Fucking hell. The blog post for what the researcher found.
https://www.ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/
Default accounts on internet accessible building infrastructure.
Holy shit. This is one of the worst ones I’ve ever seen.
Want to get a list of insecure apartment buildings, with addresses, and a complete list of the residents, which rooms they’re in, and what their normal schedules are of using their fobs to get in and out? And then authorize yourself a fob that will work to get in the building and unlock their doors?
Go right ahead.
And then authorize yourself a fob that will work to get in the building and unlock their doors?
While electronic access is common for the main building doors, I don’t think I’ve ever seen the actual apartment units secured with electronic locks. That’s always been a physical key in my experience. (except mo/hotels, or owned units where the owner can install whatever lock they choose)
They typically use cheap, easily pickable locks inside though. The one on my door I can rake open in 2 seconds. (can’t change it due to the lease)
This. Apartment building doors being unlockable exposes you to the same risk as the extremely troubling technique of clicking every number and shouting “Amazon delivery!”.
Remote access to FOB logs is much worse, though. And somebody needs to explain to me how these installers managed to somehow enter all the real names of the building tenants into an online-facing listing but not change the default password.
I mean, granted, that also is the same level of exposure as with the “get in there and look at the mailbox” exploit, but at least you have to physically go to the place for that, you know?
I’m amazed that your LL is against you replacing it out of your own funds and providing them a key. That’s so dumb.
You could probably arrange that if you really tried, and it would be easier with an individual landlord, but barring the tenant from changing the locks (without express written consent) is a pretty standard lease clause. Building management companies don’t want to deal with swapping locks all the time and keeping track of changing keys, especially when there are 200+ units on the property. They’re usually pretty rigid with the terms of the lease.
Yeah, for multi-unit complexes like apartments, I assume that it could be in place because the LL likely has a master key that works across all doors as well.
Also possibly basement access or similar things that work with all the apartment keys.
JFC…
… Did… did you expect landlords, or building managers… to be competent at anything other than figuring out how to withhold your security deposit, and overcharge you for utilities?
No, but if I were a building manager I would expect the company I hire to install the system to at least change the fucking password.
I realize I am coming off a bit more aggressive than I mean to… very, very angry after watching the fascist goon squad in Idaho…
Bleck.
… Anyway.
I would not expect basically anyone at this point to be any kind of competent whatsoever with any kind of cybersecurity.
I worked in tech for a decade, database admin, backend stuff, handling PII, often having to teach front-end web designers who couldn’t do anything more complex than building a CSS stylesheet or using Wix or something like that how to actually interface with an API… and my experience is that literally no one outside of a computer-security-minded role knows anything, at all, about cybersecurity.
Non-tech managers and team leads are usually even worse. You have to basically baby-talk them through everything, and they usually don’t learn anything anyway, and will then just use all the terms and concepts completely incorrectly and conclude they said or agreed to or told you to do almost the exact opposite of the meaning of the sentence they actually used.
The entire problem is that everyone just assumes that because they paid for something, it actually works as advertised.
Buzzword? Other buzzword? Authoritative sales pitch? Sold!
The vast, vast majority of people never do proactive due diligence, only reactive finger pointing.
Leaving default passwords in critical hardware systems that are made by somebody else and sold to people or businesses is widespread and has been widespread for decades.
Here is basically a Chatroulette of internet-connected, public-facing cameras that are basically all accessible, live, in real time, because nobody bothered to change the default login/pws.
The whole point is to illustrate how common this is.
They used to have a lot, loooot more, but they had to start automatically delisting the absurd amount of cameras that were inside people’s houses, watching people fuck and have domestic disputes and such, and adopt a policy of ‘please email us if you see your own camera and we’ll take it off the site and also tell you how to fix the problem on your end.’
Just going through the US, the first one that’s popping up for me is an amalgamated view of what looks to be the entire security feed of an apartment complex in San Diego.
The vendor is also to blame; being able to use default accounts after initial provisioning is pretty bad.
Agreed, they’re part of the problem too.
It’s a shit sandwich of incompetence and laziness, and everyone is chowing down, yum fucking yum.
So dumb. Holy shit.
“We use that password forever and we have no problem.”
As a cybersecurity professional I will not be installing an electronic lock in my house for the same reason no army will store their lunch codes in a connected computer. If you want security, keep it offline and physical.
Since an army marches on its stomach, it makes sense they’d protect the lunch codes.
They even need multiple people to turn keys at the same time.
That is mainly so they don’t all get close enough to the broth at the same time to spoil it.
Realistically this doesn’t sound like it’ll actually lead to much (if any) increase in crimes against you. Most physical locks are just meant to be a mild deterrent, not actually an impenetrable gate. They’re just there to prevent crimes of convenience. If someone really wants to get into a door then they’ll be able to get into the door regardless of how secure your lock is.
It does increase the risk of opportunistic crime though. If someone just unlocked all the gates and doors of an entire apartment building for shits and giggles, and you’re in an area where there are people who go around apartment complexes randomly trying doors, there’s certainly an increased risk.
That’s a huge “if” for both of those things to happen at the same time before a resident or staff noticed it happening.