A major security flaw has been uncovered in the Enterphone MESH door access system, manufactured by Hirsch, which could allow unauthorized remote access to door locks and elevator controls in buildings across the United States and Canada. Security researcher Eric Daigle discovered the vulnerability, revealing that it stems from the use of a default password that remains unchanged by many customers. Rated as a 10 out of 10 on the vulnerability severity scale, this flaw highlights critical security oversights in technology systems.
The Vulnerability and Its Impact
The security bug allows potential intruders to exploit the default password, which is publicly available in the installation guide on Hirsch’s website. By entering this password into the internet-facing login page of any affected building’s system, unauthorized access can be gained. Daigle’s investigation, using the internet scanning site ZoomEye, identified 71 systems that still operate with the default-shipped credentials. This oversight enables individuals to determine which building they have accessed, as each system displays the physical address.
Daigle emphasized the ease of exploiting this vulnerability, stating that one could effectively break into any of the dozens of affected buildings within minutes without drawing attention. Despite the severity of the issue, Hirsch has not committed to publicly disclosing details about the bug. However, they have reached out to their customers, advising them to follow the product’s instruction manual to change the default password. Notably, when installing the system, customers are neither prompted nor required to alter the default password.
This incident underscores how product development decisions from previous years can lead to significant real-world consequences over time. The continued use of insecure default passwords poses substantial security risks, prompting governments to encourage technology manufacturers to eliminate such practices.
What The Author Thinks
The vulnerability in the Enterphone MESH system highlights the ongoing risk of relying on default passwords for critical security systems. It is an example of how a simple oversight can lead to massive consequences for users, especially in a time when cybersecurity is paramount. Manufacturers like Hirsch must take responsibility for ensuring that systems are secure out of the box, with proper safeguards in place to protect users. The lack of prompt actions to address such vulnerabilities not only jeopardizes the safety of buildings and their occupants but also raises concerns about the broader implications for the security industry.
