I would say this is highly irresponsible of the researcher to expose this publicly. These are people’s homes, along with their PII and locations. The residents didn’t choose this system, their building just uses it. They don’t even know that their info is being leaked, nor that the doors to their places were just rendered neutered.
I think this falls under responsible disclosure guidelines. A lot of times companies refuse to fix misconfiguration issues like these, and users/customers deserve to know. Not publishing it is security by obscurity, you're just hoping that a bad actor doesn't figure this out (or hasn't already figured this out).
If something bad is done by a bad actor because of this vulnerability being discussed in public, that's no worse than something bad happening because this vulnerability exists but is only discussed in secret.
This is not some highly-technical vulnerability only accessible to nation-states with genius engineers and million-dollar labs with exotic instrumentation and brute-force supercomputers compute pulling down many megawatts of power. The OP literally logged into an open Wifi SSID, searched for the text on the page, and scrolled to the default password. None of those steps are hard to do, any jealous ex or disgruntled employee or divorced parent fuming in the parking lot for 5 minutes could effortlessly accomplish the same thing.
I honestly think it's likely that bad things have already happened due to this vulnerability - but not due to this disclosure.
But because it was only discussed in secret, no one ever got to the root cause of the issue and the hazard continued to be out there. Now that it's public, hopefully something will be done, and relatively quickly.
Not shining a spotlight is worse. The important thing is providing time to address the found vulnerability, ie. responsible disclosure. For which OP has indeed provided a timeline.
The debate has long since been settled comprehensively in favor of openness.
I don't know why you picked a random date 2 weeks before publication instead of the relevant one:
2024-12-27: Current vendor of MESH identified as Hirsch (subsidiary of Vitaprotech Group) and contacted
They were contacted 7 weeks before publication
and
2025-01-11: Hirsch product security responds requesting details and are asked if they intend to alert clients
They responded 5 weeks before publication, and so were aware of the issue for at least 5 weeks before it was disclosed, during which time they did nothing about it
The only recourse for what problem? Aren't there other plausible creative ways to apply pressure and get it fixed, with less risk to the people unwittingly at mercy of this vendor's negligence?
Or are you speaking of the transactional convention, in which people can break into systems, and then are entitled to publicity for that, so long as they give the vendor advance notice?
The whole responsible disclosure convention seems an imperfect compromise, among various imperfect actors. On occasion, individuals might decide that other options are more appropriate to the specific situation, and to Perfect Tommy it.
I strongly disagree. You’re literally putting people’s lives and possessions at risk who have no knowledge of this. There are many alternative methods, from getting the government involved to giving a a very long lead time to the vendor before you disclose this, to sitting on it and never disclosing.
The information is already sitting on Google for anyone to find, vendor doesn't give a shit.
Best to get it out there, at least if you're stuck in one of these buildings you can log in and change the admin password yourself till your building management does something about it.
Software vendor and building manager are putting people's lives at risk.
Can't software coders ever take responsibility? And this is on the programmer who implemented this, too. You just not let your product manager do this, ever. It's 2025 already.
And this is a security product, wtf? Residents should be suing individual programmers here. OWASP was created 24 years ago. Default credentials is like number 1 on their IoT app security list. Only a moron would not defend against this. If your manager requires this, you just send him:
I second this. Just because it feels right to them as "I've reported it, It's not on me anymore...", doesn't mean he should enable bored people to revoke access cards, jam elevators, etc.
Criminals were already enabled to do that, and the people in those buildings had no way to know.
The more-responsible thing might have been to also reach out to residents of individual buildings & give them time to correct the situation, rather than relying on the company (which has a vested interest in ignoring the problem) to do the right thing. But security through obscurity is not a solution.
That depends on the individual's weighing of the various factors and their personal moral position. If someone wants to prevent a bunch of easy break-ins where the method of entry won't get noticed in most cases, and they feel that the discomfort of denying access for a bit (impacting hundreds of people perhaps) outweighs the trauma of being robbed (maybe impacting just a few), than doing that might be the only morally defensible position to take. For all we know they actually are planning to hammer the open installations until they get fixed to prevent the bigger harm.
Other people will shrug and move on after trying everything they can via the proper channels.
And then of course there are the assholes who will just do it because it entertains them.
It's all very educative and makes a point until you read a news story about someone dying because ER couldn't get there in time. The road to hell is paved with good intentions hits hard here.
That too has a chance of happening associated with it. Lacking a convenient table to look up the chance of that happening (and its impact), and the chance of a break-in caused by an open admin panel causing irreparable harm, there is nothing left to do but weigh the chances as best as one can.
Many people will choose to do nothing in that case, but not everyone will accept that inaction which might lead to bigger harm is preferable to action which might lead to another possible negative outcome, but at a much smaller chance.
(It's basically that dumb trolley meme, but with undetermined outcomes.)
Every choice we make can have an adverse effect on others. Take the car today instead of walking? You just might cause an ambulance to be delayed leading to an unfortunate death. The chance of that happening is negligible of course, but not absent (it never is).
If something bad happens because of this…