Dozens of apartment buildings at risk due to a single default password

Shawn Knight

In a nutshell: Canadian security researcher Eric Daigle recently discovered a security deficiency associated with control panels used to restrict access to apartment buildings across the US and Canada. In short, some operators never bothered to change the system's default password, making it trivially easy to gain access, view activity logs, and more.

Daigle started digging into the system late last year after noticing an interesting-looking access control panel while out and about one day. A quick Google search for "MESH by Viscount" led to a sales page advertising remote access capabilities, and another search turned up a PDF installation guide.

As is somewhat common, the system ships with a default password that admins are encouraged to change (yet according to Daigle, the manual doesn't explain how to do so). Searching the web for the title of the UI's login page surfaced several internet-reachable login pages, and he was able to log into the very first one using the default credentials. That is not a good sign.

Once inside the system, Daigle had the power to unlock any entrance, register new key fobs or delete existing ones, change the floor they are authorized for, and more. He also had access to a multi-year log showing all fob activity as well as residents' full names, unit numbers, and phone numbers. It doesn't take much poking around to pick up on residents' behavior, either. For example, you could easily determine that John Doe leaves for work at 8 am and gets home around 6 pm Monday through Friday.

In total, Daigle found 89 exposed systems in use by apartment buildings. Most of them – 71 – were in Canada, with the rest being in the US.

The researcher reached out to the system's vendor, who said that admins are not following the manufacturer's recommendation to change the default password. The issue has been designated as CVE-2025-26793, with a critical severity score of 10. A senior product manager told TechCrunch that the company had reached out to customers about following the instruction manual.

 
The biggest problem I've encountered with these entry systems is that a lot of them have an emergency code that EMS, Fire, or Police can use to gain entry. Everyone knew that code at the complex where I lived, so the gate was not secure at all. Fortunately, you still have your deadbolt to rely on. This system sounds a bit different as it apparently controls the locks of individual dwellings. That's kinda dumb from the gate if you ask me.
 
You don't have to go far, the same is happening with Airbnb apartments.. they don't cycle their PIN codes, etc.

No excuse with newer systems, even older systems where a code can't be set more than single use or one day. Should be on the cleaner's list to remove that pin with the master code. I mean the cleaner would have a long-use code anyway. Owner can set up 50 pins at once if lazy.
Now it's WWW

May still be vulnerable to powerful magnets, LED glass removal and a surgical poke or whatever, but those thieves will get in anyway if they're that resourceful.
 
Some of the equipment I deal with, when setting it up, REQUIRES you to change the default password.
Can't be that hard to code it to do that, but I'm guessing most building managers would use the default anyway, or LOL, 123456
 
Imagine breaking into an apartment complex, but instead of lockpicking, you just type “admin123” and the doors swing open like you’re in an RPG with maxed-out charisma.
 
The real horror story here is that a critical vulnerability was assigned a CVE… and the response was basically “did you try reading the manual?”
 
At some point the world will have to transition away from passwords entirely because they will never overcome the human factor of people using terrible passwords if given the option to do so.

Forcing a randomly generated password at setup is better than nothing, but it's ultimately not useful if it makes staff resort to storing the passwords in plaintext somewhere easily accessible. Why on earth this system isn't using a hardware token given its main purpose for existing is to manage hardware tokens is beyond me.
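The setup behaviour the two comments above describe (a panel that refuses to operate on its factory credential and forces a change on first login), as an added example that is not part of the article, the commenters' posts or the vendor's product. The default and weak-list values are constructed placeholders, not the real product's credentials; the remote/local distinction models the article's point that the exposed logins were reachable over the internet.

```python
import hashlib
import hmac
import os

# Constructed placeholder for a factory credential; not the real product's value.
FACTORY_DEFAULT = "changeme"
# Small constructed deny-list of values nobody should be allowed to pick.
WEAK_PASSWORDS = {FACTORY_DEFAULT, "123456", "admin123", "password"}
MIN_LENGTH = 12


def _digest(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2-SHA256 digest, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AdminAccount:
    """Panel admin credential carrying a 'still factory default' flag."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.digest = _digest(FACTORY_DEFAULT, self.salt)
        self.must_change = True  # set at the factory; cleared only by set_password

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password, self.salt), self.digest)

    def set_password(self, current: str, new: str) -> None:
        if not self.verify(current):
            raise PermissionError("current password incorrect")
        if len(new) < MIN_LENGTH or new.lower() in WEAK_PASSWORDS:
            raise ValueError("new password rejected by policy")
        self.salt = os.urandom(16)
        self.digest = _digest(new, self.salt)
        self.must_change = False


def login(account: AdminAccount, password: str, remote: bool) -> str:
    """Session level the panel grants: 'denied', 'change-password-only' or 'admin'."""
    if not account.verify(password):
        return "denied"
    if account.must_change:
        # Factory credential still in place: refuse every remote login, and let a
        # local session reach nothing but the change-password screen.
        return "denied" if remote else "change-password-only"
    return "admin"
```

Until the factory credential is replaced, remote logins get "denied" and a local login can only reach the change-password step; once it is replaced, the old default no longer works anywhere.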
 
Who is to blame, admins or the manufacturer?
Both. The manufacturer for not implementing a secure setup and installation methodology and the admins for not using same. It's pathetic.

The biggest problem I've encountered with these entry systems is that a lot of them have an emergency code that EMS, Fire, or Police can use to gain entry. Everyone knew that code at the complex where I lived, so the gate was not secure at all. Fortunately, you still have your deadbolt to rely on. This system sounds a bit different as it apparently controls the locks of individual dwellings. That's kinda dumb from the gate if you ask me.
Then there's crap like this.
 