>> All right. DEF CON 22, elevator hacking. I'm blown away people are in here right now listening to us.
>> [Applause]
>> We love you too. And we love that DEF CON allowed us to do this, even though we were told it had to be the last talk on the last day. 'Cause you know, breaking things. So why are we here? What are we talking about? Why do we do this? Some of you know me. I'm Deviant. I own a pen testing firm. We break into buildings. We do the physical side. Many buildings leverage their elevators as part of the security model. They should not do that.
>> My name's Howard. I'm not here representing Payne Elevators despite the name. And I do have an employer whose views and opinions I do not express. -- I drink bourbon, he drinks cheap beer. There are a lot of things that can go wrong with elevator hacking.
>> Elevators are regarded as the safest form of travel, based on miles traveled. They virtually always work the way they're expected to. Most people have never been injured by an elevator. Probably entrapped, but not injured. Most injuries that happen are people who are working in the mechanical spaces such as the hoistway or the shaftway, machine room, pit. For guys like me. You can do really bad things to yourself with an elevator if you're a jackwagon. That leg was saved though.
>> Yeah, this leg survived. Our concern is not that you're dumb enough to kill yourselves, but that you're going to break shit 'cause it's fun. (Audio muffled) So yeah, the helicopter, right?
>> Escalator helicopter, YouTube.
>> It's all fun until you cause a felony. Criminal mischief. Thousands of dollars in damage. Plus criminal penalties.
>> Don't do that. In general, like, you're going to look at elevators differently after this talk. You're going to spot little things in elevators. They'll tell you, if she doesn't want to be touched, don't touch her. Leave it alone. If you don't know what something is, do not turn the key, don't do it. We're professionals. I'm just up here talking silly. The things you see in this talk, we want you to learn, we don't want you to try all of it unless you have a really good scoping document that legal prepared.
>> So elevators, broadly speaking, fall into two types of categories. Some are hydraulic, piston driven from below. The other type are traction. They are actually steel cables. A traction elevator is usually propelled by a motor in the motor room that's above the cab, and it's gaining traction on the ropes and moving the cab and the counterweight system. So elevators generally ride on two rails with guide rollers like this that you're seeing in this slide. They're not anchored in. Sometimes you'll see shoes instead of rollers like this, but the principle is the elevator is just guided up and down on these rails. The lifting mechanism is just doing the work; this is just the way it's guided smoothly. Just think of it as sliding up and down a track. Most people in this room, their interaction with elevators is fixtures. Like you see here. Left is a car operating panel. When you push a button, you're doing what's called registering a cab call. You're telling the elevator exactly where you want to go. As opposed to when you're in a hallway, you press the up and down button. You're registering a directional command, but you're not actually telling the elevator where to go. That's called a hall call. There's direction indicators that keep you from being a jackwagon -- -- please don't do that.
>> But again, all the power is coming from the motor room above or below. So what you're seeing here is gearless tractions. I believe these are DC powered. They are usually used in higher-rise buildings to achieve the speed that's necessary to travel effectively inside a high-rise. On the other end of the spectrum, you'll see motors that look like this. This is hydraulic. This is a very simple system. There's a controller on the right side and there's a hydraulic pump which lifts the elevator. You're never going to see hydros taller than eight stories.
>> No, that was actually a Dover hydraulic, high (indiscernible).
>> So he mentioned it had a controller on the wall. This is the brain of the entire unit. So what you're going to learn throughout this talk is elevators have varieties of sensors that -- provide input such as things about its current velocity, current position, doors open or closed. A myriad of things. Those inputs all feed back to the controller, and the controller makes decisions: should I be driving the door motor? Should I be driving the hoist motor up and down?
>> We know we're talking really fast and we're better speakers than this, but we want to get to all this stuff we're chattering through. If you're (indiscernible) and you want to learn this stuff, download the slides later. But we want to show you keys and stuff. So, one.
>> One of the most primitive forms of input is the limit switch. That's at the top and bottom of the hoistway. And they're there to indicate when the elevator is reaching the end of its run. The fourth roller mounted on that. As the elevator is approaching the top floor, it'll trip the first slow-down -- -- reduces the speed of the motor until it hits that third one, which is called the normal limit. When the elevator's on the normal limit, it's leveled on the top floor. So now you're probably wondering (speaking simultaneously).
>> That's to basically indicate when the elevator's about to run off the rails. There's literally nowhere for it to go.
>> Yeah, if the elevator hit that, it's not an easy fix. Although we saw people trying to do that in a mall.
>> This is a device that's called a motor encoder. It also spins the indicator of the motor encoder, which lets the encoder track the revolutions it's made in a certain amount of time. It will then be able to determine how fast it should travel. It'll match it up with other types of information. Such as.
>> The position indicator. The elevator on the hoistway is magnetically, or on the means, actually telling where it is on the hoistway. It's a really funny freak-out when it happens. If the elevator gets lost -- relearn where it went wrong. So if you've ever been in an elevator that didn't go where you were going, and went all the way up and down, and you're like, okay, it was not, it didn't match up with what the controller thought. So all these inputs come together, and if the inputs don't match, if the elevator panics, it'll hit the brakes and all kinds of things. So there are driving machine brakes, which is sort of the normal brakes: when the elevator is at rest, the brakes will be applied. When the elevator's moving, the brakes will be dropped. There are other types of brakes. The safety. People have probably heard an elevator can't free fall. That's generally true. Devices like this on the left, it's something called a governor. And it's a centrifugal device; as the elevator speeds up, that flywheel will spin faster and faster and eventually jaws will fly out and trip and grab the governor rope. That will stop the car. The device on the right is called a rope gripper. It prevents unexpected upward movement. People are afraid the elevator's going to free fall; you should be afraid that it falls up. Because the counterweight --
>> And didn't stop and it crashed into the overhead.
>> Yes, I believe it was from Chile. This would have stopped that. Chile.
>> Understand that these mechanisms are easy to really just figure out. You can see how they work and you can see that they're really safe. This is a demo of one of the rail gripper safety mechanisms. This is what made Elisha Graves Otis famous. If the ropes are cut, the elevator won't plummet into free fall, and this, not on an American show, on British TV, this man is hoisted very, very high and cutting the rope. This man doesn't fall. The cab is fine. Yeah. And that was a demo that Otis would do at world fairs. Because until he came along, elevators were unsafe. But nowadays they're very, very safe.
>> The principle behind the elevator has existed the last 2000 years. But there was no way to be safe.
>> Your modern system that you saw earlier with the governor and such is, there are separate ropes, as we call them. They are metal cables. There are separate roping systems traveling with the car at all times; if that governor jams and grabs, it'll pull up on braking gripper levels and plant levers. There's all kinds of brake shoes that keep you from dying. If all else fails, the pit has buffers in it too. And if the brakes don't work, if you're sliding through the brakes, the pit will have spring or oil piston buffers designed to absorb the full weight of the car at full travel speed.
>> You probably won't die. Very seriously injured, but you won't die.
>> Yeah, you'll be back next year. So elevators do the job really well in that mode if you're riding in the elevator. If you're not, this is where elevators get unsafe. When you're riding like a (indiscernible) in the car.
>> Turn that light on. (Inaudible) (Tense music) People used to call it elevator surfing.
>> (Screaming, ringing bell) That is a way elevator mechanics have been fatally injured in the past. We're not kidding. Don't do this.
>> But if you're in the car on automatic operation, the elevator's going to keep you very safe. Would you like to learn about non-automatic operation?
>> (Applause.)
>> The most common thing I use as a pen tester on jobs is flip an elevator out of group service and into independent service. When you register a hall call and you have a bank of elevators, they don't all come to your floor. The controller chooses one and dispatches that to you, because they're in group operation. If you take that elevator up, the controller knows I can't use that for a while. An elevator in independent service, as we see in the independent key switch here; sometimes they're toggle switches hidden behind panels. There's a lot of hidden panels. If you flip to independent service mode, the elevator becomes yours. It ignores all the hall calls, everything but what we're telling it. That includes opening the doors: if you drive to a floor, you have to manually say open door, or close door. I have hidden in target buildings for hours just on independent service, because it's not going anywhere. People could call the elevators all day. No one ever notices how come elevator passenger seven hasn't been responding. No, you just get on the first one you come to. I wheeled an office chair in an elevator once and sat there and waited until everybody went home. And we rocked house all over the data center.
>> [Laughter]
>> So yeah, independent service is really useful if you're a pen tester. Because it takes the elevator completely out of the group and gives it just to you. It becomes your elevator. So there's a similar mode called attendant service, and it has its root in history. Where there actually was an attendant who would drive the cab up or down using a hand crank like here. So on an automatic system, you'd see something like this behind a locked panel. There are up and down controls to allow the attendant to signal that they want to reverse direction. So they might have a cab full of people or a VIP and they decide, let's stop collecting all the calls in this direction and get these people wherever they need to go. And then that bypass button, sometimes it's called the nonstop button, that allows the attendant to continue in the same direction with the full car and skip all the calls. When he's done, all of those hall calls are still registered. So eventually it'll pick up those passengers that are waiting. It's just a way to signal that the cab is full or whatever.
>> It's like the close door hack, which doesn't fucking work. So everyone should stop repeating that all the time.
>> Except there's that one kind of.
>> Ask us about, like, ask us about relay logic controllers, which, how.
>> We think the origin of that was independent. Somebody saw an elevator where the operator was holding door close, 'cause you have to on independent mode. And it's like, oh wow, you see what that guy did? I'll do that later? No you won't. Unless you have a key switch. What if you want to have a high priority service but don't want to hire someone to stand there?
>> So there are two types of priority services. One is called express priority mode, the other is executive priority mode. We mentioned elevators will pick up calls on demand in the same direction it is already traveling. If there are passengers going up, they're going to collect every up call on the way up as it goes. When it reaches the end it will reverse direction. In this case a user may have a key or badge to signal they are more important than regular people. The difference between the modes: one will actually reverse the direction the cab is traveling to serve that person.
>> And what happens when the VIP is served?
>> In particular, it's funny if you ever see this used -- going up, going down. And if an executive puts their key in, it says this elevator is needed for other reasons. Please exit the door immediately upon opening. And it kicks you out of the elevator.
>> Maybe if you're the type of person who's seen interesting communities and their beliefs and other things, you're maybe familiar with Sabbath mode. Or you saw a movie with Bill Maher, Religulous. It is for people who believe they're not allowed to interact with certain systems. Toggling Sabbath mode lets people get around the building by driving all the way to the top floor and platforming automatically on every single floor on the way down. It's kind of like hacking God, I guess. Ah, I found a loophole in scripture. So I'm smarter than you. So that's Sabbath service. A lot of other -- there's a Sabbath mode there. Ask us later about why it doesn't exactly do what some people think it does. And some religious scholars need to double-check their notes. Load bypass. Holy shit. Elevators know how heavy they are. You put too much shit in the elevator once and they beeped at you and got angry. They can use that data to say, hmm, I'm collecting all these calls and I'm pretty full. I should not fucking stop at a bunch of other floors right now, because it's going to be a bunch of this: sorry, no room. Sorry, no room. For like five more floors. Yeah. If you come to, like, HOPE in New York, why this isn't enabled more often is beyond me. Why anti-nuisance is not enabled. If you're a frickin' derby bush and, like, press all buttons --
>> More calls. Keep going. Wait, hold on. Boom, done. (Laughing) That's amazing, keep recording it. So we're going down, one to 23 and boom. Out. It's like they know we're here.
>> Yeah, that's called anti-nuisance mode. There's peak programming if you're a building with workers coming in the morning, checking out at a certain hour. There's all kinds of optimization that you can do, and that's something a confident elevator consultant can do for you. There's also, if you want to have, like, extra special considerations when people shouldn't be coming and going.
>> I saw a mode at a museum and it was called riot mode. I thought, what the heck is this? The building owners wanted a way they could lock the ground floor out of the elevator system but still use it to access the other floors. So again, somebody in the security room would hit a button and say, oh gosh, there's a riot happening outside.
>> Occupy Tulsa.
>> So it would just stop responding to the ground floor, because if somebody was able to get in on the ground level, they could get on an elevator and do bad things.
>> The basic part of the riot mode: the elevators keep working on the rest. Why can't the 99 percent be happy with the scraps we give them? You don't care, you just can't go to the lobby. So besides civic unrest there's also seismic unrest. And you may never have seen this. Or you might live in southern California, where there's a little jewel on the elevator sometimes that says seismic. It's going to cause an earthquake when you push it. No, there's this indicator that in an earthquake you should exit the cab as soon as possible. So a lot of times it's very simple, mechanical; that might be a ring on a string, as you call it. There's a metal cable running up and down. And if the cab starts swinging side to side, that ring might come in contact, completing a circuit, indicating to the controller that unexpected lateral movement is occurring. It's the one kind of emergency mode that might actually take you up. So it's a little counterintuitive. But if you think about it, what can happen, one of the risks during an earthquake, if the cab or the counterweight actually becomes displaced from the rail that is supposed to be guiding it. You got a 2,500, 3,000-pound
>> (Inaudible) with you.
>> Yeah, so it moves you away from the counterweight. Even if it moves you in the wrong direction.
>> How many people maybe work in a hospital or medical facility? You may have seen code blue service. Right on. That's medical priority. Imagine the highest VIP priority, where a doctor or emergency personnel will use a key and they will seize an elevator; the closest one responds and it becomes their elevator until the key comes back down. Hospitals also have code pink. It's baby theft mode. If the baby gets moved unauthorized, the elevators can basically turn into security recall devices, which is its own mode that you can program independent of a hospital. It turns the elevator into a mantrap. It'll deliver the person to a floor of your designation and keep the doors shut. Or it'll cycle the doors manually so they can't hide. There's all kinds of fascinating things you can do with elevator security, and there's other things people try to do, and we're going to shit all over that in a minute. There's also just modes you see, if you start looking into this, you'll see security service. This is kind of a catch-all key switch. It doesn't always mean what you think. Like all the key switches in this photo are actually the same keyway. Look at one of them; the security service looks beat to hell. So I asked the desk at this hotel, hey, I work with elevators, I'm curious, are you having security incidents every frickin' day? And he's like, no. The maids use that to go to the basement. Just 'cause you see something, it doesn't actually do what you think it does. One of the most misunderstood modes is firefighters' emergency operation. You're seeing here two key switches that are instrumental in the use of an elevator during a fire. When a heat or smoke condition is detected by the building's fire alarm system, there are contacts that -- -- controller which indicates that there is such a condition and that it's no longer safe to run the elevators. You've probably seen signs. They're supposed to be at every landing. That say --
>> You shouldn't be able to. The elevator should go away from you and sit in the lobby. It should.
>> But the smokes and heats are near the landing, so the building can be on fire down there, and the elevator over there is still working, but if the elevator has platformed in the lobby, the firefighter can take control of it. And they can drive it in the building in a very powerful way.
>> Just to be clear, phase one is when the smoke and heat detectors go off. It brings the elevators down to the lobby or some other designated floor -- -- once the car is on phase one, then they can go in and use their key to activate phase two, which allows them to run the car. Overriding the fact that it is otherwise locked out.
>> Overriding is pretty much everything. You think independent mode is powerful? Firefighter phase is way more powerful. Fuck you, I'm a firefighter.
>> By code it has to be disabling any security systems. So that firefighters can get to the floor they need to go to. So there's one more mode that's even more powerful than this. In the elevator world, who can ever be more important than a firefighter?
>> Us. (Laughing)
>> Yeah, elevator guys, right? So hoistway inspection, if you can take command of the elevator and get into the hoistway, which is super fucking dangerous. If you don't know what you're doing, don't goddamn do this. If you do, there are all kinds of controls in there you should not have anything to do with, because you don't know what they are.
>> Exactly.
>> Oh my God, you'll see something about that later maybe. So plenty of buildings try to use elevators as part of their security model. Maybe you've seen a building where you can't register a hall call. Or you have to use a key. Maybe there's no hall buttons, there's only a key switch. Maybe you've been in situations where a badge reader is used or a hotel key card is used. So not being able to make the elevator come to you and you can drive it later, we'll show you an interesting trick about that. Maybe there have been situations where you can get in the elevator and certain floors are locked out. What kind of locks are these? Anybody who's been in the lock (inaudible). (Indiscernible) locks are shit ones. Those are valid answers. All the elevator key switches, almost all of them, are wafer locks. Some of them are harder, I think. But you can pick them later if you want. This is not a wafer lock. That is a Medeco lock. I'm very interested in floor seven. But anything like lockouts or badge systems, these are common ways that people try to treat the elevator as restricting your movement. They try to say, oh you know, someone couldn't get to floor seven or 20, or whatever, unless they have the right credential. Fuck a bunch of that. That's not how you should think of your elevator. You want to secure an elevator? This is what you're doing. What's going on here?
>> Sure. We had a job one time in a facility and we came across this. I said, gee, that's an interesting way to secure a hallway. (Indiscernible) this key. Let's just show them.
>> It was a jail. It's a giant cage in front of the elevator. Unless you're doing this, think of your elevators as a stairwell. Think of them as a stairway where lazy people don't use their legs. Everything we just showed you, we'll just shit all over it. Remember there was no hall call buttons, you can't get the elevator to show up; I use my magic hack haxor paper. Well, what happened there? Well, the elevator happened to be at the floor, so somebody tripped the safety edge. And it's a really smart idea to stick things through the hoistway doors.
>> No, it's not.
>> And also to be clear, that's not a universal trick. In fact it's unusual it did work. Those sensors should have been disabled when the doors were closed. But this kid somewhere on YouTube happened to find out that it worked.
>> Most of what we do, most of what we're going to talk to you about, is overriding systems just by using the key switches. There's key switches inside all -- how many people have seen panels in elevators that pop open? Some of those panels are locked. None of you would have ever picked this. Interesting point, there's something called a slam panel. It's like a spring-loaded latch. You can just (making noise) and it'll pop open. But inside the panels, you'll see, like, look: independent service that we told you about. Hoistway service, you shouldn't touch it. Card reader disabled. Let me turn, I don't have my key, let me turn off that function. The industry is awash in different key switches and different keys that you'll start to see; in the industry they call it graffiti. In the motor rooms and car panels, you'll see notes from elevator guys and gals. You'll start to think that keys are really different all over the place. And yes, there's a lot of keys. If you're on a pen test job, you might try to look for the elevator keys. Sometimes you just find them. But if you're on a legitimate elevator job, what this man has done for years now is catalog every key he's ever seen on every job ever, ever. As far as I know, Howard's the only one that has a collection of every elevator key he's found, and he knows what it does. This is not Howard's key collection, by the way. This is Howard's key collection.
>> [Applause]
>> You might notice this is actually an old photo. Every elevator -- there's all different brands and fixtures. And you can just spot them.
>> So when you have the experience to look at something and say, ah, I've seen that on another job, or I've seen the catalog or company's flyers and visited the trade shows. It's all the same. They use the same things everywhere. And that is one of the main points to take away from this. If they sold you a key switch, the buttons look alike and the key switches look alike. The buttons look alike; hey, my elevator uses Adams, guess what, your key probably operates that other Adams elevator.
>> There's modernizing that happens. We're in the Rio, right? Dover Impulse. How many people have seen those buttons a million times?
>> When I started to try to learn this, I'm on jobs, I'm like, holy shit, I'm pretty sure I have a key for this. What is it? I'm like, I don't know what it is. How thick is the halo? What font is -- they all look the same to you until you start learning it. And you can type the fixtures just by glancing at them and you know what keys (indiscernible).
>> That's totally Helvetica.
>> Yeah, EPCO.
>> And the other is Innovation.
>> It says it on the slide.
>> Like Arial Narrow, I think.
>> I could do this to him all day. Now if you want your own elevator keys, like, people sell them online. Many people probably shouldn't be, and you probably shouldn't buy them, because they're ripping you off. Like this key set is almost $9 a key.
>> And it actually has to ship UPS ground because the smoke in the picture is included. So it's -- I don't know what half these things are, to tell you the truth. They took a guy that retired 20 years ago and copied every single one, because the fixtures these are used for are completely dead and long gone.
>> These are the most popular ones you can find online -- you can get 17 of them in the set.
>> Don't get me wrong though. The vendor did two nice things: they took clear, straight-on photos of the keys, with the labels visible. And they really took care to make sure this was going to be comprehensive. This was really perfect for your fire department as long as your fire department is simultaneously the state of Massachusetts -- -- South Carolina and Arizona. So if.
>> So if that's what your trucks are rolling through, that's your job. Rock out.
>> What probably happened, of course, is the vendor had a contact. And someone kept handing them keys and saying, I've seen this work, or this is a fire key, and they've had, well, we better put it on our set.
>> So when you buy keys online, from shitty sources, you don't know what you're getting exactly. You might be getting a key that's speed run on a duplicator that kind of has the right bittings vs. a code cut and original factory key -- and going on elevator keys.com. Is anyone going to sell them in this room? How many people are going to try to call elevator keys now?
>> Don't bother, read the verification requirements; they will not sell to you unless you are legitimate personnel.
>> The guy AS I can D. I tried on the phone a lot. (Laughing) But in general, this is an industry way behind the times on security. So what kind of key switch is this on the floor too? What kind is it? You've been to the village.
>> Tubular.
>> What'd the guy tell you?
>> This is a true story and I swear, it was a casino, and the building's architect was present at a meeting. He happened to mention he had a personal investment in selecting the switches on the elevator. And he made a comment to the effect of, no one would ever be able to pick that.
>> That's a tubular lock.
>> Right.
>> (Laughing) So yeah, it's an industry where, like, someone says, so Medeco is a great brand. We'll get tons and tons of Medeco key switches. I asked Howard and said, let me see those keys. And then I grabbed bob ex. And I lined them all up. It's a mastered system where half the bittings aren't even mastered, and the rest is just a huge sample size; I was able to determine the master bitting. I had Howard once send me a picture. And it's a Dover system. Yeah, a Dover DEE R key, but look where I found it. There's all kinds of reuse in the industry, because you think your keys are unique, and it's just a supplier calling a supplier calling a warehouse and shipping them thousands of the same cylinder. Stock locks. Whatever's cheaper. You also have industries where they try to start enabling shit online. So MCE, it's like, oh, our, we have this box that you're going to see later. Yeah, it's hooked up and you put it on your network, make sure you can fix it. Add an account called MCE support, make a user account MCE support -- just make it all the same password everywhere. Because we need to get in. This is the MCE system that they need to get into remotely. This is supposed to be forward-facing from your network. This is up here -- -- attached to the controller so you can do all kinds of remote management. Is this the kind of thing you think is smart to be publicly facing, with a user and password on the router of your building called MCE support, where you can access these features remotely? Raise your hand if that's a good idea.
>> In this room a lot of hands are going up because we want that to be a good idea.
>> But it's cool, they paid for extended support for XP. (Laughing)
>> There's also things like Otis Elite service.
>> As your building requirements change, you can customize your elevator's operation with a simple telephone call to our Elite engineers.
>> It won't be a problem. I'm going to take elevator number two from the bank.
>> You don't have the independent key switch? Just call the company up. I'm totally Bob Jones. This is my building. OnStar for elevators. Bluff your way, and I'm sure you get the elevator to do things. It's all remote management. You have stuff like this in the industry. These fire keys we showed you. They tried to push for a uniform fire key.
>> Does anybody know what FEO-K1 is? FEO-K1 was the key that was adopted in the 2007 edition of the ASME A17.1 Safety Code for Elevators & Escalators -- they wanted to eliminate firefighters having to carry around keys that were overpriced and weighed pounds. They said, let's just make one standard key. Only you can have it.
>> Yup, only elevator and emergency personnel can use this.
>> So let's just publish the bitting.
>> Yeah, let's put that in the code right there. Smart.
>> [Applause]
>> This is the kind of thing you see in the industry. It's an industry that hasn't had any security background pushing on any of these topics. Not to mention it's all circuits at the end of the day. It's all naked on the inside. If you pop open the panel, or if the panels just aren't secured, why are you messing with key switches? You could just bridge the contacts (multiple voices) swing panel opens up. It's insane. It's not secure at all.
>> This is not secured either. What's happening? I'm not a (indiscernible) speaker. This is his first time on a stage at DEF CON.
>> It's very, very quiet, they're hunting newbs. How many glasses are you (inaudible)? Oh, why, thank you.
>> Who was here at the handcuff talk where goons raided the stage with ninja swords and piracy? And I think we handcuffed DeCode to a railing and Ray had to get him out of the cuffs. This is why -- people have to bitch that DEF CON's changing. It's BlackHat now. And BlackHat's RSA. This doesn't happen at BlackHat.
>> To our new speakers!
>> [Applause]
>> Thank you, fellas.
>> This is the final of the editions of Shot the Newb for this year. So I'd like to thank my Shot the Newb colleagues. You guys like this? Should we do it again next year? (Applause.)
>> Right on.
>> (Inaudible) your timing.
>> There's no talk after us.
We'll just keep talking and answering questions all night if
we want. If you want to see fun
crazy, award ceremonies are happening right now where other
people are speaking for us. So
yeah, we'll hang out until hotel throws us out of here if you
have crazy elevator questions.
Badge systems, kind of the key cards, right? People use those in a lot of buildings. There's a lot of attacks about key cards. That could be its own entire talk. Cloning credentials, fortunately, it's already been another talk. Mad STREK research years ago ‑ ‑ ‑ ‑ and educational where that look at mad STREK madness. Look at a lot of his proximity card stuff if you want to be into that cloning. Or be like us, turn off the card reader and use independent mode. In general, that's what pen testers do. If you're going to break into a building and leverage the elevators, what are you doing? We're optimizing his giant key ring and just using it for pen testing. His key ring's cool, but I sat around with Howard and I actually just took all of his keys ‑ ‑ here's your giant database and here's your list. I was like okay, screw lights and fans. I'm not going to turn off the lights or make out with someone. But I'm like, okay, give me independent service and floor cutouts, and then we spread all these keys out. Group these into how common they are. So we have collections of keys that are like: this is 70 percent of America. This is the other, like, 20 percent. This you'll basically never see. This, I wouldn't even buy. But I'm crazy so I did. So yeah, we grouped these up and if you are in the industry, maybe you speak to us later if you want some independent service keys and shit like that. Maybe you want some fire keys. You can fuck right off. Legal told us we could not give you those unless we have a special training which maybe we'll write some day. I promise we're going to do that at some point. But here,
you want an example, we have to show ‑ ‑ this is my favorite client story ever regarding use of key switches. There was a building, and in this building everyone went in through the front, and at the front there was a guard desk, they had to show credentials and they had to badge in, blah blah blah. There was an elevator system and it serviced the back entrance. They said okay, this door, you'd need a badge or something to get in. But no one really ‑ ‑ everyone just used it to park their car out back. And this elevator, even if you were in that lobby, that rear lobby, the elevator wouldn't go anywhere because you needed a badge. If you didn't have a badge, they said there's no reason to have a guard back here. No one could take this elevator somewhere else. If you seize control of this elevator and drive it somewhere they didn't expect and pop out on another floor ‑ ‑ the culture of this office environment was such that no one questioned us once we were in. And when he showed what you're about to see to the building owner, you'll love their reaction. It blew their mind. So here we are in the parking deck, he's carrying a camera and we got the security footage. The door's locked. Not very well. But now this elevator, we could call it, but we couldn't do anything with it unless we had our keys.
>> On, on.
>> Phase one, phase two.
>> Yeah, now, we did that a little fast. The elevator controller got a little mad at the order in which we did that.
>> Got very mad. We broke the elevator.
>> Yeah, we had to fuss with it for a while before we got it working again. But you know, we got upstairs, so there's that. And then there you are. You're upstairs, you're outside. And we showed this footage. The client was like, holy crap, how'd you get in? We trained in engineering. And we were like, I socialed your elevator, bro. And the response, literally: that can't happen. We were told that elevator can't go up.
>> (Laughing)
>> We're like, what'd you just say? It's an elevator. It has one job. Elevators go up. (Laughing). But yeah, yeah, you have keys; if you can take over the key switches, this is why it was such a big to‑do in New York when this gentleman on eBay ‑ ‑ most of these keys are old and dusted anyway, but this guy was selling keys and the New York Post wanted to make a sky-is-falling out of it. And getting a camera shoved in his face. Like oh my God, you're selling keys to the terrorists, and then they print a fucking article showing the keys. And we were like, no, we were told you can't copy those keys.
>> (Inaudible) all of those. Exactly. So but the, in general, yeah, these are like shitty bullshit bad versions of the photos. Here's a nice photo of that key. And you'll learn why it was not a security breach that this is the New York City key. This is like the one that got all the kerfuffle. It's called the 2642 key. It's a Yale. It's an unrestricted blank. Do you know why it's called that? The bitting code is 2642.
>> [Laughter]
>> And it's not really, because the first position isn't used. So yeah, like you saw this and filed it in an office blank and we were able to do that in New York and things. Now that's just one city. It's not like an entire three-state region would use another key. That's also an unrestricted blank. And that also has a really easy code to decode. We're just going to drop a lot of frickin' keys on you right now. We're going to get through these slides fast.
>> I'm going to take this slide because there's an amazing story behind this. I was buying keys to make my key ring as complete as possible. And I came across something very unusual. I was purchasing, sometimes, locks with a key. I found that was easier to do. Sometimes people would ask questions a little bit less. Ordering one key in general ‑ ‑ so I was sometimes just buying the lock with the key. So in one case, I bought a lock box. Like we're seeing right here. One of these little red lock boxes. And the key ‑ ‑ the cylinder on the front is operated by this exact key that you're seeing here. And I ordered another one, it was a state of Tennessee key. It was keyed to the state of Tennessee. Except it didn't come with the key. I looked at it and said it's just a flat key. And it's open. Right? So how old is this key?
>> Probably like a hundred years old.
>> This is made by a company called Gamewell that made those fire boxes that you pull on the street before everybody had telephones, and the firefighters would come and reset the boxes. Somebody somewhere said let's reuse the key. Here's the story. I called up the company who sold me the key box. I said wait a minute, you sold me one with the key and ‑ ‑ that's because you asked for the Tennessee box. They couldn't sell him ‑ ‑ if you called and said I need the Tennessee key, sorry, you're not authorized. I'm sorry, I had something crazy in my ear, I need the Gamewell Christmas tree key. No problem. How about if you live in Indiana, show of hands. Anybody? You have good gun laws. You don't have good fire service keys though ‑ ‑ tubular keys. We couldn't buy the key, we could pick the lock box that's sitting up here. After we picked it, we measured the bitting. Used a little hurdy-gurdy chop chop. We made a key. It's open. There's your frickin' Indiana key. Some states aren't using systems that are quite so unrestricted. Kentucky. How many people go to DerbyCon? I should see more hands. DerbyCon is a great event.
>> [Applause]
>> Kentucky. Their key boxes use a Medeco key. It's a classic, but it's a Medeco cam lock. You can buy that; you can't buy the key, just the cam lock. What can you do? You buy the box because it ships open. If you take the tail piece off, oh, a Medeco cam lock. The front slides out. What happens then? You peel off the top plate and have an extra one with you if you're doing it nefariously. There's Bob here, he's helping to get this thing apart. Holy crap. It's that easy. There's the pins, there's the springs, let's put them on a Medeco tray. Let's do some measurements. Let's compare that with what we know from our code books. Let's put it back together; under five minutes you put a new brass plate on the top. You're supposed to stamp that down with a stamp tool. The locksmith we got that from ‑ ‑ ‑ ‑ we had to stamp it down with this. We just pounded on it with a (indiscernible) for a while. But it's fine. And in the end, there's your frickin' Kentucky key.
>> [Applause]
>> But wait, there's more. Florida divides their state into zones. You can't buy the key, but you can buy the lock. Little bit more interesting, little bit harder to take apart. Not that hard. If you have a pinning tray, it's not a cam lock tray ‑ ‑ ‑ ‑ left, right, center. You can completely check your code books. Oh, what's this? The zone four key. What's this? It's the zone six key. So zone seven. You want all of Florida? Okay, seven keys instead of one. And also we bought the key from Louisiana and decoded it. And we ‑ ‑ ... and you can also buy ‑ ‑ we could do this all fucking day and we have all the goddamn state keys in all the states right now. (Applause.) So we're not saying these are bad locks, right? We're not (indiscernible) up here. We're not saying Medeco is the worst cylinder ever and you should, like, get a (indiscernible) 3D because you could try to take it apart, it'll explode in your face and you could never put it together again. No, we're saying you shouldn't think of your mechanical key systems as a single point of resistance. They're not going to provide you ironclad security. They can take it apart and measure the pins. Sure they fucking can.
>> Also, there's implementation. If you're with the Knox box type of system, it's implemented a little bit better. You can't buy the lock and take it apart. The fire department is authorized to purchase and possess the cylinder itself. But that doesn't mean the firefighters don't just lose these things in the hundreds ‑ ‑ like, really? Come on. That was over like two or three years too.
>> And I'm talking like one a day.
>> Now this is all, again, this is fire service operation. This is one of the most powerful modes. It's actually not as hard as you think to get the keys. No, we won't just give them to you. Maybe you'll, like, hack through my laptop and get the bittings I redacted on the slides. But ‑ ‑ ‑ ‑ there's what can you do in the hoistway; the answer is everything. What if you have a building that you ‑ ‑ you know the fire key in the lobby that we used ‑ ‑ if you're not in the lobby, what if you want to move around the building? Well, if you seized control of the elevator and you get on the car top, and I don't mean you because you shouldn't, you could do this. On the lower right you see where we are. The upper right is where we want to be. This is an elevator that is driving itself down the hoistway because we sent some calls down that way. If we want to, we can seize the car in a way that's completely out of standard. You're not supposed to do it. I've learned from Howard, there's three ways to do things. There's the right way, the wrong way and the elevator person way.
>> Which is like the wrong way faster, basically.
>> So here we are ‑ ‑ there's the car top, all right, we're on a mode ‑ ‑ we're not really going to talk about any of this right now. But if we take control of this elevator and we get onto the car top, my mom hated this video. She almost smacked me when she saw it. What are you doing? You shouldn't be there. You're an idiot. So once you're in the hoistway, you can drive this car anywhere. It literally doesn't matter if this is a fed facility, this one wasn't, but in the hoistway, your risk of life is so great that you have utter, absolute control. You can drive any direction. You can go to any other floor. What kind of security do you think the hoistway doors have on the other side? (Inaudible) Zero. There we are, thank you, good night. You can just send it down. So how do we do that?
>> You've seen that little hole, right?
>> Real quick disclaimer, there's another video, where we are completely out of control and almost crashed in the overhead. Down, down, down in the black and jumping down in the grease on the elevator car top. Sometimes things can be unpredictable. Sometimes out of your control. So if you see that hole in the door, that's called a (indiscernible) hole. That is the hole through which elevator personnel that will ‑ ‑ that will usually flip a flag that releases the door interlock. It does two things. It keeps the doors mechanically closed and it also electrically signals to the controller that the doors are closed. So when an elevator mechanic sticks his key in and turns it, it unlocks the door and sends a signal to the controller that the door is open: stop the cab. With that being said, there's a million different kinds of key, but there's a key for every door at the end of the day ‑ ‑ ‑ ‑ sometimes it doesn't have a hole; there are often ways of interacting with the interlock that you might not expect.
>> I know how uber this talk is, I really do. Unfortunately, you're trying to set up for final ceremonies, and this track has to end. Now I have a problem with, usually we shot the speakers, that's nice for them. But we have little tricks up our sleeves to lure the speakers off stage. So I brought with me some bait. Come on, come on, speakers.
>> I'm literally not going. Because it is not the top of the hour. We have seven minutes and we're going to use all seven minutes. (Applause.) (Indiscernible) really fast. You know, people used to stash drugs in hoistways because they could pop the hole. They made a lock for it. The lock was interesting, it would plug up the hole. The lock had a problem in the way it was assembled. The lock screwed together. So if the lock screws together and you can just unscrew the collar, you don't need the real key. What you can do is say that's the speedy key, that's the fast key. If you don't have that key, well, what if you had any other possible key ever? Yeah. Put a little torque on that. Push a little harder. Oh my, what happened there? Yeah, just unscrew the (indiscernible) lock. Pull it apart, whatever. Fine. Come talk to us ‑ ‑ there's so ‑ ‑ we're going to skip a few slides. We're going to show you some others. In the end, there are some really common guidelines we can give
you, right?
>> First thing, if you have an emergency phone in the elevator, that's answered by your security desk. This is a case where a guy got stuck in an elevator for over 48 hours because the phone didn't work. There ended up being a lawsuit. Test your alarm bell. Make sure it works too.
>> (Speaking simultaneously) The hoistway should never be accessible. No one should be in there and ride the fucking counterweight.
>> If anybody recognizes this photo, I'll buy you a drink at the bar. Your motor room should be self-closing, self-locking. This is not self-closing or self-locking and is being operated by a frickin' mall security guard who shouldn't be in there because it's dangerous. Only elevator people should be in there. Because you know these guys are elevator guys.
>> [Applause]
>> Know who your elevator staff is. They are not your maintenance crew. They are very nice, sir. Know who your people are that provide your maintenance vs. consulting. Know who your people are and what they're doing. If you have bullshit jobs and paperwork that's not being filled out, if you have collusion or inspections that don't make any sense, what is this? There are test tags. It's a permanently affixed tag that after, every year, every five years, there is a test performed, they fill it out indicating the elevator passed, hopefully, and it's left there so if somebody ever has to come in and take a look and say when the test was done and ‑ ‑ let us know that Otis performed the test, because that makes sense. Unless the guy's name was Otis. Elevator tests are important. Here's a final readiness test. (machine noise.) Yeah, and the client didn't, no, it's fine, right? To be fair, the elevator mechanic said there's no way this is going to work. And he made his supervisor come down; he was the one recording it. You want to run the test, you run the test, I'll record it. So yeah, follow all of your building procedures. How many times we've coasted in on "oh, I'm the elevator guy, I belong here." I have a shirt I bought which you can't anymore. You can no longer buy the uniforms we're wearing right now. Pretty much thanks (inaudible).
>> I believe they did.
>> So what do you do
now? If your elevators are maybe part of your security model and you're like, oh my God, what if people are going to attack the elevators because they're not actually doing what they think? There is a difference between your parts, oil and grease tech and a security consultant. There are people that do this. Not like a lot of them. He's kind of the only one we've ever met, but your elevator controller can actually do monitoring without installing a fucking Windows box in the motor room. Your elevator controller can open or close contacts if it gets flipped on independent mode or inspection mode or fire mode. You could be logging this with your access control system or alarm system. There are add-on boards, extra modules that you can use to make your system better. We're going to wrap it up in one minute with some final tips; they're useful if you're a jackass and get stuck. First tip, don't panic. You're not going to run out of air. There's a fan. And just in general, there's oxygen. So just relax. The second thing is, if you're on a red team, you don't want to use the emergency phone. But if the main lights in the cab are off, the power's out. There's nothing you can do. If the cab lights are still on, you might have a few options. Let's just run through a few scripts. They're going to tell you to hit door open. Would you believe that happens all the time? Someone's just sitting there. The cab is parked and they just don't think to hit door open. They might tell you to hit door close and then hit door open. This sometimes, when the door operator hadn't fully closed the doors, allows it to fully close and signal to the elevator that it's safe to run. Another option would be to make sure you can register a call to another floor. If you're sitting there and staring at it and it's stuck, you're stuck. But maybe you're stuck at a floor you don't have access to. Badge in, etc.
>> If you have a badge, make sure it's in before you're placing the call. Maybe you're an authorized user and your key switches.
>> Or e-mailed me and bought some keys.
>> You could try the key switches. I've been stuck in elevators where it didn't matter. And of course, the last thing is, keep in mind the number one cause of entrapments is that the doors have opened somewhere. It might not be where you are, but it might be. So I very hesitantly say this: you can kind of troubleshoot the doors in a safe way. Don't stick your hand in the gap between the doors. Just very gently put your palm on the door, see if it's jiggling and try to close them with the flat part of your hand somewhere square on the door. And if all else fails, call for help.
>> I'll help you.
>> Never, ever, ever try to leave through the top hatch. It doesn't lead you anywhere and it'll fuck other shit up. Never ever exit a mis-leveled car. If you have to jump, it's too far; stay in the elevator. It's the safest place to be; the elevator wants to keep you alive. We wanted to keep you alive. We hope you learned something today. Thank you for letting us talk at DEF CON. (Applause.)
Classic. I haven't looked at an elevator the same way since watching this.