We’ve all stared at that button in the elevator with the phone icon on it, supremely confident that if the cab came to a screeching halt while rocketing up to the 42nd floor, a simple button press would be your salvation. To be fair, that’s probably true. But the entire system is not nearly as robust as most people think.
Friday at DEF CON 27, [Will Caruana] took the stage to talk about phone phreaking on an elevator. The call buttons first appeared on elevators in 1968 as actual phone handsets, eventually becoming a mandated feature starting in 1976. Unfortunately, the technology they use hasn’t come all that far since. Phone modules on elevators did benefit when DTMF (touch tones) and voice menu systems rolled around. But for the most part, they are a plain old telephone service (POTS) frontend.
[Will] spends his spare time between floors pressing the call button and asking for the phone number. It’s the lowest bar of social engineering, by identifying yourself as an elevator service technician and asking for the number he is calling from. His experience has been that the person at the other end of the phone will give you that number no questions asked nearly every time. What can you do with a phone number? Turns out quite a bit.
The keys to the castle are literally in the elevator phone user manuals. The devices, shipped by multiple manufacturers, come with a default password and [Will’s] experience has been that nobody changes them. This means that once you have the phone number, you can dial in and use the default password to reprogram how the system works. This will not let you directly control the elevator, but it will let you speak to the people inside, and even change the call-out number so that the next time that little button is pressed it calls you, and not the phone service it’s intended to dial. That is, if the system was even correctly set up in the first place. He mentioned that it’s not too hard to find elevators that don’t have their location set up in the system — if you do need help, it may be hard to figure out which elevator you’re actually in. There have also been instances where these call the 24-hour maintenance staff for the building, a bewildering experience for sleepy personnel who didn’t sign up for this.
Want to go beyond the call button and dig deeper into the secrets of pwning elevators? [Will] suggests watching the HOPE X talk from [Deviant Ollam] and [Howard Payne] called Elevator Hacking: From the Pit to the Penthouse.
Yesterday we published a first look at the hardware found on the DEF CON 27 badge. Sporting a magnetically coupled wireless communications scheme rather than an RF-based one, and an interesting way to attach the lanyard both caught my attention right away. But the gemstone faceplate and LED diffuser has its own incredible backstory you don’t want to miss.
This morning Joe Grand — badge maker for this year and many of the glory years of hardware badges up through DC18 — took the stage to share his story of conceptualizing, prototyping, and shepherding the manufacturing process for 28,500 badges. Imagine the pressure of delivering a delightful concept, on-time, and on budget… well, almost on budget. During the talk he spilled the beans on the quartz crystal hanging off the front side of every PCB.
Continue reading “DEF CON 27: The Badge Talk; Or That One Time Joe Grand Sourced 30,000 Gemstones” →
The first big surprise Vegas had in store for everyone is that the DEF CON badge is an electronic badge this year. It’s traditionally been the DC practice to alternate years between electronic and non-electronic badges. Last year we had a fantastic electronic badge designed by the ToyMakers, so I had expected something more passive like the vinyl LP badge from a few years ago. What a pleasant surprise to learn otherwise!
Second up on the surprise list is the badge maker himself. The design is a throwback to days of yore as Joe Grand steps up to the plate once again. Veterans know him as Kingpin, and his badge-making legacy runs deep. Let’s jump in and take a look.
Continue reading “First Look At DEF CON 27 Official Badge; Kingpin Is Back!” →
Nurse your hangover with the Hackaday and Tindie crews as we host the 5th Annual Breakfast at DEF CON.
Everyone knows the days at DEF CON are long, and the nights are longer. Whether you’re just rolling out of bed, or walking straight in from the previous night of partying, we want to see you and your hardware show-and-tell projects this Sunday morning at 10:30 AM in Paris Hotel, Las Vegas.
We’re congregating at Le Cafe Ile St. Louis in the front part of Paris. Just walk through the doors coming off of Las Vega Boulevard and it’s in the big open area. A nice touch is that you don’t need to have a DEF CON badge to get in on the Hackaday breakfast.
Regular Breakfast at DEF CON attendees will remember that last year we were squatting in a restaurant space which isn’t open for breakfast. Thankful we’ve secured a location this year and you can score coffee and a pastry on us. We would like to have an idea of how many people to expect so please drop us an RSVP.
The newest offering from the AND!XOR team is out and it delivered exactly what hardware badges were missing: light pipes. No joke, the DEF CON 27 edition AND!XOR badge will be most recognizable because of two arcs of light pipe material blinging RGB goodness in three dimensions. But if you can peel your eyes away from that oddity there’s a lot to love about the new design.
Continue reading “Hands-On: AND!XOR DEF CON 27 Badge Ditches Bender, Adopts Light Pipes” →