
Breaking into apartment buildings in five minutes on my phone

bgirard

> Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password

These manufacturers’ recommendations are not acceptable. They should mandate a non-default secure password before allowing the system to be used.

pavel_lishin

Even my parents & grandparents modems/routers each have a unique password printed on the bottom! There's just no excuse for this.

robbiewxyz

Their routers only have this feature because the internet providers who sell those routers pay for bandwidth themselves lol. If residential internet plans sold on a pay-per-byte basis you can bet routers’d still ship with non-unique passwords.

nottorp

Oh, speaking of which. A lot of places I rented on holidays had internet access with that default unique password. Which is a pain to type on your phone and laptop when you get there.

Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?

happyopossum

>Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?

You can do that easily on iOS, I'd be surprised if Android didn't allow it as well...

Tap in the password field, tap Autofill from the popup, and tap Scan Text.

ghaff

A lot of inns and B&Bs in tiny towns etc. have these complicated passwords that seem like overkill. You're probably right that they're some sort of default. Even if they're not 12345, it seems as if they could be something pretty simple and that would be fine.

axus

QR codes?

prophesi

Oddly enough, these default unique passwords usually are in the format of word+word+digit+digit+digit. If you look up the model, it won't take long to find the word list they use and can trivially bruteforce it.

So even then, I'd recommend changing it, or push for these companies to provide generated passwords with a much larger key space.

Semaphor

German fritzbox routers (the most common non-isp routers here, and actually very capable) have a fully random password

jack_pp

Idk in Romania routers come with random passwords.

https://imgur.com/a/x915ZfO

assimpleaspossi

Rode with a guy to visit a friend in a gated community. We didn't know the access code for the gate, but the guy I was with is an Amazon delivery driver.

"Let's see if I can't get us in," he said. He got out of the car, walked over to the access panel and looked on top, bottom and sides. Then he punched in some numbers and the gate opened.

Turns out, so many people in gated communities and apartment complexes order things from Amazon, and other delivery services, and want front door delivery but don't give them any way to get in. Eventually, some frustrated driver who gets the code will write it on the side of the access panel to help everyone out.

"Apartments are awful," he said. "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."

sidewndr46

It's far simpler than that. Every gated community I've ever visited, press any digit 4 times. You're in. The only exception is a community with a security guard. The guy obviously isn't just going to let some guy not on the guest list in.

wildzzz

There's a door at work I regularly need to access. It used to be used for another purpose but now is just an extension of the work area. It's got a badge reader and simplex lock, but I can't get badge access because I don't actually belong to that work area, yet I'm there every day anyway. However, someone wrote the simplex lock code on a sign in very small numbers for this exact purpose. Other simplex locks in the building use the default code you can find online. The whole building is secure, so you'd never be able to walk up to these doors without proper credentials; they are mostly just there to keep out the curious or someone looking to borrow tools that they shouldn't.

atlanticaccent

> The whole building is secure

Given what you just said and the article you're commenting under, are you sure?

_fat_santa

My parents live in a very upscale country club community down in Florida and their gate security is laughable. They assign every household a 4 digit code to enter the community. Given how many homes are in this community, entering any 4 digit code > 1000 and < 2000 will work.

jimt1234

My girlfriend lives in an upscale, gated community. Her HOA has done the exact opposite. They change the gate code weekly as a way to "protect" themselves from this situation. However, it's kinda had the opposite effect - tailgating has become totally acceptable, even the norm, as people can't keep up with the gate code changes. Amazon drivers usually just sit outside for a minute or two, then tailgate into the neighborhood.

psobot

Viscount has hilariously bad security. I used to live in a building in Toronto that used Viscount infrared fobs for access control. They were no more secure than TV remotes; no rolling codes, no encryption, nothing. An attacker could easily sit nearby with an IR receiver and collect everyone's fob codes at a distance, allowing access to all floors.

Needless to say, I moved.

prometheus76

This was 30 years ago, so I'm sure a lot has changed since then. I was a missionary and the way we got into buildings in Toronto to knock on doors was to just pick the last name with the most letters from the directory, buzz them, and when they answered, we would just say "pizza delivery" and 95% of the time they buzzed the door open.

nosioptar

It'd be nice if missionaries weren't such hypocrites. Claiming to be the pizza guy when you're actually selling magic underwear is bearing false witness.

roguecoder

Technically it depends on the interpretation of "עֵ֥ד" and "בְרֵעֲךָ֖" whether that commandment is admonishing against telling any lie, just lies in court when making a legal accusation against another person, or somewhere in between.

Even if we accepted the premise that one book should be the basis of all morality, this one contains within itself contradictions, satire, sarcasm, and a community context we no longer have: with individual quotes I can make anyone look like a hypocrite.

To my mind the more interesting question is, does a singular community condemn a behavior in out-group members that they tolerate or even praise in in-group members?

knowitnone

devil worship is a hell of a drug

Frederation

I hope you are doing better!

withinboredom

What do the letters in their name have to do with it?

prometheus76

Less likely to speak English in my experience.

lostlogin

Does anyone ever actually get converted by a door knocking missionary?

pavel_lishin

It's not for the benefit of the potential convertees, it's for the benefit of the ones doing the converting.

ghaff

I'm not going to especially defend but you have a way more sophisticated model of how most burglars work than is almost certainly the case.

reaperducer

Exactly. This article should be titled "I figured out a really obtuse way to break into apartment buildings."

A rock will get the job done in a fraction of the time.

It's like all those nobodies on HN who go through all kinds of software gymnastics to secure their phone against imaginary "threat actors," when a mugger is just going to keep twisting their arm behind their back until they enter their PIN.


badgersnake

This is way better than a rock. It raises no suspicion and leaves no trace. Maybe it doesn’t matter for burglary, as you’re probably going to take things anyway, but if you want access without anyone knowing you were there, this is gold.

happyopossum

> infrared fobs

Wait, what? You have to point a powered device at an IR receiver and press a button like a TV remote? I've never seen a building entry system like that!

psobot

Exactly that, yes! IR receivers outside every exterior door to the building, and IR receivers in the elevators to control access on a floor-by-floor basis.

The fobs were visible by an IR camera (including the average smartphone) and could trivially be decoded as a short bit sequence with an IR sensor wired into a microphone jack, as the bit pattern was transmitted at ~audio rates.

__MatrixMan__

That's probably because it's not so good as a building non-entry system.

pavel_lishin

> 2025-01-29: Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password

Ah, yes. It's the children who are wrong.

Agingcoder

After watching a lot of TV series, my non-techie wife has come to the conclusion that real life systems are trivial to hack: just click ‘skip password’, or ‘password override’, or just use ‘password’ as a password.

It seems she’s almost right!

ecshafer

Many, many, many years ago I worked at basically an MSP for telcos on the helpdesk. So customers would call their telco or ISP for help and that would be routed to us. Anyways, this one small ISP with idk 10k customers had deployed their routers to customers with the default username/password and remote authentication enabled. A single script from a bad actor logged into all of the routers, changed credentials, and iirc updated DNS settings so they lost internet, phone, TV. Cue 10k people calling, as we had to basically walk everyone through one by one on changing the credentials and updating their config.

thomasjudge

Isn't logging into any system unauthorized - in practice - a violation of the Computer Fraud & Abuse Act?

roguecoder

The EFF has a good guide about the relevant laws: https://clinic.cyber.harvard.edu/wp-content/uploads/2020/10/...

michaelt

> Default credentials that “should” be changed, with no requirement or explanation of how to do so. Surely no building managers ever leave the defaults, right? And even if they did, they’d surely have no reason to expose this thing to the Internet, right?

My theory is this is one of the reasons so many internet-of-things devices nowadays omit any sort of offline/local network control.

No default passwords, no ports you can forward without knowing what you're doing, all the credentials sorted out on a cloud server.

craftkiller

Consumer routers have had this issue solved for ages: you generate a random password and put it physically on the device.

ghaff

I don't want some complicated random password. At least where I live, my router password is a very modest security shim to protect against very random casual access. If I have a visitor who needs WiFi access, I want to give them an easy password to type in.

wlesieutre

If it's too hard for a guest to type in a password, you can also have them join by scanning a QR code. Obviously this works better for phones and tablets with QR scanning built into the camera, but that's what guests are frequently using.

https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...

marsovo

So change it afterwards. Good defaults are important. If someone doesn't change it, it's important that they be on the right path instead of...this one.

(See also: opt-in versus opt-out for retirement plans, organ donation...heck, even this from yesterday: https://news.ycombinator.com/item?id=43144611)

craftkiller

You can always change the passwords. I was bringing this up as a solution to the default passwords issue. You don't want to have a static default password used by everyone, so you need the initial password to be randomized. People are dumb so you need to print it on the device. There is no need to default to cloud-based authentication to close the default password security hole.
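As an added illustration of the two points raised in this thread (prophesi's observation that word+word+digits label passwords have a small key space, and craftkiller's point that a per-device random password printed on the label closes the static-default hole), here is a short Python script. It is not code from any commenter or from any router vendor; the four-entry word list, the 1000-word list size and the 16-character length are constructed assumptions for the comparison.

```python
import math
import secrets
import string

# Constructed sample word list standing in for a vendor's label-password dictionary.
SAMPLE_WORDS = ["blue", "river", "stone", "cloud"]
LABEL_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def keyspace_bits(combinations: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `combinations` candidates."""
    return math.log2(combinations)


def word_scheme_bits(wordlist_size: int, digits: int = 3) -> float:
    """Bits for the word+word+NNN label scheme described in the thread, assuming
    both words are drawn uniformly from a list of `wordlist_size` entries."""
    return keyspace_bits(wordlist_size ** 2 * 10 ** digits)


def random_scheme_bits(length: int, alphabet: str = LABEL_ALPHABET) -> float:
    """Bits for a uniformly random string of `length` symbols from `alphabet`."""
    return keyspace_bits(len(alphabet) ** length)


def generate_device_password(length: int = 16, alphabet: str = LABEL_ALPHABET) -> str:
    """Per-device password drawn from the OS CSPRNG (the 'print it on the label'
    approach). `secrets` is the right module here; `random` is not."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def matches_word_scheme(password: str, wordlist, digits: int = 3) -> bool:
    """Policy check: does `password` look like a vendor word+word+NNN default?
    A first-boot wizard could refuse such a value and require a replacement."""
    if len(password) <= digits or not password[-digits:].isdigit():
        return False
    body = password[:-digits]
    words = set(wordlist)
    return any(body[:i] in words and body[i:] in words for i in range(1, len(body)))


if __name__ == "__main__":
    # Assumed 1000-entry vendor list vs. a 16-char random label password.
    print(f"word+word+3 digits, 1000-word list: {word_scheme_bits(1000):.1f} bits")
    print(f"16 random alphanumerics:            {random_scheme_bits(16):.1f} bits")
    print("example label password:", generate_device_password())
    print("bluestone417 looks like a default:", matches_word_scheme("bluestone417", SAMPLE_WORDS))
```

The comparison makes the thread's point concrete: two words from a 1000-word list plus three digits give roughly 30 bits, while 16 random alphanumerics give about 95 bits, and the `matches_word_scheme` check shows how a device could reject a default-shaped password at setup rather than merely recommending a change.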

barbazoo

Wifi password != admin password. The admin password should be random and then you can change it when you take ownership of the device.

huang_chung

OpenWRT, the crown jewel of open source firmwares for "insecure" consumer routers, uses a blank (null) password by default with full root access.

dylan604

No device comes off the shelf with OpenWRT. If you're the type of person that's aware of OpenWRT and then install it, it's not that far of a stretch to think you'd also be the type to know to check the password.

INGSOCIALITE

I worked as an engineer in an industry that required on-site access to buildings all over Manhattan, some residential. All you have to do is hit a couple random buttons on the intercom and 100% of the time one of them would just buzz the lock.

mvandermeulen

This is pretty much all it takes in any western country. Some areas might require a little more effort but nothing substantial.

In fairness, the blame for this kind of enabling attitude is mostly attributable to me locking myself out of the building and having to buzz my long-suffering neighbours at all kinds of ungodly hours. Proud moments.

megous

Could you also lock out specific residents? Or get their daily home arrival patterns for the last few years? Or find unused flats to squat in? IoT still wins. :)

ihaveone

Holy freaking crap. ALL OF THESE ARE ONLINE. "It's possible" to log in to the first result with the default password.

If anyone wants, perhaps login, change the password and make a new client as the password or something. This is going to get bad FAST.

azinman2

I would say this is highly irresponsible of the researcher to expose this publicly. These are people’s homes, along with their PII and locations. The residents didn’t choose this system, their building just uses it. They don’t even know that their info is being leaked, nor that the doors to their places were just rendered neutered.

If something bad happens because of this…

Synthetic7346

I think this falls under responsible disclosure guidelines. A lot of times companies refuse to fix misconfiguration issues like these, and users/customers deserve to know. Not publishing it is security by obscurity, you're just hoping that a bad actor doesn't figure this out (or hasn't already figured this out).

LeifCarrotson

If something bad is done by a bad actor because of this vulnerability being discussed in public, that's no worse than something bad happening because this vulnerability exists but is only discussed in secret.

This is not some highly-technical vulnerability only accessible to nation-states with genius engineers and million-dollar labs with exotic instrumentation and brute-force supercomputers pulling down many megawatts of power. The OP literally logged into an open Wifi SSID, searched for the text on the page, and scrolled to the default password. None of those steps are hard to do; any jealous ex or disgruntled employee or divorced parent fuming in the parking lot for 5 minutes could effortlessly accomplish the same thing.

I honestly think it's likely that bad things have already happened due to this vulnerability - but not due to this disclosure.

But because it was only discussed in secret, no one ever got to the root cause of the issue and the hazard continued to be out there. Now that it's public, hopefully something will be done, and relatively quickly.

azinman2

Shining a spotlight on an issue is completely different than the issue already existing.

asynchronousx

This is the only recourse left when the vendor kicks and screams at the CVE disclosure process.

neilv

The only recourse for what problem? Aren't there other plausible creative ways to apply pressure and get it fixed, with less risk to the people unwittingly at the mercy of this vendor's negligence?

Or are you speaking of the transactional convention, in which people can break into systems, and then are entitled to publicity for that, so long as they give the vendor advance notice?

The whole responsible disclosure convention seems an imperfect compromise, among various imperfect actors. On occasion, individuals might decide that other options are more appropriate to the specific situation, and to Perfect Tommy it.

https://www.youtube.com/watch?v=fKHaNIEa6kA

azinman2

I strongly disagree. You’re literally putting people’s lives and possessions at risk who have no knowledge of this. There are many alternative methods, from getting the government involved to giving a very long lead time to the vendor before you disclose this, to sitting on it and never disclosing.

tiborsaas

I second this. Just because it feels right to them as "I've reported it, it's not on me anymore..." doesn't mean he should enable bored people to revoke access cards, jam elevators, etc.

roguecoder

Criminals were already enabled to do that, and the people in those buildings had no way to know.

The more-responsible thing might have been to also reach out to residents of individual buildings & give them time to correct the situation, rather than relying on the company (which has a vested interest in ignoring the problem) to do the right thing. But security through obscurity is not a solution.

Freak_NL

That depends on the individual's weighing of the various factors and their personal moral position. If someone wants to prevent a bunch of easy break-ins where the method of entry won't get noticed in most cases, and they feel that the discomfort of denying access for a bit (impacting hundreds of people perhaps) outweighs the trauma of being robbed (maybe impacting just a few), then doing that might be the only morally defensible position to take. For all we know they actually are planning to hammer the open installations until they get fixed to prevent the bigger harm.

Other people will shrug and move on after trying everything they can via the proper channels.

And then of course there are the assholes who will just do it because it entertains them.

smallerfish

I flagged it for this reason.

fortran77

I just tried it (via Tor) and was able to get into the first 5 that duckduckgo found. Someone had been there before me and (apparently) changed names of things. (I looked but didn't touch.)

huang_chung

Interesting story but a CVE for this is a bit melodramatic and why no one takes security folk seriously (cry wolf too many times).

OpenWRT ships with no password at all (!) with full root access on default install. The situation is the same: they politely suggest you change it from the default (blank) password but do not force you to do so.

By this logic every OpenWRT install (and much other software) dating back many years should be subject to a CVE.

NRv9tR

I assume you have to be on that network to access the login. I'm 95% sure the UI/admin is not accessible to the internet by default... but also, yes, that shit should be way better. Even Comcast and other ISPs have done better than this for a decade or more now.