this post was submitted on 24 Feb 2025
Cybersecurity
Fucking hell. The blog post for what the researcher found.
https://www.ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/
Default accounts on internet accessible building infrastructure.
Holy shit. This is one of the worst ones I've ever seen.
Want to get a list of insecure apartment buildings, with addresses, and a complete list of the residents, which rooms they're in, and what their normal schedules are of using their fobs to get in and out? And then authorize yourself a fob that will work to get in the building and unlock their doors?
Go right ahead.
While electronic access is common for the main building doors, I don't think I've ever seen the actual apartment units secured with electronic locks. That's always been a physical key in my experience. (Except motels/hotels, or owned units where the owner can install whatever lock they choose.)
They typically use cheap, easily pickable locks inside though. The one on my door I can rake open in 2 seconds. (Can't change it due to the lease.)
This. Apartment building doors being unlockable exposes you to the same risk as the extremely troubling technique of clicking every number and shouting "Amazon delivery!".
Remote access to FOB logs is much worse, though. And somebody needs to explain to me how these installers managed to somehow enter all the real names of the building tenants into an online-facing listing but not change the default password.
I mean, granted, that also is the same level of exposure as with the "get in there and look at the mailbox" exploit, but at least you have to physically go to the place for that, you know?
I'm amazed that your LL is against you replacing it out of your own funds and providing them a key. That's so dumb.
You could probably arrange that if you really tried, and it would be easier with an individual landlord, but barring the tenant from changing the locks (without express written consent) is a pretty standard lease clause. Building management companies don't want to deal with swapping locks all the time and keeping track of changing keys, especially when there are 200+ units on the property. They're usually pretty rigid with the terms of the lease.
Yeah, for multi-unit complexes like apartments, I assume that it could be in place because the LL likely has a master key that works across all doors as well.
Also possibly basement access or similar things that work with all the apartment keys.
JFC…
... Did... did you expect landlords, or building managers... to be competent at anything other than figuring out how to withhold your security deposit, and overcharge you for utilities?
No, but if I were a building manager I would expect the company I hire to install the system to at least change the fucking password.
I realize I am coming off a bit more aggressive than I mean to... very, very angry after watching the fascist goon squad in Idaho...
Bleck.
... Anyway.
I would not expect basically anyone at this point to be any kind of competent whatsoever with any kind of cybersecurity.
I worked in tech for a decade, database admin, backend stuff, handling PII, often having to teach front end web designers (who couldn't do anything more complex than building a CSS stylesheet or using Wix or something like that) how to actually interface with an API... and my experience is that literally no one outside of a computer security minded role knows anything, at all, about cyber security.
Non tech managers and team leads are usually even worse. You have to basically baby talk them through everything, and they usually don't learn anything anyway, and will then just use all the terms and concepts completely incorrectly and conclude they said or agreed to or told you to do almost the exact opposite of the meaning of the sentence they actually used.
The entire problem is that everyone just assumes that because they paid for something, it actually works as advertised.
Buzzword? Other Buzzword? Authoritative salespitch? Sold!
The vast, vast majority of people never do proactive due diligence, only reactive finger pointing.
Leaving default passwords in critical hardware systems that are made by somebody else and sold to people or businesses is widespread and has been widespread for decades.
Here is basically a Chatroulette of internet connected, public facing cameras that are basically all accessible, live, in realtime, because nobody bothered to change the default login/pws.
The whole point is to illustrate how common this is.
http://insecam.org/
They used to have a lot, loooot more, but they had to start automatically delisting the absurd amount of cameras that were inside people's houses, watching people fuck and have domestic disputes and such, and adopt a policy of 'please email us if you see your own camera and we'll take it off the site and also tell you how to fix the problem on your end.'
Just going through the US, the first one that's popping up for me is an amalgamated view of what looks to be the entire security feed of an apartment complex in San Diego.
The vendor is also to blame; being able to use default accounts after initial provisioning is pretty bad.
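The design point raised in this comment (and in the "default accounts on internet accessible building infrastructure" comment above) is that a factory credential should stop working the moment the device is provisioned, so an installer who never changes it does not leave the controller open. The following is an added illustration written for this thread, not code from the blog post, the thread, or any access-control vendor: a minimal login model for a building controller in which the factory default is only honoured before provisioning, and provisioning itself refuses to keep the default. The `admin`/`admin` credential, the length threshold and the `retire_default_after_provisioning` switch are constructed for the example; the switch exists only so the weak behaviour the commenter describes can be shown next to the hardened one, and the audit helper shows how a fleet check would flag units still accepting the default.

```python
"""Added illustration: default credentials that die at provisioning time.
Not vendor code; every name and value here is constructed for the example."""
import hashlib
import hmac
import os

# Constructed factory default. Real products ship their own; the point is that
# it must only be usable until an operator sets a real credential.
FACTORY_DEFAULT_USER = "admin"
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _is_factory_default(password: str) -> bool:
    # Constant-time compare on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(password.encode(), FACTORY_DEFAULT_PASSWORD.encode())


class AccessController:
    """Two states: unprovisioned (only the factory default is accepted, and the
    only thing it is good for is setting a real password) and provisioned
    (only the operator-set password is accepted).

    retire_default_after_provisioning=False reproduces the vendor defect the
    thread complains about: the factory default keeps working forever."""

    def __init__(self, retire_default_after_provisioning: bool = True):
        self.provisioned = False
        self.retire_default = retire_default_after_provisioning
        self._salt = b""
        self._pw_hash = b""

    @staticmethod
    def _acceptable(password: str) -> bool:
        return len(password) >= MIN_PASSWORD_LENGTH and not _is_factory_default(password)

    def provision(self, default_password: str, new_password: str) -> bool:
        """One-shot: proves possession of the factory default, sets a new
        password, and flips the device into the provisioned state."""
        if self.provisioned:
            return False  # provisioning is not repeatable with the default
        if not _is_factory_default(default_password):
            return False
        if not self._acceptable(new_password):
            return False  # refuse short passwords and refuse keeping the default
        self._salt = os.urandom(16)
        self._pw_hash = _hash_password(new_password, self._salt)
        self.provisioned = True
        return True

    def login(self, user: str, password: str) -> bool:
        if user != FACTORY_DEFAULT_USER:
            return False
        if _is_factory_default(password):
            # Hardened: default is valid only while unprovisioned.
            # Weak variant: default stays valid after provisioning.
            return (not self.provisioned) or (not self.retire_default)
        if not self.provisioned:
            return False
        return hmac.compare_digest(_hash_password(password, self._salt), self._pw_hash)


def units_still_accepting_default(fleet: dict) -> list:
    """Audit helper: names of controllers where the factory default still logs in.
    This is the check an integrator or building manager would run after install."""
    return sorted(
        name for name, ctrl in fleet.items()
        if ctrl.login(FACTORY_DEFAULT_USER, FACTORY_DEFAULT_PASSWORD)
    )


if __name__ == "__main__":
    good = AccessController()
    good.provision(FACTORY_DEFAULT_PASSWORD, "correct horse battery staple")
    bad = AccessController(retire_default_after_provisioning=False)
    bad.provision(FACTORY_DEFAULT_PASSWORD, "correct horse battery staple")
    never = AccessController()  # installer walked away without provisioning
    print(units_still_accepting_default({"lobby": good, "garage": bad, "annex": never}))
```

Run as a script it prints `['annex', 'garage']`: the unprovisioned unit and the unit whose vendor never retires the default are both flagged, while the properly provisioned one is not. The state flag is the whole fix; once `provisioned` is set, the only way back to the factory credential should be a physical reset, not a network request.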
Agreed, they're part of the problem too.
It's a shit sandwich of incompetence and laziness, and everyone is chowing down, yum fucking yum.
So dumb. Holy shit.