Exploiting Elevator Security Weaknesses - Deviant Ollam, The CORE Group

Thank you, Malo. So yeah, this is, this is the elevator hacking talk, and hopefully, even if some things are a little over your head in different topic areas, because we get some really heavy hitters here at Shakacon, everyone rides elevators, more or less, except Mouse, because she's super fit and always takes the stairs, makes me look bad. But elevators, this thing that everyone can kind of grok, like, every building in a big city you'll find them. You use them. A lot of people misuse them for trying to do security things with them. You try to do defender-y things and attackers be doing attacker-y things. Really, elevators are not part of your security model, so I'm going to dispel a bunch of myths and then hopefully give you some tips to, to do better.

So who talks about this stuff? Well, it's usually me and a buddy of mine named Howard. If you don't know me, I run a pen testing firm that does everything from training to on-site red teaming. Howard was a guy we picked up from the elevator industry, so, you know, he is a consultant and inspector. He is the guy who climbs around inside of elevator shafts, and he met me when he saw me giving a talk that I briefly touched on elevator stuff at HOPE one year. He's like, "Oh my god, no one in the industry talks about this stuff, so I'd love to work with you," and I'm thrilled to work with him, and this is the result.

You should understand, along with many things, when you start doing kinetic stuff with big machines, it can be dangerous. Elevators themselves are not that dangerous. Most elevators are monstrously safe. There are tons and tons of people who ride elevators every year; very often there's never an incident. The few incidents that there are, even the fatalities, tend to be people working on elevators. So as long as you're not a dummy, don't do things that will in a nut nut. There are certain failure modes that can occur. As you can see right here, this is a leg in between the door sill and the landing sill. Now, this leg was saved, but you don't want to be that
person. You also don't want to be the person who's like, "Well, I'm, I'm not some dumb ass like that, I'm smart, I can play with this stuff." Damage is still a bad time, because if you damage things on elevators or escalators you can wind up causing way more dollar signs and damage than you thought, and facing, let's say, a felony criminal mischief charge. So this, I don't know if we have sound on the laptop here, this is the famous escalator helicopter. Like, ha ha ha, you know, you're doing this at, like, your local mall or something. This is a guy who tried to do the L of the escalator helicopter and he did not do it well. Yeah, that was like 15,000 in damage, felony criminal mischief charge. Like, you're gonna have a bad time if you don't know what you're doing with this stuff. Leave it to the experts, please, and that's what I usually do. I mean, Howard, my expert guy, he's the one I send into the elevators first half the time when I don't know what I'm doing.

If you're not familiar with elevator systems, I'm going to give you a really quick primer. There are two variants of motive power for elevators. When you are in the cab, the actual cab that travels up and down, that, you, that enclosure doesn't have its own machine driving things. It's not like the cab is on a, you know, hoist that it itself is powering. You're either being driven up from below or being pulled from above. So you have overhead traction, that's, you know, cable and rope systems, or you have hydraulics, you have pistons pushing up from underneath. Now, whether you're talking about a piston-driven system or a rope system, the power is actually being, you know, driven from a motor room. You're not seeing that. You're interacting with the motor room, you're interacting with the system via the fixtures. We'll get to them, we'll talk about them in a bit. But that's, you know, the car itself has no power other than the electricity, you know, powering the lights. The power, the hoist, the thrust, all of that is coming from a room somewhere else, and that has a controller in
it. This is a typical elevator controller cabinet. Not a lot of, you know, advanced circuitry going on in there. We'll talk about that in greater detail. Am I, am I off? What's happening? OK, I don't know. This is the question, just the elevator Bluetooth? They're getting there, they're there. The industry is really in this weird space of "if it isn't broke, fix it," so you'll see a lot of bad ideas coming out of the elevator industry trying to modernize, and it needs to modernize in a lot of ways, believe me. But normally, when you are interacting with an elevator, you are interacting either with an overhead drum system or a pump in the basement, and you are talking remotely, you are talking to this controller, and the controller is doing all the logic. The controller is servicing demand based on what is called automatic mode, so it's collecting all the hall calls, it's dispatching based upon passenger use of the car operating panel. Normally you don't have to think very much about what's happening. You tell the elevator "I want to go somewhere" and it goes there.

Now again, that's automatic mode. There are a whole lot of special modes of operation that we can talk about. Now, for example, there's attendant service. Attendant service, which you don't see in many cities anymore, is when there's an actual person in the elevator, maybe in a super posh building. Attendant mode involves a few extra controls that are enabled, sometimes behind a hidden panel, sometimes they're right on the panel. But if you key into attendant mode you can do things like reverse direction. If you're on an elevator, you get on on the fifth floor, have you ever been trying to go to the lobby and then you're like, "Oh, oh shoot, this is going up, you know, I got to wait for it to go up to 7 and then back down"? In attendant mode you could flip direction. You can also bypass certain floors, you can ignore hall demand. Now, this isn't major for security implications, but it's just, you know, understand there are hidden features that will change the
priority and change the dispatch logic in an elevator. If you're in a building that doesn't hire a person to be an attendant but you want to give people special privileges, there are executive modes or VIP modes. This is just someone who is super important, it has a key. It's really funny: depending on how this is configured, some controllers and some actual elevator cabs, they will gong or they will voice, they'll be like, "Boo, this elevator is needed for priority service, please exit at the next landing," and it'll be good, you know, it'll, like, kick everyone out of the elevator, then serve the floor with the VIP, and then ignore all the hall demand again.

So there are a lot of different things you can do to make moving around the building more efficient. For example, why is this not more common, if you just own a building: do you understand there's something called load bypass? How many people have put too much stuff or people in an elevator and it, like, got angry, beeped, right? But how many times have you been in an elevator where you're trying to, like, get down from floor 25 and it's full, right, like it's literally full of you and everyone else in it, but it keeps platforming on? It's like, you're trying to check out and everyone's trying to check out and you just got to watch the door cycle. You're like, "Sorry, we're full." Elevators know how heavy they are. You can configure in the controller: if this elevator is at 70 to 80% of its weight load, stop trying to collect calls, just go to the freaking lobby and get people out of that cab. Why this isn't turned on more often is beyond me.

Anti-nuisance modes: you can, again, this is just basic management stuff in your building. If people are being a jerk and pressing all the buttons, you can dump out those calls. It also, you can base it around how often the scanner edge detects people getting on or off. So here's a bunch of us just hammering the panel, but you can only get a few floor calls in before it's like, come on, what are you guys, you're a bunch of hackers,
you're not really going these places, and it just dumps out. You can do this in a building to make your elevators more efficient. Your stock elevator config probably doesn't have this enabled.

Yeah, peak operation, again, same thing. Why, if everyone in your building is trying to come up from the ground floor in the morning, why are your elevators idling and parking at, like, high floors after they service demand? You can have them park down at the bottom, and likewise at the end of the day you can have your elevators park at the top floors because everyone's trying to get the hell down. Configuring all this is totally possible for simple, basic efficiency.

You can also configure a lot of interesting modes for safety. There's something called seismic mode. That is literally, if the building starts shaking, there are sensors, depending on what zone you live in, that will immediately stop the elevator at a nearby floor, announce "hey, get out, there's a problem," and tell people to leave the elevator in the case of emergency. Maybe you've seen, like, a little, you know, seismic sensor, a little, a little lamp, they're called jewels, on the car operating panel. That is a mode enabled in a lot of places like California. If you came here from the mainland, you probably have seismic mode in your elevators whether you realize it or not.

Now we're getting into some security stuff. Instead of, you know, seismic unrest, as Howard likes to make the joke, how about civil unrest? Riot mode is something that really expensive places, sometimes museums, will have enabled. Riot mode is, if there is a massive disturbance outside a building, you can kill ground-floor access, and only ground-floor access. The rest of the building can still service normal demand, but the elevator literally won't go to the lobby and won't collect calls from the lobby, but the rest of the building is just fine.

Have you ever been in a medical facility? Maybe you've seen code blue switches. Medical priority service, it's like that executive service but on steroids.
The idea is an elevator will immediately, the nearest elevator in the bank will stop and reverse direction, even if it's mid-floor, and kick everyone out and say, "Oh my god, someone, you know, we need to get this medical gurney in this elevator, go go go." And you're noticing a theme with some of these pictures: a lot of these special modes are triggered by key switches. We're going to keep coming back to that because it's going to become very interesting how they work.

Another thing in buildings, another thing also tied to security, Bob, medical buildings: you'll have code pink, which is baby theft mode. If the little baby, like, LoJack in the hospital, you know how modern hospitals, if you move a baby and you're not authorized to, a lot of happens in a hospital. Doors lock, PA announcements happen, elevators can lock down. They can refuse to go somewhere, or they can be flipped into something called a security recall, where either through an automated condition or through someone triggering it from a security office, an elevator can work like a mantrap. An elevator can deliver someone to a destination of your determination, like, let's say, the security floor where the guards are, like, right there, and then it'll either hold them in the cab and not open its doors, or it will force-cycle the doors so they can't, you know, hide in the cab.

All these are possible in most elevator controllers, but depending on the nature of the building the elevator's in, you may not ever see them. They should exist, though, and if you need to speak to someone about this, understand there are people, it's not your parts, oil and grease tech who knows this, but there are people in the industry who could do all this and more.

The big one for us as independent, as a, you know, saris pen testers, is independent service. Independent service mode, far and away the most useful thing you can use if you're trying to do and do something in a building with an elevator you shouldn't. What is independent service? It's like having local admin on that elevator.
It takes the elevator out of group operation, so it will ignore all the hall demand, and it gives you, depending on how it's configured, usually complete override authority on the entire panel. Sometimes it's a key switch, sometimes it's just a toggle switch. But imagine being able to, like, "Oh, this floor, like, oh, I can't go to this floor, it's locked out." Independent service usually will drive to that floor just fine, and when you get to that floor it's not going to open the doors, because again, it, until you tell it to open the doors, it'll just sit there.

I've used independent service to hide in buildings on pen tests. Like, I'll social engineer my way in, key switch, and you've got a bank of, like, eight elevators. No one is, you know, "Hey Frank, so funny, I've been going outside to smoke every two hours, have you noticed elevator six hasn't been responding to any hall demand today?" No one notices that. They just get on the first elevator that shows up, and, like, I'm hiding in an elevator for four hours, plugged into it, like, you know, like they have a little GFCI, and some of them, just plug my phone in. One time I rolled an office chair into an elevator. I was like, "Aw, it's broken, it's wobbly, I'll see you later, servicing this," and I just stayed in the elevator till 6:45, then drove it down to the lobby, let everyone else in from the team, then we went up to the top level.

The biggest override, however, is, not every elevator has independent service. Every elevator by code has fire service. Fire service is not something I'm encouraging you to just play with because you think you know how it works. You don't. Things can go pretty wrong. But fire service by code overrides almost every other element of the elevator's operation, and if you have floors that are locked out, if you have a badge reader in your elevator that you need to latch a call to another floor, all of that gets thrown out the window if the elevator is running on fire operation. So you could have, you know, big boss so-and-so who's like, no one should come up
to the C-level on this building, I, you know, after your badge and you code in, you punched it, buh bah bah. This guy doesn't care. Fire code states that in an emergency condition the firefighters do not have to mess around with credentials and badges and everything else. They don't have to mess around with which floors are cut on and cut out. Firefighters can drive an elevator anywhere they need to go.

Now, not every elevator is running on the same fire service config. This is where I get into, like, don't mess with this if you don't know what you're doing. Here you have two different elevators in the same building. One of them seems to have a key switch on the panel, the other one doesn't. If you turn slightly, you'll see this was a modernized retrofit and they had to throw on a key switch in the cab on a different side panel, on the side of the wainscoting here. There are different fire codes, there are different years that fire codes have been adopted, and every different jurisdiction enforces and adopts and chooses to roll out different codes at different times. They all should operate roughly the same way, but weirdness can ensue if you don't know what you're doing.

One other type of mode, and we won't talk too much about it: who could possibly be more important than a firefighter? If we're talking about, you know, firefighter operation overrides most elevator security, who's more important than the fire crew? Elevator people, of course. You know, elevator guys want to be able to do anything they want to do, and we'll talk about the hoistway a little bit. We'll talk about what's called hoistway inspection mode or hoistway access mode. Do not frig around in the hoistway. Like, it is not a safe place to be. There are plenty of people who do urban exploring and they say, oh man, it's so cool to, you know, like MIT's campus, this is, you know, I think at 50 stephensi, someone had to write "do not open this door, it will shut down elevator," because you should not be in the hoistway, you should not be in
the shaft. There are a lot of safety sensors in there, and if you trip them the elevator should just turn off. Doesn't always happen. There's also a lot of fancy run controls in the hoistway on the car top. You should not be using them. They exist, and I'm going to talk about them for security reasons, but just realize this is a weird industry. This is an industry where, if you're not in the industry, you might think something makes sense and it doesn't. Here is a shutdown key switch for the motor generator for this system. How do you think you shut down or turn on the elevator? You turn shutdown to on to shut down the elevator system. So that, you get a lot of this stuff in the industry. Be aware of that. Don't just start messing around with things because you bought a key on eBay.

Let's talk a little bit about trying to use an elevator for security, and stuff that you do tend to see, and then we're going to show you how it all doesn't work. So, disabling the hall call buttons: not being able to just, you know, get an elevator to show up when you want it to, either using key switches or lockouts at the hall stations. Here you have, you know, just an elevator that you would need to key it for up operation, down, up, where you can, this is weird hacky stuff, right, like, you can latch a call. I'm sure this was some weird bolt-on mod that's probably not even, you know, compliant, because how is a firefighter going to be able to call this elevator? This was in a school, and I wonder if I might have a video. In a little bit you're going to see the same school, you'll see what a kid figured out to be able to call this elevator.

Here is another elevator that, even though it has a, what looks like a button, it's not actually a button. You can't press it. The only way to latch this call, again, is to use your room key, and then all of a sudden, all the way, I just placed a hall call. Again, weird things that somebody probably modded on themselves, but you'll see people try to do that, to try to just disable your interaction with
the buttons. You'll see that on the car operating panel, you see floor, floor cutouts. Here's a bunch of floor call buttons, and here's a bunch of key switches next to them that can turn on or turn off floor access. Have you ever seen that? Many of you might not realize, this is not like a serial circuit where you are breaking the connection with that key switch, because what would happen, again, if a firefighter gets in that elevator, needs to go to four? They don't have to worry about, is this switch turned on or off. These are logic gates, these are logic conditions. So these key switches turning on or off are telling the controller "you're supposed to ignore this," and the controller still sees that input, and you can override these key switches either with independent mode or with fire service mode or other special modes.

Again, you've seen these in hotels, right? Card readers. You use, "I need my key card so I can get up to this floor, down to that floor." Plenty of buildings, either they will only check that it's a valid card for that building or they will check that it's valid within a certain date range. There's plenty of hotels where even if your key card is expired for your room, it'll still work in the elevator. I've seen that happen. It's bizarre, but it totally works.

This is probably the only way I've ever seen proper security of an elevator, and you can see there's, like, the hall call button, there's this big lock right next to it. Well, that's not locking out the hall call button. This is a giant cage in front of the elevator doors, and this is at a corrections facility. Now, it's funny that we, like, oh, look at that, as flow the hell is going on there. I really want you to think, though, of your elevators as though they are just a giant open stairway running through your building. Treat your elevators as though there is no security based on what person can go up or down one floor, two floors, or any floors, and you'll see why.

Let's go ahead and look at some of those lockout systems again and see how they
fail. Well, there was that one, you know, can't call the elevator because there's no real buttons, right? Well, here's the switch. Some kid went, oh my god, what did he just do? Let's, let's play that again, maybe with something this time. All right, so here we go. All right, whoa, what, what was that? OK, I get to class on time. Well, what this person did is they just broke the scanner edge. The, the elevator happened to be parked at that floor and they tricked the doors into thinking, all the doors have to bounce open. I'm not saying this will work all the time. I'm also not saying stick weird through an elevator's hallway, like, hoist doors when you don't know what's on the other side. But I'm just saying weird things will happen in elevator systems, and just because you think it's secure, it may not be.

By the way, that, you know, accessing high floors in, like, a nice posh building or something, a simp, this is, like, super low-budget hacking, right? The easiest way ever to get to the top floor if someone's having a party up there: just keep placing up calls and social engineer or tailgate your way up in a building. If you're placing and registering up demand, and every time you get in an elevator just try to go as high as you can, or tailgate behind someone. The elevator has got to be going higher than you if it opens for you. So if you get, if you're on seven, from a place an up call, just wait. Someone's going up beyond seven, you ride with them. Maybe they get you to 11. Place another up call. It's never going to, like, come up from the lobby and sit there and wait for you. If you're not, you know, there's usually someone in it. So over and over, this is just us at some, you know, con hotel trying to get up to the top floor, and none of us had Hilton gold status at the time. So it's, OK, let's place up demand. Now this is a car, this is the other thing: if an empty car does show up, just send it down to the lobby. So we sent that one down, and, oh, don't do that to doors ever, by the way. So we place another up call, place another
up, and we eventually just piggybacked our way up a few times, and I think the last stage of it, it's actually, like, a hotel employee just takes us up to the top floor because he was going up there with a luggage cart. There we go. So again, like, I'm not dropping crazy 0day on you with this one, but just because you think, "Oh, the party's on the top floor of the hotel, can't get up there," you totally can, just keep trying. It's like, you know, leapfrogging, you're tailgating in. And then I think we were showing this to the management at the company. We're like, oh, now you realize that we did, because they're cold man, we didn't realize that was so easy to get to the top floor, and we said, "Well, I mean, it's a little easier than that." Like, here you have the, the top floor with a nice bar and everything in it, but at the very end of this hallway, because it wouldn't be a physical security talk of mine if I didn't remind people to not do dumb things with their other doors, this door on each end of their building was horribly secured as well. See you later. See ya. Yeah, so, like, door fitment, little traveler hook, slipped latch attack, keep all that stuff in mind. You know, it wouldn't be a diva talk if I didn't talk about crazy things.

But all of these modes, all of these different trickery and different hidden modes: by the way, there are usually panels in the cab somewhere that you can pop open. Maybe they're locked, maybe they're just, you know, behind the wainscot and you might not realize that, but look for hidden panels in your elevators if you're interested in accessing a lot of this. Many times these are going to not just give you toggle switches, they're going to present you with key switches, and you think, "Oh my god, there's so many, like, there's keys here, keys there, which keys could you ever use?" And you'll often see this in the industry. This is called elevator graffiti, where various techs don't know, like, which key do I use for which things. You can see run stop is connais one, independent scone a four, hoist
away the light and fan is connais too. So, like, people are writing notes to themselves because they think, "Oh, there's just so many keys at every building, I never would remember which ones to use." Howard is a very interesting mind, my buddy Howard who works on the stuff with me, and in the industry. He does start noticing keys, and he does start thinking about keys, and he starts taking notes about keys, and then Howard started collecting keys. Now, that looks like a lot of keys, but that works that manufacturer default key switch in virtually every elevator you will ever find, because there's a lot of different brands of elevator and there's third market, you know, like, third-party fixture manufacturers that you can do modernization and retrofitting, but that's not, that's a finite list. These are basically every, this is really obscure stuff at the end, like praise the Lord and mad elevator and stuff, you're never going to see those. The big, the big four in elevators, plus maybe up go and innovation, that is almost every elevator you will ever see, and they all can be identified. Like, I do this to Howard all the time on jobs. I send him pictures, I'm like, "Dude, I'm totally going to get in this thing, which, which keys do I use?" He's like, you know, that, it's a square button, it's a little bit rounded, it's a Schindler, you know, this D views this key, use the L 204 key, this is ThyssenKrupp. These are brands that, you know, how often do you pay attention to this stuff when you get into your elevator? You can spot instantly, if you know what to look for, you can spot what brand the panel is, and you can know it's, like, one of two keys. Half the time it's one of one key, because it's all a default keying. And if you have the keys, which, you know, we do, you canyou tallit, you can usually just flip things open and run whatever you want in that elevator.

You might have said to this to me, I will get these questions sometimes, do they say, I've been in really cutting-edge systems, I've seen these, you know, there are no buttons,
like, it's just, it's, this is called destination dispatch. I've seen these in Hawaii, they're getting popular in modern hotels. Yeah, what's a firefighter going to do, stand there with a plastic keycard? No, a firefighter is going to drive to the floor they need to go to. There's always a hidden panel, there's always regular car operating panel demand somewhere in that elevator. You can find it.

But let's forget about the new systems, right? Please understand that this is an industry stuck in the past really hard. These are not, like, screenshots of old applications from history. These are modern versions that are shipping now of elevator management software. These are, what, who can identify this, which Windows version this is running under? Yeah, the bottom one is literally, like, partly running under Windows 95. But yeah, XP, virtual, if you find a computer running in an elevator machine room, it is running XP. This is the, you know, the control system, like, his is from, these are screenshots from manuals, right? Here is your default credential, right, because this is, this is important: you want your Lift-Net to be one two three, password four five six. But that's, this is the basic user password. They have an admin account. The admin account by default is always a b c d e f. This is rit, this is not a joke. And do you think, like, people are changing these default passwords? They are usually not.

This is literally the owner's manual for MCE, that make a certain type of elevator controller. It, it seriously says, in your linear router, create a new account for remote access called MCE support, please set that password to MCE support, by the way, find your router's admin account, go ahead and change the add to MCE support, just, just make it all MCE support so that we can always get in and remotely service things for you. This is great.

We'll talk about this a lot if you want to ask me questions about municipal code, because I said "by code," right? Your fire service has to be enabled in bypassing security by code. They
started pushing for a single fire key back in '07. It was going to be, it's not going to be, it is, it's called the FEO-K1, because they were like, "Oh, we can't have this brand to fire key and ThyssenKrupp and the Otis fire key, we need one fire key." So this big push for the FEO-K1, which is a very secure lock. It's a tubular lock, because no one has ever seen us picking tubular locks right over there in the lock pick village. Tubular locks are about 25 years old at this point. Now, if you think that's good enough, what else did they do? They put the direct bitting code of the FEO-K1 in the fire code. Like, that's a document you can download right now and read the PDF. It's there on the internet.

So what do we do as pen testers? Well, you've heard some of these stories, right? Usually it's us using the keys to do weird things. If you don't believe it, here are some fun examples. There was a secured building one time that they had, you know, you come in through the front desk and everyone was supposed to go by the front desk and get a badge in and sign in, et cetera, et cetera. They did have a back door. The back door, you weren't supposed to be able to get in easily. It was, like, their parking deck, right, and then there was an elevator, but you weren't supposed to be able to drive that elevator because you needed your badge, and no one ever expected that someone could go up the back of the building and, like, get in. But because of corporate culture in this building, if you were walking around upstairs and you had anything that looked like a badge, people are all, "They must have come in through the front desk, that's the only way," and no one questioned you.

This is what we showed the client. We going to have some volume again there? So this is the back door, the parking deck, that's locked, like, not well, but it was locked. And we actually, you know, we had to pull footage for them because they said, "This is impossible, you couldn't have come up that elevator." Now again, don't do this if you don't know what
you're doing. We had to coordinate our key switching, phase one, phase two, and you shouldn't do things that quickly and you shouldn't do it out of order, because the elevator got angry at us for doing this. But you can see the fire jewel is lit. This elevator, with no alarm, is on fire service right now. This elevator is overriding any security and we can drive it wherever you want. Upstairs, and sure enough, you know, you have to manually open the door, you have to treat, you have to do everything manually, you have to hold door open to operate it. There's reasons for that, you can ask me later. But when we showed this to the client they were flabbergasted. Their actual reaction was, "I wouldn't have believed that if I didn't see it myself. We were explicitly told this elevator doesn't go up." OK, say that again and listen to yourself saying that again.

Yeah, man, fire keys. Fire keys and other special keys, and there was a big kerfuffle about this a few years back. There was an article, in fact, in the New York Post where they put this, this lovely picture, and they said, the Post has been informed it's OK to show you these keys because no one could ever copy these keys if they only saw a picture of them in the New York Post. But this poor, like, retired locksmith was selling keys to collectors on eBay, and they dragged this guy over the coals. They said, "Oh my god, can you believe you're selling the, the New York key?" Which, by the way, here's a way better picture of the New York key, and it, like, this is funny. I mean, this is the key to every single elevator cab in the city of New York. Every elevator in the five boroughs is a 2642 key. It's a Yale, which is an unrestricted blank, and it's not a huge breach of security that I'm telling you what this key is, because the bitting code literally is 2 6 4 to 0, like, it's in the name. How did you not know that was the key? People crazier that the nut is like, let's talk about this key, the 3502 key. It is the entire key for Maine, my home state of New Jersey, New Hampshire
and Massachusetts again unrestricted blank not hard to decode this not hard to cut this these are keys that you're going to see more and more I'll just walk you through some states states have adopted a single key in some of their jurisdictions the Tennessee key Tennessee uses an old-style lever lockbox and the funny story thing the thing is this is called the Christmas tree key as you can tell by the shape of it right this is actually a repurposed old key Gamewell is a company that used to make these pull stations that would be around city streets they were they were like a wind-up drum that would actually bang out a signal if you if you broke the you know the crank and would call the fire to you would crank this back open it you would crank it to reset it with the Gamewell key now if you call up like Vader or Adams and you're like I would like to order the Tennessee key they'll be like you're not authorized get the F out of here but if you're like oh I need the Gamewell key they're like sure how many do you want we'll send those to you it's the same key and it's the freaking Tennessee key box let's get something like another tubular okay Indiana the state of Indiana has a standard key box because instead why why make all the elevators get retrofit when you can just bolt a little key box on the door next to the elevator Indiana's a tubular key you can't buy that key you can buy the box what does that mean that means you can pick the box then measure the cuts on your pick then use a little Hardy gertie or an HPC hand grinder and cut yourself a perfectly working Indiana key that works just fine every elevator and not just not just every elevator in Indiana you're going to see people put a lot of stuff in that key box that they shouldn't be putting in the key box there's the Indiana key Minnesota same idea Minnesota has a key box yes we were able to manipulate it yes we were able to pick it that's the Minnesota key let's talk about Kentucky Medeco key harder to 
work with right like Medeco is this real advanced lock if you you're here in the service or if you do any government work you've seen Medeco systems restricted keys you're not supposed to be able to get the blanks if you know what an Easy Entrie machine is you can cut the blanks but you're not picking this easily I mean maybe if John King were up here and he was doing a Medecoder attack he could try to pick it open but that doesn't you know picking a Medeco doesn't really get you anything because then it's just the lot the box is open but you still can't see inside the thing is though to mount this they ship it to you unlocked because you need to have unit of the holes in the back right well if anybody knows anything about cam locks you can take this lock apart and if you're really careful you can just dump those pins out then measure them then look at the cuts bang there's your Medeco key with your main bitting and the sidebar bitting oh and by the way Florida uses a Medeco key in different zones oh and of course we also decoded the Medeco m3 key this is zone 4 I think that's Orlando this no I'm sorry this is Orlando this is zone 6 this is Miami this is zone 7 all of these keys that people are relying on and saying no one could ever get this key it since oh my god it's the it's by code we have to adopt this very secure key they treat it like a single point of failure and guess what like failures here oh and by the way we also did Louisiana oh and by the way we also did Virginia oh and by the way these states all have adopted certain keys by code that you can order from suppliers or you can figure them out and cut your own this is not the right way to treat the security of your building I'm not saying this is a bad solution for fire and first responders you don't want them to be like trying to call somebody at the front desk to get an elevator key and run around like if the buildings on fire shit's got to get out like you've got to get people safe but don't think 
that your elevators are somehow magically amyot like no one could ever get our fire key I was told it's very restricted know what freaking isn't owned by the way what is how I do most y'all are on FEO-K1 most elevators I've seen in this area are FEO-K1 let's talk a little more about FEO-K1 and a bit because boy the ways you see it used very bad so these key sets I mean this is what I'll just pull some out and pass them around later like I brought my key set with me this is what we take on jobs with us and yes they're expensive and yes they're hard to source but it's not impossible right if someone has literally the keys to your building or to your elevator nothing in that elevator is stopping them very much from running around your space now where might they find these keys if they're not like us they're not ordering from the industry I have seen key boxes around places I should never see key boxes I have seen elevator motor rooms and other rooms where like what's this little thing on the wall oh it's a key box these key boxes not only are they usually easy to open because they're all like this little one right here you can order this one custom keyed or you can order it default keyed the lockbox system like you just ordered out of a catalog with the default key it's not hard to do inside these key boxes with like let's talk about the FEO-K1 because I love this example people there's a lot of hooks in there you never know how many Co which keys do you need technically it should just be one thing it should be the firefighters elevator key maybe the motor room key if they need to get in the motor room and help somebody who's entrapped right this is a situation where man like let's just watch okay here's an elevator and some people on a job are going to say ok there's a key box up here try the FEO-K1 key not sure what it is maybe it's gonna yeah look at that totally work with the FEO-K1 okay let's take some things out of there there's a lot of 
things in this box what's going on in there okay later on simple and easy breezy right let's get into the machine room and it's not just the elevator machine room this was I don't if you can see if that was a network or a stack that was their security system all their cameras but behind that was the machine room of course and in the machine room there was another box on the wall which was very easy to pick because again tubular locks just because some of the industry loves tubular locks they think they're the most secure modern thing ever they're not so we pop that open what's in there it's the drop key if we want to get into the hoistway doors we'll show you some exploits with that later but all of this all like here is your fire service key that we pulled out of that box here is the alarm panel key like do you want to just pop the alarm panel disable some how about your sprinkler lockouts the sprinkler valves like why is this key in there I understand it's related to fire but all of this stuff all of getting into all of this based on one key that you can buy literally on eBay the FEO-K1 you'll hear a lot of people in the elevator world think that it was the greatest thing that ever happened because it simplified the problem and a lot of people in the security world are begging anyone to listen especially if you're on the FEO-K1 standard and that's the most popular fire key it's what people are buying on eBay and right now like this this I don't whatever I'm just gonna say this girl Lauren she works for one of the biggest manufacturers of key switches in the industry she works for northeast elevator like she works one with his lock I'm sorry and they're just they have another company that we're not going to call them out and say their name because I don't want them to get more business they are hawking these keys to anyone who will buy them on eBay and on other side sites and the FEO-K1 far and away their best seller and what was it on eBay was 
it like 13 bucks 14 books SEP I'm sorry 7 8 dollars for the first one on top seller now if you think that's fine maybe you're just like from a place like in Europe where literally the fire key is behind glass in every elevator but I don't think that's fine you know I don't think that it's smart that one key not only gets you into the elevator but like that key box that had everything else in the building behind it you might not realize that how often are you like auditing this stuff in your building how often are you checking out what key boxes are holding what nobody checks this stuff nobody thinks about this stuff but the industry can tell you most buildings is very easy to get around places one other thing the industry could tell you and again do not do this in the hoistway itself the hoistway doors at every floor it's not easy to like open those if you're standing in the hallway right if you're on the inside if you're in the shaft do you think there's any security on those doors no this is us on one floor my mom hated this video this is us on a lower floor trying to go to a higher floor now we're not doing anything that's actually to code here with like this is not the right way to seize a car top and such but we are waiting for the elevator to pass us by happening to catch it in the hoistway because if you break the safety string circuit like by popping those doors which I'm not going to tell you how we did that by popping those doors the elevator stops the motor just stops running it sparks the elevator temporarily we are now do we have sound by the way we are now in the hand in the shaft ear so now this elevator which all have a light on top if you ever see that in movies it's you know not that dark in there if you have the light turned on they have a car top run box we can now take over this because if you are on top of the elevator you don't want it to do something you're not expecting so there are car top run controls and we are now able to drive this 
elevator anywhere in this building secured environment you shouldn't be able to move the elevator at all but from the car top there is no security there is by code and by design no security so let's go ahead and go up a few floors here all right coming by again and you should be able to see as we start to get out just all it is to pop these doors there's the interlock clack no log event no badge event no audit trail because the elevator was on inspection service you send it down and there we are in the next floor up crazy crazy stuff and by the way did I tell you not to do that because I'm telling you not to do that this is my don't do that face if you can get into the machine room itself a nefarious party someone who is accessing the controller directly you can completely change parameters you can change settings you can change lock outs change access hours you can sometimes just direct drive and say no this elevator goes to this floor now because I tell it to you can remake the universe so to speak from a machine room you can use what are called jumpers jumpers are just you know little alligator clips of wire that you can actually bridge certain interlock circuits this is how elevator tests are performed elevators every five years like your semiannual and your annuals the five-year test you literally crash an elevator down into its pit buffer to see if the pit buffer is working correctly and the elevators supposed to withstand that impact an elevator is never supposed to over speed it's never so the governor should stop it it should never hit go past its finals in the low landing how do you do that by literally jumpering out those contacts any semi-competent elevator tech if they're in the machine room can make an elevator do that with no difficulty do you think when the president like gets on an elevator he just walks onto an elevator no there are elevator techs and Secret Service in the motor room anytime the president is getting on an elevator because if 
somebody you know sticks their hand in the door or somebody tries to kill the powered I broke this something somebody pulls a door open like on another floor to stop the president's elevator from moving they can jumper out all of those safety interlocks just get that elevator where it needs to go immediately there was a famous case and you're about to see something some footage here an elevator that was jumpered incorrectly and it was able to move and leave the floor with the door still open so this was a hospital thank goodness it was a hospital where someone got hurt she survived because she was in an elevator that did that and she was pinned you know she was dragged a little bit in the hoistway that was at the Deborah Jordan case if you're from New York and that was all because of incorrect jumpering now is there a big leap from like incorrect jumpering to malicious jumpering I don't know but I bet you might consider putting a camera or a door sensor on your freaking motor room door very quickly if you want to just keep this in mind many elevators have phones what can you do with phones and phone lines you can do a lot of interesting things with phones and phone lines these are standard POTS lines these are regular plain you know silver satin copper just come in all the way through the traveller cable into the elevator cab if you can get to that phone line well I mean there's you know like high school 2600 style fun you can do the bigger implication is not dialing out on those phones but dialing in on those phones if you can figure out the phone number to an elevators emergency phone many times like why would that be posted I really have no idea but the thing is most elevator phones they are configured to on inbound calls to pick up silently at one ring and then just be you're just on the call so I mean you could be some kind of jerk and like I'm watching you I'm in the elevator like you could try to freak people out in an elevator but the bigger security 
implicit in flick implication and this has happened in DC I'm told when certain delegations are in town they monitor felt like why is there activity on that phone line that's an elevator phone the bigger thing is calling an elevator phone and not saying anything just listening people have interesting chatter and elevators because they think they're alone you may not be alone in an elevator because again by code your elevators should have a phone in it and if it's a modernised elevator it's a phone that anyone can call in on if they know the number and it'll just pick up silently and now you are on a call maybe without realizing you're on a call if you are a building owner building manager building anything with some juice in that building please understand there are really common violations that the industry is tired of seeing entrapments being high on the list if you have an elevator that is getting people stuck in it and it's stuck in all that happens sometimes and we just have to talk to them and then five minutes later the system resets that's wrong right like you get that that's wrong people show us on Twitter funny photos all the time of elevators that say things like sometimes elevator stalls out in between second and third floor wait five minutes I promise you everything is fine do not press alarm bell that's wrong that's like driving your car with you know the engine light on and you're like oh my god I only drove it that way for two months and all of a sudden the car blew up what happened while you had that engine light on minor is the warning sign before big stuff happens don't have complete hacky repairs like look at the halo around this fire switch that somebody took like red sharpie I guess just marked on off bypass that's a violation dumb violations are not something you're always going to get ticketed for immediately like by the way what's wrong here this is not a button this is a key switch because they didn't want someone going to the train 
platform all well and good except when a fire responder needs to get to that train platform what are they going to do you are not in trouble just because you've kind of done something stupid many times you'll get like come on you really got a good fix Joe it's not that you're worried about the municipal violation and the write-up worried about the incident when it happens because if an incident majorly happens and we are a litigious society if stuff was in violation in that cab someone's going to find it and you are going to pay for it if you don't have a proper emergency phone like we see emergency speaker like hope someone's at the desk shout that's not how it's supposed to work the alarm bell how many times is the alarm bell disabled in an elevator really common stuff the assaults which is we like to call it many modernised elevators do not have a toggle switch for the run/stop anymore because it's why people in elevators have flipped it and then being like hey give me your money hey I want your this I want your that and what's the other person who's now in the 'overall side of the panel gonna do if you saw that one video who was the the Raps it was it was it Kanye got in a fight with his girlfriend or something in an elevator who was it Ray Rice if you actually see that video what happened is they smacked the run stop button which was a push button they someone else I think the bodyguards trying to pull that button back out and the fights going on because the elevator stopped dead and in the hustle and bustle it's not easy to get it running again if it's a regular toggle switch modernize that the actual elevator code for motor rooms said the doors must be self closing self locking you know heavy-duty doors does this look self closing and self locking to you this is a chain pulled through the hole where the deadbolt used to be and you know does this look like a competent qualified elevator tech going to try to fix a broken elevator in a mall the elevator had 
shot had overshot its top landing it was on its final limits which and they basically were like hey security guard turn it off and on again so of course that didn't work but like what is this guy doing in there why does someone have a key to that master lock the the motor room is not a place that you should be sending any kind of employees if they don't belong in there I love this too like clearly someone didn't read enough time hatch access do not touch clearly someone touched do not touch like that why is this being written so much you are literally sending people in the room we don't belong in that room know who your contractor is have oversight of your mCP your maintenance control program like this is not a default document this is not a template right this is literally blank this was an incident that Howard was called to and they're like okay let's pull your em they didn't even try to fake it they just literally had just not been doing inspections not been doing maintenance nothing written up they got bang for that pretty hard this is another job like why does this motor room on a hydraulic elevator have two giant sacks of oil dry what's going on what's this let's pull the panel off look how much hydro oil this thing is spraying it's filled its hits hit the silk pad it's filled this up so much that the last inspection tag is literally soaked in hydro oil that should not be happening and if you have any sway in your building incorporate elevators into your into your routine checks know what's going on with your elevators know who's servicing them there's a lot of collusion that can happen in the wrong kind of place people saying work has been done and then if you actually check the tag likely this isn't a service tag performed by Otis unless the guy's name was Otis that's wrong who the hell did this test this was a roping like cable setup that was replaced after only a few year all your cables are going bad I got about $27,000 somebody got into was actually 
Howard he's shimmied into a sub-basement found the original test tag from the 70s and these cables had never been replaced and this building owner was just being slammed for money if you wind up red-tagged you are doing a lot wrong not just one or two little things wrong most elevator inspectors will try to work with you and its major things that are you work really liable for if you're getting things this bad in your system this is my favorite video of an elevator test this was a tech who didn't think it would work and he insisted on filming this final readiness test and you saw the entire motor generate just freakin pulled off its moorings so that's I mean that's the the hardware side of the house as far as back to security please follow your building procedures please badge people in correctly and verify their story I've pretended to be the elevator tech or the fire inspector in various places if your security guard is just an elevator you're doing security wrong now what do I mean by that well like look at this nice little thing it's a keypad and a contactless card and some biometric this is like three different factor authentication right what is it doing it's in an elevator it's in an elevator that has fire service mode there is the jewel lit up right there this was an FEO-K1 key where was this elevator and what was it trying to prevent people from doing this is in an airport this is literally going from the in secured area up to the sterile area up to the screened area now you could imagine a test case where someone's like look what I could do or you could imagine someone going on eBay spending $13 and being able to get anything they want from the ground level up to the sterile zone look around places look around your airports look around your buildings you're going to see key boxes where you didn't think you saw them before look in your elevators and look on your panels you're going to see key switches that you never noticed before there is a 
difference between your parts oil and grease tech and an elevator security consultant if you have real questions about this ask me ask Howard ask somebody because there's a lot in this industry that nobody's talking about very very quickly I know I'm right at the end I got like one minute to go there are ways to do things securely we get this question I want my elevator to be monitored but I don't on the internet you can do that right like you don't have to be using software like this there these are all just dry contacts these are all just basic loops of copper right there are add-on boards that you can taught you can plug in and alert your you and alert your building system you can alert your access control system just like if the server room door opened and there was no badge event associated with it why is this elevator going on independent service and there was no like is that it's 2:00 in the morning why is that happening you can do logging and monitoring without screwing things up and without being on the Internet it's not that hard you just have to speak to the right people very last couple of tips because even if you didn't listen to me before I want you to be safe if you are ever stuck in an elevator a don't panic it's not going to kill you you're not gonna run out of air are the main lights off the power is probably out the e lights on then you know wait if the main lights are on press door open sometimes that'll just pop the doors open if it's not running press door close and then press door open again plus police calls to other floors if it's a weird badging glitch or something try the lobby because usually the lobbies not locked out make sure you're badged in with your hotel key car to your employee badge try again sometimes it timed out weird if you have keys you know use the key switches if you're authorized last thing be very careful verify the doors are closed with the flat of your hand not don't grab into the gap try to verify the door interlock 
is fully shut and then try all these steps again if nothing worked then you call for help what do you never do you never go Hollywood out the top hatch there's nothing up there that you need to be messing with it's just going to make things harder because then if you pop the top hatch the safety strings broken and then the elevator won't run again when somebody comes to fix it don't exit a miss leveled car if you have to jump that is too far we have literally seen building owners been like oh yeah does that sometimes here I'll let you down no tell them to eff off say get the police here like look this is a this is a janitor helping people out of a car that's halfway between floors I would stand to the guy and is given the finger but like nope I'm comfy get the cops and write it up wait for it proper responders to show up the safest place to be is in the cab itself if something is wrong and then you write it up you ticket it and you make sure that someone in this building tries to pay attention to something and hopefully in the end we all wind up a little more safe and a little more secure and I went over by a minute but I thank you very much thank you for listening I don't know if there's no questions or okay I do can oh all right I can do a couple questions or everyone just wants lunch the pair oh there's not a hand in the back the question was is it really true that you can use sim tower to tell how many elevators are needed that is actually a fun fact that was in the longer version of this and we talked about it at Hope sim tower was not originally a game by Maxis it was an elevator simulator like it was a simulating software written I think in Japan and then Maxis like bought it so yeah I mean Howard he has the original before they you know were taken from us he has the original Twin Towers like Mott he mocked it all up in sim tower with the actual elevators running and maybe he even tuned it to be more efficient any other questions as anyone noticed you know 
some some things in an elevator that they you may be seen that you don't talk about how many people maybe want to take a better look at your elevator now how many people wish you had some elevator Keys yeah legal told us we can't sell them unless you've been in a one day safety training so no question right here yes very good question and I like you that you saw is it illegal to you will even extend it is it illegal to buy sell use possess elevator keys is the answer so most for the most part no they are not treated as like a restricted device under the law but most elevator fire code states keys shall only be possessed by an authorized party and many municipalities have adopted code by statute saying the latest revision of fire code shall now be law violation is a violation of blah now the most fire code I've ever seen always uses vague terms like authorized party they don't say fire fighter they don't say emerge response personnel they just say authorized party if you are like on a fully scoped documented pen test I would consider that to be you're an authorized party if you said I'm going to be interacting with your elevators because that's what you're paying me to do among other things you are authorized in the sense of that building now did the building owner give you authorization or just like a leasing client gave you authorization gray area talk to legal but yeah for the most part like you're not committing a crime probably selling those keys on eBay other than a local misdemeanor like up some municipal violation but yes if you are just banging around with elevator keys where you shouldn't be using them it's probably I'm not a lawyer it's probably very akin to any kind of be any or attempted trespass things like that any other questions over here sir yes thank you mm-hmm mm-hmm so the question is is a presentation like this likely to be knowledge already possessed by people who do high detail PPD work personal protection Secret Service my bet is that your 
government site like Secret Service is kind of you know your top tier big bicep Bills Rapstar protection services like your low tier probably your top tier people yes I mean obviously Secret Service there are there people in the industry who've met them when they've been putting on jobs like your and your in the motor room with me today your basic personal protection type bodyguard type people no they probably just presume they think they see the rooms from the choke points and you know exit vectors so they look an elevator is just never wise if you're worried about somebody you know coming in like just stabbing you because you wrote a book or something I guess but I don't think that a lot of people are talking about exploiting but god that was really racist to me sorry um then I don't think people are like talking about exploiting the special modes of operation yeah I don't think this is the kind of content that gets talked about enough which is you know why I'm super thrilled that you were gracious enough to listen to me throw a lot of different things at you all at once yes anything else was there no there was no hand that was just somebody yelling at me for being rude anyone else all right I guess that's that I guess you're having lunch
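The monitoring approach described near the end of the talk (dry contacts feeding the building system, then asking why a car went on independent service at 2:00 in the morning with no badge event) can be sketched as a correlation rule. This is an added example, not material from the talk; the signal names, source names, locations and sample events are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Which independent record can explain each monitored contact closing.
# Signal and source names are hypothetical labels for this example.
EXPLAINED_BY = {
    "FIRE_SERVICE": {"fire_alarm_panel", "tech_badge"},
    "INDEPENDENT_SERVICE": {"tech_badge", "staff_badge"},
    "INSPECTION_SERVICE": {"tech_badge"},
    "MACHINE_ROOM_DOOR": {"tech_badge"},
    "KEY_BOX_OPEN": {"fire_alarm_panel", "tech_badge"},
}

@dataclass(frozen=True)
class ContactEvent:
    ts: datetime
    location: str   # car id or room the contact is wired to
    signal: str
    active: bool    # True = contact closed / mode entered

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source: str     # e.g. badge reader class or fire alarm panel
    location: str   # car or room, or "*" for building-wide

@dataclass(frozen=True)
class Alert:
    ts: datetime
    location: str
    signal: str
    severity: str
    reason: str

def find_unexplained(contacts, auths, window=timedelta(minutes=10),
                     day_hours=(6, 20)):
    """Return an Alert for every special-mode activation that has no
    acceptable authorization record in the preceding `window`."""
    alerts = []
    for ev in sorted(contacts, key=lambda e: e.ts):
        if not ev.active or ev.signal not in EXPLAINED_BY:
            continue  # ignore mode exits and unmonitored signals
        explained = any(
            a.source in EXPLAINED_BY[ev.signal]
            and a.location in (ev.location, "*")
            and timedelta(0) <= ev.ts - a.ts <= window
            for a in auths
        )
        if explained:
            continue
        off_hours = not (day_hours[0] <= ev.ts.hour < day_hours[1])
        alerts.append(Alert(
            ev.ts, ev.location, ev.signal,
            "high" if off_hours else "medium",
            "no matching authorization within %d min"
            % (window.total_seconds() // 60),
        ))
    return alerts

def sample_events():
    """Constructed sample data: one day of contact and authorization events."""
    d = lambda h, m: datetime(2015, 9, 22, h, m)
    contacts = [
        ContactEvent(d(2, 3), "E2", "INDEPENDENT_SERVICE", True),   # 2 a.m., nobody badged
        ContactEvent(d(10, 15), "E1", "INSPECTION_SERVICE", True),  # tech badged at 10:10
        ContactEvent(d(10, 40), "E1", "INSPECTION_SERVICE", False), # mode exit, ignored
        ContactEvent(d(14, 0), "E3", "FIRE_SERVICE", True),         # real alarm at 13:59
        ContactEvent(d(15, 30), "MR1", "MACHINE_ROOM_DOOR", True),  # door opened, no badge
        ContactEvent(d(15, 31), "E1", "INSPECTION_SERVICE", True),  # morning badge is stale
    ]
    auths = [
        AuthEvent(d(10, 10), "tech_badge", "E1"),
        AuthEvent(d(13, 59), "fire_alarm_panel", "*"),
    ]
    return contacts, auths

if __name__ == "__main__":
    for alert in find_unexplained(*sample_events()):
        print(alert.ts.isoformat(), alert.location, alert.signal,
              alert.severity, alert.reason)
```

The rule needs no network connection to the elevator controller: it only consumes contact closures and the access-control log, which matches the "monitored but not on the Internet" requirement raised in the talk.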
Info
Channel: Shakacon LLC
Views: 143,095
Rating: 4.5515308 out of 5
Id: JBERTNSuZR8
Length: 58min 18sec (3498 seconds)
Published: Tue Sep 22 2015