Default Password Vulnerability Unveiled in Widely Used Access Control Systems Across North America
Imagine a master key that unlocks the doors of several buildings in your city. Now imagine this key falling into the wrong hands. This narrative isn’t a figment of imagination but a daunting reality that is shaking the security landscape of residences and offices across North America. The culprit – a mundane default password in Enterphone MESH, a widely used door access control system.
Security researcher Eric Daigle has blown the whistle on this unsettling vulnerability, which is built into the door access system developed by Hirsch, now its owner. The default password could potentially provide a malicious hacker with unrestricted access to building locks and elevator controls.
Findings have revealed that the Enterphone MESH system neither prompts nor requires users to change the default password during installation. In other words, the password shipped with the product is not confidential, but intended purely to facilitate customer login, a dangerous oversight from a security standpoint.
This kind of vulnerability is not new to the world of Internet-connected devices. Default passwords have been a perennial problem, making devices easy prey for hackers. Over the past few years, several governments have been pushing technology manufacturers to discard insecure default passwords, considering the plethora of security risks they pose.
Daigle has rated the Enterphone MESH system’s bug as 10 out of 10 on the vulnerability severity scale. Exploiting the vulnerability is alarmingly straightforward: it is as simple as copying the default password from the installation guide on Hirsch’s website and pasting it into the internet-facing login page of an affected building’s system. Akin to leaving your doors open to strangers, this system vulnerability calls for an immediate solution.
- A single default password exposes access to dozens of apartment buildings, techcrunch.com, 24-02-2025