News: Apartment buildings broken into with phone in minutes — IoT-connected intercoms using default creds vulnerable to anyone with Google

"However, with no instructions listed in the manual on how to do this"

I see Tom's has copied this claim from similar articles without actually checking.
The Installation Manual for the door phones does not include the instructions for changing the server password, because it is a manual for installing the door phones. The setup guide for the access control server software (Identive Freedom) includes instructions for changing the password as part of the setup process, along with all the other setup steps required like linking phones to locks, setting up ACS rules, etc.

It's like an install manual for your GPU advising you to enter your Windows admin password at a UAC prompt but not instructing you on how to change it: of course it doesn't, that's not what that particular manual is for.

---

These sorts of systems have a default 'interim' password rather than mandating a new password be set as part of the initial installation and setup process (as consumer goods - e.g. wifi-router combo boxes - are starting to do) because the system installer is generally not the end user. The customer providing the final admin password to the installer is never a good idea, so the usual process is for the installer to leave the default password in place for commissioning of the system, then the customer sets the password after handover and the system can go live. The customer never bothering to change the default is not easy to 'solve': even if you display a nag-screen on every single login with the default credentials with a big red "CHANGE PASSWORD NOW!!" warning, 99% of users will just close the window and leave the password as default. You can try to create a dynamic temporary password, but you'll find most of the time that will be lost by either the installer or by the customer as soon as the installer hands it to them, both resulting in a CS call and still not solving the problem of the end user still not changing that new default password anyway.
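The post above describes the commissioning workflow (installer uses the interim default, customer sets the real password at handover) and why a nag screen does not fix the "customer never changes it" problem. The sketch below is an added example, written for this page; it is not code from Identive Freedom, from the door-phone vendor, or from the poster. It models one way to make the handover step fail closed instead of nagging: the default credential works only on a local/console interface and only while the server is in commissioning state, and `go_live()` refuses until the default has been replaced. All names (`AccessControlServer`, `DEFAULT_USER`, the placeholder default password, the `source` values) are invented for illustration.

```python
"""
Commissioning-mode credential gate for an access-control server.

Added illustration for the thread above; not a real product's code.
The point it demonstrates: the installer can commission the system
without ever knowing the customer's final password, yet the system
cannot reach the network-exposed "live" state with the default
credential still in place.
"""
import hashlib
import hmac
import os

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"  # constructed placeholder, not any product's real default
MIN_PASSWORD_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only so the sample stores no plaintext; any
    # modern password hash would do for the purpose of the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccessControlServer:
    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(DEFAULT_PASSWORD, self.salt)
        self.password_is_default = True
        self.live = False  # False = commissioning, True = handed over

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def login(self, user: str, password: str, source: str) -> str:
        """source is 'local' (installer at the controller) or 'network'."""
        if user != DEFAULT_USER or not self._check(password):
            return "denied: bad credentials"
        if self.password_is_default:
            # Defence in depth: even if state were restored inconsistently,
            # a default credential never works once the system is live.
            if self.live:
                return "denied: default credentials disabled after go-live"
            if source != "local":
                return "denied: default credentials valid only on the local interface during commissioning"
            return "ok: commissioning session (password change required before go-live)"
        return "ok"

    def set_password(self, old: str, new: str) -> bool:
        """Customer (or installer, at handover) replaces the interim default."""
        if not self._check(old):
            return False
        if len(new) < MIN_PASSWORD_LEN or new == DEFAULT_PASSWORD:
            return False
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.password_is_default = False
        return True

    def go_live(self) -> bool:
        """Handover step. Refuses, rather than nags, while the default stands."""
        if self.password_is_default:
            return False
        self.live = True
        return True


def walkthrough() -> list:
    """Run the commissioning -> handover sequence and return each outcome."""
    srv = AccessControlServer()
    steps = [
        srv.login(DEFAULT_USER, DEFAULT_PASSWORD, "network"),   # refused
        srv.login(DEFAULT_USER, DEFAULT_PASSWORD, "local"),     # commissioning ok
        srv.go_live(),                                          # False: still default
        srv.set_password(DEFAULT_PASSWORD, DEFAULT_PASSWORD),   # False: same default
        srv.set_password(DEFAULT_PASSWORD, "correct horse battery staple"),  # True
        srv.login(DEFAULT_USER, DEFAULT_PASSWORD, "local"),     # now bad credentials
        srv.go_live(),                                          # True
        srv.login(DEFAULT_USER, "correct horse battery staple", "network"),  # ok
    ]
    return steps


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The difference from the nag-screen approach the post criticises is that closing the warning is not an option: the server simply will not enter the network-reachable live state, and will not accept the default over the network at any point, so the "99% close the window" failure mode cannot leave a default-credential server exposed. It does not fix the other problem the post raises (a customer who picks a weak password after handover), which a length check like the one above only partially addresses.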