A decade after first exposing critical flaws in door access controllers used by hospitals, schools, and government buildings, cybersecurity researcher Shawn Merdinger is sounding the alarm again — and this time, the silence is even louder.
Merdinger, once jailed during a mental health crisis, returned to the field with a mission of redemption through a project called Box of Rain. His aim: to highlight how thousands of organizations are still vulnerable to the same basic access control flaws he flagged back in 2010 — particularly in S2 Security systems, now under LenelS2.
What’s the Issue?
Many buildings — including healthcare facilities, courthouses, utilities, and even law enforcement — are running internet-exposed door controllers still using default login credentials like “admin/admin”. That means a hacker could:
- Unlock doors or schedule them to unlock
- Track employee comings and goings
- Add unauthorized staff to systems
- Disrupt door operations or, worse, gain a foothold in the broader network
Merdinger reported nearly 40 such vulnerable instances last year to CISA and other authorities, but his recent follow-up reveals disappointing results:
🔐 Only half of the systems are now offline or otherwise patched
🔑 A few have changed passwords but are still exposed
🚨 Ten organizations have taken no action at all
Why It Matters
The implications go beyond unlocked doors. These systems serve as digital gateways into sensitive infrastructure and networks. Worse, patching delays from vendors and sluggish response from agencies like CISA leave organizations — and the people they serve — wide open.
Merdinger suspects some medical facilities may have already been compromised based on abnormal system behavior, yet public response has been muted.
“I expected more urgency,” he says.
The Bigger Picture
Building security isn’t just about locks and alarms anymore. As buildings get smarter, the physical meets the digital, and vulnerabilities in access systems become potential cyberattack vectors.
This story is a reminder: cybersecurity isn’t just about firewalls and software — sometimes, it starts with the front door.