A number of apartment complexes using internet-connected intercom/entry systems still use their default credentials, which make them fully accessible to anyone savvy enough to Google their unit's manual. In fact, Programmer Eric Daigle easily broke into a building management system, enabling him to unlock any apartment door remotely. Daigle discovered this vulnerability in Hirsch Enterphone Mesh IoT security systems, a product line of secure access terminals for building safety largely used in Canada.
The Internet of Things has firmly rooted itself into modern building security systems, including modern apartment complexes looking to use something more secure or modern than phone lines to regulate access to secure entryways. In the case of Hirsch-made Mesh systems, an online portal monitors and records all key fob used across a building and can be used to access locked doors remotely.
Unfortunately, the same website and its default login are readily available in the instruction manual for the system, which is trivial to find with a Google search. Daigle, while waiting at a bus stop, was able to Google the product name of a nearby apartment security terminal, find its manual, and determine a means to break into the building within minutes.
Hirsch's user manual and official response to TechCrunch suggest that end users should change the default credentials of their systems after deployment. However, with no instructions listed in the manual on how to do this, end users are less than likely to follow this crucial security step, which has been the source of vulnerabilities since the dawn of internet security. Simply Googling the name of the admin login page used for all Identiv/Hirsch security systems and inputting the default login gives you a fair shake at getting into any Hirsch-made system.
Once inside the homepage of the internet-exposed security panel, one can see the full names of residents, their room numbers, and their phone numbers. Just for fun, you can also find a multi-year log of every key fob activation across the building, allowing malicious agents to find patterns of entry and exit for every member of a complex. If that information is not enough, one can unlock any connected door across the complex from the same web portal.
Through a quick ZoomEye query, Daigle reasons that just shy of 100 apartment complexes using the affected Hirsch system are vulnerable to this exploit, with most of these in Canada. Hirsch, in prior responses to the media, has clarified that it will not address this security vulnerability, rated 10/10 Critical on the National Vulnerability Database. Hirsch insists it is on the end user to change the default login on their end, while not providing details on how to do so in its instruction manual.
Hirsch has also stated that it will not inform affected users of its products of the flaw. Concerned people in workplaces, schools, or apartments using a Hirsch MESH security system (sometimes also labeled Viscount or Enterphone, depending on the model) can, therefore, reach out to building administrators to ensure that the default credentials have been changed in their unit. Thanks to the IoT, we can move on from physical keys and instead have our homes remotely accessible to anyone with a phone and the ability to Google.
