These security products that provide a default username/password and Internet exposure deserve to be much more harshly regulated as this disclosure could quite literally cost someone their lives.
2025-01-29: Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password
Such a poor excuse from the vendor where their product can be used to grant physical access to people’s homes.
It’s one thing to do it at first and convince yourself that users will do the right thing.
It is another thing when you have evidence that it is being done wrong and continue to refuse to fix it.
I often see something similar in UX. My favourite was a site that put a placeholder in their chat box “This is a shout box not a search engine”. So they realized that users were looking for a search box and that the chat box was being mistaken. But instead of adding a search box or making the chat box look less like a search engine they just added text. “No, the users are wrong”
Security issues aside, electronic entry systems for apartments make me very uncomfortable. I don’t want my landlord to know when I’m home or at what time I left, and I especially don’t want them to be able to lock me out or let themselves in.
Where I live (.at), landlords are not allowed to enter a rented space except in very few circumstances (e.g. imminent danger) and tenants have the right to even change the locks to enforce that. That (and GDPR) would make abusing these features illegal here, but that doesn’t prevent such transgressions, only punishes them if found out.
Commonly (and based on the logs this appears to be the case) these will be used at the front entrance and maybe elevators but the unit door will be a “regular” key.
But even then I think almost all landlords will keep a copy of the key so really all this can do is let them lock you out without changing the locks.
So overall I don’t think it changes much here. If anything the logs would help you prove that they came in without permission.
You’d think they would have tried to contact their customers.
Some people should not be selling equipment.
Sweet baby Jesus on a heavily modified 1000cc motorcycle, this is the most horrifying IoT story I’ve heard in years.
Now do it for ButterflyMX https://butterflymx.com/