A single default password exposes access to dozens of apartment buildings – TechCrunch
Latest
AI
Amazon
Apps
Biotech & Health
Climate
Cloud Computing
Commerce
Crypto
Enterprise
EVs
Fintech
Fundraising
Gadgets
Gaming
Government & Policy
Hardware
Layoffs
Media & Entertainment
Meta
Microsoft
Privacy
Robotics
Security
Social
Space
Startups
TikTok
Transportation
Venture
Events
Startup Battlefield
StrictlyVC
Newsletters
Podcasts
Videos
Partner Content
TechCrunch Brand Studio
Crunchboard
Contact Us
A security researcher says the default password shipped in a widely used door access control system allows anyone to easily and remotely access door locks and elevator controls in dozens of buildings across the U.S. and Canada.Hirsch, the company that now owns the Enterphone MESH door access system, won’t fix the vulnerability, saying that the bug is by design and that customers should have followed the company’s setup instructions and changed the default password. That leaves dozens of exposed residential and office buildings across North America that have not yet changed their access control system’s default password or are unaware that they should, according to Eric Daigle, who found the dozens of exposed buildings.Default passwords are not uncommon nor necessarily a secret in internet-connected devices; passwords shipped with products are typically designed to simplify login access for the customer and are often found in their instruction manual. But relying on a customer to change a default password to prevent any future malicious access still classifies as a security vulnerability within the product itself.In the case of Hirsch’s door entry products, customers installing the system are not prompted or required to change the default password.As such, Daigle was credited with the discovery of the security bug, formally designated as CVE-2025-26793.Default passwords have long been a problem for internet-connected devices, allowing malicious hackers to use the passwords to log in as if they were the rightful owner and steal data, or hijack the devices to harness their bandwidth for launching cyberattacks. In recent years, governments have sought to nudge technology makers away from using insecure default passwords given the security risks they present.In the case of Hirsch’s door entry system, the bug is rated as a 10 out of 10 on the vulnerability severity scale, thanks to the ease with which anyone can exploit it. Practically speaking, exploiting the bug is as simple as taking the default password from the system’s installation guide on Hirsch’s website and plugging the password into the internet-facing login page on any affected building’s system.In a blog post, Daigle said he found the vulnerability last year after discovering one of the Hirsch-made Enterphone MESH door entry panels on a building in his hometown of Vancouver. Daigle used internet scanning site ZoomEye to look for Enterphone MESH systems that were connected to the internet, and found 71 systems that still relied on the default-shipped credentials.Daigle said the default password allows access to MESH’s web-based back-end system, which building managers use to manage access to elevators, common areas, and office and residential door locks. Each system displays the physical address of the building with the MESH system installed, allowing anyone logging in to know which building they had access to.Daigle said it was possible to effectively break into any of the dozens of affected buildings in minutes without attracting any attention. TechCrunch intervened because Hirsch does not have the means, such as a vulnerability disclosure page, for members of the public like Daigle to report a security flaw to the company. Hirsch CEO Mark Allen did not respond to TechCrunch’s request for comment but instead deferred to a senior Hirsch product manager, who told TechCrunch that the company’s use of default passwords is “outdated” (without saying how). The product manager said it was “equally concerning” that there are customers that “installed systems and are not following the manufacturers’ recommendations,” referring to Hirsch’s own installation instructions.Hirsch would not commit to publicly disclosing details about the bug, but said it had contacted its customers about following the product’s instruction manual.With Hirsch unwilling to fix the bug, some buildings — and their occupants — are likely to remain exposed. The bug shows that product development choices from yesteryear can come back to have real-world implications years later.Topics
Security Editor
Google launches a free AI coding assistant with very high usage caps
Even Elon Musk forgets that X isn’t Twitter sometimes
DOGE’s HR email is getting the ‘Bee Movie’ spam treatment
Anthropic used Pokémon to benchmark its newest AI model
SpaceX says Starship self-destructed after propellant leaks caused fires and comms blackout
Anthropic launches a new AI model that ‘thinks’ as long as you want
Perplexity teases a web browser called Comet
Subscribe for the industry’s biggest tech newsEvery weekday and Sunday, you can get the best of TechCrunch’s coverage.TechCrunch’s AI experts cover the latest news in the fast-moving field.Every Monday, gets you up to speed on the latest advances in aerospace.Startups are the core of TechCrunch, so get our best coverage delivered weekly.By submitting your email, you agree to our Terms and Privacy Notice.© 2024 Yahoo.
