So I, I prepared a couple words just to make sure I, I got everything right here. Um, so uh, Will's hacking addiction started back about three years ago-ish. Um, he somehow found out about a hacker camp on an island in Washington and decided to volunteer. Uh, with his neon sign transformer and sewing machine pedal all packed, he hit it off to camp and ended up having a jolly old time teaching people how to burn shit with high voltage. For some reason he decided he needed more hacker con after that experience. And like any good addict proceeded to volunteer and, and attend more than 20 cons a year since then? Uh, 25 last year. 25 last year. So, uh, if there's any records for attending hacker cons in a short period, uh, I think that Will probably tops that. Um, and so, uh, he's been known to occasionally abduct random con organizers and force them into playing elevator and rooftop cat and mouse with hotel security at some of these events that he goes to. And occasionally hacks the said elevators, um, as you'll soon find out in this talk. He also knows a thing or two about hacking cars and other stuff. Um, anyway, without further ado, I give you the one and only Rockstar hacker con addict extraordinaire. We'll see.

Thank you, Hikari. Alright guys, welcome to Phreaking Elevators. So who am I? As Hikari's wonderful intro can attest, uh, I do high voltage projects. I'm also part of the car hacking village. Come stop by, hack on some scooters with me. Uh, I did win the lifetime badge at Cyphercon for their CTF. InfoSec is a hobby and we might be looking for a job in it. Um, I'm new to the InfoSec world. I got that noob coin by pretending to know the prices of old Defcon badges.

Alright, so let's jump right in. First of all, a myth. I'm sorry to disappoint you guys, but you can't control an elevator through its phone system. I know, everyone's really bummed out now.
Alright, if you want to learn how to hack elevator systems, there's these two awesome people, Deviant and Sergeant Howard. So if you want to know more about elevators and elevator systems, watch their talk from HOPE. It's two hours long. If you need a shorter version, watch the Defcon talk. The two hour long talk, they had three minutes of elevator phone systems. We're also going to be having more from Deviant later on in this talk.

So, some topics, we're going to be covering elevator phone basics. Who here has used an elevator phone? Wow, that's not a lot of people. Come on, I call these phones all the time. Alright, so we're going to be discussing some of the history. I'm going to teach all of you guys how to use elevator phones. Um, we're going to go over information gathering, tools I like to use, you know, it's going to be a really fun talk.

Legal disclaimer, I am not a lawyer. I don't even play one on TV. None of these talks that are recorded, uh, involve a live human talking on the other end, but it will get interesting and fun. Also, don't interfere with emergency communication systems. Uh, they're in place for a reason. So, like I said, please don't hack things in the wild. Yeah. I want to stress a very good point here. Do not hack the elevators here, please. Uh, I don't know if anyone's staying there. I mean, I don't want you to, I don't want to tell you where to hack.

Alright, so let's get into the basics of elevator phone systems. It's that easy button. Here are some elevator phones. If you take a look, uh, one of these is a freight elevator with a little swinging door there. It's not like ADA compliant anymore. All of these have something in common. It's pushing that little button. What that button's going to do is it's going to connect you out to a pre-programmed phone number. Here's some more photos. So this is, uh, China and Japan. Take a look. You can still see little phone logos. Um, you can see an actual handset just strapped to the wall there.
That one was in China. I did not mess with any of the phones in China. I'm a little scared of it, like. So I just took some photos. Here we see, um, some from Dubai and New Zealand. Now what's interesting about these, and I really wanted to touch on this for any international people, there's no elevator phone button. One of everyone notices that there's just those emergency ring buttons. Those buttons, what they'll do is they'll sound an alarm. That alarm is local to where you are. So what ends up happening is that, and there's Deviant. Uh, so what ends up happening is you have to hold that button in or press it like a number of times in and then it will place that call. So it's just something to be aware of if you're brave enough to do this internationally.

So how do phones connect to the outside world? They have their POTS lines, VoIP, cell phone. Uh, we're going to be really covering just the POTS phone system. It's the plain old telephone system. So the device you use when the handset is picked up, you'll notice that in a lot of older elevators. That's called a ring down system. We're going to be covering that in the history portion. Uh, the ADA and the ASME. So those are the two things that cover inside elevators what needs to be there, how it needs to be there.

So in our history here, elevator phones started in '68. We still found rotary phones. Uh, just about every single photo in my slides are ones I've found in the wild. So this ring down system, you pick up that line, it automatically dials the number for you. Just something to be aware of. So if you're just deciding that I want to place a call, it doesn't really work like that. So they got required in elevators in 70, 76 there. So we see this is a really good example of a ring down. And we see a rotary phone. That rotary phone again, another ring down phone.

So when you're going to start hacking elevator phone systems, first thing you should always do is OSINT. You want to know who that phone dials to.
Some phones will dial 911. They should not dial 911. Um, some phones will dial maintenance workers. They shouldn't dial maintenance workers. But if you're inside of an elevator and you place a phone call at two in the morning, you're going to get a groggy guy that says like, what do you want? Who is this? And why do you need my number? Um, it's something to be aware of. So if you're trying to get information for a building, you can use that phone system to acquire other phone numbers.

Building information. If you're trying to do social engineering, you want to know your building information. Phone system information, that's one of the most critical things. Phone number information is also rather critical. What ends up happening is you can find these phone numbers out on the internet. You can use Google. And you can just Google for elevator phone numbers. People have published them. There is an elevator phone list published.

So here we see a certificate that's showing an elevator out of compliance. That's a perfect pretext for why you're there. Also, there's a notice. Truck just roaming around one in the morning. I took that blurry photo, uh, down in San Diego at ToorCon. Just something to be aware of. So you know who's servicing your elevators? Otis is one of the world's biggest companies.

So if you're going to be doing some social engineering, do you want to know how you can pretend to be an elevator tech? Say things like, hi, this is Deviant. I'm doing a test on the elevator phone system. I need to know the number I'm calling from. And they'll read you back the number. Then you forget to write it down properly. Then you ask again, can you repeat that number again for me? Because sometimes they'll say it quite fast. Um, you want to be remotely targeting companies. This is a little bit more difficult. So when you're doing these social engineering attacks, you're inside that elevator. And that's the easiest way to get these numbers.
You're inside, you push that button, you pretend to be that elevator tech. And then there's like, yeah, here you go. Here's the number. Enjoy. But if you want to call a business, most businesses won't know what their elevator phone number is. They'll have to look it up. So understand that, have a good pretext. Call centers, uh, that's the easiest way to get a number out. You can call into a call center. So knowing where that elevator dials into, if they have a record of who their customers are. And then you can social engineer your way back from there. There's a lot of possibilities. Social engineering is a very valid attack method. And I think it applies to just about everything we do here.

So, let's get physical. How to control the elevator with independent service mode? And what to look for? So let's say you decided, alright, I'm going to hop in this elevator and I'm going to place that phone call. You want to take control of this elevator. So here we see some key switches. Those arrows point to the independent service mode and how to activate it. Again, you shouldn't do this unless you have proper training. Um, the, I believe the CORE Group actually offers elevator training. Flip a switch. I don't work there. You do. So what ends up happening here is once you flip it into independent service mode, you have control when those hall calls are placed. No one's going to be able to get that elevator down to your floor. So you drive it up, say the top floor. Now all you have to worry about is who's in that floor area. You can hold that door closed button, keep the door closed. Now no one's able to see you. Maybe they can hear you, maybe they can't. If they can hear you, go to a restricted floor. Inside the restricted floors. Now, the way I got this photo, I never, I never exited the elevator. Uh, I had complete permission to do this, don't worry. So, if you're in independent service mode, you're actively going, say from floor 20 down to floor 1.
As you're passing by floors 11, 10 and 9, you take it out of independent service mode because those floors were still locked even with that mode engaged. Now what you want to do, you want to basically, as it's being taken out of independent service mode, it levels off at whatever the nearest floor is. And then it just stays there. Now if someone calls it, it'll go to them. Otherwise the door will be closed and you're like, uh-oh, did I break this elevator? Press the door open button. Easiest way to escape an elevator, press the door open button. If you're worried, you're stuck. And then the door's open. And now you're on a restricted floor. So you can flip it back into independent service mode. Now it won't go anywhere. You can place those calls with ease and not have to worry.

Some more things we should touch on though, there's other ways to get it. You have an elevator intercom, there in a machine room. All the way to your right there. You'll see the, um, the punch-down panel. We're going to be showing you the tool to be able to tap into that. Use a butt set. Tap in, up and down on the lines. You can dial a 1-800 number like 1-800-444-4444. Uh, pretty easy number to remember. It'll read you back the number you're dialing from. So that's when you're using this tool. You can also tap into those phone lines, just listen in general to what's going on. Um, multimeter. Um, multitools. The lineman's set, landline phones. I really enjoy landline phones. I don't know if you guys knew I like phones. Um, you can literally just plug a landline into an elevator phone line and it will work. It's a POTS line. It's a plain old telephone system line. That's what's the beauty of this. There's, there's no real protections. There's, there's nothing going on besides that copper pair and then that phone. You want to do some remote programming? Or actually some local programming? What you'll need is those batteries. So 9 volt, double A.
So now let's, let's start getting into the, the programming of elevator phones, right? Everyone wants to program an elevator phone? I got one right here. We're going to be able to program this. Uh, come by the car hacking village. We can have a lot of fun with this. If anyone has my phone number they can dial into this and start messing around.

So, site ID. When you press a site ID, press number 2 on your keypad. Most of the time, once you've dialed in the elevator, you've got that phone number. You have seen that, that call center staff. Now you want to know, okay well what, what are they saying when there's an emergency? Just curiosity. Maybe they haven't programmed it. Once you place that call, you press number 2. You'll hear a prompt of where you're dialing into. If say someone has taken an elevator phone connected it to a phone conference and then they themselves have exited the conference. What do you do? You're now having a phone conversation inside of an elevator with everyone else on this conference. This sounds hypothetical. It's definitely happened before. So if this happens to you, press star pound, pound, star zero, zero. All these systems are unique and we're going to be getting into a little bit of how they're unique and what they apply to.

They're also on PBXs and line concentrators. So the PBX, the private branch exchange, elevators can have their own. They can also be on say the normal business or hotel line. So just be aware of that. So you're inside that elevator, you press that button and they tell you, oh you're calling from 4356. That's it. Like can you repeat that? 4356? We're like oh that's not enough digits. You're on a PBX. You can also take the voltage of the line if it's a really low voltage. That can sometimes show you older PBX equipment. There's some more fun phone things you can do in there. Line concentrators. Now these are really unique to emergency phone systems.
What ends up happening is they don't actually think that multiples of these are going to go off at the same time. So easy way to save money is press the, you have all of these, these boxes, I think I literally have that box that's in that photo right here. You have all of these connected to one system. They end up dialing all out the same line. Now you might be thinking oh what happens when they're busy? You get a busy signal. Can only use it one at a time. Inbound calls, they pick up with a double beep and then you're pressing one, two, or three to enter into an elevator. So you need to know am I dealing with line concentrator or not? And that's sometimes kind of difficult to know until you've actively dialed into the system. Another easy way to do that though is if you've dialed the call center once, you know you push this emergency button, got the phone number, go to the other side of the elevators. Push that button, see where that number is calling from. It's the same number, you're on a PBX or a line concentrator. Just good things to understand. And when the power fails, it's a party. It's an active party line. I don't know if people are familiar with party lines, but everyone jumps on and you're all connected together. It's a really good time.

So elevator intercoms, they're located outside the elevator, normally in the hallway, hoistway, machine room. So these are so that you can talk to them. This is a photo I took just right there. Like next to the elevator, you can flip a switch, turn it on, push the button and listen. We actually have a video. Hopefully the quality is good. So here we are. You see me sometimes. You see, I've seen elevator intercoms. I've seen them in a motor room more than anything else. But what we're going to do is we're going to try what happens if people are in the elevator and you press this and you don't say a word. So let me get in here. And I'm just a guy in an elevator talking. So like, could you hear me?
I didn't think you could. Let's give it up for Deviant. Thank you for letting me use that video. So that's just something to be aware of, an easy way to be able to talk into that elevator, to listen into that elevator.

I don't know, is anyone here familiar with the fireman phone? Anyone? So this is a system that I have really, oh, we have one person. That's awesome. So you probably know more than me about this. I have not found a lot of information on these systems. I have talked to firefighters about them because I didn't know a lot of information. The system looks for open lines. If it's open, if it's shorted, if there's ground faults, so if one of the lines is run to ground, they have two different styles of wiring. I'm not going to be getting into it. I just wanted people to be aware that this is a phone system inside of an elevator. So understand that if you're going to plug into this, it will sound an alert. It'll be at whatever their command center or like alarm panel. So just understand that. These are the phones. It's a quarter inch plug. So you plug in, you're talking. These are used by firefighters if the radios aren't going to work inside that elevator. They're being used less and less. You can also find them outside the elevators. So again, when you're, when you're going through, you can see them sometimes even in these hotels. Look for that little panel and that jack.

So line detection. When your elevator phone is connected, now they're mandating that you have this device. This was taken at an airport. That senses is the line active, is this, is this okay? Is everything all right? And it checks maybe once every ten minutes. But inside that checking, all it's going to do is sound like a buzzer, a little alarm. It's not, it's not actively going to call someone else because that line is now defunct. Easy way to bypass it, cut the power to it. You can also buy the system itself, get the key for it.
You can control the volume, you can reset the device, you can say hey, don't worry about if there's no phone line connected to that elevator for like twenty-four hours. And read the manual.

So now we're getting like the little later half of my talk, RTFM. Reading that manual is the easiest way to hack an elevator. I literally just walk around with elevator phone manuals. They're not that big. They're fun to read. I hope everyone like picks one up.

So who wants to like dial into an elevator and like listen to what goes on? There we go, someone. Wonderful. Hopefully everyone heard that. So what we had there, and I personally, I am not a fan of recording other people. I did not want to record the conversations that can ensue from doing this. So after you've heard that noise, you're inside the elevator. You'll hear a weird echo and you can mute your phone. Just hit the mute and now you can just listen to them and listen to whoever's inside the elevator. You have a few problems with this. If you don't say anything and they don't say anything, it'll time out. If they're saying things and you're just listening, like here, what's going on. What ends up happening is there's a connection time limit. And again, it's all listed in your manual. If you want to reprogram that connection time limit, you just go oh, there it is. You set it to like nine, the max it can go. Really zero through nine or one through nine are your ranges for these systems.

So this is just another example of a different system that we dialed into. Instead of dropping straight into the elevator, you now have to hit one to be able to talk to those people. Hit two to be able to program and star zero disconnect. It just tells you I did not prompt that message at all. I don't know if you guys can notice a pattern here. So again, different phone system, different menu set up, just something to be aware of. I didn't take out the located app. I would have tried to beep it out or something like that.
It just didn't have it. When you start getting into this and you're dialing in the elevators, you're hitting number two to prompt that site ID. Sometimes you won't get a site ID back. And that means that elevator's not up to code compliance. That's a problem. I have not done this personally, but I've definitely been on calls where like a phone phreaking party line and someone dials into an elevator, prompts the site ID and nothing happens and they go, okay, well let's reprogram this and put in the site ID. I know where this building is. We brought elevators up to code that way. I do not encourage any of you to do this. That's hacking, and you need passwords to get into these systems anyway, so good luck.

So let's go. Four ways to program an elevator. Keypad, switches, remotely and program cable. The programming cable is mainly with RAF phones. I won't be getting into that. This whole topic can get delved into way deeper and heavier if you want to like dive into one phone versus another. This is really just that broad overview to get everyone here started in hacking elevators or at least looking at these systems, understanding them.

So if we're going to use the keypad, these buttons don't work like you think they do. The way to deal with this kind of phone, you see that nine volt connector right there. You look up your handy-dandy manual. This is just the printed out version. But there will be manuals online. So I know Gall Viking, a whole bunch of different elevator manufacturers have their manuals all online, free to download, PDFs.

You're going to be doing switches. So the interesting thing about switches is that they all follow a common type. So one generally sees, and this is like across brands, to be that connect disconnect. So what that means is that when you push that elevator phone button, you end up being able to place the call to connect it. You can also press it again to disconnect it.
So if someone's dialed in an elevator you're in, just press the button again if you don't want to talk to them. Don't deal with that. Position three, learn mode or programming mode. So for some reason they allow this to be engaged. When number two is on, allow incoming calls. This is how it's set up by default. This is a brand new elevator phone. I have all three engaged and I didn't flip a switch. They're actively just selling these units. Brand new from the factory. We have the position one on, position three on, position two on.

But you might be thinking, well they got passwords. All right. How can you get past the passwords, the passcodes? Well there you go. Here you go guys. Everyone should take a picture of this. So what I did was I read so many elevator phone manuals. It's crazy. Viking looked like they had a really secure like default code. Up until you realize it spells Viking. The T-R-E communications. I have no idea what's going on with their number. It's a five digit number. The only one I've ever seen. It's a very like odd system. The pound nine thousand. I've seen that before in the only text file that I ever read about elevator phones. Because I did a lot of research on this. There's not a lot of information on these elevator phone systems. Which is why I want to give this talk in general. So enjoy the default passwords.

I see a trend with this one, two, three, four, five, six though. What happens if they reprogram the password? So we break it down. Here one, two, three, four, five, and one, two, three, four, five, six. Most common. They also top the charts. This person did some really cool research on PIN numbers and PIN codes and one of the most commonly ones that are used. He made a top 20 list. So let's say for example we have a four PIN code. You have a 26.83% chance of getting it. That drops right down if that default password does not work. So now 16.12%. It doesn't seem like a lot.
But if you have a random, an absolute random code, you have a 0.02% chance of getting it right. So you've really increased your chances just by using that default or the most common top 20 lists. So now that we have the phone number, we have the password. It's because no one ever changes the password. No one.

Options. We have some really fun options. So the phone number you dial out to, you can put a few of these in. I believe this one here has the option for five different numbers. When you dial a number, if it's busy, if that person doesn't answer, it then switches to the next number and the next number. Your connection time. So the default connection time for most phones is about three minutes. After three minutes you get a prompt that says hey, would you like to stay connected? Press three to stay connected. And you get that every 30 seconds. Really difficult to have a conversation with someone for more than three minutes. So you go through your manual. You have to figure out where in that position you're going to be. So slot one is going to be filled up with the phone number. Slot two is going to be your connection time, your tone or pulse, silence in and out. So you're going to dial these numbers. So connection time, hit nine. Your pulse or tone? Probably one for tone. Silence time out. So figure out, you know, if after 30 seconds and no one's speaking, it will drop that call. Set that to its maximum. You can go in, you go on and on and on. There are so many options. There's no way to tell. I can't tell you to say, hey, dial into this phone, try all the default passwords, and then just keep hitting nine. Doesn't work like that. I am sorry. But if you happen to know the phone because you push that button, you've got that phone number, you download that manual right off the internet. You can then reprogram it to whatever you want. You can call a rick roll line.

So let's do some practical attacks. Let's take a look at what's going on here.
Denial of service, you can make sure that line no longer functions, no longer calls the correct number. You can have it call you instead. So if you plan on trapping someone inside of an elevator, I don't recommend that. You can have it call you and then you can play some games with them. You can bypass line detection. So turning the elevator into a covert listening device, you have some problems with this. Your LED will light up. It will be blinking when it's making that connection. It will stay solid when you're connected. Your connection time as I was talking about earlier, and that weird like tone noise you heard. That's all going to be playing and seeing inside that elevator. Again, if you guys experience this and you don't want to talk to whoever is on that other end, just hit that button. It will hang up on them.

So you have an open phone line. You can exfiltrate data. Has anyone ever used a dial-up modem before? Oh, great. A few people. Excellent. You can register services like Google Voice.

And now dialing some numbers. Who thinks this is the worst attack possible you can do? You can call other phone numbers from an elevator. Anyone? All right. Well, it is the worst, I think. And this is why. So there are 60 elevators at a university. I took out the university name because someone told me to. Each one of those elevators has their own phone line. A billing cycle, say 30 days at 24 hours, 720 hours. Times that by 60 minutes, 4,000 or 43,200 minutes. Times that by the 60 elevators, you have like 2.5 million elevator minutes, I call them. Times that by the 2.55 that you charge for dialing a 900 number. So you set up your own 900 number. You have all these elevators, call it. You can make $6.6 million right there. This is the only time I ever thought about not giving this talk because like, man, I could be a millionaire? Yeah. I really think this is kind of crazy because there are still 900 numbers around.
And if you were to be malicious, there's nothing stopping this. It's a POTS line. It's a plain old telephone system line. Just understand that that that is a crazy thing. I've never heard of anyone even trying this kind of thing. So I like to think it's it is entirely theoretical. I've never done it.

So are we all doomed? No, no, we're not. So get monitoring. So why are we having an hour long phone call? Why are there, you know, 30 people calling into the same elevator every day? That's a problem. Alerting like if there's really an emergency, someone should deal with that emergency. All of these things, these are these are supposed to be outliers. These are things that are like, what in the world is going on here? Someone should investigate this stuff. No one ever does because no one ever ends up understanding and knowing that, hey, someone is calling into the elevator. But before people get in, they've, you know, extended that connection time, they made it so nothing's happening. No, no one ever looks little button. And when you are looking, you can say, hey, you pushed that button. And they'll tell you, no, I didn't. And you say, yes, you did. That's how I'm talking to you. It's a really interesting conversation you can have with someone. Not saying I've definitely done this.

So if any manufacturers are out there, props to Otis for reaching out to me. No default passwords. Don't allow the most common top 20 PINs. Like we don't allow password as a password anymore, right? Why should we allow 123456? Like that just seems crazy to me. Don't allow remote programming. I know elevator technicians. And when they're reprogramming a phone, they're there on site. They're working on the elevator anyways. They've just installed that phone. They have access to it. I understand, like, especially you see here for this one, there's no easy way to, to allow that remote programming or to have that local programming. You need to dial into it. I get that. I understand that's okay.
After you're done, it should have to then be put back into a no programming mode. Some of the Viking systems, the newer ones are doing that. The only issue is, is that you push that button again, if they left it in a programming mode, it's going to call the Viking center instead. It's, it's not going to just not work. So you are going to get someone eventually. Like, it's crazy to me. You should have that understanding of what happens when, when these phones are left in to a programming mode. Understand that they shouldn't be able to be remotely programmed. Train your call centers. Understand that social engineering attacks happen. Be aware and be ready for them.

So let's go further. Now everyone doesn't want to take an elevator over again. Go to pools, university campuses, meeting areas. So this is a photo I took in Seattle of a meeting area inside of a business. And I asked the shop owner, like, why, why is this here? And he's like, well, they made me put it in. You know, there's, there's building codes now that are mandating these emergency phones to be inside your businesses. So everything I just talked about with the elevators relates right there to the wall, right onto the stairs and to walkways. So when you're walking around, start noticing, hey, why is that box on the wall say emergency? And like, there's a little button, someone could just dial into that and listen to you as you walk along your path. Like I used to, I was on a campus, I could see people walk down this bike lane. And all along the bike lane, there's these little, little posts. And yeah, you could, you could listen in right like to each post, just dial to the next one before they got there. And so you can listen to their conversation all along the walkway. Again, do not do this, people, please. Enjoy people's privacies. So just understand these systems are outside the elevator.
If you want to learn more, these are some really good resources, watch the tele-challenge, pitch penthouse, reading manuals, man, just pick up any old manual. If you want to read this one, let me know. I'll be happy to give that to you. Sina and Binderev, those are two really good resources to understand phone systems. Not a lot of people are familiar with them. A lot of phone phreakers like to hang out there and discuss these systems, just starting to play around. You want to play at home? Here you go. $50 to $100. Slightly broken elevator phone. I have definitely gotten them in a $50 range that work. So just be aware of that. New phones, it costs $100 to $300. I have no idea why they cost so much. They're simple systems.

So if you want to play around, one of you knows my shirt. FUTO, they're a fun phone call. They're a non-profit phone company I'm an operator for. PLA, they put up some fun systems. Phone sex, fun house, there's more. Just be aware. So dialing into these, what you can do is you can hack the, like PLA has a bunch of answering machines set up. Start playing around with these systems again. I feel like this community has forgotten about phone phreaking as an active attack. And that's one of the reasons why I really wanted to get this talk out there, to understand that these things are still happening today.

So thank you guys. Thank you all to my InfoSec friends. Plug, wire, plug and wire goal really helped me out making this talk. Sergeant Howard and Deviant were wonderful resources and the EFF is amazing. Please donate to them. Thank you guys. If you want to give me a call, there's my phone number. It is actually my phone number. It will call this phone. So if you want to copy that number, spread it around, let anyone call me, it'll be in the car hacking village. This is set up with the default password. So give me a call. Thank you guys.
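
The monitoring advice from the talk (hour-long calls, many inbound calls to the same elevator in a day, a line dialing something other than its programmed number) can be checked against call detail records. The following is an added example and not part of the talk; the CSV layout, line names, phone numbers and thresholds are constructed assumptions.

```python
"""Flag unusual activity on emergency-phone POTS lines from call detail records.

Added illustration: the CSV layout, line names, numbers and thresholds are
assumptions, not taken from any real carrier or PBX export.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample, one row per call. "out" means the emergency phone dialed
# out; "in" means someone dialed into the emergency phone's line.
SAMPLE_CDR = """\
start,line,direction,remote,duration_s
2024-05-01T09:00:00,ELEV-A1,out,18005550100,95
2024-05-01T10:15:00,ELEV-A1,in,12065550111,3720
2024-05-01T11:00:00,ELEV-A2,out,19005550123,600
2024-05-01T12:00:00,ELEV-A3,in,12065550120,40
2024-05-01T12:30:00,ELEV-A3,in,12065550121,35
2024-05-01T13:00:00,ELEV-A3,in,12065550122,50
2024-05-01T13:30:00,ELEV-A3,in,12065550123,45
2024-05-02T09:00:00,ELEV-A3,out,18005550100,120
2024-05-02T09:30:00,ELEV-A4,out,12065550199,60
"""

# Assumed policy: an emergency phone may only dial the monitoring center.
APPROVED_DESTINATIONS = {"18005550100"}
# The talk cites a default connection time of about three minutes, so a call
# far beyond that suggests the connection timer was reprogrammed.
MAX_CALL_SECONDS = 15 * 60
# Inbound calls should be rare (technician tests); threshold is an assumption.
MAX_INBOUND_PER_DAY = 3


def parse_cdr(text):
    """Parse the CSV export into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.fromisoformat(row["start"]),
            "line": row["line"],
            "direction": row["direction"],
            "remote": row["remote"],
            "duration_s": int(row["duration_s"]),
        })
    return records


def find_anomalies(records, approved=APPROVED_DESTINATIONS,
                   max_seconds=MAX_CALL_SECONDS,
                   max_inbound=MAX_INBOUND_PER_DAY):
    """Return (line, rule, detail) tuples for calls that break the policy."""
    findings = []
    inbound_per_day = Counter()
    for r in records:
        # Rule 1: calls that run far longer than the default connection time.
        if r["duration_s"] > max_seconds:
            findings.append((r["line"], "long-call",
                             f"{r['duration_s']}s {r['direction']} {r['remote']}"))
        # Rule 2: the phone dialed a number that is not the monitoring center,
        # i.e. its dial-out slot was changed. 1-900 numbers bill per minute.
        if r["direction"] == "out" and r["remote"] not in approved:
            rule = ("premium-rate-destination" if r["remote"].startswith("1900")
                    else "unapproved-destination")
            findings.append((r["line"], rule, f"dialed {r['remote']}"))
        if r["direction"] == "in":
            inbound_per_day[(r["line"], r["start"].date())] += 1
    # Rule 3: many people dialing into the same emergency line in one day.
    for (line, day), count in sorted(inbound_per_day.items()):
        if count > max_inbound:
            findings.append((line, "inbound-volume",
                             f"{count} inbound calls on {day}"))
    return findings


if __name__ == "__main__":
    for line, rule, detail in find_anomalies(parse_cdr(SAMPLE_CDR)):
        print(f"{line:8} {rule:26} {detail}")
```

Each finding is something a person should look at rather than proof of tampering; a technician's on-site test, for instance, can legitimately produce inbound calls.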