Security researcher Eric Daigle discovered a significant vulnerability in several "smart" apartment intercom systems. By exploiting a poorly implemented API within these systems, he was able to remotely unlock building doors and individual apartment units using only his phone and publicly available information. He accomplished this by crafting specific HTTP requests that bypassed security measures, granting him unauthorized access. Daigle responsibly disclosed the vulnerability to the affected vendors, prompting them to address the issue and improve their security protocols. This highlighted the risk associated with insecure IoT devices and the importance of robust API security in connected building systems.
In a detailed blog post titled "Breaking into apartment buildings in five minutes on my phone," security researcher Eric Daigle documents a vulnerability he discovered affecting numerous apartment buildings that use a specific access control system. Daigle begins by explaining the widespread adoption of smart access control systems in modern residential buildings, emphasizing the shift away from traditional physical keys toward digital solutions involving mobile applications and intercom systems integrated with internet-connected devices. He then describes his methodical process of identifying and exploiting a security flaw in one such system, outlining each step of his research without divulging sensitive technical details that could be misused by malicious actors.
Daigle's investigation began with casual observation of the system in his own building. He noticed certain peculiarities in the system's behavior that piqued his interest, prompting further exploration. Through careful analysis and experimentation, using only his phone and publicly accessible information, he discovered a vulnerability that permitted unauthorized access to the building's directory – a digital repository containing tenant names and associated intercom codes. This directory, typically protected behind authentication mechanisms, became accessible due to an oversight in the system's design and implementation. Specifically, Daigle identified a logical flaw in the way the system handled user authentication and authorization, allowing him to circumvent these security measures and gain unauthorized access to the directory.
The implications of this vulnerability are substantial: it potentially gave Daigle the ability to access not just his own building but dozens or even hundreds of other buildings employing the same vulnerable access control system. With access to the tenant directory, an individual could impersonate a resident, gaining access to the building and potentially individual apartments. Daigle responsibly disclosed the vulnerability to the vendor responsible for the system, allowing them time to develop and deploy a patch before publicly disclosing the issue on his blog. He details the responsible disclosure process, highlighting the communication exchanges with the vendor and the steps taken to ensure the vulnerability was addressed before being made public. He concludes by emphasizing the importance of robust security practices in the development and deployment of internet-connected devices, especially those related to physical security and access control. He also encourages other security researchers to responsibly disclose vulnerabilities they discover to help improve the security posture of these increasingly ubiquitous systems.
Summary of Comments (24)
https://news.ycombinator.com/item?id=43160884
HN commenters discuss the prevalence of easily-exploitable vulnerabilities in building access control systems. Several highlight the inherent insecurity of relying solely on cellular connections for such critical infrastructure, pointing out the ease with which cellular signals can be intercepted or spoofed. Others note the conflict between convenience and security, acknowledging that many residents prioritize ease of access over robust protection. Some commenters share anecdotal experiences with similar vulnerabilities in their own buildings, while others suggest potential solutions, such as requiring secondary authentication factors or utilizing more secure communication protocols. The ethical implications of publicly disclosing such vulnerabilities are also debated, with some arguing for responsible disclosure while others emphasize the urgent need for awareness and immediate action. A few commenters question the author's decision to reveal specific technical details, fearing it could empower malicious actors.
The Hacker News post "Breaking into apartment buildings in five minutes on my phone" (linking to an article detailing vulnerabilities in apartment building intercom systems) generated a robust discussion with over 100 comments. Many commenters focused on the widespread nature of this security flaw and the lack of incentive for property managers to address it.
Several commenters shared anecdotes of similar vulnerabilities they'd encountered or exploited, including using default passwords, easily guessable codes, or simply bypassing the systems altogether. One commenter described manipulating the intercom system of their own building to open the main door from anywhere in the world. These personal stories underscored the real-world implications of the article's findings.
A recurring theme was the inherent conflict of interest between security and cost for property management companies. Commenters pointed out that the cheapest systems are often the most vulnerable, and that property managers prioritize minimizing expenses over implementing robust security measures. This created a sense of resignation among some, suggesting that these issues would persist until either regulations changed or a significant security breach forced the industry's hand.
The discussion also delved into the technical aspects of the vulnerabilities, with some commenters speculating on the specific technologies used in these intercom systems and potential solutions. Some suggested implementing multi-factor authentication or using more secure communication protocols. Others noted the challenge of retrofitting older buildings with modern security systems.
Several comments highlighted the ethical considerations of vulnerability disclosure. While the original article author responsibly disclosed the vulnerabilities to the affected companies, commenters discussed the potential risks of publicly sharing this information, including the possibility of malicious actors exploiting these weaknesses. This sparked a debate about the balance between transparency and security.
Finally, a number of commenters expressed frustration and disappointment with the state of security in these systems. They criticized the manufacturers for producing insecure products and the property managers for deploying them. Some called for greater consumer awareness and advocacy to push for better security practices in the industry. Overall, the comments painted a picture of a widespread and persistent security problem with limited incentives for change.