DEF CON 22 – Deviant Ollam & Howard Payne – Elevator Hacking – From the Pit to the Penthouse



Elevator Hacking – From the Pit to the Penthouse
Deviant Ollam The CORE Group
Howard Payne The CORE Group

Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don’t do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it’s easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work… allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!

While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Deviant runs the Lockpicking Village with TOOOL at HOPE, DEFCON, ShmooCon, etc, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the United States Military Academy at West Point, and the United States Naval Academy at Annapolis. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Twitter: @deviantollam, @TCGsec

Howard Payne is an elevator consultant from New York specializing in code compliance and accident investigations. He has logged over 9,000 hours examining car-tops, motor rooms, and hoistways in cases ranging from minor injuries to highly-publicized fatalities, and has contributed to forensic investigations that have been recognized by local, State, and Federal courts. Howard has appeared on national broadcast television making elevators do things they never should. When he’s not riding up and down high-rise hoistways, he moonlights as a drum and bass DJ and semi-professional gambler. His favorite direction is Up and his favorite elevator feature is riot mode.

Twitter: @SgtHowardPayne

source

48 thoughts on “DEF CON 22 – Deviant Ollam & Howard Payne – Elevator Hacking – From the Pit to the Penthouse

  1. x9x9x9x9x9 November 10, 2018 at 4:38 am

    Occupy Tulsa was a real thing. I mean there was no riot that happened in 1921 and is called the Tulsa Race Riot but still I find it odd he chose Tulsa to be the City to mention.

  2. Kerry Kalls November 10, 2018 at 4:38 am

    I find these videos very informative and interesting; however, I find the idea that many criminals or corporate espionage individuals would have the PROPER FIRE keys for elevators to be very very slim to none

  3. Patar November 10, 2018 at 4:38 am

    Can't you just go to one of those sites that do custom design tshirts and buy your own elevator personnel shirt? it'd be chancey someone would notice or care, but do it anonymously and multiple times and it'd probably work

  4. Ryan The Leach November 10, 2018 at 4:38 am

    Close door hack has worked on exactly 1 elevator that I've tried in Adelaide Australia, I don't remember what type, but it had a custom animation on the digital display, that showed differently

  5. KanaalMTS November 10, 2018 at 4:38 am

    28:10 Schindler's Lift?

  6. dondemarco007 November 10, 2018 at 4:38 am

    One of the best talks I've seen

  7. John November 10, 2018 at 4:38 am

    Great Technology Connections video that explains why you get one beep for an up car, and two beeps for down:
    https://www.youtube.com/watch?v=48hW-K7fQTM

  8. sixstringedthing November 10, 2018 at 4:38 am

    90% of "elevator based security" relies on Joe Public looking at the keyswitches on the COP or a slightly-ajar push panel and thinking to themselves…
    "that looks important… better not touch it or I might get in trouble".
    The number of times I've opened emergency phone panels and found priority/maintenance/fire service keys just right there in the switches, waiting to be turned…

  9. Liam Mitchell November 10, 2018 at 4:38 am

    Great talk thanks 🙂

  10. Volvirth November 10, 2018 at 4:38 am

    "Never exit a mislevelled door…"
    Well… That is unless you want your body to be a sheet of paper, and the elevator cabin and the floor (or ceiling) to be the scissors.
    … In all seriousness, that IS a good way to lose weight, really, really quickly.

  11. Volvirth November 10, 2018 at 4:38 am

    About 13 minutes into this talk, i understood why this had to be the last talk at the last day of DEFCON.
    … Rule #1: Don't trust people to know what they're doing, people are idiots. You can invent better idiot proofing for anything, but the world will just invent a better idiot.

  12. Rudi Dower November 10, 2018 at 4:38 am

    Those old 70's safety ads are really scary. They used to be on late night in the UK.

  13. maneatingcheeze November 10, 2018 at 4:38 am

    The big thing I learned from this talk is that only professionals should work the shaft.

  14. Kevin Cyrus November 10, 2018 at 4:38 am

    China needs to learn this stuff, so many die

  15. Charles Inman November 10, 2018 at 4:38 am

    good talk, nearly all industries are as behind in this. That's the problem the current solution is security by ignorance. People are wising up slowly like routers get different default passwords when shipped. But there is alot of products and services that have very similar obvious security flaws. Generally only people in the industry are aware of them . There's loads of examples from tonnes of industries the scariest one is the nuclear football passcode was 8 0s for 20 years(go america). In some industries it is good enough, like electronic padlocks unless its common knowledge how to dissemble one, it is good enough as crime is often by opportunity. Thieves wont spend 100s of dollars to buy one to find its flaws, but people like' jerry rig everything' do videos on these supposed flaws. Ruins their product! If you buy cheap security, expect there to be an easy work around, it's fine if it's relatively unknown. Lifts on the other hand. They deserve proper security. I understand that without the right codes it could be impossible to modify or fix issues. In cases of people being trapped there should be a specific mode to secure escape. But beyond that it should be made impossible to do anything to the system unless with verified codes provided by the company who built it much like car keys and their remote unlock.

    A really good example(to scare people) i came across months back is that you can unlock pretty much and card secured door with relative ease. Meaning you could steal from the majority of hotels in the world. I believe the update went out a while back but the fix is to disconnect the door and update the firmware. To each one, separately(literally days of work for big hotels). How many hotels do you think really did that? Maybe only the high priced one.

  16. Matthew Shaw November 10, 2018 at 4:38 am

    that show with the guy cutting the elevator cable is called the secret life of machines

  17. INFERNOmunky November 10, 2018 at 4:38 am

    tubular elevator keys are what got me interested in the mechanics…

  18. adequateautocrat November 10, 2018 at 4:38 am

    4:46 "the highest I've ever seen is eight stories" I work a convention in green bay the Hyatt attached to the Ki Convention center is 8 or 9 stories(can't remember for sure off hand) they have a piston elevator and it is the slowest thing ever.

  19. Nithin Danday November 10, 2018 at 4:38 am

    032348

  20. unfa November 10, 2018 at 4:38 am

    43:47 – you can read the full bitting code: 0-3-2-3-4-8, why did they add this dark grey rectangle if it didn't blank out the code?

  21. xXTheBl4ckC4tXx November 10, 2018 at 4:38 am

    who the fuck would steal babies?

  22. S F November 10, 2018 at 4:38 am

    One thing I was hoping they would touch on, but didn't is how is it safe for a fireman to use an elevator, but not your average citizen? Think about it firemen still bleed and stuff. In the event of a fire I would rather use an elevator to get out than to have a fireman come in "rescue me" and then we ride down the elevator together. I don't need someone to hold my hand to motivate me to get out of a burning building.

  23. rmp5s November 10, 2018 at 4:38 am

    One of my all time top three favorite con talks…and it's about fucking elevators…go figure. lol

  24. John Early November 10, 2018 at 4:38 am

    Sabbath Mode: "It's kind of like hacking God […] I found a loophole in scripture so I'm smarter than you!"
    pretty much sums up the Jewish faith:)

  25. H A R November 10, 2018 at 4:38 am

    elevators were known for 2000yrs??!!! i… dont think thats right

  26. Ilya Panferov November 10, 2018 at 4:38 am

    One surprising thing is that door close hack actually worked for me, and bizarrely, it worked only at certain multi-story malls, but never in an apt. building or an office one. Only in the malls (and not in every mall).

  27. Rob Meekel November 10, 2018 at 4:38 am

    Cable is Steel Rope

  28. 77gravity November 10, 2018 at 4:38 am

    If the elevator kicks you out so some "important" person can use it, as you leave put something in the doors, so they don't close. Fuck you, important person, you're not special, just rich.

  29. CryptoDaddys November 10, 2018 at 4:38 am

    wrap this video in three words, 'you need keys."

  30. Levo75 November 10, 2018 at 4:38 am

    As an elevator mechanic: very good talk!

    Also: follow their advice on not entering the shaft if you don't know what you're doing, you will die.

  31. Peregrinus Oblivione November 10, 2018 at 4:38 am

    God damn this was interesting. Id love to be able to lockpick but I have dyspraxia and could never have the finesse of a true pro. Great talk. Never thought of elevators and pentesting lmao.

  32. Jason Henderson November 10, 2018 at 4:38 am

    Interesting you could 3d print these now a days based off of just the pictures

  33. Matthew Pike November 10, 2018 at 4:38 am

    I like the riot mode. Because rioters are going to wait at the ground floor.

  34. wellsandlava November 10, 2018 at 4:38 am

    24:00 North Korea….. 5th floor…..

  35. YouTube User November 10, 2018 at 4:38 am

    Stop cussing

  36. Phoenix November 10, 2018 at 4:38 am

    I want to find whoever did the captions for this video and bludgeon them with something heavy. If you can't be bothered to at least try to get it right, fuck off and stop wasting everyone's time.

  37. Admin-i strator November 10, 2018 at 4:38 am

    Hey, that's effing cool!

  38. Moon Moon November 10, 2018 at 4:38 am

    Anti nuisance mode works a little differently in quite a few lifts in Australia. If you press all the floor buttons, they will be registered, and the lift will make two stops. If it detects that no one has entered or exited for two stops, it deletes the rest of the calls and becomes idle/ready again, because the controller can reasonably assume that there is no one in it. I thought that implementation was quite clever, because it is possible that many legitimate calls may be punched in at the same time, for example a ton of people get on at one floor, you're standing next to the panel and you're kind enough to ask, "what floor do you guys need?" 4, 6, 8, 9, 10, 14, etc etc.

  39. retnikt November 10, 2018 at 4:38 am

    37:40 to skip new speaker ceremony.

  40. Phoebe Johnson Elevator Girl November 10, 2018 at 4:38 am

    Elevator motor I want elevator send it me

  41. Martin Jolicoeur November 10, 2018 at 4:38 am

    Anti nuisance ? If an elevator keeps me from wasting ppl's time I'll have no other choice than to turn it into my toilet.

  42. Stephen Owen November 10, 2018 at 4:38 am

    Great job soldiering on through the interruptions!

  43. Jami Susijärvi November 10, 2018 at 4:38 am

    Come to Finland, Otis and Kone (Kone is from Finland) are very common, but locks that we use here are very often Abloy locks

  44. aaa November 10, 2018 at 4:38 am

    hehe, we can still buy most of the elevator crews' uniforms in china. its kinda easy to get all the keys as well.

  45. Eoin November 10, 2018 at 4:38 am

    One of the most informative talks I've ever watched.

  46. tr233 November 10, 2018 at 4:38 am

    now only need a key to go vip!

  47. Tylor B. November 10, 2018 at 4:38 am

    My favorite talk.

  48. Ryz November 10, 2018 at 4:38 am

    Notice the fidget spinner logo at 0:30

Leave a Reply