Apartment buildings broken into with phone in minutes — IoT-connected intercoms using default creds vulnerable to anyone with Google


A number of apartment complexes using internet-connected intercom/entry systems still use their default credentials, leaving them fully accessible to anyone savvy enough to Google their unit's manual. In fact, programmer Eric Daigle easily broke into a building management system, enabling him to unlock any apartment door remotely. Daigle discovered this vulnerability in Hirsch Enterphone Mesh IoT security systems, a product line of secure access terminals for building safety largely used in Canada.

The Internet of Things has firmly rooted itself in modern building security systems, including apartment complexes looking to use something more secure or modern than phone lines to regulate access to secure entryways. In the case of Hirsch-made Mesh systems, an online portal monitors and records all key fob use across a building and can be used to access locked doors remotely.

Unfortunately, the same website and its default login are readily available in the instruction manual for the system, which is trivial to find with a Google search. Daigle, while waiting at a bus stop, was able to Google the product name of a nearby apartment security terminal, find its manual, and determine a means to break into the building within minutes.

Hirsch's user manual and official response to TechCrunch suggest that end users should change the default credentials of their systems after deployment. However, with no instructions listed in the manual on how to do this, end users are less than likely to follow this crucial security step, which has been the source of vulnerabilities since the dawn of internet security. Simply Googling the name of the admin login page used for all Identiv/Hirsch security systems and inputting the default login gives you a fair shake at getting into any Hirsch-made system.

Once inside the homepage of the internet-exposed security panel, one can see the full names of residents, their room numbers, and their phone numbers. Just for fun, you can also find a multi-year log of every key fob activation across the building, allowing malicious agents to find patterns of entry and exit for every member of a complex. If that information is not enough, one can unlock any connected door across the complex from the same web portal.

Through a quick ZoomEye query, Daigle reasons that just shy of 100 apartment complexes using the affected Hirsch system are vulnerable to this exploit, with most of these in Canada. Hirsch, in prior responses to the media, has clarified that it will not address this security vulnerability, rated 10/10 Critical on the National Vulnerability Database. Hirsch insists it is on the end user to change the default login on their end, while not providing details on how to do so in its instruction manual.

Hirsch has also stated that it will not inform affected users of its products of the flaw. Concerned people in workplaces, schools, or apartments using a Hirsch MESH security system (sometimes also labeled Viscount or Enterphone, depending on the model) can, therefore, reach out to building administrators to ensure that the default credentials have been changed in their unit. Thanks to the IoT, we can move on from physical keys and instead have our homes remotely accessible to anyone with a phone and the ability to Google.
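The default-login exposure described above can also be closed on the product side instead of being left to a manual. The following sketch is an added example, not Hirsch's or Identiv's code; the class, method names and the placeholder factory password are hypothetical. It refuses the factory password from remote requests and blocks door control until the password has been rotated.

```python
import hashlib
import hmac
import os

# Constructed placeholder for this sketch; not the real product's default login.
FACTORY_PASSWORD = "factory-default"


class DefaultCredentialError(PermissionError):
    """Privileged action attempted while the factory password is still set."""


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PortalAccount:
    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.digest = _derive(FACTORY_PASSWORD, self.salt)
        self.commissioned = False  # set only once the password is rotated

    def login(self, password: str, remote: bool):
        ok = hmac.compare_digest(self.digest, _derive(password, self.salt))
        # The factory password works only from the local commissioning
        # network, never from an internet-facing request.
        if not ok or (remote and not self.commissioned):
            return None
        return {"must_change_password": not self.commissioned}

    def change_password(self, session, new_password: str) -> None:
        if session is None:
            raise PermissionError("not authenticated")
        if len(new_password) < 12 or new_password == FACTORY_PASSWORD:
            raise ValueError("password too short or still the factory default")
        self.salt = os.urandom(16)
        self.digest = _derive(new_password, self.salt)
        self.commissioned = True
        session["must_change_password"] = False

    def unlock_door(self, session, door: str) -> str:
        if session is None:
            raise PermissionError("not authenticated")
        if session["must_change_password"]:
            raise DefaultCredentialError("rotate the factory password first")
        return f"unlocked {door}"
```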

Dallin Grimm
Contributing Writer

Dallin Grimm is a contributing writer for Tom's Hardware. He has been building and breaking computers since 2017, serving as the resident youngster at Tom's. From APUs to RGB, Dallin has a handle on all the latest tech news. 

  • edzieba
    "However, with no instructions listed in the manual on how to do this"
    I see Toms has copied this claim from similar articles without actually checking.
    The Installation Manual for the door phones does not include the instructions for changing the server password, because it is a manual for installing the door phones. The setup guide for the access control server software (Identiv Freedom) includes instructions for changing the password as part of the setup process, along with all the other setup steps required like linking phones to locks, setting up ACS rules, etc.

    It's like an install manual for your GPU advising you to enter your Windows admin password at a UAC prompt but not instructing you on how to change it: of course it doesn't, that's not what that particular manual is for.

    ---

    These sorts of systems have a default 'interim' password rather than mandating a new password be set as part of the initial installation and setup process (as consumer goods - e.g. wifi-router combo boxes - are starting to do) because the system installer is generally not the end user. The customer providing the final admin password to the installer is never a good idea, so the usual process is for the installer to leave the default password in place for commissioning of the system, then the customer sets the password after handover and the system can go live. The customer never bothering to change the default is not easy to 'solve': even if you display a nag-screen on every single login with the default credentials with a big red "CHANGE PASSWORD NOW!!" warning, 99% of users will just close the window and leave the password as default. You can try and create a dynamic temporary password, but you'll find most of the time that will be lost by either the installer or by the customer as soon as the installer hands it to them, both resulting in a CS call and still not solving the problem of the end user still not changing that new default password anyway.
  • SonoraTechnical
    edzieba said:
    I see Toms has copied this claim from similar articles without actually checking.

    You mean they didn't conduct their own investigative reporting?
  • helper800
    SonoraTechnical said:
    You mean they didn't conduct their own investigative reporting?
    Nope, just more regurgitative slop saying the same things as other articles with enough different words to not be considered plagiarism.