Doors Open to Phreaking Elevators: Lessons from DefCon 27
Written by: Carmen Silva, Analyst Team Manager
Phreaking is a slang term for hacking into secure telecommunication networks or using a computer or other device to trick a phone system. The term phreaking originally referred to exploring and exploiting the phone networks by mimicking dialing tones to trigger the automatic switches using whistles or custom blue boxes designed for that purpose. Phreaking has become synonymous with hacking now that networks have gone cellular and cracking them requires more clearly illegal methods.
A Little History
Telephones are available in all elevators in case of emergency and are typically installed during construction or renovation. Generally, the telephone is provided by the elevator manufacturer, although some companies can assist in the selection of instruments. Installation of the “jack” for elevator service requires collaboration with the elevator installation crew. Because the elevator rides up and down within a shaft, there is special wiring required to accommodate this movement. Elevator telephones are emergency devices and generally do not have keypads. They are programmed within the telephone switch to automatically be connected to a pre-determined telephone number – usually at a security or building engineering area… or are they?
If stranded in an elevator, do we trust that pressing the emergency button will be our salvation? Most likely that will be the case. However, an elevator’s phone system may not be nearly as robust as most of us think.
On Friday, August 9, 2019, during DefCon 27, Will Caruana presented a comprehensive dive into the current emergency phones with an in-depth look at the phones used in elevators, their vulnerabilities, and ways they can be exploited.
Can someone hack into an elevator’s emergency phone system? The answer is YES!
According to Caruana, an elevator phone system works by dialing out via a system called POTS (Plain Old Telephone Service). The device dials when the handset is picked up or when the button is pushed. Elevator phones use this system based on requirements set out by the Americans with Disabilities Act (ADA), elevator safety standards like ASME A17, and additional building codes.
But what can be done once someone has compromised the elevator’s phone system? A hacker can dial into an elevator phone, listen in on private conversations, reprogram the phone so the “help” or “call” button instead calls the phreaker’s cell phone or a pizza delivery place, or reprogram the phone to change its location ID, among others. The options are limitless.
Caruana goes on to explain how someone can know if their elevator phone has been “phreaked”. Elevator phones typically emit audible beeps in the elevator when they connect. But if someone has dialed into the phone of the elevator you’re riding before you enter it, your conversation can be listened to, and you will most likely have no idea what’s taking place. The only indication you might have of this type of behavior is a red light on the phone’s panel, which is hard to notice unless you are looking for it. Other indications would be hearing an incoming call while you are heading to your desired floor, music playing, or being redirected to an unrelated person or place after pressing the emergency button.
These systems, like anything else, come with exploitable vulnerabilities that should be noted. Unchanged default passwords are easy to fix but are typically overlooked. The same goes for configuration access codes that phone installers and building managers never change. And, as always, there is a lack of monitoring and phone auditing by building management and/or the service provider’s team.
Common methods used by hackers
Public Lists – One way is simple enough: they look it up. Public lists of elevator phone numbers do exist. Some of the lists are created not just to foster more elevator phone phreaking, but also to draw attention to the possibility that elevator phones could be abused for serious privacy invasion and even sabotage. The same applies to elevator phone manuals and default elevator passwords, which are also publicly available.
Default Remote Access Codes – Some emergency phones still use their default remote access code, having never changed it after install.
Social Engineering – The ever-popular option is the manipulation of our weakest point of access…us.
Phone Reprogramming – With everything being so interconnected these days, you can find almost anything online. Just googling “documentation related to reprogramming phone systems” can be enough to find a way inside.
Online Purchases – Hackers can just as easily buy one of these phones online from sites like eBay, reprogram it and plug it in.
But it’s not all doom and gloom
There are some simple ways to defend against these types of attacks. To prevent this type of activity, follow some simple, yet universal, steps:
- Don’t use default passwords
- Don’t allow the most common PINs
- Don’t allow remote reprogramming
- Train call centers for social engineering
- Regularly monitor your systems & audit your installed phones
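One way to turn the checklist above into a repeatable audit, shown as an added example that is not from Caruana's talk or from Security On-Demand. The inventory fields, finding names and sample values are hypothetical; it assumes the auditor records each phone's current settings and the default code from its manual during a site visit.

```python
from dataclasses import dataclass

EXTRA_COMMON = {"1212", "2580"}  # extend with your own banned-PIN list

@dataclass
class Phone:  # one row of a hypothetical audit inventory
    phone_id: str
    location_id: str           # location ID read back from the phone
    expected_location_id: str  # location ID on record
    access_code: str           # programming/remote access code in use
    default_code: str          # default taken from the model's manual
    remote_programming: bool
    emergency_number: str      # number the call button dials
    expected_number: str       # monitoring center on record

def is_common_pin(pin: str) -> bool:
    """True for repeated digits, ascending/descending runs, or listed PINs."""
    if not pin.isdigit():
        return False
    if len(set(pin)) == 1 or pin in EXTRA_COMMON:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})  # 1234 / 7890 style, or 4321 style

def audit(phone: Phone) -> list:
    findings = []
    if phone.access_code == phone.default_code:
        findings.append("default-access-code")
    if is_common_pin(phone.access_code):
        findings.append("common-pin")
    if phone.remote_programming:
        findings.append("remote-programming-enabled")
    if phone.emergency_number != phone.expected_number:
        findings.append("emergency-number-changed")
    if phone.location_id != phone.expected_location_id:
        findings.append("location-id-changed")
    return findings

def audit_inventory(phones) -> dict:
    """Map phone_id -> findings, only for phones with at least one finding."""
    return {p.phone_id: f for p in phones if (f := audit(p))}

# Constructed sample inventory (fictional 555-01xx numbers, made-up codes).
INVENTORY = [
    Phone("ELV-01", "LOBBY-CAR-1", "LOBBY-CAR-1", "839204", "000000", False, "+15555550100", "+15555550100"),
    Phone("ELV-02", "LOBBY-CAR-2", "LOBBY-CAR-2", "000000", "000000", True, "+15555550100", "+15555550100"),
    Phone("ELV-03", "GARAGE-CAR-1", "TOWER-CAR-3", "4321", "000000", False, "+15555550123", "+15555550100"),
]

if __name__ == "__main__":
    for pid, found in audit_inventory(INVENTORY).items():
        print(pid, ", ".join(found))
```

A changed emergency number or location ID on a phone whose records say otherwise is the signal that it has been reprogrammed, so those findings warrant an on-site check rather than just a code rotation.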
If you would like to go beyond the call button and dig deeper into the secrets of phreaking elevators, Will Caruana suggests watching the HOPE X talk from Deviant Ollam and Howard Payne, called ‘Elevator Hacking: From the Pit to the Penthouse’, which can be a great resource – https://www.youtube.com/watch?v=rOzrJjdZDRQ
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.