Full Report
An unchanged credential allows anyone to virtually control door locks and elevators at dozens of apartment buildings across North America, a security researcher found. © 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Vulnerability: Default Password on Enterphone MESH Door Access Systems
## CVE Details
- CVE ID: CVE-2025-26793
- CVSS Score: Information not explicitly provided in the text. (Implied High due to physical access potential)
- CWE: CWE-798: Use of Hard-coded Credentials (Often associated with default passwords where the user is not forced to change them)
## Affected Systems
- Products: Enterphone MESH door access control system (Now owned by Hirsch)
- Versions: Unknown, applies to instances where the default password was not changed upon installation.
- Configurations: Systems left with the factory-shipped default password, where the installer was not prompted or required to change it.
## Vulnerability Description
The vulnerability stems from the use of a single, default administrative password shipped with the Hirsch Enterphone MESH door access control systems. This default password grants remote access to door lock and elevator controls in affected buildings. The vendor, Hirsch, claims this is "by design" and places responsibility on customers who did not change the password during setup. Relevant security standards, by contrast, classify this as a product flaw (the source references CWE-1392).
## Exploitation
- Status: PoC available (Researcher Eric Daigle demonstrated the ease of access to dozens of buildings).
- Complexity: Low (Relies on a publicly known/easily discoverable default credential).
- Attack Vector: Network (Implied, as access is remote over the network connection of the device).
## Impact
- Confidentiality: Potentially High (Gaining access to secure areas, elevator control).
- Integrity: Potentially High (Ability to manipulate access logs or system settings).
- Availability: Medium to High (Ability to lock/unlock doors, potentially disrupting building access control).
## Remediation
### Patches
- **No planned fix.** Hirsch will not issue a patch, stating the vulnerability is by design and requires customer action.
### Workarounds
- **Mandatory Password Change:** Customers must manually change the factory default password immediately upon installation and configuration.
- **Configuration Audit:** Building administrators must audit all deployed MESH systems to confirm the default password has been replaced with a unique, strong credential.
## Detection
- **Indicators of Compromise (IoCs):** An unexpected change in door access logs or successful login attempts originating from unauthorized IP addresses after initial installation.
- **Detection Methods and Tools:** Network monitoring tools capable of identifying the device footprint and connection attempts associated with the MESH system. Auditing access configuration management systems.
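
The login-origin indicator above can be checked mechanically once panel or proxy logs are collected. The following is an added example, not code from the researcher or the vendor: the log format, field names, sample lines and the `ADMIN_NETS` allowlist are all constructed assumptions, and real MESH logs will differ.

```python
import ipaddress
import re

# Assumption: the only networks allowed to administer the panel.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2025-02-10T08:01:12Z src=10.20.0.15 user=admin event=login result=success
2025-02-10T23:41:03Z src=203.0.113.7 user=admin event=login result=failure
2025-02-10T23:41:09Z src=203.0.113.7 user=admin event=login result=success
2025-02-10T23:42:30Z src=203.0.113.7 user=admin event=door_unlock result=success
2025-02-11T09:15:44Z src=10.20.0.15 user=admin event=config_change result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)

def is_authorized(src):
    """True only if src parses as an IP address inside an admin network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is treated as unauthorized
    return any(addr in net for net in ADMIN_NETS)

def find_suspicious(log_text):
    """Return (timestamp, source, event) for each successful action from a
    source outside ADMIN_NETS. Lines that do not parse are reported too,
    so a format change cannot silently hide events."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append(("unparsed", line, "unknown"))
        elif m["result"] == "success" and not is_authorized(m["src"]):
            findings.append((m["ts"], m["src"], m["event"]))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A successful login from outside the allowlist followed by door or configuration events from the same source is the pattern to escalate, since failed attempts alone do not show that the default credential was accepted.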
## References
- Researcher Disclosure: ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/
- Vendor/Product Context: Hirsch (Owner of Enterphone MESH)
- Related Standard: cwe.mitre.org/data/definitions/1392.html