaelt 7 hours ago

> Default credentials that “should” be changed, with no requirement or explanation of how to do so. Surely no building managers ever leave the defaults, right? And even if they did, they’d surely have no reason to expose this thing to the Internet, right?

My theory is this is one of the reasons so many internet-of-things devices nowadays omit any sort of offline/local network control.

No default passwords, no ports you can forward without knowing what you're doing, all the credentials sorted out on a cloud server.

  • craftkiller 7 hours ago

    Consumer routers have had this issue solved for ages: you generate a random password and put it physically on the device.

    • ghaff 7 hours ago

      I don't want some complicated random password. At least where I live, my router password is a very modest security shim to protect against very random casual access. If I have a visitor who needs WiFi access, I want to give them an easy password to type in.

      • marsovo 6 hours ago

        So change it afterwards. Good defaults are important. If someone doesn't change it, it's important that they be on the right path instead of...this one.

        (See also: opt-in versus opt-out for retirement plans, organ donation...heck, even this from yesterday: https://news.ycombinator.com/item?id=43144611)

      • craftkiller 6 hours ago

        You can always change the passwords. I was bringing this up as a solution to the default passwords issue. You don't want to have a static default password used by everyone, so you need the initial password to be randomized. People are dumb so you need to print it on the device. There is no need to default to cloud-based authentication to close the default password security hole.

      • barbazoo 6 hours ago

        Wifi password != admin password. The admin password should be random and then you can change it when you take ownership of the device.
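The two fixes argued for in this thread (a random per-device admin password printed on the label, and refusing to do anything until the owner replaces it) fit in a few lines. This is an added sketch, not code from any vendor mentioned here; `AdminAccount`, `Panel`, the 12-character minimum and the deny-list are all hypothetical.

```python
"""Added illustration: unique factory password plus a forced change at first login."""
import hashlib
import hmac
import secrets

# Label-friendly alphabet without look-alikes (0/O, 1/l/I); constructed for this example.
LABEL_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
# Tiny constructed deny-list; a real product would ship a much larger one.
COMMON_PASSWORDS = {"password1234", "administrator", "123456789012"}
MIN_LENGTH = 12  # assumed policy


def _kdf(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF from the standard library; only the hash is ever stored.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class AdminAccount:
    def __init__(self, username: str, password: str, must_change: bool):
        self.username = username
        self.must_change = must_change
        self.set_password(password, clear_flag=False)

    def set_password(self, password: str, clear_flag: bool = True) -> None:
        self._salt = secrets.token_bytes(16)
        self._digest = _kdf(password, self._salt)
        if clear_flag:
            self.must_change = False

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self._digest, _kdf(password, self._salt))


def provision_device():
    """Factory step: every unit gets its own password, which exists only on its label."""
    label_password = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(12))
    return AdminAccount("admin", label_password, must_change=True), label_password


class Panel:
    def __init__(self, account: AdminAccount):
        self.account = account
        self.tenants = []

    def login(self, username: str, password: str) -> str:
        """Return 'denied', 'setup_required' or 'ok'."""
        if username != self.account.username or not self.account.verify(password):
            return "denied"
        return "setup_required" if self.account.must_change else "ok"

    def change_password(self, current: str, new: str) -> None:
        if not self.account.verify(current):
            raise PermissionError("current password is wrong")
        if len(new) < MIN_LENGTH:
            raise ValueError("new password is too short")
        if new.lower() in COMMON_PASSWORDS:
            raise ValueError("new password is on the deny-list")
        if self.account.verify(new):
            raise ValueError("new password must differ from the factory password")
        self.account.set_password(new)

    def add_tenant(self, password: str, name: str) -> None:
        # Simplification: the password is re-checked per action instead of a session.
        if self.login(self.account.username, password) != "ok":
            raise PermissionError("management is disabled until setup is complete")
        self.tenants.append(name)


if __name__ == "__main__":
    account, label = provision_device()
    panel = Panel(account)
    print(panel.login("admin", label))            # setup_required
    panel.change_password(label, "a long owner-chosen phrase")
    print(panel.login("admin", "a long owner-chosen phrase"))  # ok
```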

    • huang_chung 5 hours ago

      OpenWRT, the crown jewel of open source firmwares for "insecure" consumer routers, uses a blank (null) password by default with full root access.

      • dylan604 4 hours ago

        No device comes off the shelf with OpenWRT. If you're the type of person that's aware of OpenWRT and then install it, it's not that far of a stretch to think you'd also be the type to know to check the password.

        • myself248 an hour ago

          GL-inet devices come off the shelf with OpenWRT. They don't have a blank password. Every single one ships with 'goodlife' as the default password, as printed on the label on the back.

          (But remote ssh login is disabled by default.)

          • dylan604 34 minutes ago

            Thanks. I was unaware of that company.

        • huang_chung 3 hours ago

          Your logic is poor.

          If you assume this, you have to assume door access device is installed by trained technician.

          • dylan604 2 hours ago

            Your assumption is large.

            I am only thinking of a router with OpenWRT installed. Nothing about a wifi router with OpenWRT has anything to do with a door access device installed by a trained technician or not. The conversation only pertains to the words used, not the unwritten ones you're trying to insert in between the lines of my comment to make a totally unrelated point.

bluedino an hour ago

Love this stuff, reminds me of old 2600 articles

stevage 2 hours ago

Jesus. The whole system seems to have been designed to maximise the damage that can be caused with minimal effort.

Why are these admin pages web findable? Why is there a public database of them? Why have they tried so hard to make it so accessible? Why is there no security? Arrrrrgggh.

kingkulk an hour ago

Exposing a loophole in the best way. Great job

thomasjudge 6 hours ago

Isn't logging into any system unauthorized - in practice - a violation of the Computer Fraud & Abuse Act?

  • roguecoder 5 hours ago

    The EFF has a good guide about the relevant laws: https://clinic.cyber.harvard.edu/wp-content/uploads/2020/10/...

    • Validark 20 minutes ago

      Such ridiculous laws. The real crime here is that the software vendor lets people use the software without creating a new password. Even that is suspect, since I bet most people's password would be 1234 anyway. So really they should force people to set up passkeys to access the system. Or, cut out the setup, and just send them a couple of USBs which allow them to access the system.

      This "manufacturer" is not doing its due diligence in any way, shape, or form. They are the ones who should face jail time for not implementing bare minimum security practices.

      The idea that the guy revealing a complete lack of security is committing a crime is like saying a guy informing someone that they're naked is guilty of forcibly stripping that person. Or that telling someone there's a giant red button that drains the landlord's bank account is guilty of pressing it. Maybe they should remove the giant red button?! Or at least put it in a locked room?

  • mihaaly 3 hours ago

    It is, like getting into a home with open doors without the consent of the inhabitants.

    Which is keeping away only the honest and polite persons.

ihaveone 7 hours ago

Holy freaking crap. ALL OF THESE ARE ONLINE. "It's possible" to log in to the first result with the default password.

If anyone wants, perhaps login, change the password and make a new client as the password or something. This is going to get bad FAST.

  • azinman2 6 hours ago

    I would say this is highly irresponsible of the researcher to expose this publicly. These are people’s homes, along with their PII and locations. The residents didn’t choose this system, their building just uses it. They don’t even know that their info is being leaked, nor that the doors to their places were just rendered neutered.

    If something bad happens because of this…

    • Synthetic7346 3 hours ago

      I think this falls under responsible disclosure guidelines. A lot of times companies refuse to fix misconfiguration issues like these, and users/customers deserve to know. Not publishing it is security by obscurity, you're just hoping that a bad actor doesn't figure this out (or hasn't already figured this out).

    • asynchronousx 6 hours ago

      This is the only recourse left when the vendor kicks and screams at the CVE disclosure process.

      • neilv 5 hours ago

        The only recourse for what problem? Aren't there other plausible creative ways to apply pressure and get it fixed, with less risk to the people unwittingly at mercy of this vendor's negligence?

        Or are you speaking of the transactional convention, in which people can break into systems, and then are entitled to publicity for that, so long as they give the vendor advance notice?

        The whole responsible disclosure convention seems an imperfect compromise, among various imperfect actors. On occasion, individuals might decide that other options are more appropriate to the specific situation, and to Perfect Tommy it.

        https://www.youtube.com/watch?v=fKHaNIEa6kA

      • azinman2 5 hours ago

        I strongly disagree. You’re literally putting people’s lives and possessions at risk who have no knowledge of this. There are many alternative methods, from getting the government involved to giving a very long lead time to the vendor before you disclose this, to sitting on it and never disclosing.

        • megous 3 hours ago

          Software vendor and building manager are putting people's lives at risk.

          Can't software coders ever take responsibility? And this is on the programmer who implemented this, too. You just don't let your product manager do this, ever. It's 2025 already.

          And this is a security product, wtf? Residents should be suing individual programmers here. OWASP was created 24 years ago. Default credentials is like number 1 on their IoT app security list. Only a moron would not defend against this. If your manager requires this, you just send him:

          https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Pr...

          And tell him no. If he still wants it, you just report him to Reddit or whatever. :D

    • LeifCarrotson 4 hours ago

      If something bad is done by a bad actor because of this vulnerability being discussed in public, that's no worse than something bad happening because this vulnerability exists but is only discussed in secret.

      This is not some highly-technical vulnerability only accessible to nation-states with genius engineers and million-dollar labs with exotic instrumentation and brute-force supercomputers compute pulling down many megawatts of power. The OP literally logged into an open Wifi SSID, searched for the text on the page, and scrolled to the default password. None of those steps are hard to do, any jealous ex or disgruntled employee or divorced parent fuming in the parking lot for 5 minutes could effortlessly accomplish the same thing.

      I honestly think it's likely that bad things have already happened due to this vulnerability - but not due to this disclosure.

      But because it was only discussed in secret, no one ever got to the root cause of the issue and the hazard continued to be out there. Now that it's public, hopefully something will be done, and relatively quickly.

      • azinman2 4 hours ago

        Shining a spotlight on an issue is completely different than the issue already existing.

    • tiborsaas 6 hours ago

      I second this. Just because it feels right to them as "I've reported it, it's not on me anymore...", doesn't mean he should enable bored people to revoke access cards, jam elevators, etc.

      • roguecoder 5 hours ago

        Criminals were already enabled to do that, and the people in those buildings had no way to know.

        The more-responsible thing might have been to also reach out to residents of individual buildings & give them time to correct the situation, rather than relying on the company (which has a vested interest in ignoring the problem) to do the right thing. But security through obscurity is not a solution.

        • sjducb 3 hours ago

          Reaching out to the residents leaves you open to legal risks. You processed their data without any kind of opt in.

      • Freak_NL 6 hours ago

        That depends on the individual's weighing of the various factors and their personal moral position. If someone wants to prevent a bunch of easy break-ins where the method of entry won't get noticed in most cases, and they feel that the discomfort of denying access for a bit (impacting hundreds of people perhaps) outweighs the trauma of being robbed (maybe impacting just a few), then doing that might be the only morally defensible position to take. For all we know they actually are planning to hammer the open installations until they get fixed to prevent the bigger harm.

        Other people will shrug and move on after trying everything they can via the proper channels.

        And then of course there are the assholes who will just do it because it entertains them.

        • tiborsaas 6 hours ago

          It's all very educative and makes a point until you read a news story about someone dying because ER couldn't get there in time. The road to hell is paved with good intentions hits hard here.

          • Freak_NL 5 hours ago

            That too has a chance of happening associated with it. Lacking a convenient table to look up the chance of that happening (and its impact), and the chance of a break-in caused by an open admin panel causing irreparable harm, there is nothing left to do but weigh the chances as best as one can.

            Many people will choose to do nothing in that case, but not everyone will accept that inaction which might lead to bigger harm is preferable to action which might lead to another possible negative outcome, but at a much smaller chance.

            (It's basically that dumb trolley meme, but with undetermined outcomes.)

            Every choice we make can have an adverse effect on others. Take the car today instead of walking? You just might cause an ambulance to be delayed leading to an unfortunate death. The chance of that happening is negligible of course, but not absent (it never is).

fortran77 5 hours ago

I just tried it (via Tor) and was able to get into the first 5 that duckduckgo found. Someone had been there before me and (apparently) changed names of things. (I looked but didn't touch.)

Neonlicht 3 hours ago

You can get in the building with a bit of social engineering. I live in an apartment complex. Put on a DHL or Dominos cap and nobody cares. It's your front door lock that is the real barrier.

huang_chung 5 hours ago

Interesting story but a CVE for this is a bit melodramatic and why no one takes security folk seriously (cry wolf too many times).

OpenWRT ships with no password at all (!) with full root access on default install. The situation is the same: they politely suggest you change it from the default (blank) password but do not force you to do so.

By this logic every OpenWRT install (and many other softwares) dating back many years should be subject to CVE.

  • NRv9tR 4 hours ago

    I assume you have to be on that network to access the login. I'm 95% sure the UI/admin is not accessible to the internet by default... but also, yes that shit should be way better. Even Comcast and other ISPs have done better than this for a decade or more now.

    • huang_chung 3 hours ago

      If you believe you need to be on the same network to compromise an internal interface web application, you are gravely mistaken.