Security Flaw Leaves Apartment Buildings Vulnerable to Remote Access

A critical security flaw has been discovered in a widely used door access control system, allowing easy remote access to door locks and elevator controls in dozens of buildings across North America.

The vulnerability stems from a default password that is shipped with the system. Despite security experts recommending against using default passwords, the manufacturer, Hirsch, maintains that the default password is not a security flaw but rather a design feature.

However, security researcher Eric Daigle has identified numerous exposed residential and office buildings that have not changed the default password. This means that anyone can potentially gain access to these buildings by simply using the default password.

The default password issue has been rated 10 out of 10 on the vulnerability severity scale, the highest possible score, indicating a high risk of exploitation. Daigle has demonstrated that it is possible to break into affected buildings within minutes by connecting to the system's internet-facing login page and entering the default password.

Despite the severity of the vulnerability, Hirsch has refused to fix it. The company has instead advised customers to follow its installation instructions and change the default password. However, this approach fails to address the fact that many customers may not be aware of the need to change the password.

The incident highlights the risks associated with relying on customers to secure their devices. Default passwords pose a significant security concern and should be eliminated from internet-connected devices.

Original source: TechCrunch