The following account was shared by Senior Cyber Security Engineer Onur Oktay and is included with his permission. It is worth reading.
We reproduce it as he told it, without altering his narration.
Here is Onur Oktay's experience in his own words:
“First of all, this incident has nothing to do with the manufacturer. So think independently of the brand. The incident is completely MISSING / FAULTY configuration. It is the type we encounter in most hacking cases.
It all started when thieves tried to enter the site next to our site on our street, which we brag about as being very safe (security is relative!). At 22:00, when everyone was in the park, in front of their house, thieves tried to break in.
They entered the building like everyone else, but could not enter through the apartment doors; that is a separate issue. Here, we will focus on how they can easily enter apartments, buildings or sites. First of all, everyone, such as water carriers and courier companies, knows the passwords of this type of intercom system.”
“Based on this, I decided to take a simple but effective measure, such as changing the default password of the doorphone, with the approval of everyone in the WhatsApp group of the site. I quickly discovered how the doorphone system works by doing a small search for the brand/model number.
Things changed for me from then on. My professional instincts came into play and I started to fiddle around with something called the administrator password and the master key code. I tried different combinations and saw that the master key code can be entered without a PASSWORD by default.
With the administrator password, I could change the number and key combinations of the flats, and the passwords for opening the outer doors. On the master key code screen, I had to enter the password of the administrator operations, which was necessary for me to make all these changes. But it didn’t want a password. 🙂
So let me explain in a language you can understand, “I was under the authority of admin”. After that minute, I could change the password of any apartment, the key combination for ringing, and moreover, the password for the outer door, at my own discretion. And that’s what I did, I changed it.”
“When I did this on our site, I realized that the contractors who gave the electrical work to the people who built the buildings did not know about these works, that is, I discovered a security vulnerability caused by the MISSING configuration. I started to try the same on other sites. Bingo! It happened to all of them.
In Bolu, in the city where I live, I started to fiddle with the intercom system that came before me in different streets, neighborhoods and even public institutions, starting with my own street. The brand and model were changing, but the result did not. I could change the passwords as I wanted.
The worst thing is, it is not only flats, sites etc.; the same systems open garage doors. In short, I realized that there is a security weakness in the whole city, maybe even in most cities, due to the same configuration deficiencies.
The solution and security measure is very simple. PASSWORD is requested when entering the master key, that is, the screen where administrative operations are performed. Of course, there are different ways to pass it, but this is not so simple at least. After all that, I went and assigned an administrator password to the master side, of course. :)”
Based on the experience of Senior Cyber Security Engineer Onur Oktay, we recommend that everyone reading this content take precautions. You can follow him on Twitter or YouTube.