
Phreaking Elevators

Formal Metadata

Title
Phreaking Elevators
Title of Series
Number of Parts
335
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
This is a comprehensive dive into the current emergency phones with an in-depth look at the phones used in elevators. This talk will provide unique insight into a topic that hasn't been covered before: Elevator Phones. During this talk, I will discuss the commonality between elevator phone brands. I will cover a new, never-before-released set of default passwords these systems use. I will show a tool kit and how to use it to access elevator phones locally, as well as remotely. In addition, I will show how to reprogram a phone, how to make the elevator state its location, and how to alert the passenger that help is on the way. Finally, I will demonstrate some attacks, including how you can use elevator phones as listening devices to silently listen to conversations of people inside an elevator. I’m WillC, your elevator operator, let's go for a ride!
Transcript: English (auto-generated)
prepared a couple words just to make sure I, I got everything right here. Um, so, uh, Will's hacking addiction started back about 3 years ago-ish. Um, he somehow found out about a hacker camp on an island in Washington and decided to volunteer. Uh, with his neon sign
transformer and sewing machine pedal all packed, he headed off to camp and ended up having a jolly old time teaching people how to burn shit with high voltage. For some reason, he decided he needed more hacker con after that experience. And like any good addict, proceeded to volunteer and, and attend more than 20 cons a year since then? 25 last year. 25 last year.
So, I, if there's any records for attending hacker cons in a short period, uh, I think that Will probably tops that. Um, and so, uh, he's been known to occasionally abduct random con organizers and force them into playing elevator and rooftop cat and mouse with hotel security
at some of these events that he goes to. And occasionally hacks the said elevators, um, as you'll soon find out in this talk. He also knows a thing or two about hacking cars and other stuff. Um, anyway, without further ado, I give you the one and only Rockstar Hacker con addict extraordinaire, WillC. Thank you Hakari. Alright guys, welcome to Phreaking
Elevators. So, who am I? As Hakari's wonderful intro can attest, uh, I do high voltage projects. I'm also part of the car hacking village. Come stop by, hack on some
scooters with me. Uh, I did win the lifetime badge at CypherCon for their CTF. Infosec is a hobby. We might be looking for a job in it. Um, I'm new to the noob coin by pretending to know the prices of old Defcon badges. Alright, so let's jump
right in. First of all, a myth. I'm sorry to disappoint you guys, but you can't control an elevator through its phone system. I know, everyone's really bummed out now. Alright, if you want to learn how to hack elevator systems, there's these two awesome people, Deviant and Sergeant Howard. So, if you want to know more about elevators and elevator
systems, watch their talk from HOPE. It's two hours long. If you need a shorter version, watch the Defcon talk. The two hour long talk, they had three minutes in it of elevator phone systems. We're also going to be having more from Deviant later on in this talk. So,
some topics, we're going to be covering elevator phone basics. Who here has used an elevator phone? Wow, that's not a lot of people. Come on, I call these phones all the time. Alright, so we're going to be discussing some of the history. I'm going to teach all of you guys how to use elevator phones. Um, we're going to go over information
gathering, tools I like to use. You know, it's going to be a really fun talk. Legal disclaimer, I am not a lawyer. I don't even play one on TV. None of these talks that are recorded, uh, involve a live human talking on the other end, but it will get interesting and fun. Also, don't interfere with emergency communication systems. Uh,
they're in place for a reason. So, like I said, please don't hack things in the wild. Yeah, I, I want to stress a, a very good point here. Do not hack the elevators here,
please. Uh, I don't know if anyone's staying there. I mean, I don't want you to, I don't want to tell you where to hack. Alright, so let's get into the basics of elevator phone systems. It's that easy button. Here are some elevator phones. If you take a look, uh, one of
these is a freight elevator with a little swinging door there. It's not like ADA compliant anymore. All of these have something in common. It's pushing that little button. What that button's going to do is it's going to connect you out to a pre-programmed phone number. Here's some more photos. So, this is, uh, China and Japan. Take a look, you
can still see little phone logos. Um, you can see an actual handset just strapped to the wall there. That one was in China. I did not mess with any of the phones in China. I'm a little scared of it. So, I just took some photos. Here we see, um, some from Dubai and
New Zealand. Now, what's interesting about these, and I really wanted to touch on this for any international people. There's no elevator phone button. I don't know if everyone notices that there's just those emergency ring buttons. Those buttons, what they'll do is
they'll sound an alarm. That alarm is local to where you are. So, what ends up happening is that, oh there's Deviant. Uh, so what ends up happening is you have to hold that button in or press it like a number of times in and then it will place that call. So, it's just something to be aware of if you're brave enough to do this internationally. So, how do phones connect to the outside world? They have their POTS
lines, VoIP, cell phone. Uh, we're going to be really covering just the POTS phone system. It's the plain old telephone system. So, the device you use when the handset is
picked up, you'll notice that in a lot of older elevators. That's called a ring down system. We're going to be covering that in the history portion. Uh, the ADA and the ASME. So, those are the two things that cover inside elevators, what needs to be there, how it needs to be there. So, in our history here, elevator phones started in 68. We still
found, uh, rotary phones. Uh, just about every single photo in my slides are ones I found in the wild. So, this ring down system, you pick up that line, it automatically dials the number for you. Just something to be aware of. So, if you're just deciding that I want to
place a call, it doesn't really work like that. So, they got required in elevators in 70, 76 there. So, we see, this is a really good example of a ring down and we see a rotary phone. That rotary phone, again, another ring down phone. So, uh, we
when you're going to start hacking elevator phone systems, first thing you should always do is OSINT. You want to know who that phone dials to. Some phones will dial 911. They should not dial 911. Um, some phones will dial maintenance workers. They shouldn't dial
maintenance workers. But, if you're inside an elevator and you place a phone call at 2 in the morning, you're going to get a groggy guy that says like, what do you want? Who is this? And why do you need my number? Um, it's something to be aware of. So, if you're trying to get information for a building, you can use that phone system to acquire
other phone numbers. Building information. If you're trying to, to do social engineering, you want to know your building information. Phone system information, that's one of the most critical things. Phone number information is also rather critical. What ends up happening is you can find these phone numbers out on the internet. You can use Google. And you can just Google for elevator phone numbers. People have published
them. There is an elevator phone list published. So, here we see a certificate that's showing an elevator out of compliance. That's a perfect pretext for why you're there. Also,
there's a notice. Truck just roaming around, 1 in the morning. I took that blurry photo, uh, down in San Diego at ToorCon. Just something to be aware of, you know, who's servicing your elevators. Otis is one of the world's biggest companies. So, if you're going to be doing some social engineering, you want to know how you can pretend to be an
elevator tech. Say things like, hi, this is Deviant. I'm doing a test on the elevator phone system. I need to know the number I'm calling from. And they'll read you back the number. Then you forget to write it down properly. Then you ask again, can you repeat that number again for me? Cause sometimes I'll say it quite fast. Um, you want to be
remotely targeting companies. This is a little bit more difficult. So, when you're doing these social engineering attacks, you're inside that elevator. And that's the easiest way to get these numbers. You're inside, you push that button, you're pretending to be that
elevator tech. And then there's like, yeah, here you go. Here's the number. Enjoy. But, if you want to call a business, most businesses won't know what their elevator phone number is. They'll have to look it up. So, understand that, have a good pretext. Call centers, uh, that's the easiest way to get a number out. You can call into a call center, so knowing
where that elevator goes into, if they have a record of who their customers are. And then you can social engineer your way back from there. There's a lot of possibilities. Social engineering is a much, very valid attack method. I think it applies to just about everything we do here. So, let's get physical. How to control the elevator with
independent service mode and what to look for. So, let's say you decided, alright, I'm gonna hop in this elevator and I'm gonna place that phone call. You want to take control of this elevator. So, here we see some key switches. Those arrows point to the
independent service mode and how to activate it. Again, you shouldn't do this unless you've had proper training. Um, the, I believe the CORE Group actually offers elevator training. Flip a switch. I don't work there, you do. So, what ends up happening here is,
once you've flipped it into independent service mode, you have control when those call calls are placed. No one's gonna be able to get that elevator down to your floor. So, you drive it up to say the top floor. Now, all you have to worry about is who's in that floor area. You can hold that door close button, keep the door closed. Now, no one's
able to see you. Maybe they can hear you, maybe they can't. If they can hear you, go to a restricted floor. Inside the restricted floors. Now, the way I got this photo, I had complete com- permission to do this, don't worry. So, if you're in independent service
mode, you're actively going, say, from floor 20 down to floor 1. As you're passing by floors 11, 10 and 9, you take it out of independent service mode, cause those floors were still locked, even with that mode engaged. Now what you wanna do, you wanna
basically, as it's being taken out of independent service mode, it levels off at whatever the nearest floor is. And then it just stays there. Now, if someone calls it, it'll go to them. Otherwise, the door will be closed and you're like, uh oh, did I break this elevator? Press the door open button. Easiest way to escape an elevator,
press the door open button. If you're worried, you're stuck. And then, the door's open. And now you're on a restricted floor. So, you can flip it back into independent service mode, now it won't go anywhere. You can place those calls with ease and not have to worry. Some more things we should touch on though, there's other ways to get
it. You have an elevator intercom, there in a machine room. All the way to your right there, you'll see the um, the little patch down panel. We're gonna be showing you the tool. To be able to tap into that, use a butt set. Tap in, up and down on the lines. You
can dial a 1-800 number like 1-800-444-4444. Uh, pretty easy number to remember. It'll read you back the number you're dialing from. So, that's when you're using this tool. You can also tap into those phone lines, just listen in general to what's going on. Um,
multi-tools, the lineman's set, landline phones. I really enjoy landline phones. I don't know if you guys knew I like phones. Um, you can literally just plug a landline into an elevator, phone line, and it will work. It's a POTS line, it's a plain old telephone
system line. That's what's the beauty of this. There's, there's no real protections. There's, there's nothing going on besides that copper pair and then that phone. You wanna do some remote programming, or actually some local programming. What you'll need is those batteries. So, 9 volt AA. So, now let's, let's start getting into the, the programming
of elevator phones, right? Everyone wants to program an elevator phone? I got one right here. We're gonna be able to program this. Uh, come by the car hacking village. We can have a lot of fun with this. If anyone has my phone number, they can dial into this and start messing around. So, site ID. When you press a site ID, press number 2 on your
keypad, most of the time, once you've dialed in the elevator, you've got that phone number, you SE'd that, that call center staff. Now, you wanna know, ok, well what, what are they saying when there's an emergency? Just curiosity. Maybe they haven't programmed
it. Once you place that call, you press number 2, you'll hear a prompt of where you're dialing into. If, say someone has taken an elevator phone, connected it to a phone conference, and then they themselves have, have exited the conference, what do you do?
You're now having a phone conversation inside of an elevator with everyone else on this conference. This sounds hypothetical, it's definitely happened before. So, if this happens to you, press star pound, pound, star zero, zero. All these systems are unique, and we're gonna be getting into a little bit of how they're unique and what they apply to. They're also on PBXs and line concentrators. So, the PBX, the private
branch exchange, elevators can have their own. They can also be on, say this, the normal business or hotel line. So, just be aware of that. So, you're inside that
line, calling from 4356. That's it. Like, can you repeat that? 4356? Like, oh, that's not enough digits. You're on a PBX. You can also take the voltage of the line if it's
a really low voltage. That can sometimes show you older PBX equipment. There's some more fun phone things you can do in there. Line concentrators. Now, these are really unique to emergency phone systems. What ends up happening is, they don't actually think that multiples of these are gonna go off at the same time. So, easy way to
save money is, press the, you have all of these, these boxes, I think I literally have that box that's in that photo right here. You have all of these connected to one system, they end up dialing all out the same line. Now, you might be thinking, well, what happens when they're busy? You get a busy signal. You can only use it one at a
time. Inbound calls, they pick up with a double beep, and then you're pressing 1, 2, or 3 to enter into an elevator. So, you need to know, am I dealing with a line concentrator or not? And that's sometimes kind of difficult to know until you've actively dialed into the
system. Another easy way to do that, though, is if you've dialed the call center once, you go to the other side of the elevators. Push that button, see where that number's calling from. It's the same number, you're on a PBX or a line concentrator. Just good things to
understand. And when the power fails, it's a party. It's an active party line, I don't know if people are familiar with party lines, but everyone jumps on, and you're all connected together. It's a really good time. So, elevator intercoms. They're from the AAA. They're located outside the elevator, normally in the hallway, hoist way, machine
room. So, these are so that you can talk to them. This is a photo I took, just right there, like, next to the elevator. You can flip a switch, turn it on, push the button, and listen. We actually have a video. Hopefully, the quality is good. So, here we are. You see
these sometimes. You see, I've seen elevator intercoms, I've seen them in a motor room more than anything else. But what we're gonna do is we're gonna try, what happens if people are in the elevator, and you press this, and you don't say a word? So, let me get in here, and I'm just a guy in an elevator talking. I'm just talking.
Alright, let's give it up for Deviant. Thank you for letting me use that video. So, that's just something to be aware of. An easy way to be able to talk into that elevator, to listen into that elevator. I don't know, is anyone here familiar with the fireman
phone? Anyone? So, this is a system that I have really, oh, we got one person. That probably knows more than me about this. Um, I have not found a lot of information on these systems. I have talked to firefighters about them because I didn't know a lot of
information. The system looks for opens, uh, if it's open, if it's shorted, if there's ground faults, so if one of the lines is run to ground, they have two different styles of wiring. I'm not gonna be getting into it. I just wanted people to be aware that this is a phone system inside of an elevator. So, understand that if you're gonna plug into this, it
will sound an alert. It'll be at whatever their command center or like alarm panel. So, just understand that. These are the phones, it's a quarter inch plug. So, you plug in, you're talking. These are used by firefighters if the radios aren't gonna work inside that elevator. They're being used less and less. Um, you can also find them outside the
elevators. So, again, when you're, when you're going through, you can see them sometimes even in these hotels. Look for that little panel and that jack. So, line detection. When your
elevator phone is connected, now they're mandating that you have this device. This was taken out of the airport. That senses, is the line active? Is this, is this okay? Is this okay? But inside that checking, all it's gonna do is sound like a buzzer or a little
alarm. It's not, it's not actively going, uh, to call someone else cause that line is now defunct. Easy way to bypass it, cut the power to it. You can also buy the system itself, get the key for it. You can control the volume, you can reset the device, you
can say, hey, don't worry about if there's no phone line connected to that elevator for like 24 hours. And read the manual. So, now we're getting to like the little later half of my talk. RTFM. Reading that manual is the easiest way to hack an elevator. I, I literally just
walk around with elevator phone manuals. They're not that big. They're fun to read. I hope everyone, like, picks one up. So, who wants to, like, dial into an elevator and, like, listen to what goes on? There we go, someone. Wonderful. Hopefully everyone heard that.
So, what we had there, and I, I personally, I'm not a fan of recording other people. Uh, I did not want to record the conversations that can ensue from doing this. Um, so, after
you've heard that noise, you're inside the elevator. You'll hear a weird echo, and you can mute your phone. Just hit the mute, and now you can just listen to them. You listen to whoever's inside the elevator. You have a few problems with this. If you don't say
anything and they don't say anything, it'll time out. If they're saying things and you're just listening, like hearing what's going on, um, what ends up happening is there's a connection time limit. And again, it's all listed in your manual. If you want to reprogram
that connection time limit, you just go, oh, there it is. You set it to, like, 9, the max, it can go. Really 0 through 9 or 1 through 9 are your ranges for these systems. So, uh,
this is just another example of a different system that we dialed into. Instead of dropping straight into the elevator, you now have to hit 1 to be able to talk to those people. Hit 2 to be able to program, and star 0, disconnect. It just tells you, I did not prompt that
message at all. I don't know if you guys can notice a pattern here. So, again, different
phone system, different menu setup, just something to be aware of. I didn't take out the located app, I would have tried to beep it out or something like that. It just
didn't have it. When you start getting into this and you're dialing in the elevators, you're hitting number 2 to prompt that site ID, sometimes you won't get a site ID back. And that means that elevator's not up to code compliance, and that's a problem. Um, I have
not done this personally, but I've definitely been on calls where, like, a, a phone phreaking party line, and someone dials into an elevator, prompts a site ID back, and nothing happens, and they go, okay, well, let's, let's reprogram this and put in a site ID. I know where this building is, and we brought elevators up to code that way. I do not
encourage any of you to do this, that's hacking, and you need passwords to get into these systems anyway, so, good luck. So let's go, 4 ways to program an elevator. Keypad, switches, remotely, and programming cable. The programming cable's mainly with Rath
phones, I won't be getting into that, um, this, this whole topic can get delved into way deeper and heavier, um, if you wanna, like, dive into one phone versus another. This is really just that broad overview to get everyone here started in hacking elevators, or at
least looking at these systems, understanding them. So, if you're gonna use the keypad, these buttons don't work like you think they do. The way to deal with this kind of phone, you see that 9 volt connector right there, you look up your handy dandy manual, this is just
the printed out version, um, but there will be manuals online, so, I know GAL, Viking, a whole bunch of different elevator manufacturers have their manuals all online, free to download, PDFs, you're gonna be doing switches. So the interesting thing about switches is
that they, they all follow a common type. So one generally sees, and this is like across brands, to be that connect, disconnect, so what that means is that when you push that elevator phone button, you end up being able to place the call to connect it, you can also
press it again to disconnect it. So if someone's dialed into an elevator you're in, just press the button again if you don't want to talk to them, don't deal with that. Uh, position 3, learn mode or programming mode, so, for some reason they allow this to be engaged, when number 2 is on, allow incoming calls, this is how it's set up by default.
This, this is a brand new elevator phone, I have all 3 engaged, and I didn't flip a
brand new from the factory, we have the position 1 on, position 3 on, position 2 on, but you might be thinking well, they got passwords, alright, how can you get past the passwords, the passcodes, well there you go, here you go guys, uh, everyone should take a
picture of this. So, what I did was I read so many elevator phone manuals, it was crazy, uh, Viking looked like they had a really secure, like, default code, up until you
realize it spells Viking. Um, the TRE communications, I have no idea what's going on with their number, it's a 5 digit number, the only one I've ever seen, it's a very, like, odd system, the pound 9000, uh, I've seen that before, and the only text file I ever
read about elevator phones, cause I did a lot of research on this, there's not a lot of information on these elevator phone systems, which is why I wanted to give this talk in general. So, enjoy the default passwords, I, I see a trend with this 1 2 3 4 5 6 though, what happens if they reprogram the password? So, we break it down, here 1 2 3 4 5 and
1 2 3 4 5 6, most common, they also top the charts, um, this person did some really cool research on pin numbers and pig codes, and one of the most commonly ones that are used, we made a top 20 list, so let's say for example, we have a 4 pin code, you have a
26.83% chance of getting it, that drops right down if that default password does not work, so now 16.12%, it doesn't seem like a lot, but if you have a random, an absolute random code, you have a .02% chance of getting it right, so you've really increased your
chances just by using that default, or the most common top 20 lists. So, now that we have the phone number, we have the passwords, cause no one ever changes the password, no one.
Options, we have some really fun options. So, the phone number, we have some really fun options, the phone number, you dial out to, you put a few of these in, I believe this, this one here has the option for 5 different numbers, when you dial a number, if it's busy, if
that person doesn't answer, it then switches to the next number, and the next number. Your connection time, so the default connection time for most phones is about 3 minutes, after 3 minutes, you get a prompt that says, hey, would you like to stay connected? Press 3 to stay connected, and you get that every 30 seconds. Really difficult to
have a conversation with someone for more than 3 minutes. So, you go through your manual, you have to figure out where in that position you're going to be, so slot 1 is gonna be filled up with the phone number, slot 2 is gonna be your connection time, your
dial these numbers, so, connection time, hit 9, your pulse or tone, probably 1, for tone. Silence time out, so, figure out, you know, is it, after 30 seconds, and no one's speaking, it'll drop that call, set that to its maximum. You can go in, you go on and on
and on, there are so many options, there's no way to tell, I can't tell you to say, hey, dial into this phone, try all the default passwords, and then just keep hitting 9. Doesn't work like that, I am sorry, but, if you happen to know the phone, cause you push that button,
you got that phone number, you download that manual right off the internet, you can then reprogram it to whatever you want, you can call Rick Roll line. So, let's do some practical attacks, let's take a look at what's going on here. Denial of service, you can make sure that line no longer functions, no longer calls the correct number, you can
have it call you instead. So, if you plan on trapping someone inside of an elevator, I don't recommend that, you can have it call you, and then you can play some games with them. Uh, you can bypass line detection. So, turning the elevator into a covert listening device, you have some problems with this. Your LED will light up, it'll be blinking when it's
making that connection, it'll stay solid when you're connected, your connection time, as I was talking about earlier, and that weird, like, tone noise you heard, that's all gonna be playing and seen inside that elevator. Again, if you guys experience this, and you don't, you
don't wanna talk to whoever's on that other end, just hit that button, it'll hang up on them. So, you have an open phone line, you can exfiltrate data, I don't know, has anyone ever used a dial up modem before? Oh great, a few people, excellent. You can register services
like Google Voice, and now, dialing some numbers, who thinks this is the worst attack possible you can do? You can call other phone numbers from an elevator. Anyone? Alright, well, it is the worst, I think, and this is why. So, there's 60 elevators at a
university, I took out the university name because someone told me to. Each one of those elevators has their own phone line. A billing cycle, say 30 days, at 24 hours, 720 hours, times that by 60 minutes, 43,200 minutes, times that by the 60 elevators, you have like
2.5 million elevator minutes, I call them, times that by the 2.55 that you charge for dialing a 900 number. So, you set up your own 900 number, you have all these elevators, call it, you make 6.6 million dollars, right there. This is the only time I ever thought
about not giving this talk, cause like, man, I can be a millionaire? Yeah, um, I really think this is kind of crazy, cause there are still 900 numbers around, and if you were to be malicious, there's nothing stopping this. It's a POTS line, it's a plain old
telephone system line. Just understand that, that, that is a crazy thing, I've never heard of anyone even trying this kind of thing, so, I like to think it's, it's, it is entirely theoretical, I've never done it. So, are we all doomed? No, no we're not. So, look at
monitoring. So, why are we having an hour long phone call? Why are there, you know, 30 people calling into the same elevator every day? That's a problem. Alerting, like, if there's really an emergency, someone should deal with that emergency. All of these things, these are, these are supposed to be outliers, these are things that are like,
what, what in the world is going on here? Someone should investigate this stuff. No one ever does, cause no one ever ends up understanding and knowing that hey, someone is calling into the elevator, but before people get in, they've, you know, extended that connection time, they've made it so nothing's happening. No one ever looks at the
little button, and when you are looking, you can say hey, you pushed that button, and they'll tell you no I didn't, and you say yes you did, that's how I'm talking to you. It's a really interesting conversation you can have with someone, not saying I've definitely done this. So, if any manufacturers are out there, uh, props to Otis for
reaching out to me, uh, no default passwords, don't allow the most common top 20 PINs, like, we don't allow password as a password anymore, right? Why should we allow 123456? Like, that just seems crazy to me. Don't allow remote programming, um, I know
elevator technicians, and when they're reprogramming a phone, they're there on site, they're working on the elevator anyways, they've just installed that phone, they have access to it. I understand, like, especially you see here, for this one, there's no easy way to, to allow that remote programming, or to have that local programming, you need to
dial into it. I get that, I understand that, that's okay. After you're done, it should have to then be put back into a no programming mode. Some of the Viking systems, the newer ones, are doing that, the only issue is, is that you pushed that button again, and
they left it in a programming mode, it's gonna call the Viking center instead. It's, it's not gonna just not work. So you are gonna get someone eventually, like, it's crazy to me, you should have that understanding of what happens when, when these phones are left in two way programming mode. Understand that they shouldn't be able to be remotely
programmed. Train your call centers, understand that social engineering attacks happen, be aware, be ready for them. So let's go further. Uh, now that everyone doesn't want to take an elevator ever again. Go to pools, university campuses, meeting areas. So this is a photo I took in Seattle of a meeting area inside of a business, and I
asked the shop owner, like, why, why is this here? And he's like, well they made me put it in. You know, there's, there's building codes now that are mandating these emergency phones to be inside your businesses. So everything I just talked about
with the elevators relates right there to the wall, right onto the stairs, into walkways. So when you're walking around, start noticing, hey, why does that box on the wall say emergency and like there's a little button? Someone could just dial into that and listen to you as you walk along your path. Like I used to, I was on a campus, I could see
people walk down this bike lane, and all along the bike lane there's these little, little posts. And yeah, you could, you could listen in and write, like, to each post, just dial to the next one before they got there so you could listen to their conversation all along the walkway. And again, do not do this people. Please enjoy people's privacy. So,
just understand these systems are outside the elevator. If you want to learn more, these are some really good ones. Uh, resources, watch the TeleChallenge, Pit to
Penthouse, reading manuals man, just pick up any old manual. If you want to read this one, let me know, I'll be happy to give that to you. Um, CNET and Binrev, those are two really good resources, uh, to understand phone systems. Not a lot of people are familiar with them, but a lot of phone phreakers like to hang out there and discuss these
systems. Just starting to, to play around. You want to play at home? Here you go. $50 to $100, yeah, you know, slightly broken elevator phone. Uh, I have definitely gotten them in like a $50 range that work. So just be aware of that. New phones, they cost, you know, $100 to $300.
I have no idea why they cost so much. Like, you know, they're simple systems. Um, so, if you want to play around, one of you knows my shirt. Futel, they're a fun phone call. Uh, they're a non-profit phone company I'm an operator for. PLA, they put up some fun
systems. Phone sex, fun house, there's more. Um, just be aware. So, dialing into these, what you can do is you can hack the um, like PLA has a bunch of answering machines set up. Start playing around with these systems again. I, I feel like this community has
forgotten about phone phreaking as an active attack. And that's one of the reasons why I really wanted to get, get this talk out there to understand that these things are still happening today. So, thank you guys. Thank you all to my infosec friends. Plug, wire,
plug and wire goal really helped me out, um, making this talk. Uh, Sergeant Howard and Deviant were wonderful resources and the EFF is amazing. Please donate to them. Thank you guys. If you want to give me a call, there's my phone number. It is actually my phone number. It will call this phone. Uh, so if you want to copy that number, spread it
around, let anyone call me. It'll be in the Carnegie Village. You, this is set up with the default password. So, give me a call. Thank you guys.