Physical Security of Lifts and Elevators

The original Idea

Shortly after I joined the workforce for the first time, in an office building, the elevators became a delay. You must walk to the elevator, press the button, and wait. It should be possible to call the elevator shortly before you arrive. The idea was to have a keyfob RF transmitter with a button you could press to send a signal to a receiver within the elevator button panel, which would mimic a button press by completing a circuit parallel to the call button. The work was more enjoyable than the elevator was frustrating, so the prospect of getting fired kept this idea in the “cool ideas that will never see the light of day” folder.

Big Clive’s Kick

Big Clive posted a video to his Patreon feed tearing down an interface that is apparently from the Otis company. Clive wasn’t able to determine the protocol the interface uses to communicate with the elevator’s controller. One of his patrons, Alwin Vestergaard or Muppetpaster, shared a patent document that was submitted before the date on Clive’s board, 2003. This document details a CAN network, though it has not been determined whether the interface in the video uses this communication protocol. Clive’s video started the wheels turning.

Add Samy Kamkar’s Spice

Samy Kamkar is, arguably, most noted for PoisonTap, a device to subvert locked computers. Samy has also done work with physical security and the electronics used to bypass it. Could the RFID sometimes used to restrict floor access be bypassed entirely by going one step down in the system layers?

Hicks in the sticks

While life in the middle of nothingness is where I choose to roam, there aren’t many lifts or elevators here, nor the technicians and engineers who know the details. My current thought is to take the original idea of a remote control but, rather than emulate a button press, signal a hidden controller, such as the one in Clive’s video, that has been configured with the address of a different floor. You enter the elevator on the floor you have access to, then activate the impostor controller so the car goes to the restricted floor. Could a camera be hidden in the car so the impostor can cycle through all available controller addresses and snap a picture of the area outside the elevator as the door opens? Can the communications bus be sniffed for interesting traffic or to plot movement times within the building?

If anyone has access to such a building and tries out these techniques, I’m interested in hearing your story.
