Apartment Building Security Breach: Single Password Exposed

February 24, 2025

Security Flaw Found in Door Access Control Systems

A security vulnerability has been identified in a prevalent door access control system, potentially granting unauthorized remote access to door locks and elevator controls. This affects numerous buildings throughout the United States and Canada.

Researcher Eric Daigle discovered that many residential and commercial properties have not altered the system’s default password, or were simply unaware of the need to do so.

System Affected: Enterphone MESH

The affected system is the Enterphone MESH door access system, currently owned by Hirsch. The company acknowledges the security flaw and is preparing a patch to address it.

This patch will require users to change the default password, a crucial step in securing the system.

The Risk of Default Passwords

While default passwords are frequently included with internet-connected devices for ease of initial access, their continued use presents a significant security risk.

These passwords, often documented in instruction manuals, are intended for temporary convenience. Relying on the customer to proactively change them, however, is itself considered a product vulnerability.

Hirsch System Lacked Password Change Prompt

Specifically, customers who installed Hirsch’s door entry products were not given any prompts or requirements to modify the default password during setup.

This oversight allowed for the vulnerability to persist across numerous installations.

CVE Designation

Eric Daigle has been formally credited with the discovery of this security issue, which has been assigned the identifier CVE-2025-26793.

This designation provides a standardized reference for the vulnerability within security communities.

Security Flaws in Door Access and Elevator Systems

The utilization of default passwords on internet-connected devices has consistently posed a security challenge. This vulnerability enables unauthorized access for malicious actors, allowing them to impersonate legitimate users, compromise data, and even commandeer device resources for distributed cyberattacks.

Recognizing these risks, governmental bodies have increasingly encouraged technology manufacturers to move away from the practice of employing easily guessable default passwords.

The vulnerability identified in Hirsch’s door entry system has been assigned a severity rating of 10 out of 10, reflecting the simplicity with which it can be exploited.

The exploitation process is remarkably straightforward. The default password, openly published in the system’s installation manual on Hirsch’s official website, can be directly entered into the publicly accessible login interface of any susceptible building’s system.

According to a blog post by researcher Daigle, the discovery occurred in 2024, beginning with an Enterphone MESH door entry panel located in Vancouver. Utilizing the internet scanning platform ZoomEye, Daigle identified 71 systems still operating with the manufacturer-supplied default credentials.

Access granted via this default password extends to the MESH system’s web-based administrative interface. This interface is used by building management to control access to crucial areas, including elevators, shared spaces, and individual office and residential door locks.

Importantly, each system displays the physical location of the building where it is installed, providing immediate knowledge of the compromised location to anyone successfully logging in.

Daigle asserts that gaining unauthorized entry into any of the identified buildings could be achieved within minutes, and without raising any immediate alarms.

Potential Impacts of the Vulnerability

  • Data Breach: Unauthorized access to building systems could lead to the compromise of sensitive resident or employee information.
  • Physical Security Compromise: Malicious actors could gain physical access to restricted areas within buildings.
  • System Disruption: The system could be hijacked to disrupt normal building operations.
  • Cyberattacks: Compromised systems could be used as launchpads for broader cyberattacks.

Elevator access and door locks are both directly controllable through the compromised system, presenting a significant risk to building security.

Security Update Scheduled for March

TechCrunch became involved because researcher Daigle found that Hirsch had no established channel through which the public could report security flaws.

Mark Allen, CEO of Hirsch, did not initially answer TechCrunch’s inquiry directly, instead referring them to senior personnel. After the report was published, however, Hirsch confirmed that a security patch would be deployed in mid-March.

This patch will mandate a password change for the default administrator account upon system activation.
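The fix described here, and the missing prompt described under "Hirsch System Lacked Password Change Prompt", amount to one control: a factory administrator account that can authenticate but cannot get a working session until its default credential has been replaced. The Python below is an added illustration, not Hirsch's code; the default value is a constructed placeholder and the account model and strength rule are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed placeholder: the vendor's real documented default is deliberately
# not reproduced here. Anything equal to it is rejected as a new password.
DEFAULT_ADMIN_PASSWORD = "FACTORY-DEFAULT-PLACEHOLDER"
MIN_LENGTH = 12  # assumed policy value


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool  # stays True until the factory credential is replaced


def factory_admin() -> Account:
    """Account state as shipped: default credential set, change still pending."""
    salt = os.urandom(16)
    return Account("admin", salt, _hash(DEFAULT_ADMIN_PASSWORD, salt), True)


def verify(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.digest)


def login(acct: Account, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok'.

    A correct factory password never yields a full session; the only action
    the caller may offer in the 'change_required' state is set_password().
    """
    if not verify(acct, password):
        return "denied"
    return "change_required" if acct.must_change else "ok"


def set_password(acct: Account, current: str, new: str) -> bool:
    """Replace the credential; refuses the documented default and trivial reuse."""
    if not verify(acct, current):
        return False
    if len(new) < MIN_LENGTH or new in (DEFAULT_ADMIN_PASSWORD, current):
        return False
    acct.salt = os.urandom(16)
    acct.digest = _hash(new, acct.salt)
    acct.must_change = False
    return True
```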

Hirsch also stated that shipments of new Enterphone units will be paused until the patch is fully implemented, resolving the identified vulnerability.

Furthermore, existing customers have been contacted with notifications urging them to update their Enterphone web consoles with strong, unique passwords.

The company expressed gratitude for the efforts of security researchers in pinpointing potential risks and bolstering overall cybersecurity.

Future Security Reporting

Hirsch intends to establish a dedicated security reporting page on its website, enabling members of the public to directly submit reports concerning security vulnerabilities.

This article was updated to provide clarification regarding the second paragraph, and on February 28th to reflect Hirsch’s acknowledgement of the impending security fix.
