Breaking into apartment buildings in five minutes on my phone

Default Passwords and “Secure by Default”

  • Strong agreement that “recommendations” to change default passwords are inadequate; systems should force unique, strong credentials before use.
  • Many note consumer routers already ship with per-device printed passwords or QR codes; there’s “no excuse” for static defaults on security products.
  • Some point out that many “unique” Wi‑Fi passwords follow predictable patterns and can be brute‑forced; admin passwords are often weaker than Wi‑Fi passwords and more dangerous.
  • Several argue this class of issue is exactly what modern “secure by design/default” regulation (e.g., in the EU) is meant to fix.
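As an added illustration of the two points above (per-device credentials that are genuinely unpredictable, and a first-use gate that refuses to operate until the factory credential is replaced), here is a small Python sketch. It is not code from the article or from any vendor discussed; the `AdminPanel` class, the `patterned_default` scheme, and the denylist are hypothetical and constructed for the example.

```python
"""Added example: what "forced unique, strong credentials before use" looks like."""
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits      # 36 symbols
MIN_NEW_PASSWORD_LEN = 12
DENYLIST = {"password", "admin", "123456", "1234"}     # constructed sample


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def patterned_default(serial: str) -> str:
    """Hypothetical weak scheme: a 'unique' password that only varies in the
    last four serial digits, so at most 10**4 guesses cover every device."""
    return "wifi" + serial[-4:]


def random_default(length: int = 16) -> str:
    """Per-device factory credential from a CSPRNG: ~83 bits for 16 symbols."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_strong(candidate: str, factory_password: str) -> bool:
    """Minimal policy: long enough, not a well-known default, not the factory value."""
    return (len(candidate) >= MIN_NEW_PASSWORD_LEN
            and candidate.lower() not in DENYLIST
            and candidate != factory_password)


class AdminPanel:
    """Hypothetical access-control panel: the factory credential unlocks
    nothing except the password-change step until it has been replaced."""

    def __init__(self, factory_password: str) -> None:
        self._password = factory_password
        self._factory = factory_password
        self._changed = False

    def login(self, password: str) -> str:
        if not secrets.compare_digest(password, self._password):
            return "denied"
        return "ok" if self._changed else "must_change_password"

    def set_password(self, current: str, new: str) -> bool:
        if not secrets.compare_digest(current, self._password):
            return False
        if not is_strong(new, self._factory):
            return False
        self._password, self._changed = new, True
        return True
```

The entropy helper makes the Wi‑Fi point concrete: four varying digits give about 13 bits, while a 16-symbol CSPRNG credential gives over 80.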

Usability: Wi‑Fi Passwords, QR Codes, and OCR

  • Holiday rentals often expose the router’s default printed password, which is hard to type but still default.
  • Multiple people recommend QR codes and phone OCR as a practical way to share complex Wi‑Fi passwords; both iOS and Android workflows are described as easy.

Physical vs Digital Building Security

  • Many say breaking into buildings is already trivial: buzzing random units, claiming to be delivery, tailgating, or using obvious gate codes (repeated digits, 911 variants).
  • Others stress that IoT access systems add new risks: they centralize control, track every key-swipe, and when exposed online allow remote door control, stalking, and timing burglaries.
  • Some recall prior insecure systems (IR fobs like TV remotes) and anecdotes of mass router compromises via default credentials.

Responsible Disclosure Debate

  • One camp calls the public writeup “highly irresponsible” because residents never chose the system and may now be at greater risk; they argue more time or government/tenant outreach was needed.
  • Others say attackers could already trivially find and exploit these panels; secrecy only protects vendors. Public disclosure plus a ~7‑week vendor window is framed as responsible and necessary.
  • There’s explicit acknowledgment of a “trolley problem”: acting may enable some harm but inaction leaves everyone unknowingly exposed indefinitely.

Legal and Classification Questions

  • Some ask whether logging in with default creds violates computer crime laws; replies reference differing jurisdictions and argue blame should fall on negligent vendors.
  • A minority think issuing a CVE for “defaults not changed” is melodramatic; others counter that internet exposure plus vendor inaction justifies it.