
How To Avoid Access Control Systems To Visit Locked Floors & Restricted Levels In Every Building «Null Byte :: WonderHowTo



Many building operators use elevators to control access to specific floors, be it the penthouse in a hotel or a server room in an office building. However, the law requires every elevator to have a fire service mode that allows access to restricted floors, and a hacker can use it to bypass that security.

Buildings integrate elevators into their access control system (ACS) in different ways. Generally, these fall into two broad categories: call stops and specific floor stops.

Call Stops

A call stop prevents the elevator from picking you up in the first place by placing a key card system on the elevator call button. These are common on staff-only elevators such as those used by housekeeping, on VIP garage access, and so on.

Specific Floor Stops

The second type allows you to call the elevator but prevents you from going to specific floors by requiring some kind of keycard, badge scan, or physical key before the button for that floor can be pushed. This is most commonly seen in large office buildings where the public is supposed to have access to services such as Starbucks and meeting rooms in the lobby and on the lower floors, while access to the upper floors is restricted.

Fire Service Mode

By law, all elevators in a building must have a so-called fire service mode, essentially "god mode" for firefighters. It lets them take control of an elevator in an emergency, sending it to any floor regardless of the security settings and dictating when the doors open and close.

A fire department training video shows fire department mode in action.

Abuse of Fire Mode

It does not take much imagination to see how a hacker could use fire service mode. Surely it must be incredibly difficult to put elevators into this emergency mode? No, it is as easy as having the firefighter key and turning two locks. Let's take a closer look at these keys and see how easy it is to get one or to do without one altogether.

Option 1: Get a firefighter key

If we want to know where to find a firefighter key, we first have to ask where the firefighter gets it. This may vary from jurisdiction to jurisdiction and from state to state, but in general, buildings either have a KnoxBox or the law dictates a particular key and bitting for an entire region.

KnoxBoxes, small lockboxes often placed outside a building for first responders, are used when the fire key is specific to that building. This will only be the case in older buildings with older elevators that have not recently been updated. The vast majority conform to federal and state regulations such as "ASME A17.1, Safety Code for Elevators and Escalators 2007", which created the FEO-K1 key at the federal level.

2.27.8 Key-operated switch

The key-operated switches required by 2.27.2 through 2.27.5 for all elevators in a building must be operable with the same key. The keys must be Group 3 Security (see 8.1). There must be a key for each switch provided.

These keys must be stored in a location that is easily accessible to firefighters and rescue workers, but not where they are available to the public. This key must have a tubular, 7-pin, style 137 design and must have a bitting code of 6143521. The key must be encoded with "FEOK1". The possession of the key "FEO-K1" is limited to elevator personnel, emergency personnel, and the manufacturers of elevator installations.

If provided, a lock case, including its lock and other components, must meet the requirements of UL 1037 (see Part 9).

These keys can be purchased online for only five dollars. This particular website tries to regulate sales by requesting documents proving that you are in the elevator industry. However, social engineering might get around this, or a hacker might find a less conscientious seller elsewhere on the Internet.

Do not forget that contractors and installers need to be able to get these locks to install the elevators, so it can sometimes be easier to buy the lock that comes with the keys, rather than just the keys themselves.

The FEO-K1 should be the most common key, however, especially in newer buildings. It's also a good idea to search Google for the specific elevator laws in your area of operation. The 2012 NFPA-1 requires a new key standard that not everyone has adopted yet.

As an example, the state of Arizona uses an AZFS key for all its firefighter modes, and this key can be bought online for less than $8.

Another example: there is the "2642" key for the city of New York, which is cut on the unrestricted Yale Y1 key blank. This key caused a stir when people realized that a terrorist or hacker could use it. They were even nice enough to post pictures of the key, which makes it extremely easy to decode the bitting. If you cannot guess from the name, the bitting is "26420".

If a hacker cannot simply buy the key online, they already have the bitting from the law itself. That makes getting one cut a trivial trip to the local hardware store. In the case of a restricted key blank, the blank can easily be 3D printed.

Option 2: Learn Lock-Picking

The second, more versatile option is to learn some lock-picking. These locks are not designed for security; they are designed to prevent children from accidentally putting an elevator into fire service mode. This means that even an amateur lock picker can often pick them successfully, especially the tubular ones like the FEO-K1. Tubular lock picks are incredibly easy to use: just push and turn.

However, this method is not ideal, as it is slower and more obvious, especially if you are new to lock-picking. It looks much less suspicious when a person walks up to a lock, inserts a key, and turns it than when they bend over the lock for 30 seconds to a minute.

The key option should always be your first choice. If, for whatever reason, that is not an option, invest in some good lockpicks and learn to use them. They will be incredibly useful for more than just picking elevator locks.

Step 1: Recall the Elevators

With the keys or lockpicks in hand, you can get started on the elevator. The first thing to do is to place the elevator in so-called "Phase 1". In an actual building fire, the elevators would automatically enter Phase 1 if smoke or heat is detected.

Since there is no fire, we have to put the elevator into Phase 1 manually. When Phase 1 is activated, all elevators in the bank return to the ground floor and open their doors. This bypasses any access control on actually calling the elevator.

Not all elevators return quietly or discreetly, which is the main obstacle to using this technique. Some emit a loud hum as they return and open their doors, and none of the call buttons on any floor will work. This means that this tactic is best used on side elevators or when the elevator is not busy, for example late at night.

Image by TJElevatorfan / YouTube

On the ground floor, just above the normal elevator call button, is the firefighter lock. Insert the key or pick the lock and set it to "On". All elevators in the bank return and enter Phase 1. If you have an accomplice, this is a good job to give them. It can speed up the process, and the elevators can be taken out of fire service mode as soon as you reach your destination floor.

Image by MiamiDadeFireRescue / YouTube

Step 2: Put One in Fire Mode

Once Phase 1 is activated, it's time to give yourself god mode by activating Phase 2. This puts the individual elevator into fire mode and bypasses the individual floor restrictions.

Image by Kristina DC Hoeppner / Flickr

Enter the elevator and look for the fire service panel. This may be just above or below the normal floor selection buttons (as shown above) or behind a small door (as shown below). There you will find a lock just like the one in the lobby; as before, switch it to "On".

Image by MiamiDadeFireRescue / YouTube

Now the elevator is in Phase 2 and thinks you're a firefighter, so it will go wherever you tell it to. The doors do not open and close automatically as they normally would. Here on the ground floor they will be open by default, so push and hold the door close button until the doors are completely closed.

The safety edge that prevents the doors from closing on people is now disabled, since in a real fire the sensors cannot tell the difference between people and smoke. If you release the door close button prematurely, the doors will fully open again.

Step 3: Go to the Secure Floor

Now all you have to do is select the floor you want the elevator to go to, but this time without the normal floor restrictions. To cancel the selection of a floor, press "Call Cancel".

Image by ElementElevators / YouTube

Once you arrive, you need to open the doors manually by pressing and holding the "door open" button. If you release the button early, the doors close. This is to allow firefighters to check whether there is a fire and to close the doors quickly if there is. For hackers, this could be useful if there are unexpected people or security staff. They may not notice the elevator doors opening for a second.

Step 4: Return Everything to Its Normal State

Congratulations, you are now on the secure floor! If a second person activated Phase 1, the elevator can be taken out of Phase 2, and the other person can deactivate Phase 1 by switching the lock to "Bypass" or "Reset" and then to "Off", returning all elevators to normal operation.

Image by MiamiDadeFireRescue / YouTube

The person upstairs on the secure floor can then call the elevator from that floor. Otherwise, if it is just you, you want to get the elevator back to normal service as soon as possible, before anyone notices.

How To Protect Your Building From Hackers

If your building uses elevators as part of its security, you might be alarmed by this article, but there are simple solutions to patch this vulnerability. They are just not necessarily cheap.

You must change the way you think about elevators. Think of them as stairs, or as holes in each floor. If you want a floor to be secure, there should be a security door in the hallway or lobby shortly after you leave the elevator on that floor. It is not necessary to remove existing access control systems in elevators, as these can still serve as a deterrent and work against attackers who are unfamiliar with fire service mode. But they should never be the only layer of security! Assume an attacker can get to every floor, and plan accordingly.

Every elevator can be put into fire mode, and it is an easy way to bypass all elevator access control systems. However, many building operators do not know or ignore this fact, leading to an obvious and exploitable vulnerability, and the law is unlikely to change. This means that this will remain a weak point in the future.

Thank you for reading! Do you have questions? Ask me here or on Twitter @The_Hoid.


Cover picture by Gideon Tsang / Flickr; screenshots by Hoid / Null Byte

