We’ve all stared at that button in the elevator with the phone icon on it, supremely confident that if the cab came to a screeching halt while rocketing up to the 42nd floor, a simple button press would be your salvation. To be fair, that’s probably true. But the entire system is not nearly as robust as most people think.
Friday at DEF CON 27, [Will Caruana] took the stage to talk about phone phreaking on an elevator. The call buttons first appeared on elevators in 1968 as actual phone handsets, eventually becoming a mandated feature starting in 1976. Unfortunately, the technology they use hasn’t come all that far since. Phone modules on elevators did benefit when DTMF (touch tones) and voice menu systems rolled around. But for the most part, they are a plain old telephone service (POTS) frontend.
[Will] spends his spare time between floors pressing the call button and asking for the phone number. It’s the lowest bar of social engineering, by identifying yourself as an elevator service technician and asking for the number he is calling from. His experience has been that the person at the other end of the phone will give you that number no questions asked nearly every time. What can you do with a phone number? Turns out quite a bit.
The keys to the castle are literally in the elevator phone user manuals. The devices, shipped by multiple manufacturers, come with a default password and [Will’s] experience has been that nobody changes them. This means that once you have the phone number, you can dial in and use the default password to reprogram how the system works. This will not let you directly control the elevator, but it will let you speak to the people inside, and even change the call-out number so that the next time that little button is pressed it calls you, and not the phone service it’s intended to dial. That is, if the system was even correctly set up in the first place. He mentioned that it’s not too hard to find elevators that don’t have their location set up in the system — if you do need help, it may be hard to figure out which elevator you’re actually in. There have also been instances where these call the 24-hour maintenance staff for the building, a bewildering experience for sleepy personnel who didn’t sign up for this.
Want to go beyond the call button and dig deeper into the secrets of pwning elevators? [Will] suggests watching the HOPE X talk from [Deviant Ollam] and [Howard Payne] called Elevator Hacking: From the Pit to the Penthouse.
As Internet security has evolved it has gotten easier to lock your systems down. Many products come out of the box pre-configured to include decent security practices, and most of the popular online services have wised up about encryption and password storage. That’s not to say that things are perfect, but as the computer systems get tougher to crack, the bad guys will focus more on the unpatchable system in the mix — the human element.
History Repeats Itself
Ever since the days of the ancient Greeks, and probably before that, social engineering has been one option to get around your enemy’s defences. We all know the old tale of Ulysses using a giant wooden horse to trick the Trojans into allowing a small army into the city of Troy. They left the horse outside the city walls after a failed five-year siege, and the Trojans brought it in. Once inside the city walls a small army climbed out in the dead of night and captured the city.
How different is it to leave a USB flash drive loaded with malware around a large company’s car park, waiting for human curiosity to take over and an employee to plug the device into a computer hooked up to the corporate network? Both the wooden horse and the USB drive trick have one thing in common, humans are not perfect and make decisions which can be irrational. Continue reading “Social Engineering Is On The Rise: Protect Yourself Now”
Remember when you used to have to dial into a Bulletin Board System to connect with others through computers? How about those fond memories of phone phreaking? If you find that the details are fading in your mind you’ll be happy to know that [Jason Scott] is making sure they’ll never be forgotten. And now he’s landed a new job that will make this mission even easier.
We’re most familiar with [Jason’s] film, BBS: The Documentary. This five-hour epic traverses the oft-forgotten world of the BBS. It pays attention to things like the formation of ASCII art groups, the elite control of the Sysop before the Internet decentralized access to information, and quirky technological limitations like what happened as FIDOnet ran out of addresses for new nodes.
In short, [Jason Scott] is a technological historian. He gives speeches, makes movies, and finds information stashes that history shouldn’t forget. He’s done this outside the tradition of finding a Professorship or Curator position for a major institution. Instead he asked for sabbatical funding through Kickstart, and now he’s found his way to a position that seems like it’s made just for him; Archivist for the Internet Archive. Go get ’em [Jason].
[Jason Scott] curated a nice collection of links related to [Phil Lapsley]’s work on phone phreaking. [Lapsley]’s book, The History of Phone Phreaking, will be released in 2009. Meanwhile phone phreak enthusiasts can peruse his site and bone up on some interesting material, including documents that revealed the inner workings of the telephone switchboard(PDF), and the Youth International Party Line (YIPL)/Technological American Party (TAP) FBI files(PDF), which is really intriguing for the various doodles and conversations that were documented. If you have some spare time, we definitely recommend sifting through it.