Join us on Wednesday, June 3 at noon Pacific for the Physical Security Hack Chat with Deviant Ollam!
You can throw as many resources as possible into securing your systems — patch every vulnerability religiously, train all your users, monitor their traffic, eliminate every conceivable side-channel attack, or even totally air-gap your system — but it all amounts to exactly zero if somebody leaves a door propped open. Or if you’ve put a $5 padlock on a critical gate. Or if your RFID access control system is easily hacked. Ignore details like that and you’re just inviting trouble in.
Once the black-hats are on the inside, their job becomes orders of magnitude easier. Nothing beats hands-on access to a system when it comes to compromising it, and even if the attacker isn’t directly interfacing with your system, having him or her on the inside makes social engineering attacks that much simpler. System security starts with physical security, and physical security starts with understanding how to keep the doors locked.
To help us dig into that, Deviant Ollam will stop by the Hack Chat. Deviant works as a physical security consultant and he’s a fixture on the security con circuit and denizen of many lockpicking villages. He’s well-versed in what it takes to keep hardware safe from unauthorized visits or to keep it from disappearing entirely. From CCTV systems to elevator hacks to just about every possible way to defeat a locked door, Deviant has quite a bag of physical security tricks, and he’ll share his insights on keeping stuff safe in a dangerous world.
Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, June 3 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.
Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
We’ve all stared at that button in the elevator with the phone icon on it, supremely confident that if the cab came to a screeching halt while rocketing up to the 42nd floor, a simple button press would be your salvation. To be fair, that’s probably true. But the entire system is not nearly as robust as most people think.
Friday at DEF CON 27, [Will Caruana] took the stage to talk about phone phreaking on an elevator. The call buttons first appeared on elevators in 1968 as actual phone handsets, eventually becoming a mandated feature starting in 1976. Unfortunately, the technology they use hasn’t come all that far since. Phone modules on elevators did benefit when DTMF (touch tones) and voice menu systems rolled around. But for the most part, they are a plain old telephone service (POTS) frontend.
[Will] spends his spare time between floors pressing the call button and asking for the phone number. It’s the lowest bar of social engineering: he identifies himself as an elevator service technician and asks for the number he is calling from. His experience has been that the person at the other end of the phone will give out that number, no questions asked, nearly every time. What can you do with a phone number? Turns out quite a bit.
The keys to the castle are literally in the elevator phone user manuals. The devices, shipped by multiple manufacturers, come with a default password and [Will’s] experience has been that nobody changes them. This means that once you have the phone number, you can dial in and use the default password to reprogram how the system works. This will not let you directly control the elevator, but it will let you speak to the people inside, and even change the call-out number so that the next time that little button is pressed it calls you, and not the phone service it’s intended to dial. That is, if the system was even correctly set up in the first place. He mentioned that it’s not too hard to find elevators that don’t have their location set up in the system — if you do need help, it may be hard to figure out which elevator you’re actually in. There have also been instances where these call the 24-hour maintenance staff for the building, a bewildering experience for sleepy personnel who didn’t sign up for this.
Want to go beyond the call button and dig deeper into the secrets of pwning elevators? [Will] suggests watching the HOPE X talk from [Deviant Ollam] and [Howard Payne] called Elevator Hacking: From the Pit to the Penthouse.
The Amoreiras Tower, in Lisbon, Portugal, recently added a rooftop viewing area that is open to the public. The top of the tower is one of the highest spots in the city, and the viewing area gives an impressive 360º view of the surrounding area. However, the elevator to get to the top left a lot to be desired. It’s an interior elevator, and didn’t itself offer any view.
So, Artica, along with Schindler, were brought in to solve that problem. The solution was to mount displays on the interior of the elevator, in order to simulate a 360º panoramic view of the city outside. The video is synced up with the elevator, so the view changes as the elevator passengers move up and down between floors.
Artica, who was responsible for the concept, design, and electronics installation, accomplished this by first building a prototype in their office building. This was a full-size elevator replica with which they could test the design and get it ready for installation. They then partnered with Schindler to actually install the system in the elevator of the Amoreiras Tower, which necessitated almost completely rebuilding the elevator. As you can see in the video, the resulting view and accompanying music (definitely not elevator music) are fantastic, and it was even done in time for the public opening of the rooftop viewing area.
Like us, you may be wondering where the video footage came from. The scene moves in apparent parallax, so the video was obviously captured with continuous motion and isn’t a scrolling image. This is the work of a camera-toting drone.
The elevator at [Alex]’s office building has some quirks which make it very inconvenient to everyone in the building. The major problem was that the doors of the elevator at each floor stay locked until someone walks down the hall to hit a button. Obviously this was a hassle, so [Alex] built a controller that can remotely call and unlock the elevator. (Part 2 of the project is located on a separate page.)
The first step was to source the hardware and figure out exactly how the controls for the elevator worked. [Alex] decided to use an Electric Imp for this project, and after getting it connected to the Internet, he realized that he could power it directly off of the elevator’s 10V supply. From there, he used relays to interface the Electric Imp with the “elevator call” and “elevator unlock” buttons inside the elevator’s control panel.
Once the hardware side was completed, it was time to move on to the software side. [Alex] wrote a mobile app for a user interface that can be accessed from anywhere, and also wrote the code for the Electric Imp agent and the code that runs on the Electric Imp itself. Now, a simple tap of a button on a mobile device is enough to call the elevator or unlock it, where previously someone had to run down a hall to hit the button.
We hope there is some security on the mobile app, otherwise anyone in the world will be able to call the elevator and turn it into a passenger-less useless machine!
[Niklas Roy] calls it his Perpetual Energy Wasting Machine, but we know it for what it truly is: a building-sized most useless machine. You’ll remember that a most useless machine is a bobble that uses clever design to turn itself off once you have turned it on. This does the same thing with the elevator of the WRO Art Center in Wroclaw, Poland. The one difference is that it continually turns itself on and off.
He rigged up a pulley system that travels through the stairwell of the building. Whenever the elevator door on the top floor opens it causes the call button on the bottom floor to be pressed. The same thing happens when the elevator reaches the ground floor. But he didn’t stop there. Since the device is just wasting electricity whenever the elevator moves without passengers in it, he added a meter to track the loss. It’s the guts of a printing calculator strapped to the inside of the car. Every time the doors open it adds to the total.
You can see the installation in the video clip after the jump.
[Ben Peoples] works in theatrical electronics. Sounds like fun, and here’s an example of the kind of stuff he does. We’re not sure what event this installation was used for, but if the elevator ride needed something flashy just think of what the party room must have looked like. These HDTV screens on the ceiling of the elevator play different clips when the elevator is moving up or down. The challenge for [Ben] was to find a way to make it work without tapping into the elevator electronics or requiring any button presses.
The first attempt at sensing the elevator’s travel was done with an accelerometer. The problem with this approach is that an accelerometer only senses change in acceleration, and this method proved to be fairly error-prone. [Ben] switched over to a reflective sensor, which performed quite well. Since most of these sensors will only work within about an eighth of an inch, he ended up building his own with an LDR and a couple of amber LEDs.
[Michael Ruppe] was working one day when a man named [Kevin] approached him for a bit of help with a project. It just so happened that [Kevin] was in the middle of constructing a DIY residential elevator and he needed assistance putting a control board together.
[Kevin] had no problem casting a forklift ram into his basement slab, nor installing a submersible pump in a custom-made hydraulic pit, but wiring up the controls for the device was just not something he was comfortable with. [Michael] was more than happy to lend a hand, and over the next couple of months the pair got things running nicely.
Instead of relying on a microcontroller, [Michael] built a control board that uses little more than a handful of relays and microswitches to get the job done – it’s certainly not hard to appreciate the controller’s simplicity.
It’s stories like these that remind us just how much the hacker community is willing to help out complete strangers with any task, big or small – you guys rock!
Stick around to see a short demo video [Michael] shot, showing the elevator in action.