Rode with a guy to visit a friend in a gated community. We didn't know the access code for the gate but the guy I was with is an Amazon delivery driver.
"Let's see if I can't get us in," he said. He got out of the car, walked over to the access panel and looked on top, bottom and sides. Then he punched in some numbers and the gate opened.
Turns out, so many people in gated communities and apartment complexes order things from Amazon, and other delivery services, and want front door delivery but don't give them any way to get in. Eventually, some frustrated driver who gets the code will write it on the side of the access panel to help everyone out.
"Apartments are awful," he said. "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."
> "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."
This is a huge misconception about GenZ. Unlike Millennials and GenX, who had to hack around on PCs to figure out how to torrent, run games, build our own LANs for local multiplayer, and generally avoid our parents' prying eyes, GenZ has grown up on devices. You don't modify the OS on devices. You don't hack around on devices; apps tend to just work with little configuration. GenZ is entering the workforce with lower baseline computer / computer security skills than people think they have.
Same I just was talking with my daughter (16) about this because she hated her intro programming class in high school. No biggie if it isn't for her, slightly disappointing that I can't share knowledge, but she should pursue what she enjoys.
What irked me was she claimed "I just hate being on the computer", but her screen time on the phone easily crests 8 hours daily. Maybe we are just entering a similar phase to auto mechanics. In the 1950s anyone who owned a car was at least somewhat proficient in its inner workings, now many people need to consult the manual to figure out how to pop their hood.
I saw someone joke that there's only one generation in the history of mankind that knows how to set the time on a microwave. Our parents couldn't do it. And now our children can't do it.
[Millennial take] When older generations say "the kids these days are so good with computers", it's because they are incorrectly inferring competence from confidence. In a way, the kids are more capable, but mainly because of attitudes rather than knowledge.
The devices the (grand-)kids are using are much more explorable and idiot-proofed. Nobody is going to make a single "dd" typo and erase their drive.
Definitely. I recently taught a class with a practical computer component and many undergraduates seemed to have a hard time understanding where their files were saved -- even at a GUI level, not talking about the command line. But it makes sense if their primary tech experience was with phones and tablets. The idea of a file system may never have occurred to them (even if most phones and tablets really run a UNIX-derived OS behind the scenes).
GenZ also grew up in an era where doing anything mildly interesting on a computer risks getting expelled and having the feds called. The shit I did to learn my trade as a kid would absolutely not fly today.
Well - kind of. PC gaming is bigger than ever before, and PC gaming was how a lot of my generation got into computers.
My nephew for a while was very much one of those "grew up on devices" kind of kids - until he got off of gaming on phones and tablets, and got a gaming PC. Now he's reading about technology and tinkering and stuff.
I don't know if it's a "uses tech" issue or just not realizing the steps needed. Even we knew you had to go to the campus gate to meet Dominos after dark (when the gate would be automatically closed).
There was no fancy intercom ability to remotely open it.
I realized this while working as a tutor for programming students at my college back in 2013... When people would ask or say they didn't know or understand really basic computer things (I can't remember what it was) I still showed them what they were, but I realized, not everyone grew up with computers the way I did. Some explore, but most people don't necessarily explore.
I think people who grow up with computer games have a lot more exposure than normal users. Smartphones somewhat made computers irrelevant for most people.
I noticed that even the generation that came after me (I was born in the 70s) produced IT engineers with a bit less skills because they've never had to mess stuff. People these days are afraid to mess with the windows registry even. I used to manually patch blocks together when I deleted a file by mistake.
These skills are getting less and less useful though now that everyone is happy to give up their privacy to big tech in return for something that 'just works' :(
"with lower baseline computer / computer security skills than people think they have."
I fear this is true with most life skills. Things are easier and it seems kids today are just handed more stuff. The freedoms and expectations in many areas are lower. Kids don't grow up due to age, they grow up due to experience. It seems we are pushing that farther down the road with each generation.
Yeah, I know someone who works in a high school and the average skill level is "struggles to figure out how to save a document on a USB stick". Kids know how to press the power button on an Xbox or tap an icon on their iPhone. The staff member I know is aware of ONE kid in the entire school who has used Linux. When I was a kid, basically every single kid who had a computer at home (and actually used it) knew how to defrag the hard drive (and probably install Windows lol), set IRQ values for their sound card, all that kind of stuff -- because you had to know this to even use it. My friends and I went on BBSes and later stuff like IRC and Hotline, ran Linux or pre-release versions of our respective OSes, set up our own bedroom LANs and personal game/web servers, etc. etc..
Indeed, as you say, I learned a lot about computers simply by wanting to circumvent the limitations that school admins put on the computers (especially as I wanted to utilize the full power the computers provided, as opposed to some sheltered/limited experience -- "At Ease" -- surprisingly reminiscent of smartphones/tablets today)... I went to great lengths to regain net access when my parents repeatedly revoked my access, again another huge learning opportunity.
Ahh, the modern version of the written note under the keyboard...
In my area, there is a universal access key (physical) for postal service and newspaper delivery people. So if you want access to a random building, all you need to do is apply as a newspaper delivery guy, or, find one that is willing to give you that master key. To add insult to injury, that type of job is extremely low paying, so much room for abuse.
Fact is, locks and closed doors are there to make the owners feel cozy and safe. If you ever needed a locksmith service and watched them do their job, you know your apartment door is just a prop.
You can just go over to Amazon, search for "pentesting keys" and for the price of a decent dinner you can order oodles of master keys for most everything out in public. Elevators, police and fleet cars, mailboxes, file cabinets, RV external storage compartments, lift gates, tractors, electrical panels, toilet paper dispensers, etc.
When I lived in town, on a street that was somewhat common for people to walk down, twice (that I know of) someone had walked up, tried to open my door, then walked off after finding it locked. The amount of work to break into that house was quite minimal, but apparently a locked door did help.
That's not true. They raise the bar above the bare minimum. Lots of crimes are ones of opportunity. A gate is the difference between 0 effort and some effort. It makes it a bit harder for a petty thief to cruise through and find low hanging fruit.
Modern apartment building. Low rise. Full visibility of courtyard. Cycle gone missing with a baby seat attached. Nothing anyone can do about it. How did they get the key, who let them in, how did they manage to pry open the lock in full visibility? I was seething for a week. But somehow I knew this wasn’t really that big a security challenge for the thief.
I bet you could examine the keypad for wear. The worn keys (or the shiny ones) are the ones for the code.
In the days before cell phones, a burglar alarm would dial the alarm company. The phone company likes to install the phone box on the outside of the building. The alarm is defeated by an axe to the cable going in the box.
I had a fight with the phone company at my house, as I wanted the box on the inside rather than the outside. They finally agreed on the condition that I maintain the wire to the box.
These days, of course, the alarms use wifi or a cell phone to call the alarm company.
That only works if there's a single code? I would think many keypad systems assign a code to each apartment (so the one written on the side is not a master key, just Joe in #303).
Do your alarms not have an actual - you know - alarm? Or won't the alarm go off if it can't phone home first?!
Here in the UK the alarms make a noise as the absolute minimum. Getting one that is "monitored" by a call center is not standard, especially one that calls the cops if it goes off or a panic button is pressed.
You can get those of course, but it costs extra. I pay something like £40-50 a month for the panic button service that will summon the police, but even then the police won't be summoned if just the alarm goes off without a panic button getting pressed (you can get that, but it is even more expensive)
It's far simpler than that. Every gated community I've ever visited, press any digit 4 times. You're in. The only exception is a community with a security guard. The guy obviously isn't just going to let some guy not on the guest list in.
There's a door at work I regularly need to access. It used to be used for another purpose but now is just an extension of the work area. It's got a badge reader and simplex lock but I can't get badge access because I don't actually belong to that work area yet I'm there every day anyway. However, someone wrote the simplex lock code on a sign in very small numbers for this exact purpose. Other simplex locks in the building use the default code you can find online. The whole building is secure so you'd never be able to walk up to these doors without proper credentials, they are mostly just there to keep out the curious or someone looking to borrow tools that they shouldn't.
The point isn't really for these communities to be Fort Knox. It is understood that if someone really wants to get in they will get in, similar to how if someone really wants to break into your house they will do it regardless of what brand of lock you have on your front door.
People live in gated communities because of what the gate represents – a very clear sign telling you and everyone else passing by that you don't belong here.
In a similar vein, 0911 or 9111 will often work too for communities in the US. EMS and other first responders run into the same issue with automated calls or panicked people, so they’ll try that first while waiting for dispatch.
That code was also used at our (EMS) depots to secure the controlled drugs as well, as if none of us could have guessed it.
My parents live in a very upscale country club community down in Florida and their gate security is laughable. They assign every household a 4 digit code to enter the community. Given how many homes are in this community, entering any 4 digit code > 1000 and < 2000 will work.
My girlfriend lives in an upscale, gated community. Her HOA has done the exact opposite. They change the gate code weekly as a way to "protect" themselves from this situation. However, it's kinda had the opposite effect - tailgating has become totally acceptable, even the norm, as people can't keep up with the gate code changes. Amazon drivers usually just sit outside for a minute or two, then tailgate into the neighborhood.
Why are College campuses the bane of existence for your friend?
Because college kids write codes on the side of access panels? Wouldn't that make life easier for your friend as a delivery driver?
Because college kids don't write codes on the side of access panels? If so, why does your friend describe them as not smart? Isn't it smart to avoid writing codes?
Their routers only have this feature because the internet providers who sell those routers pay for bandwidth themselves lol. If residential internet plans sold on a pay-per-byte basis you can bet routers’d still ship with non-unique passwords.
Oddly enough, these default unique passwords usually are in the format of word+word+digit+digit+digit. If you look up the model, it won't take long to find the word list they use and can trivially bruteforce it.
So even then, I'd recommend changing it, or push for these companies to provide generated passwords with a much larger key space.
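Added example (not part of the thread, and not any vendor's actual scheme): a comparison of the word+word+3-digit format described above with a randomly generated label password that is still easy to type. The 2048-word list size, the 80-bit target and the look-alike-free alphabet are assumptions chosen for illustration.

```python
import math
import secrets

# Alphabet without look-alike characters (no i, l, o, 0, 1) so a password
# printed on a router label is hard to misread. Assumption for this example.
UNAMBIGUOUS = "abcdefghjkmnpqrstuvwxyz23456789"  # 23 letters + 8 digits = 31


def scheme_keyspace(wordlist_size, words=2, digits=3):
    """Number of distinct passwords in a word+word+digits scheme."""
    return wordlist_size ** words * 10 ** digits


def bits(keyspace):
    """Keyspace expressed as bits of entropy (assuming uniform choice)."""
    return math.log2(keyspace)


def length_for_bits(target_bits, alphabet=UNAMBIGUOUS):
    """Shortest random string over `alphabet` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_label_password(target_bits=80, alphabet=UNAMBIGUOUS, group=4):
    """Generate a random password with a CSPRNG, grouped for readability.

    The dashes are only visual separators and carry no entropy.
    """
    n = length_for_bits(target_bits, alphabet)
    chars = [secrets.choice(alphabet) for _ in range(n)]
    return "-".join("".join(chars[i:i + group]) for i in range(0, n, group))


def compare(wordlist_size=2048, target_bits=80):
    """Return (bits of the word scheme, bits of the generated password)."""
    weak = bits(scheme_keyspace(wordlist_size))
    strong = length_for_bits(target_bits) * math.log2(len(UNAMBIGUOUS))
    return weak, strong


if __name__ == "__main__":
    weak, strong = compare()
    print(f"word+word+3 digits (2048-word list): {weak:.1f} bits")
    print(f"generated label password:            {strong:.1f} bits")
    print("example:", generate_label_password())
```

With the assumed 2048-word list the word-based format gives about 32 bits, while a 17-character random string over the 31-symbol alphabet gives about 84 bits.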
Oh speaking of which. A lot of places I rented on holidays had internet access with that default unique password. Which is a pain to type on your phone and laptop when you get there.
Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?
The manual clearly says you need to press the "do not explode" button if you don't want the car to explode. It is conveniently located under the rear seats.
Viscount has hilariously bad security. I used to live in a building in Toronto that used Viscount infrared fobs for access control. They were no more secure than TV remotes; no rolling codes, no encryption, nothing. An attacker could easily sit nearby with an IR receiver and collect everyone's fob codes at a distance, allowing access to all floors.
This was 30 years ago, so I'm sure a lot has changed since then. I was a missionary and the way we got into buildings in Toronto to knock on doors was to just pick the last name with the most letters from the directory, buzz them, and when they answered, we would just say "pizza delivery" and 95% of the time they buzzed the door open.
It'd be nice if missionaries weren't such hypocrites. Claiming to be the pizza guy when you're actually selling magic underwear is bearing false witness.
Exactly. This article should be titled "I figured out a really obtuse way to break into apartment buildings."
A rock will get the job done in a fraction of the time.
It's like all those nobodies on HN who go through all kinds of software gymnastics to secure their phone against imaginary "threat actors," when a mugger is just going to keep twisting their arm behind their back until they enter their PIN.
Wait, what? You have to point a powered device at an IR receiver and press a button like a TV remote? I've never seen a building entry system like that!
Exactly that, yes! IR receivers outside every exterior door to the building, and IR receivers in the elevators to control access on a floor-by-floor basis.
The fobs were visible by an IR camera (including the average smartphone) and could trivially be decoded as a short bit sequence with an IR sensor wired into a microphone jack, as the bit pattern was transmitted at ~audio rates.
There was a time when somebody in SF had figured out the admin access code to older apartment intercoms (I believe they were manufactured by Linear and maybe other companies too). These intercoms would call the programmed-in phone number whenever you type in the apartment access code at the door.
So what they did is add a new fake tenant with a premium 1-900 number and used the intercom to call it, earning themselves a bit of cash. Naturally, landlords had to foot the bill.
That sounds like a fairly open/shut case of fraud/abuse if it can be proven.
At my last apartment my LL would only allow a single number per apartment... well I was sharing the apartment with someone else and I was sick of being the only person to get called. 30 seconds of Googling revealed the user manual for the intercom, and of course the default password of "5555" was still set on it...
I programmed both our last names and phone numbers to our apartment unit number. I did that in 2014 and I moved out in 2016.
To this day -- NINE YEARS AFTER MOVING OUT -- I am still getting calls whenever someone hits #25 on that intercom.
I did something similar to my high school in the 90s. They had a free student phone in the office. It had long distance blocked on it, but I learned you could circumvent the block using those 1010-321 and other long distance prefixes. Some of them had $5 access fees, billed once, in addition to the per minute rate. I called several of these and prided myself on getting the phone removed from the office for a few months.
Can you elaborate on why having the phone removed was itself a source of pride?
I do appreciate the hacking around aspect, particularly with respect to old phone systems, but having a free student phone removed seems like it would be a bad thing for everyone, no?
The Polish spin on this were unsecured office landlines that used radio for some reason, I don't remember if that was for cordless handsets or just an access technology.
People would walk around big cities, usually on Friday evenings, radio scanner out, trying to find one of these. They would then dial a premium-rate number, preferably on more than one line. In most cases nobody would realize that something was up until Monday morning, and if they had a way to disconnect the calls before then, not until the bill came.
You could do similar shenanigans with unsecured PBXs or insecure answering machines that had a "call my mobile if somebody leaves a message" feature.
This is the kind of thing where responsible disclosure is really very important.
Let's say you're a woman. A woman who lives in one of these apartment complexes. A woman with a stalker. A stalker who has threatened to kill you, multiple times. Who has shown up at your apartment, but was rebuffed by the building security.
One day you wake up and find out that a "security researcher" found a way that anyone in the world can get into the building at any time, in addition to looking up who lives at each address. And it turns out the security researcher waited only two months (including over christmas break) to try to resolve the issue in a way that would not leave the existing buildings exposed.
If I were that woman, and something happened to me as a result of this disclosure, and assuming I was still alive, I would, at a minimum, sue the shit out of that security researcher.
Tbh if someone's determined to kill you, enough to look up CVEs and so on on your security system, they might as well wait by the door to brick you in the head when you inevitably come out. It's even better for them since you're bound to be less armed than at home surrounded by kitchen knives, tools, chairs, etc.
> assuming I was still alive, I would, at a minimum, sue the shit out of that security researcher.
If you wanted to stay alive you'd be wise to think twice about going after people who go out of their way to inform you that the security you are dependent on is not doing its job. You'd be much better off instead going after the company who was negligent enough to create the system with such obvious flaws or the landlord who subjected you to it without even bothering to read the manual.
The alternative is that researchers will stop telling the public when they aren't safe and you stay ignorant while some attacker spends the 15 minutes it takes to find and try the default password.
The person who disclosed this was right to get the information out as widely as possible as quickly as possible because, as you said, some people are likely depending on those locks for their safety. Thankfully everyone who learns that this product has made them vulnerable can now take measures to protect themselves accordingly.
We'd probably agree that there could have been better ways to disclose this, ways that made it instantly clear that this product was putting people in danger, while also not making it quite as easy for others to repeat the attack, but in this case you can bet that trying the default password was going to be high on the list of things people would try anyway. I think it's extremely unlikely that this security researcher was the first it.
The most important thing is letting as many people as possible learn about their risk so that vulnerable people can protect themselves ASAP and so that the negligent company/landlord feels a lot of pressure to fix the situation as quickly as possible. If you make security researchers think twice about doing that you'll only allow yourself/others to come to harm. Ignorance really isn't always bliss.
I'm disappointed you're downvoted. I know a woman who is in the exact situation you describe (sans hacker); their ex-husband has made threats to her life and has made attempts to act on those threats. She's extremely privacy sensitive as a result.
You are right. But remember you can be sued for anything, and further remember that suing someone doesn't mean you have good cause to win.
So it stands to reason that a white hat hacker who, in good faith, publicly releases information in an attempt to get things fixed shouldn't face negative repercussion.
But they should face consequences if they were irresponsible, regardless of intention.
If you found the nuclear launch codes, and you're pretty sure nobody else has found them, should you wait a week and then release them, because you had a good faith interest in exposing this hole? No, of course not, that'd be insane. What one should do in that situation is wait, and try to get the codes changed. You shouldn't wait forever, because someone else might find them. But you also should wait for as long as you reasonably can, because of how severe the risk of releasing is.
This risk analysis is the calculus of responsible disclosure. Any ethical security researcher should err on the side of avoiding harm, making every effort to ensure the disclosure doesn't harm unnecessarily. For most researchers, that means waiting more than 2 months over a holiday season, even if it was just a bug in a javascript library or something. Knowingly exposing the privacy and security of thousands of people is pretty fucked up, imo. I'm pretty sure they could have come up with a half dozen different ways to try and get the issue resolved, if not through the company directly, then through individual apartment complexes, law enforcement, etc.
Looking at this closer, it's actually worse than I originally thought. You can see what time everyone comes home every day, what their weekly routines are. So you know when they're gone, so you can rob their house. Or you know when they come home, so you know when you can attack them. This is fucking chilling.
I downvoted, because they wanted to create sympathy with a victim, and to achieve that, they made it a woman. What is the takeaway from that? I'm out of charitable explanations.
Many many many years ago I worked at basically an MSP for telcos on the helpdesk. So customers would call their telco or isp for help and that would be routed to us. Anyways this one small isp with idk 10k customers had deployed their routers to customers with the default username/password and remote authentication enabled. A single script from a bad actor logged into all of the routers, changed credentials, and iirc updated dns settings so they lost internet, phone, tv. Cue 10k people calling as we had to basically walk through everyone one by one on changing the credentials and updating their config.
Sort of, they changed it to a different username password that was the same on every box. So it wasn't easily findable from the internet but the same issue could have potentially happened again.
After watching a lot of tv series, my non techie wife has come to the conclusion that real life systems are trivial to hack : just click ‘skip password’, or ‘password override’, or just use ‘password’ as a password.
It doesn't matter if it took a guy 10 seconds to break your lock, if you didn't lock your house, chances are your insurance won't pay.
And the crooks use RF jammers instead of axes.
That still doesn't give you the order of the key strokes.
If it's busy and you pull up in a nice enough car and just wait in front of the sensor gate looking annoyed, the guard will eventually just let you in
Given what you just said and the article you're commenting under, are you sure?
Like, the HOA just like calls the delivery companies and says "hey, here's a code to get in"
Unfortunately that caused several burglaries too including in my flat :( my alarm scared them off but still..
These manufacturers’ recommendations are not acceptable. They should mandate a non-default secure password before allowing the system to be used.
Needless to say, I moved.
A rock will get the job done in a fraction of the time.
It's like all those nobodies on HN who go through all kinds of software gymnastics to secure their phone against imaginary "threat actors," when a mugger is just going to keep twisting their arm behind their back until they enter their PIN.
Wait, what? You have to point a powered device at an IR receiver and press a button like a TV remote? I've never seen a building entry system like that!
The fobs were visible by an IR camera (including the average smartphone) and could trivially be decoded as a short bit sequence with an IR sensor wired into a microphone jack, as the bit pattern was transmitted at ~audio rates.
So what they did is add a new fake tenant with a premium 1-900 number and used the intercom to call it, earning themseleves a bit of cash. Naturally, landlords had to foot the bill.
At my last apartment my LL would only allow a single number per apartment... well I was sharing the apartment with someone else and I was sick of being the only person to get called. 30 seconds of Googling revealed the user manual for the intercom, and of course the default password of "5555" was still set on it...
I programmed both our last names and phone numbers to our apartment unit number. I did that in 2014 and I moved out in 2016.
To this day -- NINE YEARS AFTER MOVING OUT -- I am still getting calls whenever someone hits #25 on that intercom.
I should have done the 1-900 thing :D
I do appreciate the hacking around aspect, particularly with respect to old phone systems, but having a free student phone removed seems like it would be a bad thing for everyone, no?
People would walk around big cities, usually on Friday evenings, radio scanner out, trying to find one of these. They would then dial a premium-rate number, preferably on more than one line. In most cases nobody would realize that something was up until Monday morning, and if they had a way to disconnect the calls before then, not until the bill came.
You could do similar shenanigans with unsecured PBXs or insecure answering machines that had a "call my mobile if somebody leaves a message" feature.
Ah, yes. It's the children who are wrong.
Let's say you're a woman. A woman who lives in one of these apartment complexes. A woman with a stalker. A stalker who has threatened to kill you, multiple times. Who has shown up at your apartment, but was rebuffed by the building security.
One day you wake up and find out that a "security researcher" found a way that anyone in the world can get into the building at any time, in addition to looking up who lives at each address. And it turns out the security researcher waited only two months (including over christmas break) to try to resolve the issue in a way that would not leave the existing buildings exposed.
If I were that woman, and something happened to me as a result of this disclosure, and assuming I was still alive, I would, at a minimum, sue the shit out of that security researcher.
If you wanted to stay alive you'd be wise to think twice about going after people who go out of their way to inform you that the security you are dependent on is not doing its job. You'd be much better off instead going after the company who was negligent enough to create the system with such obvious flaws or the landlord who subjected you to it without even bothering to read the manual.
The alternative is that researchers will stop telling the public when they aren't safe and you stay ignorant while some attacker spends the 15 minutes it takes to find and try the default password.
The person who disclosed this was right to get the information out as widely as possible as quickly as possible because, as you said, some people are likely depending on those locks for their safety. Thankfully everyone who learns that this product has made them vulnerable can now take measures to protect themselves accordingly.
We'd probably agree that there could have been better ways to disclose this, ways that made it instantly clear that this product was putting people in danger, while also not making it quite as easy for others to repeat the attack, but in this case you can bet that trying the default password was going to be high on the list of things people would try anyway. I think it's extremely unlikely that this security researcher was the first it.
The most important thing is letting as many people as possible learn about their risk so that vulnerable people can protect themselves ASAP and so that the negligent company/landlord feels a lot of pressure to fix the situation as quickly as possible. If you make security researchers think twice about doing that you'll only allow yourself/others to come to harm. Ignorance really isn't always bliss.
Secondly, if a person is determined enough to look for vulnerabilities in the access control system, they are determined to do much more.
Thirdly, public disclosure more often than not leads to enhanced security down the line, protecting both men and women alike.
You are right. But remember you can be sued for anything, and further remember that suing someone doesn't mean you have good cause to win.
For corollaries, see good samaritan laws
[0]: (specifically about Texas) https://www.uslawshield.com/can-get-sued-good-samaritan-laws...
[1]: https://www.themirror.com/news/weird-news/i-cpr-crash-victim...
[2]: (More generally) https://en.wikipedia.org/wiki/Good_Samaritan_law
So it stands to reason that a white hat hacker who, in good faith, publicly releases information in an attempt to get things fixed shouldn't face negative repercussion.
If you found the nuclear launch codes, and you're pretty sure nobody else has found them, should you wait a week and then release them, because you had a good faith interest in exposing this hole? No, of course not, that'd be insane. What one should do in that situation is wait, and try to get the codes changed. You shouldn't wait forever, because someone else might find them. But you also should wait for as long as you reasonably can, because of how severe the risk of releasing is.
This risk analysis is the calculus of responsible disclosure. Any ethical security researcher should err on the side of avoiding harm, making every effort to ensure the disclosure doesn't harm unnecessarily. For most researchers, that means waiting more than 2 months over a holiday season, even if it was just a bug in a javascript library or something. Knowingly exposing the privacy and security of thousands of people is pretty fucked up, imo. I'm pretty sure they could have come up with a half dozen different ways to try and get the issue resolved, if not through the company directly, then through individual apartment complexes, law enforcement, etc.
Looking at this closer, it's actually worse than I originally thought. You can see what time everyone comes home every day, what their weekly routines are. So you know when they're gone, so you can rob their house. Or you know when they come home, so you know when you can attack them. This is fucking chilling.
It seems she’s almost right!