A Few Minutes' Idle Curiosity and a Couple of Web Searches Unlock a Serious Door Entry Security Flaw
Default passwords and world-accessible web interfaces combine to let Eric Daigle "break into this building in about five minutes."
Computer science and economics student and self-described "security enthusiast" Eric Daigle's idle few minutes of curiosity while waiting for a ferry led to the discovery of hundreds of public web interfaces that let you see exactly who lives in an apartment block, and remotely unlock their doors on demand.
"A few months ago I was on my way to catch the SeaBus when I walked by an apartment building with an interesting looking access control panel," Daigle explains. "I wrote down the 'MESH by Viscount' brand name and made a note to look into it when I had a chance. I ended up just missing my ferry (the 30 minute Sunday headways are brutal), so I decided to see if I could find anything promising on my phone while waiting at Waterfront for the next boat."
Searching for more information on the open web, Daigle discovered an installation guide for the entry system, which included instructions on logging into a web interface for configuration, monitoring, and control. A further search uncovered the fact that there are hundreds of these systems with their web interfaces exposed to the world, many of which still use the default username and password, set by the manufacturer, shared across all models, and written in plain text in the installation guide.
"Exposing the panel to the Internet is dumb, but fortunately none of these systems were accessible using the def - just kidding," Daigle writes. "The very first result happily lets me in with the freedom:viscount login. The first interesting thing here is the Users section. This maps residents' full names to their unit numbers. The building address is also used as the Site title. That's already not great, but it's worse in conjunction with the Events section. This is a multi-year log of every time a fob associated with a certain suite number accessed an entrance or an elevator. So we can now easily determine that, say, Jon Snow of Unit 999, 123 Bear St Vancouver BC comes home every day at 6pm."
Having access to such personal information from nothing more than a couple of Google searches is bad, undeniably so, but the same login provides access to more: a control system that allows the user to register new access fobs, disable existing fobs, or change which floors fobs can access. "The system for this is somewhat convoluted," Daigle notes. "Fortunately I don't need to understand it at all, because I can just unlock any entrance I want through an override function. So I can break into this building in about five minutes without attracting any attention whatsoever. Neat."
Daigle reached out to Hirsch, a Vitaprotech Group subsidiary and current vendor of the MESH door control system, with his findings, but was told that the company does not consider it a vulnerability as their own recommendations are to change the default username and password when a system is installed. Vitaprotech was contacted for comment, but had not replied to our questions by the time of publication.
More information is available in Daigle's write-up.