Factory Default Enclosure Lock Vulnerability Examined
Access control systems are typically high security, but a serious, "industry wide" flaw — enclosures secured by default locks opened with common keys — has led to "hundreds of thousands of vulnerable systems," and sparked concern among security professionals.
In this report, we examine why using intercom enclosures with default locks is dangerous, and how this vulnerability makes it easy for intruders to enter buildings using inexpensive keys easily purchased online.
**********
******** ******** ************* ******* ***** **** a *********** ******** ************* — *** enclosure ****. ** ********** *** ** risk, ************ ***** **** ****** ** lock ******* ****** *** ******** ********. This ****** ********* ** ****** ***** and ****** **** ****** ******* *******.
*** '******* ******* ********* *****' ** many ********** *** *** **** ***, and *********** ****** *** ** ********* online. **** *********** ***** ************ ****** to ********* ** ***** ** ****** with * *** *******.
Factory ******* ********* **** ************* ****
******** ******** ****************************** **** ************* ** * ******** intercom *****:
** *** *****, *** ********* **** is ****** ***** **** ********* ******. Once *** **** ** ******, *** override ******** **** *** ******* *** locked ***** *** ******* ********** *** activated, ******** ************ ******.
Companies **** ******* ********* *************
******** ****** ******* / ******** ****** sells ***** **** **** **** ********. These ****** *******:
** ******* *** *** ********* ***** for ******** ** *** **** ******* this *************. ******** *** ****'* ********* are ******** *****.
********* **** **, *******, ********, ****, Commend, *********, *****, *********, *** ******* generally ** *** **** * ******** lock *** **** ****** **********/******, *** use ***** ** ********* ****** *** an *** *** **** *******.
Unsecure **. ******* *************
* ***** ************ ****** ** **** problem ** **** ******** ********** *** typically ********* ******* ** ****** *****/***** and *** ** ****** ******** ** potential *********.
**** ************* ******* ***** ** ** gained **** *** '*********' ( *.*., public) **** ** * ****** ****, which ** *** ******* ** ******* access ******* ****** ********** ** ***** in******** ****** ******* ************* ********.
***** *** ***** *** **** **** to ****** ******** ********** *** ******** when **** ** *** '*******' (*.*., protected) **** ** ******, **** *** too **** *** *** ***** ******** and ****** ******** ** ******, **** as ********-******** ******.
Keri ***: '****** ******** ** ********* ** ********** *******' ** **
* ****** ************** *** ***** ********* ****** *********** ***************.
**** ******** ********** **** ****** ********* the ******* ***** ****** *** ******** installed ** *** ********, ***** ******(~$*,*** ****** *****) *** **********.
****** *** **+ ***** ************** *******, *******, ** ********* ********* hardware ***** *** ***** ** * lock ************ **********.
** *** *******, ****** ****:
*** *********** ** * **** ****** lock, **** ******** ******, *** *** ability ** ****** **** **** ** these ******** ******** ******** ** ********* security *** ****. **creates *** ********** ** * ********* ****** *** to every location that has an intercom systemprotected ** * **** **** *** **** **** **** *** *******. [emphasis added]
**** ***** ***** **** ************* ******** *** *** *******, *** **** "** ** * serious ****," *** **** *** ********* group *** *** ********* ***** ****** brought ** ** ***** *********.
******* **** ** *** **** ****** the ***** ***** ***** ******* ** the ******** ******, ******* ** "** industry-wide *******" ****** "***** *** ****** hundreds ** ********* ** ********** ******* out ***** ** *** *.*."
Keri's ********: ******* *****
** ******** *** ****, **** *********** discontinued ***** *** ********** ******* ******* locks. *** ******* ***** ** * high ******** ******* *************** ************ *** ****** *********** *** ***** unit. *** ***** *** * ****** replacement *** **** **** **** **** ~$20, *** *** ******** ** ** resistant ******* ******* **** ** ******** and *******:
*** ********** ********* *****, ********* *** their **** ******* *** ***** ********/**** old ********** ***** *** *** ****. To *** *** ****, ********* **** work ******* * ******* ******* **** clearly *********** **** *** * ******** owner/manager ****** *** **** *** ******.
*******, **** ** *** ****** *** cost ** *** **** ** ******* call ** ******* ******** ******** *****.
******* **** **** *** ******* **** not ****** *** **** ** *** replacement ******** ** ** **** **** "a *** **** ** *******" *** lock. *** *** ***** **** **** dealers **** ******** **** *** ****** routine ******* ***** ** ***** ********** scheduled *********** *********.
DoorKing's ********
******** **** *** ***** **** **** taken ******* ******** **** **** **** factory ******* *** '*****' ****-******** *****, individual ****** **** ******** ****, *********** the ********* ****** ** *******/**** '********' contacts, *** ***** ********** ******* *** the *****.
*******, **** ** *** ***** ***** still ******* ********** ******* ** '***-**' to ******* ******** *** ***** ***** (the ******* ******* ****** **** **** be ******* ****** *******), ******** ********* units ****** **********, *** ****** ***** switches *** ***** *** *********.
Post ****** *********
** ** *** **** **Default ********* for network devices, factory default enclosure locks are typically used to address convenience and give the illusion of security, but little more.
**** *** ********, ******** ****** ***** are **** ** **** *********, *** example, **** **** ** ****** *** postal ******* ** **** ****, *** anyone **** *** ****** *** *** gain ******, ********** ** ***.
**** ************* ******** ******* ********* **** boxes ** ***** ** *** ********* example *****:
**** **** ** ***** ********* ** mitigated ** ********* *** ********** *********** locks ***/** ******** ********** '**** ****** keys' **** ** ****** ******** ** access ****** **** ************.
The *******: ******** *****
******* ****** ********* *****, ********* ***** are ********* ******** ***** ** ****** cost ****** **** ********, ** *** result ** **** ***** ***********, ***-******** locks *** **** ********* ** ******* BOMs *** *****, *********** ******* ******* security **** ************* ** *********** ****:
Default **** ************* ******* ********
*** **** **** ** **** ******* to **** **** ******** **********, *** also **** ***** ** ***** ******** as ****.
***-***** ******* '*********** ****' **** **** many ****** ******* ********* ****, ***********/**********, and **** ****** ******** *** ********* for ******** ******. ****** *** ******** ** ** ***** ***** ** keys *** ***** ~$**:
*** ***** ***** ************ *** * default *** ********* *** ******** ****** on * ****** ***** ** *********:
** **** **********, ******** *** **** use ********** ****** ***** **** **** been ******* **** **** ****** ******** in ***** ** ******** *** ***** of ******* **** ****.
DoorKing **** ********
********'* **** ***** ** ****** *****:
*** ***** **** **** **** ** these ******* *** ** **** *******, but *** **** ************* ** *** availability ** **** ** *** ******** as *** **** *****. **** ** an ***** **** *** **** ******** locks, *** **** ***** ********** ** well.
******* ************ ** **** ****** *********** want * ****** **** ****** *** servicing ********* ** ** ***** ** impractical *** **** ** ***** ******** of ********* **** *** *** ******* that **** ********.
******** **** *** **** ***** ** keys ******** ** ******** **-******* ** consumers. *** ******* *** *** ***** are ******* ** **** *** ******* and ************ *** **** ** ******* with **. *************, ** ****** ******* who *** ******* *** ************ **** locksets ** **** **, **** ** which *** *** ********* ****** *** the ****** *********.
**** *** *****, ** **** *********** the ********* ***** ** ** ******* to ******** **** *****:
- *** ******** ****** ******* *** ******* with * ******** ******** **** ******. Our ************ ****** *** *********/***** ** change *** ******* **** **** *** randomly ******** **** *** ***** ******** against ************ ****** **** *** ******.
- ** **** ********* ******* ********* ****** lock ******* **** ********** ** ****** can ***** ** ******* *** *******-******** lock ** **** ******.
- ** ***** *** ******** ** ***** keys ** *** ******* *** ************ to **.
- ******** *** ****** ******* ******** **** changed ** ********* ******* *** *** different **** *** ******* ******* **** in ***** ******* ***** ** ***********.
- *** *** ****** *** *** ******** we *** *** *** ******* ********* through ********** *** ** ** *** sell *** ****** (*** ****** *** only ** ********* **** *** ******).
- ******** ** *** **** ******* ******* were **-******** ** ******* ****** ******* mechanisms.
- ****** ******** *** ***** ***** ***** will ******* ** ***** *** **** the ******* **** ** ******.
** *** ********** ** ******* ********* methods ** ***** ****** ** **** via *** ******** **-*******. *** *********** department ** **** ********* ********* ******* to ****** *** ****** **** *** accessibility ** *** *******.
***********, ** ** **** *** **** whole ************ **** ** *** **** customer **** ******** **** ** ***** style ******** ** * ***** ***** (different ******). *** *** **** **** has *** ********* *********** ***** **** the ****, *** *** **** ********** and *** ***** *** ****. **** switches **** ******-******* **** *** **** of *** ******** *** *** **** used *** **** *** ********* *** strictly ********** ** *** **** ********** and **** ..... *** *** ***** (third) *** ******** *** *** ******** enclosure ****, **** **** ******, ******* free ****** ** *** ******* ****** of **** *** ** *** **** keyswitches. ** **** ***** *** ***** could ** ****** ****** ** ******** either *** ** ** **** ********* wiring ********.
*** **** ********* *** **** ****** on *** *** ******** (*** **** King) **** ****** *** *** **** King ******** *********.
*** ******** ** ****** ****** *** the ********* ****/*** ** * **** unique ****** ** ********** * **** one, *** **** ******** ******** ***** rather ****** **** *** *** * serious ***** *** *** **** ********* about *** ** *** **** **** (rightfully **) *******. ** ***** **** unless *** ***** ** ** * high-risk/high ***** ****, *** ********* ** someone ******* *** ********* *** ******** around **** *** ****** ** ******* a **** ** ********** *** ***********, and ** **** ** *** ********* don't ***** * *** *** **** access ** ********** *********** *****, **'* not ** **** **** ** ** appears.
*********** ** ***** *** ********* ** the ******* **** ****** *** *******. I ****** ** *** ************* **** pay *********.
* ***** **** **** **** ******** the **** ******/******** ******** ** * secured ***** ** *** ********* **** goes * **** ***.
*** *******, ******* **** **** ***********. From******* *** ******** ******:
**** * *******... *** ** ******** based ******** *************** **** ****** (** at ***** **** **** ****** ** than ******) ******* ****** ******* *********, wouldn't *** ******** ********** ** *** having ******* ******* ********* ***** **** sense? ***** ************ ************ ****, *****?
** ***** ***** *** ******** **** per **** *** ***** ********* ** the *****. ****, ** ***** **** the ************** ** ******** ******** *** enclosure ** *** ********** (*** ****** be *********** ** *** ***** *****). This ** * **** ***** **** might ** ****.
**********, ******, *** *********** *** *** enemies ** ******** *** ********* * factory ******* ***** *** **** ****** like * *********** ** **.
****** ****** **** ********** ****** ****.
** *** "*****************" (***) ***** *** "**** *** would ***** *** **** **** - ROFL"
***********@******** ** *** ** *** **** ever ***.
****** ****** *** ******* ***'* ******* at ********! **** ** ** *** it ** ***** ********:
** ************ *** *************** ** ******* locks *** **** ** ****** ************* about *** ***** *** *********** ** flawed **** ******* *** *******. ** admits **** ******* ****** ** **** enough ***** ***** ***** *** * huge ********.
* ********** *** *********** ** '******** through *********' *** *** **** ** such * ****** *******.
* ** *** ****** ***** ** this ***** *** * ***** ** needs ********* *** * **** ******* seen ** ********* *** **** ** the ***** ** *** ****** **** I *** **** * **** ****** existing ******** ** *** *****. * have ****** ******* ** **** ***** for **** ** ***** **** ** an ********** *** ** ** *********** manufacturers' **************. ** **** ******** **** I *** *** *** ***** ***, the ********** ***** *** ******* *********** passcode ** *** ******. *** *** readily **** ******* ****** **** **** these *********. ******, ******** ******** ***** on ********** *** ********, **** **** everyone *** **** ***** ****. **** is **** ******* **** *** ** be **** ********* *** ***'* **** to *** * ****** *** *****. I **** *** ****** *** *** time, ****** **** ***** ***** ** fobs. *****, ******** ******** ***'* ****** people ** **** ****. * **** seen ** ********* *** * ***** on *** ******. **** **** ********* the ****** **** **** *** *** instead ** ******** ******* **** *****.
*** ***** *** ****** *** ******* installing * *** **** ****** **** and **** * **** ******* ** the **** ** ***** **** ** simple ******** ** **** *** ********* and ***-**** *****. * ****** **** property ******** **** ** ****** ** a ******** ****** *** ** *** lease ********* **** *** ******** ***** you *** ****, ** *** ***** it **** *** *** $**.** *** a ***********.
* **** ******** ****** ******* **** no ********* *** * ***** *** my ******** *** **** *** * digit ***** **** *** ******* ** a ********* ****** **** ** *** unit ** *** ***** ** *** elevator ** ** ********* ****-*** ******** .
****...*** ****. ** ******** ** **** the ******** ****** *** **** **** for *** **** *** *** ********* the *** ******** ****** *******...****, ******* you ***'* *** ** ***** *** new *** ** *********! ** ***** this ***** ** ***** ********* ***** to *** *** ** *** *******/*******- we're **** ** ********* **** ** give ** * **** *** *** the ***, *** **** ****** ***** happens.
* *** ***** ******** *** ***** of ********* ******* ** ** **** the ****** ****** ********** **** ** the *********** ******** ***** ** **** testing *** **** ***** ****** **** I ******* ** **** *** **** for *** ( * *** ** the **** ***** ********-******-** *** ***** side ** *** ***** ****). **** he *** **, ** ******* ** down **** ********* **** "*'* **** the **** ****** *** ***'* ****!!" and ******* **** ** *** ********* in * ****. *** ********* *** minutes **** ****** *******. ****** ***** seem ** *** ** **** *** other ***** ** ****- *** ****** be ***** **** *** ******** *** isn't **** ******* ****** **-**** *** their **** ** *** ** ** I ****'* *****, * ****** ******...
* ***** **** ** **** ** we **** ** ***** ** ****** in * **** ** ****, ********** security... *********** ******* **** *** ************* and *********** **** ***-******** ********. ** I **** *********, *********** ** *** enemy ** ********.
* *** ** **** ** ******* sadly **** ** ***** ******** *******. As **** ** ** ***** ********* in *** ***** ** ***** ** provide, ********* ******* **** **** ** have *** ******** ********* *** **** so **** *** ***** **** **** done *** ********* *******.
>****** ******* ******* *** ********* **** security
***** ***** *****, * ******** **** the ******* *********. ****** ******* ** not * ******** ******, *** ***** be **** ** ***. * ***** deal ** *** **** **'* **** keeping ****** ****** ****** ** ********* 'pretty **** **********'. ** *** *** video *** *******, ******** ***** ** over **** **** *** **** ** from *** ****** ** **** ***** the **** **** ** ******* *** enclosure. *** ** ***** ** ** least ********** ***** **** ** * notification ** ** ***** * *** that *** ***** *** ******.
*****. **** *******.
**** ** * **** ******* ** multifamily ******* ********** ***** **** **** is *** *********** ***** ** ********* entry ****. **** ******* *** ****** these ********** **** * **** **** key ** ***** *** **** **** with * *********** ** **** ****** to *** ****** ****. **** ***** occurs ** **** **** ** * camera **** ***** ** * ********* of *** ******.
** * *******, ** ****** ********* upgrading *** *** **** ** * higher-security **** **** ** * ******. At ****** **** **********, ** *** be ********* ** ******* * ********** metal ****** **** ****** *** ****** front ** *** ****.
******* ******** ** ** ******* * tamper ****-*** ******* **** ********** *********** the **** ** ******** ****** **** the ***** ** *** **** ** opened. **** ******* *** ** *********** using * *** ****** **********. ****** ****** ******* *******-********* *****
*** **** * ****** **** *** circuit **** **** *** ** *** components ** **** ******* *** ******* by ****** ** *** **** ** the ****** ***** ****? *** *** doesn't *** *********** *** **** ** at *** **** **** ******* ** the ******** *****? ******'* **** ********** the **** ***** ** ***** *****?
****,
***** ** * ****** **** **** on *** *******. ********** ** *** right ** **** **** ** ******* on *** ****** **** ** *** door. *** *****, ***, *** ***** switch *** ********* ********* ** * metal ********* ******* ********* ****** *** building.
*********- * ****'* ****** *** **** to *** *******. * *** **** you're ***** ***** *** *** **** of ** ******** ******* *****-*** *****'* screwdriver *** **** ** ** *** main **** ********? ** **** **** a ***** ** ********** **** * B.S. ***** ***** ******* ****** *** in, **** * ****** *** ***?
******* **'* ************* ** *** *** telephone ***** **** ** ****** ** such * ********* **** **** ********** is *********** **** * ***********.
** *** ****** ***** ***** ** reinforce *** **** *** *****, **** as ********** ******** *********, ***** **************, etc. ******* ** *******, *** ****** a ****** ** ***** ** ****** protect *** ******** ****, ****, *****, and ***** *** **** ** ************ harder ** **** ****** *****.
**** **** **** **** * ******** relay ******* ** *** **** ***** Security *****?
** *** ***** ** *** ** our ******** *************.
******* ** ** ******** **** *******. Over *** ***** * **** **** so **** ********** ****** ***** **** the ******* **** ** ****. ** is ** * ***** ***** ** I *** *** ** ***** ***** I ****** ****** *** ********** ** see ** ** ** ** *******. I *** **** ***** ** * times ***** * **** ******** **** one **** *** *******. ***** *** common ** ************ ***** ***** ********* walls *** *******.
****** ******** *** *******!