Many operators use elevators to control access to particular floors, whether it be the penthouse at a hotel or a server room in an office building. However, the law requires them all to have a fire service mode, which gives emergency access to restricted floors, and a hacker can use that to bypass security altogether.
Buildings use a variety of ways to integrate elevators into their access control system (ACS). Generally, these fall into two broad categories: call stops and specific floor stops.
A call stop is used to prevent the elevator from picking you up in the first place by placing a key card system on the elevator call button. These are common for employee-specific elevators such as for maids, garage access for VIPs, and so on.
The second type will allow you to call the elevator but prevent you from going to specific floors by requiring some sort of keycard, badge scan, or physical key to press that floor's button. This is most commonly seen on the main elevator bank at large office buildings where they want people to be able to access services such as Starbucks and meeting rooms in the lobby and lower levels and restrict access to upper floors.
By law, all the elevators in a building must have something called a fire service mode, essentially, "god mode" for firefighters. This lets them control elevators in the event of emergencies by driving the elevator to any floor regardless of security settings, as well as dictating when the doors open and close.
It doesn't take much imagination to see how a hacker could potentially use fire service mode. Surely it must be incredibly difficult to put elevators in this emergency mode? Nope, it's as simple as having the fire service key and turning two locks. Let's take a closer look at these keys and see just how easy it is to get one or bypass them altogether.
If we want to know where to find a fire service key, first we must ask where the firefighter gets the fire service key. This can vary from jurisdiction to jurisdiction and state to state, but generally speaking, buildings either have a KnoxBox or the law dictates a certain key and bitting for an entire region.
KnoxBoxes, tiny lock boxes often placed outside for first responders, are used when the fire key is specific to that building. That will only be the case in older buildings with older elevators that haven't been recently updated. The vast majority will be keyed the same due to regulations on the state or federal level such as "ASME A17.1, Safety Code for Elevators and Escalators 2007," which created the FEO-K1 key on the federal level.
2.27.8 Switch Keys
The key switches required by 2.27.2 through 2.27.5 for all elevators in a building shall be operable by the same key. The keys shall be Group 3 Security (see 8.1). There shall be a key for each switch provided.
These keys shall be kept on the premises in a location readily accessible to firefighters and emergency personnel, but not where they are available to the public. This key shall be of a tubular, 7 pin, style 137 construction and shall have a bitting code of 6143521. The key shall be coded "FEOK1." The possession of the "FEO-K1" key shall be limited to elevator personnel, emergency personnel, and elevator equipment manufacturers.
Where provided, a lock box, including its lock and other components, shall conform to the requirements of UL 1037 (see Part 9).
These keys can be obtained online for as little as five dollars. This particular website does attempt to regulate it somewhat by requesting documents proving that you're in the elevator industry. However, social engineering could potentially circumvent that, or a hacker could find a less scrupulous seller in other places on the internet.
Don't forget that the contractors and installers must be able to get these locks in order to install them on the elevators so sometimes it can be easier to buy the lock, which just so happens to come with the keys, instead of just the keys themselves.
The FEO-K1 should be the most common key, particularly in newer buildings. However, it's also a good idea to Google around for the specific elevator laws in your area of operations. The 2012 NFPA-1 requires a new key standard, which not everyone has adopted yet.
Another example: There is the "2642" key for the city of New York, which is based on the unrestricted Yale Y1 key blank. This key caused quite the stir when people realized that a terrorist or hacker could use it. They're even kind enough to post pictures of the key. This makes it extremely easy to decode the bitting. If you couldn't guess it from the name, the bitting is "26420."
If a hacker can't just buy the key online, they already have the bitting from the law. This makes going to the local hardware store and having them make one a trivial task. On the off-chance that it's a restricted key blank, they can simply 3D print it.
The second, more versatile option is to learn some lock-picking. These locks are not designed for security — they're designed to keep kids from accidentally putting an elevator in fire service mode. That means that, oftentimes, even an amateur lock picker can successfully pick them, particularly the tubular ones like the FEO-K1. Tubular lock picks are incredibly easy to use — just push and twist.
However, this method is not ideal since it will be slower and more obvious, especially if you're new to lock-picking. It's far less suspicious-looking when a person walks up to a lock, puts the key in, and turns it, as opposed to huddling over the lock for 30 seconds to a minute.
The key option should always be the first choice. That might not be an option, though, for whatever reason, so invest in some good lockpicks and learn to use them. They'll be incredibly useful for more than just elevator hacking.
With the keys or lockpicks in hand, you're ready to start elevator hacking. The first thing to do is to put the elevator in what is called "phase 1." In an actual building fire, the elevators would enter phase 1 automatically when smoke or heat is detected.
Since there isn't actually a fire, we have to put the elevator in phase 1 manually. By activating phase 1, all of the elevators in the bank will return to the ground floor and open their doors. This is how you bypass any access control on actually calling the elevator.
Not all elevators return quietly or discreetly, which is the one main hindrance to using this technique. Some will make a loud buzzing sound as they return and open their doors, and none of the call buttons on any floor will work. This means that this tactic is best used on side elevators or when the elevator lobby is unoccupied, such as late at night.
On the ground floor, there will be a fire service mode lock just above the regular elevator call button. Put the key in or pick the lock and turn it to "On." All the elevators in the bank will return and enter phase 1. If you have an accomplice, this is a good job to give them. It can expedite the process, and they can take the elevators out of fire service mode once you reach your target floor.
With phase 1 enabled, it's time to give yourself god mode by enabling Phase 2. This puts the individual elevator in fire service mode, and this is how you bypass individual floor security lockouts.
Enter the elevator, and look for the fire service panel. This might be right above or below the regular floor selection buttons (as seen above) or behind a small door (as seen below). There, you'll find a lock just like the one in the lobby, so same as before, turn it to "On."
Now it's in phase 2 and thinks you're a firefighter, so it's going to go wherever you tell it to. The doors are not going to automatically open and close as they normally would. Here, on the ground floor, they will default to open, so press and hold the door close button until the doors are completely closed.
The safety edge, the thing that prevents the doors from closing on people, is now disabled because, in a real fire, the sensors can't tell the difference between people and smoke. If you release the door close button early, it will return to fully opened.
Now it's just a matter of selecting the floor you want to go to like you normally would in an elevator, but this time without the normal floor restrictions. To deselect a floor, press "Call Cancel."
Once you get there, you're going to have to open the doors manually by pressing and holding the "door open" button. If you release the button early, the doors will close. For firefighters, this is intended to let them check whether there's fire and close the door rapidly if there is. For hackers, this could be useful if there are unexpected people or security guards on the floor. They may not notice the elevator doors cracked open for a second.
Congratulations, you're on the secure floor now! If a second person activated phase 1, then the elevator can be taken out of phase 2, and the other person can disable phase 1 by turning the lock to "Bypass" or "Reset," and then "Off," returning all the elevators to normal operation.
You could then get the person still on the ground floor up to the secure floor by calling the elevator from the secure floor. Otherwise, if it's just you, then you want to return the elevator to normal service as quickly as possible before someone notices.
If your building is using elevators as part of its security, then you might be alarmed by this article, but there are simple solutions to patching this vulnerability — just not necessarily cheap ones.
You have to change the way you think of elevators. Think of them as stairways or holes on every floor. If you want a floor to be secure, then there should be a security door in the hallway or lobby just after you exit the elevator on that floor. There's no need to remove any access control systems already present on elevators, as they can still serve as a deterrent and will work against attackers unaware of fire service mode. However, they should never be the only security layer! Assume that an attacker can take it to any floor and plan accordingly.
Any elevator can be put in fire service mode, and it's an easy way to bypass any access control systems on it. However, many buildings either are unaware of or ignore this fact, leaving an obvious and exploitable weak link, and the law is not likely to change. This means that this will remain a vulnerability long into the future.
Thanks for reading! Have any questions? Ask me here or on Twitter @The_Hoid.