Def Con 27: They’re in The Phreaking Elevators, Man!

Bradley Ramsey
Published in Supplyframe
Aug 26, 2019

Will Caruana’s Def Con 27 talk revealed a lot about elevators, their lack of security, and the things you can get up to by phreaking their phones.

This year’s Def Con was my first time attending the conference, and my first time in Vegas as well. Needless to say, it was a lot to take in. Once I figured out where to get my badge (which took longer than I’d like to admit), I set out to absorb and experience all that I could.

As part of this journey, I attended several talks over the course of the weekend, but the one that stood out the most for me was Will Caruana’s presentation on phreaking elevator phones. A unique concept to be sure, but as someone who finds elevators uncomfortable, it was also quite the eye-opening experience.

Elevators are More Hackable Than you Think

Right off the bat, Will busted a myth about elevators: you cannot control them through the phone. While the usual legal disclaimers were mentioned, a clever slide directly after earned a good laugh from the audience.

Elevator phone systems come in three forms: POTS, VoIP, and cellular, but the most common is the plain old telephone service (POTS). This system works by automatically dialing out when the phone is picked up or the button is pushed.

Will went into a little history, showing some images of older elevator phones, including rotary ones still in use. The practice began in 1968, but by 1976 all elevators were required to have them.

Before he dove into the specifics of phreaking the phones, Will also showcased how an elevator’s independent service mode could be used to access restricted floors.

The gist is that the elevator will travel to restricted floors while in this mode, and if you turn it back off between one and a normal floor, the elevator levels out and the open door button lets you get into these places that are used for storage.

To start the phreaking process, Will broke down the information we need to gather. Part of this is done through social engineering where the person using the phone pretends to be an elevator tech and gathers information from the business or call centers like the direct number of the phone in the elevator.

In most cases, the person on the other end of the phone is more than happy to give you the number, which allows you to do a lot more than you would think. Not only has the technology barely moved forward since its inception, but the security is pretty bare bones.

Now it Gets Interesting (or Terrifying based on Your Perspective)

Before we get into the specifics of elevator security (or lack thereof), it all starts with the intercom outside the elevator. As it turns out, you can activate these and listen in to the people riding the elevator.

So long as you’re quiet on the outside, they won’t have any idea you’re listening in on them. This is important because it’s not the only way to achieve this result.

Throughout all of this, Will reminds everyone of a golden rule: RTFM, which of course stands for “Read The F**king Manual.” These things are gold mines for information that really shouldn’t be so easily accessible.

In terms of programming, you have four options: keypad, switches, remotely, or with a programming cable. While Will explains the nuances of these methods, a majority of the information comes from, you guessed it, the manual.

Taking things one step further, a slide of his presentation provided the audience with a list of default passwords for a variety of manufacturers.

This wouldn’t normally be very useful if companies changed the passwords to something more secure, but the overwhelming majority don’t bother to change them, so a lot of these will work.

Once you have the number of the elevator’s phone, you can dial in and use these default passwords to reprogram how the system works. You can’t control the elevator directly, but you still have plenty of options:

  • Speak to the people inside the elevator
  • Change the call-out number so it calls someone besides the telephone service
  • Simply listen to people without them knowing

In certain cases, these elevators are in need of programming. Will recalled cases where the phone is programmed to call someone on the maintenance staff, which would make for a rude awakening depending on the time of day.
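Because these phones are meant to dial out to a monitoring service, both dial-in access and a changed call-out number show up in call records. The sketch below is an added example, not material from the talk or this article; the CDR column names, phone numbers and inventory sets are constructed assumptions.

```python
import csv
import io

# Constructed sample call detail records (CDR); the column names are
# hypothetical and will differ per PBX or carrier export.
SAMPLE_CDR = """\
timestamp,caller,callee,duration_s
2019-08-10T09:14:02,+12025550101,+12025550199,184
2019-08-10T23:41:37,+12025550143,+12025550101,312
2019-08-11T02:05:10,+12025550102,+12025550177,45
2019-08-11T08:30:00,+12025550199,+12025550102,60
"""

# Assumed inventory: the elevator phone lines, and the monitoring centre
# they are supposed to call (the only party expected to call them back).
ELEVATOR_LINES = {"+12025550101", "+12025550102"}
MONITORING = {"+12025550199"}


def find_suspicious_calls(cdr_text, elevator_lines, monitoring):
    """Return (timestamp, reason, other_party) for calls that break the
    expected pattern: elevator phones talk to the monitoring centre only."""
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        caller, callee = row["caller"], row["callee"]
        if callee in elevator_lines and caller not in monitoring:
            # Someone other than monitoring dialled the cab phone:
            # possible listening-in or remote reprogramming.
            findings.append((row["timestamp"], "unexpected-inbound", caller))
        elif caller in elevator_lines and callee not in monitoring:
            # The cab phone called a number other than monitoring:
            # the call-out number may have been changed.
            findings.append((row["timestamp"], "unexpected-callout", callee))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_calls(SAMPLE_CDR, ELEVATOR_LINES, MONITORING):
        print(*finding)
```
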

What’s The Takeaway Here?

Will’s talk on phreaking elevators was my first talk at my first Def Con, so it makes for a great start to my journey into the world of this massively popular annual event.

For elevators and their manufacturers, Will’s talk should be a major eye-opener. While there’s nothing inherently wrong with using POTS in elevators, the sheer lack of security needs to change.

According to Will, these same vulnerabilities apply to other call boxes as well, such as the ones in stairwells and pools. Will’s advice to manufacturers is to stop using the default passwords (which should have been obvious), and to not allow the 20 most common PINs.

Other steps include removing the option for remote programming and training call center employees to recognize social engineering. It shouldn’t be that easy for a stranger on the phone to obtain information.
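A building operator can apply the same advice as an audit of its own call boxes. The following is an added example, not code from the talk or from any manufacturer; the inventory records, field names and pattern rules are assumptions, and the denylist of common PINs is left for the caller to supply.

```python
import re

# Constructed inventory of call-box settings; the field names are
# hypothetical, not taken from any manufacturer's manual.
INVENTORY = [
    {"id": "lobby-car-1", "passcode": "1234", "factory_default": "1234",
     "remote_programming": True},
    {"id": "garage-car-2", "passcode": "7777", "factory_default": "0000",
     "remote_programming": False},
    {"id": "pool-callbox", "passcode": "580314", "factory_default": "1234",
     "remote_programming": False},
]

DIGITS_UP = "01234567890"      # ascending runs, including 8-9-0 wraparound
DIGITS_DOWN = DIGITS_UP[::-1]  # descending runs


def passcode_problems(passcode, factory_default, denylist=frozenset()):
    """List the reasons a programming passcode should be rejected."""
    problems = []
    if passcode == factory_default:
        problems.append("factory-default")
    if passcode in denylist:
        problems.append("denylisted")
    if len(set(passcode)) == 1:
        problems.append("single-repeated-digit")
    elif re.fullmatch(r"(\d\d)\1+", passcode):
        problems.append("repeated-pair")
    if len(passcode) >= 3 and (passcode in DIGITS_UP or passcode in DIGITS_DOWN):
        problems.append("sequential-run")
    return problems


def audit(inventory, denylist=frozenset()):
    """Map call-box id -> issues; boxes with no issues are omitted."""
    report = {}
    for box in inventory:
        issues = passcode_problems(box["passcode"], box["factory_default"], denylist)
        if box["remote_programming"]:
            issues.append("remote-programming-enabled")
        if issues:
            report[box["id"]] = issues
    return report


if __name__ == "__main__":
    for box_id, issues in audit(INVENTORY).items():
        print(box_id, ", ".join(issues))
```
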

Beyond these main takeaways, I reached out to Will to see if there was anything else he wanted to cover in his talk that didn’t make the cut. He told me he would have liked to add examples of programming steps from the manual.

Even without this element, his talk exposed a major security flaw with elevators all over the world. You can find the slides from his talk online if you want to dig deeper.

From my perspective, Will’s talk and my time at Def Con 27 as a whole showed me that what outsiders may think of as a culture of malicious hacking is actually a community of digital crusaders.

They hack because they care, but more than anything, they are the only ones holding people accountable for the flaws in both their hardware and their software.

It’s a noble pursuit, and one that deserves more credit than it receives from the mainstream world. Suffice to say, for those about to hack, I salute you.

Bradley Ramsey
Supplyframe

Technical Writer at Supplyframe. Lover of dogs and all things electronic.