Apartment Building Security Disaster: How Default Credentials Left Doors Wide Open
AI-created, human-edited.
When security researcher Eric Daigle walked past an apartment building with an interesting-looking access control panel, he couldn't have known he was about to uncover one of the most alarming physical security vulnerabilities in recent memory. What began as a casual curiosity while waiting for a ferry would reveal a security nightmare affecting hundreds of apartment buildings across North America.
The Discovery
In the latest episode of Security Now (#1014), Steve Gibson detailed this troubling discovery that began when Daigle noted the "MESH by Viscount" brand name on an apartment building's access control panel. With some time to kill before his ferry arrived, Daigle performed a quick Google search on his phone.
His search led to an installation guide that revealed something shocking: the system used default administrator credentials - username "freedom" and password "viscount" - for its web management interface. Even more concerning, the guide merely stated these "should be changed from the defaults during the software configuration process," with no enforcement mechanism.
From Bad to Worse
What makes this vulnerability (CVE-2025-26793) particularly dangerous is a perfect storm of security failures:
- Internet Exposure: The management interfaces for these building access systems were exposed directly to the public internet
- Default Credentials: The username "freedom" and password "viscount" remained unchanged in a startling number of installations
- Easy Discovery: The login page's title "FREEDOM Administration Login" made finding vulnerable systems trivial through a simple Google search
- Catastrophic Access: Once logged in, an attacker could unlock doors remotely and access detailed resident information
Gibson explained how Daigle's investigation revealed that of the 742 exposed systems he found, a shocking 43% still used the default credentials. This meant anyone could potentially access these apartment buildings with a few clicks.
A Privacy Nightmare
Beyond the physical security implications, the vulnerability exposed deeply personal information. Once logged in, an attacker could access:
- Full names of residents mapped to their unit numbers
- Complete building addresses
- Detailed logs of residents' comings and goings
- Residents' phone numbers
As Eric pointed out, "We can now easily determine that, say, Jon Snow of Unit 999, 123 Bear St Vancouver BC comes home every day at 6pm" - creating a significant privacy and safety risk.
Remote Door Control
Perhaps most alarming was the ability to remotely unlock doors. The FREEDOM system's web interface included an override function that allowed anyone with access to unlock entrances with a simple click. "So I can break into this building in about 5 minutes without attracting any attention whatsoever," Daigle noted in his findings.
Vendor Response
When Daigle responsibly disclosed the vulnerability to Hirsch (the current vendor of the MESH system), their response was disappointing. Rather than taking proactive measures to address the widespread security failure, they simply stated that "these vulnerable systems are not following manufacturers' recommendations to change the default password."
As Gibson pointed out, this response ignores fundamental security principles:
- Internet-facing security systems should not rely on users changing default credentials
- Building management systems should not be exposed to the public internet by default
- Critical security systems should generate unique credentials upon installation
The Larger Lesson
This case study highlights what Gibson called "a governing rule of computer abuse" - that "the easier it is to abuse, the more often and likely it is to happen."
The FREEDOM Administration Login vulnerability represents what Gibson described as "fruit [that] has fallen from the tree and is lying on the ground waiting to be picked up or kicked around." Unlike complex vulnerabilities like Log4J that require sophisticated exploitation, this issue requires no technical skill whatsoever.
"It's been a long time since we've encountered anything that's been begging this loudly to be abused," Gibson remarked.
What Could Have Been Done?
Gibson outlined several fundamental design improvements that could have prevented this security disaster:
- Web servers should only be bound to internal networks, not exposed to the internet
- There should be no default usernames and passwords - systems should generate unique credentials on first boot
- Modern password managers and browsers make managing complex credentials much easier than in the past
- Critical systems should enforce strong authentication practices
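The principles listed in the vendor-response section and the design improvements above come down to a few concrete controls: no shared default account, a unique credential generated at first boot, a forced password change on first login, a refusal to accept the vendor default, and a management web server that only binds to an internal address. The following Python is an added illustration of those controls, not code from the Security Now episode or from the MESH/FREEDOM product; the credential-store layout, the function names, the allow list of internal networks and the sample addresses are all assumptions constructed for the example (the "freedom"/"viscount" strings appear only so the policy can reject them).

```python
"""Added example (not the vendor's code): first-boot credential provisioning and a
login policy for an internet-connected access-control panel. Store layout, names
and sample addresses are constructed assumptions for illustration."""
import hashlib
import hmac
import ipaddress
import os
import secrets

# The vendor defaults named in the article; kept only so the policy can refuse them.
DEFAULT_USERNAME = "freedom"
DEFAULT_PASSWORD = "viscount"
MIN_PASSWORD_LENGTH = 12

# Assumed deployment layout: the management web server may bind only to these
# networks. The wildcard address (0.0.0.0 / ::) is refused separately below.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def build_legacy_store():
    """A store as shipped with a shared default account (constructed for the demo)."""
    salt, digest = hash_password(DEFAULT_PASSWORD)
    return {DEFAULT_USERNAME: {"salt": salt, "hash": digest, "must_change": False}}


def provision_initial_admin(store):
    """First boot: create a per-device admin with a random password instead of a
    shared default. Returns the one-time password to show the installer, or None
    if the device was already provisioned."""
    if "admin" in store:
        return None
    password = secrets.token_urlsafe(18)  # about 144 bits of entropy
    salt, digest = hash_password(password)
    # must_change forces the installer to pick their own secret on first login.
    store["admin"] = {"salt": salt, "hash": digest, "must_change": True}
    return password


def verify_credentials(store, username, password):
    record = store.get(username)
    if record is None:
        # Burn a hash anyway so an unknown user is not distinguishable by timing.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def login(store, username, password):
    """Returns 'rejected', 'change_required' or 'ok'."""
    if not verify_credentials(store, username, password):
        return "rejected"
    if store[username]["must_change"]:
        return "change_required"
    return "ok"


def set_password(store, username, new_password):
    """Policy: refuse the vendor default and short secrets, then clear must_change."""
    if new_password == DEFAULT_PASSWORD or len(new_password) < MIN_PASSWORD_LENGTH:
        return False
    salt, digest = hash_password(new_password)
    store[username] = {"salt": salt, "hash": digest, "must_change": False}
    return True


def uses_default_credentials(store):
    """Self-check a deployment can run at boot: does the shared default still work?"""
    return verify_credentials(store, DEFAULT_USERNAME, DEFAULT_PASSWORD)


def management_bind_address_is_internal(addr):
    """Refuse to start the management web server on a public or wildcard address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or :: binds every interface, WAN side included
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


if __name__ == "__main__":
    legacy = build_legacy_store()
    print("legacy store still accepts vendor default:", uses_default_credentials(legacy))
    store = {}
    one_time = provision_initial_admin(store)
    print("first login with generated password:", login(store, "admin", one_time))
    set_password(store, "admin", secrets.token_urlsafe(16))
    print("default accepted after provisioning:", uses_default_credentials(store))
    # 192.0.2.7 is a constructed, documentation-range stand-in for a public address.
    for addr in ("127.0.0.1", "10.20.0.5", "0.0.0.0", "192.0.2.7"):
        print(addr, "internal:", management_bind_address_is_internal(addr))
```

The two checks worth wiring into a real device's startup are `uses_default_credentials` (the shared default is a fault the device can detect itself, so it should refuse to serve until it is gone) and `management_bind_address_is_internal` (the server should fail to start rather than silently listen on every interface). The allow list is deliberately explicit instead of relying on a generic "is private" test, because the deployment, not a library heuristic, should decide which networks count as internal.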
Listen to the Full Episode
To hear Steve Gibson and Leo Laporte's complete discussion of this alarming security failure, along with other major security stories including Apple's encryption standoff with the UK government, the record-breaking $1.5 billion cryptocurrency heist, rare OpenSSH vulnerabilities, and warnings from former NSA leadership about America's cybersecurity readiness, be sure to check out Security Now episode #1014. The episode provides valuable insights for both security professionals and anyone concerned about digital privacy and security in today's increasingly connected world.