[HN Gopher] Breaking into apartment buildings in five minutes on...
___________________________________________________________________
Breaking into apartment buildings in five minutes on my phone
Author : ChrisArchitect
Score : 228 points
Date : 2025-02-24 15:48 UTC (7 hours ago)
(HTM) web link (www.ericdaigle.ca)
(TXT) w3m dump (www.ericdaigle.ca)
| bgirard wrote:
| > Hirsch replies stating that these vulnerable systems are not
| following manufacturers' recommendations to change the default
| password
|
| These manufacturers' recommendations are not acceptable. They
| should mandate a non-default secure password before allowing the
| system to be used.
| pavel_lishin wrote:
| Even my parents' & grandparents' modems/routers each have a
| unique password printed on the bottom! There's just no excuse
| for this.
| nottorp wrote:
| Oh speaking of which. A lot of places I rented on holidays
| had internet access with that default unique password. Which
| is a pain to type on your phone and laptop when you get
| there.
|
| Did anyone think to at least try to add OCR-ing those labels
| on our phones to automatically enter the wifi password?
| ghaff wrote:
| A lot of inns and B&Bs in tiny towns etc. have these
| complicated passwords that seem like overkill. You're
| probably right that they're some sort of default. Even if
| they're not 12345, it seems as if they could be something
| pretty simple and that would be fine.
| axus wrote:
| QR codes?
| nottorp wrote:
| > QR codes?
|
| How do you change the label on the router that got
| installed 8 years ago and is working fine? Especially
| since the owner of the cabin in the woods that you just
| rented for the weekend is into ... renting cabins in the
| woods, not geekery.
|
| > have these complicated passwords that seem like
| overkill. You're probably right that they're some sort of
| default.
|
| It is the default. If you find their router you'll find
| that overkill password printed on a label on the bottom.
| More enlightened ISPs give you extra stickers with the
| same info that you can put on the fridge or somewhere
| like that.
| wrs wrote:
| We used this for our guests at home.
|
| https://qifi.org/
| nottorp wrote:
| Oh pretty. Now I just need to tell all the hosts in my
| future holidays about those :)
| dghlsakjg wrote:
| There is a wifi credentials QR code standard that can be
| used to pass the network name, and authentication
| details. Anyone can generate one, here's a generator app:
| https://www.qr-code-generator.com/solutions/wifi-qr-code/
|
| Most modern phones recognize the standard and can be used
| through the native camera app.
| jajko wrote:
| Yes I saw it literally a few days ago when visiting a
| relative (not even airbnb just her home), so easy to do
| yet it never occurred to me.
| datadrivenangel wrote:
| I have a framed wifi QR code in my house. It's great.
| Looks like a photo on the wall.
| pavel_lishin wrote:
| I should cross-stitch one.
| happyopossum wrote:
| >Did anyone think to at least try to add OCR-ing those
| labels on our phones to automatically enter the wifi
| password?
|
| You can do that easily on iOS, I'd be surprised if Android
| didn't allow it as well...
|
| Tap in the password field, tap Autofill from the popup, and
| tap Scan Text.
| lostlogin wrote:
| Slightly off topic, but sharing WiFi passwords on iOS is
| so very user friendly.
| bildung wrote:
| How does it work in iOS?
|
| On Android User A taps on the wifi they are connected to
| and gets a QR code, and User B taps on the icon for
| scanning wifi QR codes, so one tap each once you are in
| your wifi settings.
| arjie wrote:
| On iOS, the guest attempts to connect and anyone with
| them in their contacts list is prompted to share. The
| common use case of a friend visiting is very simple. If
| you want to share a different network, there's a similar
| flow to the Android one:
|
| * Go to Wi-Fi in the Passwords app
|
| * Select the Wi-Fi network you want to share
|
| * Share Network QR Code
| HeatrayEnjoyer wrote:
| So they know when you're trying to access a wifi network?
| mcculley wrote:
| If you are near them, yes.
| gryn wrote:
| Google Lens works for this as an OCR copy & paste
| rbalicki wrote:
| You can generate and print a QR code. It's quite a nice
| solution
| prophesi wrote:
| Oddly enough, these default unique passwords usually are in
| the format of word+word+digit+digit+digit. If you look up the
| model, it won't take long to find the word list they use and
| can trivially bruteforce it.
|
| So even then, I'd recommend changing it, or push for these
| companies to provide generated passwords with a much larger
| key space.
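
The key-space gap prophesi describes, as an added example that is not part of the original thread: it compares a word+word+3-digit default with a uniformly random label password and generates the latter with a CSPRNG. The 2,000-entry word list size, the 80-bit target and the look-alike-free alphabet are assumptions, not figures from any vendor.

```python
import math
import secrets

# Assumed label alphabet: letters and digits with look-alikes (0/O, 1/l/I, o)
# removed so the printed sticker can be typed without guessing.
LABEL_ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def keyspace_bits(choices_per_position):
    """Entropy in bits when every position is drawn uniformly and independently."""
    return sum(math.log2(n) for n in choices_per_position)


def word_word_digits_bits(wordlist_size, digits=3):
    """Entropy of the word+word+digit+digit+digit pattern from the comment.

    wordlist_size is an assumption supplied by the caller; once the list is
    known, it is the only secret-independent parameter that matters.
    """
    return keyspace_bits([wordlist_size, wordlist_size] + [10] * digits)


def random_label_bits(length, alphabet=LABEL_ALPHABET):
    """Entropy of a uniformly random string over the label alphabet."""
    return keyspace_bits([len(alphabet)] * length)


def min_length_for(target_bits, alphabet=LABEL_ALPHABET):
    """Shortest random label that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_label_password(target_bits=80, alphabet=LABEL_ALPHABET):
    """Per-device default password to print on the label.

    Uses the secrets module (OS CSPRNG), never random.random(), so one
    device's password says nothing about the next one off the line.
    """
    length = min_length_for(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(wordlist_size=2000, target_bits=80):
    """Summarise both schemes for a constructed, assumed word list size."""
    weak = word_word_digits_bits(wordlist_size)
    length = min_length_for(target_bits)
    strong = random_label_bits(length)
    return {
        "pattern_bits": round(weak, 1),
        "random_length": length,
        "random_bits": round(strong, 1),
        # How many times larger the random key space is, as a power of two.
        "gap_bits": round(strong - weak, 1),
    }


if __name__ == "__main__":
    print(compare())
    print("sample label password:", generate_label_password())
```
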
| jack_pp wrote:
| Idk in Romania routers come with random passwords.
|
| https://imgur.com/a/x915ZfO
| yesthis wrote:
| function generatePassword() { // comply with Romanian
| regulations return "gaGc52eP" }
| rad_gruchalski wrote:
| This function doesn't evaluate, something something
| expected expression of }, premature end of file.
| pc86 wrote:
| I know you're making a joke but it's just HN formatting
| not respecting single line breaks in comments.
| Semaphor wrote:
| German fritzbox routers (the most common non-isp routers
| here, and actually very capable) have a fully random
| password
| bongodongobob wrote:
| That's usually the wifi password, not the admin password.
| robbiewxyz wrote:
| Their routers only have this feature because the internet
| providers who sell those routers pay for bandwidth themselves
| lol. If residential internet plans sold on a pay-per-byte
| basis you can bet routers'd still ship with non-unique
| passwords.
| psobot wrote:
| Viscount has hilariously bad security. I used to live in a
| building in Toronto that used Viscount infrared fobs for access
| control. They were no more secure than TV remotes; no rolling
| codes, no encryption, nothing. An attacker could easily sit
| nearby with an IR receiver and collect everyone's fob codes at a
| distance, allowing access to all floors.
|
| Needless to say, I moved.
| ghaff wrote:
| I'm not going to especially defend but you have a way more
| sophisticated model of how most burglars work than is almost
| certainly the case.
| reaperducer wrote:
| Exactly. This article should be titled "I figured out a
| really obtuse way to break into apartment buildings."
|
| A rock will get the job done in a fraction of the time.
|
| It's like all those nobodies on HN who go through all kinds
| of software gymnastics to secure their phone against
| imaginary "threat actors," when a mugger is just going to
| keep twisting their arm behind their back until they enter
| their PIN.
| badgersnake wrote:
| This is way better than a rock. It raises no suspicion and
| leaves no trace. Maybe it doesn't matter for burglary, as
| you're probably going to take things anyway, but if you
| want access without anyone knowing you were there this is gold.
| Neonlicht wrote:
| In fairness I think that these "locked doors" are to keep
| the homeless/drug users out or kids starting fires not
| really burglars.
| stevage wrote:
| They unlocked a lot more power than simply getting into
| buildings.
| prometheus76 wrote:
| This was 30 years ago, so I'm sure a lot has changed since
| then. I was a missionary and the way we got into buildings in
| Toronto to knock on doors was to just pick the last name with
| the most letters from the directory, buzz them, and when they
| answered, we would just say "pizza delivery" and 95% of the
| time they buzzed the door open.
| withinboredom wrote:
| What do the letters in their name have to do with it?
| prometheus76 wrote:
| Less likely to speak English in my experience.
| nosioptar wrote:
| It'd be nice if missionaries weren't such hypocrites.
| Claiming to be the pizza guy when you're actually selling
| magic underwear is bearing false witness.
| knowitnone wrote:
| devil worship is a hell of a drug
| roguecoder wrote:
| Technically it depends on the interpretation of "ʿed" and
| "bəreʿaka" whether that commandment is admonishing against
| telling any lie, just lies in court when making a legal
| accusation against another person, or somewhere in between.
|
| Even if we accepted the premise that one book should be the
| basis of all morality, this one contains within itself
| contradictions, satire, sarcasm, and a community context we
| no longer have: with individual quotes I can make anyone
| look like a hypocrite.
|
| To my mind the more interesting question is, does a
| singular community condemn a behavior in out-group members
| that they tolerate or even praise in in-group members?
| reaperman wrote:
| Leviticus 19:11 bypasses the whole "ʿed" vs. "bəreʿaka"
| shenanigans.
|
| New International Version (NIV): "Do not steal. Do not
| lie. Do not deceive one another"
|
| King James: "Ye shall not steal, neither deal falsely,
| neither lie one to another."
|
| New Living Translation (NLT): "Do not steal. Do not
| deceive or cheat one another"
|
| New Century Version (NCV): "You must not steal. You must
| not cheat people, and you must not lie to each other"
|
| The Holman Christian Standard Bible (HCSB): "You must not
| steal. You must not act deceptively or lie to one
| another"
| lostlogin wrote:
| Does anyone ever actually get converted by a door knocking
| missionary?
| pavel_lishin wrote:
| It's not for the benefit of the potential convertees, it's
| for the benefit of the ones doing the converting.
| spankalee wrote:
| Yes. The inevitable rejection is the point. It reinforces
| the otherness of the outside world, creating more
| separation from non-believers and stronger connection and
| devotion to the cult.
| prometheus76 wrote:
| Yes. I'm no longer a Mormon, but I baptized around a dozen
| people on my mission and they were all found from knocking
| on doors. But this was also thirty years ago, before the
| internet was a thing for most people.
| Frederation wrote:
| I hope you are doing better!
| happyopossum wrote:
| > infrared fobs
|
| Wait, what? You have to point a powered device at an IR
| receiver and press a button like a TV remote? I've never seen a
| building entry system like that!
| __MatrixMan__ wrote:
| That's probably because it's not so good as a building non-
| entry system.
| psobot wrote:
| Exactly that, yes! IR receivers outside every exterior door
| to the building, and IR receivers in the elevators to control
| access on a floor-by-floor basis.
|
| The fobs were visible by an IR camera (including the average
| smartphone) and could trivially be decoded as a short bit
| sequence with an IR sensor wired into a microphone jack, as
| the bit pattern was transmitted at ~audio rates.
| pavel_lishin wrote:
| > _2025-01-29: Hirsch replies stating that these vulnerable
| systems are not following manufacturers' recommendations to
| change the default password_
|
| Ah, yes. It's the children who are wrong.
| ihaveone wrote:
| Holy freaking crap. ALL OF THESE ARE ONLINE. "It's possible" to
| log in to the first result with the default password.
|
| If anyone wants, perhaps login, change the password and make a
| new client as the password or something. This is going to get bad
| FAST.
| azinman2 wrote:
| I would say this is highly irresponsible of the researcher to
| expose this publicly. These are people's homes, along with
| their PII and locations. The residents didn't choose this
| system, their building just uses it. They don't even know that
| their info is being leaked, nor that the doors to their places
| were just rendered neutered.
|
| If something bad happens because of this...
| smallerfish wrote:
| I flagged it for this reason.
| tiborsaas wrote:
| I second this. Just because it feels right to them as "I've
| reported it, It's not on me anymore...", doesn't mean he
| should enable bored people to revoke access cards, jam
| elevators, etc.
| Freak_NL wrote:
| That depends on the individual's weighing of the various
| factors and their personal moral position. If someone wants
| to prevent a bunch of easy break-ins where the method of
| entry won't get noticed in most cases, and they feel that
| the discomfort of denying access for a bit (impacting
| hundreds of people perhaps) outweighs the trauma of being
| robbed (maybe impacting just a few), then doing that might
| be the only morally defensible position to take. For all we
| know they actually are planning to hammer the open
| installations until they get fixed to prevent the bigger
| harm.
|
| Other people will shrug and move on after trying everything
| they can via the proper channels.
|
| And then of course there are the assholes who will just do
| it because it entertains them.
| tiborsaas wrote:
| It's all very educative and makes a point until you read
| a news story about someone dying because ER couldn't get
| there in time. The road to hell is paved with good
| intentions hits hard here.
| Freak_NL wrote:
| That too has a chance of happening associated with it.
| Lacking a convenient table to look up the chance of that
| happening (and its impact), and the chance of a break-in
| caused by an open admin panel causing irreparable harm,
| there is nothing left to do but weigh the chances as best
| as one can.
|
| Many people will choose to do nothing in that case, but
| not everyone will accept that inaction which might lead
| to bigger harm is preferable to action which might lead
| to another possible negative outcome, but at a much
| smaller chance.
|
| (It's basically that dumb trolley meme, but with
| undetermined outcomes.)
|
| Every choice we make can have an adverse effect on
| others. Take the car today instead of walking? You just
| might cause an ambulance to be delayed leading to an
| unfortunate death. The chance of that happening is
| negligible of course, but not absent (it never is).
| roguecoder wrote:
| Criminals were already enabled to do that, and the people
| in those buildings had no way to know.
|
| The more-responsible thing might have been to also reach
| out to residents of individual buildings & give them time
| to correct the situation, rather than relying on the
| company (which has a vested interest in ignoring the
| problem) to do the right thing. But security through
| obscurity is not a solution.
| sjducb wrote:
| Reaching out to the residents leaves you open to legal
| risks. You processed their data without any kind of opt
| in.
| asynchronousx wrote:
| This is the only recourse left when the vendor kicks and
| screams at the CVE disclosure process.
| azinman2 wrote:
| I strongly disagree. You're literally putting people's
| lives and possessions at risk who have no knowledge of
| this. There are many alternative methods, from getting the
| government involved to giving a very long lead time to
| the vendor before you disclose this, to sitting on it and
| never disclosing.
| megous wrote:
| Software vendor and building manager are putting people's
| lives at risk.
|
| Can't software coders ever take responsibility? And this
| is on the programmer who implemented this, too. You just
| don't let your product manager do this, ever. It's 2025
| already.
|
| And this is a security product, wtf? Residents should be
| suing individual programmers here. OWASP was created 24
| years ago. Default credentials is like number 1 on their
| IoT app security list. Only a moron would not defend
| against this. If your manager requires this, you just
| send him:
|
| https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Pr...
|
| And tell him no. If he still wants it, you just report
| him to Reddit or whatever. :D
| neilv wrote:
| The only recourse for what problem? Aren't there other
| plausible creative ways to apply pressure and get it fixed,
| with less risk to the people unwittingly at mercy of this
| vendor's negligence?
|
| Or are you speaking of the transactional convention, in
| which people can break into systems, and then are entitled
| to publicity for that, so long as they give the vendor
| advance notice?
|
| The whole responsible disclosure convention seems an
| imperfect compromise, among various imperfect actors. On
| occasion, individuals might decide that other options are
| more appropriate to the specific situation, and to Perfect
| Tommy it.
|
| https://www.youtube.com/watch?v=fKHaNIEa6kA
| LeifCarrotson wrote:
| If something bad is done by a bad actor because of this
| vulnerability being discussed in public, that's no worse than
| something bad happening because this vulnerability exists but
| is only discussed in secret.
|
| This is not some highly-technical vulnerability only
| accessible to nation-states with genius engineers and
| million-dollar labs with exotic instrumentation and brute-
| force supercomputers compute pulling down many megawatts of
| power. The OP literally logged into an open Wifi SSID,
| searched for the text on the page, and scrolled to the
| default password. None of those steps are hard to do, any
| jealous ex or disgruntled employee or divorced parent fuming
| in the parking lot for 5 minutes could effortlessly
| accomplish the same thing.
|
| I honestly think it's _likely_ that bad things have already
| happened due to this vulnerability - but not due to this
| disclosure.
|
| But because it was only discussed in secret, no one ever got
| to the root cause of the issue and the hazard continued to be
| out there. Now that it's public, hopefully something will be
| done, and relatively quickly.
| azinman2 wrote:
| Shining a spotlight on an issue is completely different
| than the issue already existing.
| Synthetic7346 wrote:
| I think this falls under responsible disclosure guidelines. A
| lot of times companies refuse to fix misconfiguration issues
| like these, and users/customers deserve to know. Not
| publishing it is security by obscurity, you're just hoping
| that a bad actor doesn't figure this out (or hasn't already
| figured this out).
| michaelt wrote:
| _> Default credentials that "should" be changed, with no
| requirement or explanation of how to do so. Surely no building
| managers ever leave the defaults, right? And even if they did,
| they'd surely have no reason to expose this thing to the
| Internet, right?_
|
| My theory is this is one of the reasons so many internet-of-
| things devices nowadays omit any sort of offline/local network
| control.
|
| No default passwords, no ports you can forward without knowing
| what you're doing, all the credentials sorted out on a cloud
| server.
| craftkiller wrote:
| Consumer routers have had this issue solved for ages: you
| generate a random password and put it physically on the device.
| ghaff wrote:
| I don't want some complicated random password. At least where
| I live, my router password is a _very_ modest security shim
| to protect against very random casual access. If I have a
| visitor who needs WiFi access, I want to give them an easy
| password to type in.
| craftkiller wrote:
| You can always change the passwords. I was bringing this up
| as a solution to the default passwords issue. You don't
| want to have a static default password used by everyone, so
| you need the initial password to be randomized. People are
| dumb so you need to print it on the device. There is no
| need to default to cloud-based authentication to close the
| default password security hole.
| barbazoo wrote:
| Wifi password != admin password. The admin password should
| be random and then you can change it when you take
| ownership of the device.
| marsovo wrote:
| So change it afterwards. Good defaults are important. If
| someone doesn't change it, it's important that they be on
| the right path instead of...this one.
|
| (See also: opt-in versus opt-out for retirement plans,
| organ donation...heck, even this from yesterday:
| https://news.ycombinator.com/item?id=43144611)
| wlesieutre wrote:
| If it's too hard for a guest to type in a password, you can
| also have them join by scanning a QR code. Obviously this
| works better for phones and tablets with QR scanning built
| into the camera, but that's what guests are frequently
| using.
|
| https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...
| huang_chung wrote:
| OpenWRT, the crown jewel of open source firmwares for
| "insecure" consumer routers, uses a blank (null) password by
| default with full root access.
| dylan604 wrote:
| No device comes off the shelf with OpenWRT. If you're the
| type of person that's aware of OpenWRT and then install it,
| it's not that far of a stretch to think you'd also be the
| type to know to check the password.
| huang_chung wrote:
| Your logic is poor.
|
| If you assume this, you have to assume door access device
| is installed by trained technician.
| dylan604 wrote:
| Your assumption is large.
|
| I am only thinking of a router with OpenWRT installed.
| Nothing about a wifi router with OpenWRT has anything to
| do with a door access device installed by a trained
| technician or not. The conversation only pertains to the
| words used, not the unwritten ones you're trying to
| insert in between the lines of my comment to make a
| totally unrelated point
| myself248 wrote:
| GL-inet devices come off the shelf with OpenWRT. They
| don't have a blank password. Every single one ships with
| 'goodlife' as the default password, as printed on the
| label on the back.
|
| (But remote ssh login is disabled by default.)
| dylan604 wrote:
| Thanks. I was unaware of that company.
| thomasjudge wrote:
| Isn't logging into any system unauthorized - in practice - a
| violation of the Computer Fraud & Abuse Act?
| roguecoder wrote:
| The EFF has a good guide about the relevant laws:
| https://clinic.cyber.harvard.edu/wp-content/uploads/2020/10/...
| mihaaly wrote:
| It is, like getting into a home with open doors without the
| consent of the inhabitants.
|
| Which is keeping away only the honest and polite persons.
| INGSOCIALITE wrote:
| i worked as an engineer in an industry that required on-site
| access to buildings all over manhattan, some residential. all you
| have to do is hit a couple random buttons on the intercom and
| 100% of the time one of them would just buzz the lock
| mvandermeulen wrote:
| This is pretty much all it takes in any western country. Some
| areas might require a little more effort but nothing
| substantial.
|
| In fairness, the blame for this kind of enabling attitude is
| mostly attributable to me locking myself out of the building
| and having to buzz my long suffering neighbours at all kinds of
| ungodly hours. Proud moments.
| megous wrote:
| Could you also lock out specific residents? Or get their daily
| home arrival patterns for the last few years? Or find unused
| flats to squat in? IoT still wins. :)
| ecshafer wrote:
| Many many many years ago I worked at basically an MSP for telcos
| on the helpdesk. So customers would call their telco or isp for
| help and that would be routed to us. Anyways this one small isp
| with idk 10k customers had deployed their routers to customers
| with the default username/password and remote authentication
| enabled. A single script from a bad actor logged into all of the
| routers, changed credentials, and iirc updated dns settings so
| they lost internet, phone, tv. Cue 10k people calling as we had
| to basically walk through everyone one by one on changing the
| credentials and updating their config.
| myself248 wrote:
| Was that enough pain to force some sort of change in how the
| things were deployed thereafter?
| Agingcoder wrote:
| After watching a lot of tv series, my non techie wife has come to
| the conclusion that real life systems are trivial to hack : just
| click 'skip password', or 'password override', or just use
| 'password' as a password.
|
| It seems she's almost right !
| assimpleaspossi wrote:
| Rode with a guy to visit a friend in a gated community. We didn't
| know the access code for the gate but the guy I was with is an
| Amazon delivery driver.
|
| "Let's see if I can't get us in," he said. He got out of the car,
| walked over to the access panel and looked on top, bottom and
| sides. Then he punched in some numbers and the gate opened.
|
| Turns out, so many people in gated communities and apartment
| complexes order things from Amazon, and other delivery services,
| and want front door delivery but don't give them any way to get
| in. Eventually, some frustrated driver who gets the code will
| write it on the side of the access panel to help everyone out.
|
| "Apartments are awful," he said. "College campuses are the bane
| of our existence. You would think that college kids would be
| smart about these things but they are the absolute worst."
| _fat_santa wrote:
| My parents live in a very upscale country club community down
| in Florida and their gate security is laughable. They assign
| every household a 4 digit code to enter the community. Given
| how many homes are in this community, entering any 4 digit code
| > 1000 and < 2000 will work.
| jimt1234 wrote:
| My girlfriend lives in an upscale, gated community. Her HOA
| has done the exact opposite. They change the gate code weekly
| as a way to "protect" themselves from this situation. However,
| it's kinda had the opposite effect - tailgating has become
| totally acceptable, even the norm, as people can't keep up
| with the gate code changes. Amazon drivers usually just sit
| outside for a minute or two, then tailgate into the
| neighborhood.
| reaperman wrote:
| The only gated communities / apartment complexes I've ever
| seen where that was not normal are a subset of the ones
| that have an on-duty guard - specifically the subset with
| guards who recognize all the occupants and take the
| information of anyone they don't recognize.
| jimt1234 wrote:
| Her community is not guard-gated, but it's extremely
| snooty/snobby. A number of years ago, before the weekly
| gate-code changes, the HOA started doing _annual_ code
| changes on Halloween. Why Halloween, you might ask?
| Because the service staff of the community (landscapers,
| house cleaners, etc.) had the audacity to bring their
| children/grand-children to the neighborhood to trick-or-
| treat. Residents felt the service staff was just trying
| to guilt them into giving candy. Keep in mind, all these
| residents are multi-millionaires, mostly retirees, and
| they were bitching about having to spend 5 bucks in candy
| to make children happy.
| doubled112 wrote:
| Isn't that usually how the rich stay rich? Does this
| really seem too surprising?
|
| In my experience, and I'm generalizing a lot, the less
| people have the more generous they tend to be.
| bell-cot wrote:
| They're doing a great job of "protecting" themselves from
| feeling anxious about Bad Things somehow happening.
|
| For an all-too-large fraction of humanity, that's the
| "protection" which actually matters.
| wildzzz wrote:
| There's a door at work I regularly need to access. It used to
| be used for another purpose but now is just an extension of the
| work area. It's got a badge reader and simplex lock but I can't
| get badge access because I don't actually belong to that work
| area yet I'm there everyday anyway. However, someone wrote the
| simplex lock code on a sign in very small numbers for this
| exact purpose. Other simplex locks in the building use the
| default code you can find online. The whole building is secure
| so you'd never be able to walk up to these doors without proper
| credentials, they are mostly just there to keep out the curious
| or someone looking to borrow tools that they shouldn't.
| atlanticaccent wrote:
| > The whole building is secure
|
| Given what you just said and the article you're commenting
| under, are you sure?
| organsnyder wrote:
| Anyone wearing a maintenance uniform and carrying a step-
| ladder could surely find a way in via an overly helpful
| victim.
| EvanAnderson wrote:
| Look like you belong and act confident and you can get
| nearly anywhere. Props help-- wear a high-vis vest and a
| hard hat, carry a tablet / folio / clipboard around an
| office, etc.
|
| Confidence is the key, though.
| organsnyder wrote:
| You also have to fit a certain expected demographic.
| EvanAnderson wrote:
| Sadly, yes-- that's true. It's a game of playing to
| stereotypes, for sure.
| sidewndr46 wrote:
| It's far simpler than that. Every gated community I've ever
| visited, press any digit 4 times. You're in. The only exception
| is a community with a security guard. The guy obviously isn't
| just going to let some guy not on the guest list in
| adamanonymous wrote:
| Gated communities around me have 2 lanes, one with a sensor
| activated gate for residents and a guest lane next to the
| guard hut
|
| If it's busy and you pull up in a nice enough car and just
| wait in front of the sensor gate looking annoyed, the guard
| will eventually just let you in
| AutistiCoder wrote:
| I was under the impression that delivery drivers had a book or
| something with these codes.
|
| Like, the HOA just like calls the delivery companies and says
| "hey, here's a code to get in"
| DANmode wrote:
| Missed the stories about these guys shitting in the backs of
| the trucks and vans for lack of time to do their jobs, eh?!
| WalterBright wrote:
| I bet you could examine the keypad for wear. The worn keys (or
| the shiny ones) are the ones for the code.
|
| In the days before cell phones, a burglar alarm would dial the
| alarm company. The phone company likes to install the phone box
| on the outside of the building. The alarm is defeated by an axe
| to the cable going in the box.
|
| I had a fight with the phone company at my house, as I wanted
| the box on the inside rather than the outside. They finally
| agreed on the condition that I maintain the wire to the box.
|
| These days, of course, the alarms use wifi or a cell phone to
| call the alarm company.
| bell-cot wrote:
| > These days, of course, the alarms use...
|
| And the crooks use RF jammers instead of axes.
| blacksmith_tb wrote:
| That only works if there's a single code? I would think many
| keypad systems assign a code to each apartment (so the one
| written on the side is not a master key, just Joe in #303).
| dmurray wrote:
| I've definitely worked somewhere they tell all the users
| they have individual codes, not to share them, and if there
| is unauthorized access it can be traced who leaked their
| code. Everyone gets told the same story and given the same
| code.
| jeffwask wrote:
| > "College campuses are the bane of our existence. You would
| think that college kids would be smart about these things but
| they are the absolute worst."
|
| This is a huge misconception about GenZ. Unlike Millennials and
| GenX who had to hack around on PC's to figure out how to
| torrent, run games, build our own lans for local multiplayer,
| and generally avoid our parent's prying eyes. GenZ has grown up
| on devices. You don't modify the OS on devices. You don't hack
| around on devices; Apps tend to just work with little
| configuration. GenZ is entering the workforce with lower
| baseline computer / computer security skills than people think
| they have.
| RajT88 wrote:
| Well - kind of. PC gaming is bigger than ever before, and PC
| gaming was how a lot of my generation got into computers.
|
| My nephew for a while was very much one of those "grew up on
| devices" kind of kids - until he got off of gaming on phones
| and tablets, and got a gaming PC. Now he's reading about
| technology and tinkering and stuff.
| blueflow wrote:
| It's not the same. Nowadays you press a button in steam and
| the game is installed for you and just works. It does not
| provide an entrance into technical layers like configuring
| the soundblaster irq in config.sys did.
| mardef wrote:
| It's not the same, but I don't know if it's worse.
|
| My IRQ conflict resolution skills or knowledge about
| himem.sys aren't really useful these days.
|
| But I've seen GenZ kids do incredible things with
| Minecraft mods and the like that make me reminisce about
| Quake modding.
|
| The masses are just blindly using devices, but the masses
| didn't even have a PC at home 30 years ago.
| neuralRiot wrote:
| It used to be that if you wanted to do gaming on a PC you
| started by building the PC.
| dingnuts wrote:
| That hasn't changed. Of course there are prebuilts but
| there were twenty years ago, too. I should know -- I had
| one. I built my third gaming PC myself.
| amatecha wrote:
| Yeah, I know someone who works in a high school and the
| average skill level is "struggles to figure out how to save a
| document on a USB stick". Kids know how to press the power
| button on an Xbox or tap an icon on their iPhone. The staff
| member I know is aware of ONE kid in the entire school who
| has used Linux. When I was a kid, basically every single kid
| who had a computer at home (and actually used it) knew how to
| defrag the hard drive (and probably install Windows lol), set
| IRQ values for their sound card, all that kind of stuff --
| because you had to know this to even use it. My friends and I
| went on BBSes and later stuff like IRC and Hotline, ran Linux
| or pre-release versions of our respective OSes, set up our
| own bedroom LANs and personal game/web servers, etc. etc.
|
| Indeed, as you say, I learned a lot about computers simply by
| wanting to circumvent the limitations that school admins put
| on the computers (especially as I wanted to utilize the full
| power the computers provided, as opposed to some
| sheltered/limited experience -- "At Ease" -- surprisingly
| reminiscent of smartphones/tablets today)... I went to great
| lengths to regain net access when my parents repeatedly
| revoked my access, again another huge learning opportunity.
| bombcar wrote:
| I don't know if it's a "uses tech" issue or just not
| realizing the steps needed. Even we knew you had to go to the
| campus gate to meet Dominos after dark (when the gate would
| be automatically closed).
|
| There was no fancy intercom ability to remotely open it.
| ericmcer wrote:
| Same, I was just talking with my daughter (16) about this
| because she hated her intro programming class in high school.
| No biggie if it isn't for her, slightly disappointing that I
| can't share knowledge, but she should pursue what she enjoys.
|
| What irked me was she claimed "I just hate being on the
| computer", but her screen time on the phone easily crests 8
| hours daily. Maybe we are just entering a similar phase to
| auto mechanics. In the 1950s anyone who owned a car was at
| least somewhat proficient in its inner workings, now many
| people need to consult the manual to figure out how to pop
| their hood.
| lynx97 wrote:
| Ahh, the modern version of the written note under the
| keyboard...
|
| In my area, there is a universal access key (physical) for
| postal service and newspaper delivery people. So if you want
| access to a random building, all you need to do is apply as a
| newspaper delivery guy, or, find one that is willing to give
| you that master key. To add insult to injury, that type of job
| is extremely low paying, so much room for abuse.
|
| Fact is, locks and closed doors are there to make the _owners_
| _feel_ cozy and safe. If you ever needed a locksmith service
| and watched them do their job, you _know_ your apartment door
| is just a prop.
| tecoholic wrote:
| Modern apartment building. Low rise. Full visibility of
| courtyard. Cycle gone missing with a baby seat attached.
| Nothing anyone can do about it. How did they get the key, who
| let them in, how did they manage to pry open the lock in full
| visibility? I was seething for a week. But somehow I knew
| this wasn't really that big a security challenge for the
| thief.
| fortran77 wrote:
| I just tried it (via Tor) and was able to get into the first 5
| that duckduckgo found. Someone had been there before me and
| (apparently) changed names of things. (I looked but didn't
| touch.)
| huang_chung wrote:
| Interesting story but a CVE for this is a bit melodramatic and
| why no one takes security folk seriously (cry wolf too many
| times).
|
| OpenWRT ships with no password at all (!) with full root access
| on default install. The situation is the same: they politely
| suggest you change it from the default (blank) password but do
| not force you to do so.
|
| By this logic every OpenWRT install (and many other softwares)
| dating back many years should be subject to CVE.
| NRv9tR wrote:
| I assume you have to be on that network to access the login.
| I'm 95% sure the UI/admin is not accessible to the internet
| by default... but also, yes that shit should be way better.
| Even Comcast and other ISPs have done better than this for a
| decade or more now.
| huang_chung wrote:
| If you believe you need to be on the same network to compromise
| an internal interface web application, you are gravely mistaken.
| Neonlicht wrote:
| You can get in the building with a bit of social engineering. I
| live in an apartment complex. Put on a DHL or Dominos cap and
| nobody cares. It's your front door lock that is the real barrier.
| stevage wrote:
| Jesus. The whole system seems to have been designed to maximise
| the damage that can be caused with minimal effort.
|
| Why are these admin pages web findable? Why is there a public
| database of them? Why have they tried so hard to make it so
| accessible? Why is there no security? Arrrrrgggh.
| bluedino wrote:
| Love this stuff, reminds me of old 2600 articles
| kingkulk wrote:
| Exposing a loophole in the best way. Great job
| malaya_zemlya wrote:
| There was a time when somebody in SF figured out the admin access
| code to older apartment intercoms (I believe they were
| manufactured by Linear and maybe other companies too). These
| intercoms would call the programmed-in phone number whenever you
| typed in the apartment access code at the door.
|
| So what they did is add a new fake tenant with a premium 1-900
| number and used the intercom to call it, earning themselves a
| bit of cash. Naturally, landlords had to foot the bill.
| teddyh wrote:
| That sounds complicated and too much work. I'd prefer
| <https://www.youtube.com/watch?v=Rctzi66kCX4>
| MBCook wrote:
| I've always wondered: how do all these things end up in Google?
| What's submitting the link, or public thing links to it?
___________________________________________________________________
(page generated 2025-02-24 23:00 UTC)