This one literally hits close to home since our building uses them and has been dealing with break-ins recently. --I don't think the thieves around here are smart enough to figure out how to exploit this vulnerability vs just ringing numbers until somebody lets them in, but we can't know for sure yet.
Most people here don't have a screen to see who's at the door - it was a pretty significant cost to upgrade to that. As a result, not every floor even has the necessary hardware installed for people to install them after the fact.
It also seems incredibly incompetent to create a password system that doesn't have a rate limit as a basic precaution against brute force attacks to begin with.
This reminded me of a hack/cheat someone implemented for a video game called Rust (Rust is a multiplayer survival FPS where players can build bases). The game has code locks on doors, 0000-9999. What the person did was isolate the network packet sending one attempt at the code lock, and the using networking tools and a bit of automation, sent a stream of all possible permutations towards the server. Apparently people who were in the vicinity of a person employing this cheat heard a steady stream of beeps (each attempt did a short beep noise), and then inevitably the combination was found and the lock was cracked... if I recall correctly it took less than 6 minutes for it to go through all attempts and gain access to another player's base, and their treasures. After the developers heard of it, they implemented rate limiting and a small amount of 'shock' damage to the player to resolve the issue.
13 comments
[ 2.9 ms ] story [ 40.9 ms ] threadI can't believe Apple isn't suing them for similarity in name to iPhone.
It also seems incredibly incompetent to create a password system that doesn't have a rate limit as a basic precaution against brute force attacks to begin with.