Schneier on Security
A blog covering security and security technology.
« Cybercrime Hype Alert |
| Podcast Interview with Me »
December 15, 2006
Defeating Motion-Sensor Secured Doors with a Stick
An old trick, but a good story:
Everyone thought the doors were incredibly cool. Oh, and they were. Upon entering a secure area (that is, anywhere except the lobby), one simply waved his RFID-enabled access card across the sensor and the doors slid open almost instantly. When leaving an area, motion detectors automatically opened up the doors. The only thing that was missing was the cool "whoosh" noise and an access panel that could be shot with a phaser to permanently seal or, depending on the plot, automatically open the door. Despite that flaw, the doors just felt secure.
That is, until one of G.R.G.'s colleagues had an idea. He grabbed one of those bank-branded folding yardsticks from the freebie table and headed on over to one of the security doors. He slipped the yardstick right through where the sliding doors met and the motion detector promptly noticed the yardstick and opened the door. He had unfettered access to the entire building thanks to a free folding yardstick.
Posted on December 15, 2006 at 7:01 AM
• 50 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
But he cheated!
In all seriousness, though, this reminds me of the episode of The Simpsons where Mr. Burns passes through about six levels of high tech security to get access to the main control room of the nuclear power plant, only to find that someone left the screen door to the room open and a stray dog had wandered in.
A good story indeed. And it's from The Daily WTF, which tends to place a higher priority on telling a good story than on factual accuracy. Just sayin'.
I've been at several places with those types of doors. A fedex envelope is considered traditional to open such doors.
The best story I heard was some guy hanging (using tape) a piece of rigid plastic on the outside of a door, in such a position that, when the door would be opened, the plastic would be pushed and fall in between the door and its enclosure. The door, closing automatically, would then be prevented to lock fully.
Placed on a late Friday evening, the trick was used after one of the last employees left the building. He unknowingly let the door unlocked ! The thieves went in the building fast enough so that the alarm wasn't raised (maybe there's a 60 sec. trigger is the door doesn't lock). They then cleaned 10 laptops in 5 minutes and left.
The trick was discovered reviewing the entrance video camera tapes.
We used to do this at Compaq many years ago. A thin notepad pushed under the door with enough force for it to slide 2-3 feet would be enough to trigger the motion detector on the other side.
Eventually they pointed the sensor a little higher.
My office has exterior doors that lock automatically after 6PM. The doors have touch-sensitive handles on the inside that open the locks after hours and a card reader on the outside for the same purpose. These doors, on a fairly new building, also have a considerable air gap into which a coat hanger may be inserted to touch the inside handle and release the lock - a solution often employed when an access card is forgotten or lost.
Not in a cartoon, but in real life I passed through multiple levels of a telephone "central office" to get to the actual 5ESS switch. The actual switch room had an outside door secured by a screen.
Somewhat related story.
The last job I worked we had our production servers secured behind cages. Well, we had an emergency and one of the computers was locked up. The only way to fix it was to reboot it, but the person that was on call didn't have a key. He called me to see if I could locate someone to unlock the cage.
He called me back a few minutes later. He had turned off the computer and rebooted it with a coat changer.
Simple idea. I'd always planned to inflate a balloon from the outside of the door and let it go, though. The sound it makes seemed kind of appropriate.
In my days as a security field supervisor, I carried the following essential entry tools in the truck:
-- multiple coat hangers
-- duct tape
-- broomstick (with detachable broom)
-- a car entry kit with wedges, slimjims and wire T-hook
-- doorstop (to prevent defeat from being snatched from the jaws of victory)
-- barrier tape (to keep employees out of the broken elevator, etc.)
-- chain and combination padlock (as a temporary fix)
Add the notepad, clipboard, papers and aluminum forms holder I carried for other reasons, and rare was the door that I couldn't defeat. The broomstick sometimes became (with some doubled wire) a hook, with which to grab a key ring, etc.
Once I had to pull the BP cuff from the trauma kit for additional room to work.
I did batter the forms holder finding out that a power loading dock door had no safety stop, though . . .
Hadn't thought of the FedEx envelope trick though. Niiiiice.
@Luke, surely a fellow employee is easier to locate than a coat hanger. . . . ;-)
I've seen a door's optical motion-sensor triggered from outside by a half-second squirt of CO2 from a fire-extinguisher under the door...
Whether or not security has been compromised depends very much on the purpose of these doors. If they are there to keep fellow employees out that don't have business behind them, they will be effective even if they can easily be defeated with all sorts of creative devices of opportunity. The employee who is not supposed to enter will know he could face disciplinary measures when he does (and can't say 'I did not know' because of the intentional defeat), while his colleagues that have authorization don't face overly strict security and the possiblity for work arounds. The threat of disciplinary actions is the real security measure, not the door.
If on the other hand the purpose of the door is to keep out malicious outsiders such as those praying on laptops, the security should be much stronger and these kinds of work arounds should not be possible.
Yep, at the place where I used to work, the first iteration of the motion sensor was triggered by sliding a sheet of 11x17 paper under the door.
The system also had a button that you could push from the inside to let someone in, with one major flaw in the design: standing in the natural place to look through the door and decide whether to push the button also triggered the outgoing motion sensor, unlocking the door automatically.
I audited an electrical power company with a nuclear plant. They had many remote power stations, all with security doors equipped with sensors that detected if the door was opened.
Every remote power station also had a wall-mounted air conditioner. Most of these did not even have to be unbolted before they could be pushed into the power station, allowing one to climb inside and then replace the air conditioner. One then had unfettered access to the entire data network, instruction manuals for all equipment, and of course, air-conditioned comfort.
I visited a large college dormitory a few years back, where after a certain time in the evenings an entry card was required. But should you misplace your card, no worries: the wheelchair-access button left the building quite "accessible".
@derob: " The employee who is not supposed to enter will know he could face disciplinary measures when he does (and can't say 'I did not know' because of the intentional defeat), (...) The threat of disciplinary actions is the real security measure, not the door. "
Quite right. If it was intended to provide actual security it shouldn't have any kind of automatic opener.
The same applies to DRM. "Raising the bar" is not enough, because exploits can be automated and packaged with a nice installer. Therfore all one can aim for is tamper-evidence. The real security is in the courts.
I apologize if I'm a little critical, but how is this newsworthy? That's a basic design premise of motion-detector activated doors. If you can physically access the other side - throw something or stick it through the door somehow - you can get in. So things worth securing should not be secured using this method (obviously).
The fact that people use security incorrectly is no real news, and this particular example is quite common.
"I apologize if I'm a little critical, but how is this newsworthy?"
Don't apologize. I never claimed it was newsworthy. I just thought it was a good story.
I thought it was a good story, too. Thanks for sharing it, Bruce. Such subversion of high-tech measures by low-tech counter measures are lessons we should learn (from Bruce or SOMEBODY) and pass along to our clients.
Easier-than-phishing-or-dumpster-diving story that really happened to me:
I asked a bank manager for the secure desposal bin when I only saw a regular trash can below the check-signing station in the bank's lobby. They hauled out the nicely locked bin from inside their vault and stated, "So THAT'S what this is good for!"
I did explain how easy it would be for someone to steal customer information from a trash can at a bank. The secure bin even had the bank's logo on it, lending a nice decorating touch to the lobby.
Working in a 10 person IT department...certainly not high security but we did (usually, try to, etc) take ordinary & prudent precautions.
We had a secondary door to the data center that wasn't on the key-card system. We asked Facilities to make the door always locked from the outside (which was a high-volume printer room that itself was accessed via an unlocked door in an office area). They did that, and us IT geeks didn't spend much time in the printer room.
Two years later we finally realize that yes, Facilities removed the tumbler so you couldn't unlock the door. But they had never put the metal plate in to cover up the hole in the handle. So all it took was a flat-head screwdriver to open it from the unsecured side. We had a collective departmental Du'oh slap that none of us had caught that problem.
Same employer also had the handicap button to enter the front foyer. Of course, once the doors swung open the wheelchair set would find a step...
I worked for a company once where the raised floor of the computer room extended into the hallway outside the room.
"he could face disciplinary measures"
ha! good one. i was just thinking it was a very "measured" attack...
Reminds me of the Monty Python "karate school" skit:
"What about a pointed stick?"
Thats why we went metric, imperial measures have too many vulnerabilities ...
When I was in Junior High School (Grade 8) one of my Industrial Arts (Shop) projects was to make a basic wooden pencil box with a sliding plastic lid (lid dimensions were about 6 inches by 10 inches by 1/16th inches).
My friends and I discovered that if you slid the plastic lid off of the pencil box and curved it slightly, you could 'jimmy' the locked doors of the school.
We set out to test our new tool, successfully getting into locked rooms from school hallways and classrooms during school hours. It became serious when we realized we could get into the gymnasium from outside... the gymnasium had security doors that locked on the outside but opened from within via push-bars in case of a fire. This means we had access to the whole school any time we wanted, not just from inside during school hours.
We only used our tool to get into the gym to get sports equipment to play with, like footballs and basketballs, during school lunch hours. We always put them back after, as a sort of group goal to remain totally undetected. But, we could have easily got into our teacher’s desks, our personal files in the administrative office, computer rooms, audio-visual rooms…
In addition to the motion-detector entrance doors, our server room features both a drop ceiling and a raised floor, both of which extend well outside the "secure" area. They should have saved the money and just put a sign-in sheet on the wall.
My professor did the same thing (more or less) in the new Engineering building at Concordia University. He took a sheet of paper and slid it under the door. The door unlocked and he opened it.
Now the university is spending a ton of money getting the motion detectors adjusted. The result? We get locked into the rooms. You have to dance around the door like an idiot if you want to get out of a badly adjusted room and put in a request to get it adjusted again if you simply can't stand spending sometimes a minute or two trying to get the sensor to recognize that someone is trying to get out.
Overall, it's just a huge mess.
1 Brand spanking new campus all using the same locking mechanisms for every door.
1 Plastic library card from said campus.
... got the t-shirt, hat, and matching headband.
A security system should be belt on several items and not only on the motion detectors. It is well known that all entries should be covered with surveillance cameras hidden and exposed.
This has also been known to work on lifts that have security locks on the buttons, such as in the car park. If the lift is at the floor with the lock, such as when someone leaves using the lift and locks it at night, you can usually stick something between the lift doors and the "don't close on me" sensor automatically opens the doors for you.
That only helps if someone actually looks at the imagery now and again.
All sites with cameras should have two camera systems, one covert. This way, you get a picture of the night security supervisor and the receiving manager shaking hands at 3 AM while the forklift is loading pallets of 21" monitors into the back of the U-Haul truck . . .
Yeah, the day after we got the new security cards in (this was about 8 years ago) with the motion detector to let you out, I was talking to one of the security guys, and I mentioned that I thought this would work. He said no. I went back to my desk, got a yardstick, taped something metal on the end (since I didn't know if it was an ultrasonic or RF motion detector) and waved myself in. He said "Yeah OK. Just don't spread it around."
Place where I used to work had one main front door, which had no physical lock at all, just a (very powerful) magnetic lock about 15 foot off the ground at the top, with a swipe card entry for out-of-hours use. (There were other fire doors that opened outwards in an emergency for safety, but there was only one way into the building.)
Unfortunately, they had only just moved into the building, and they hadn't had a chance to configure the swipe card system. This wasn't a problem because they had a security guard 24x7, so if somebody needed to come in out of hours they could just show him the pass through the glass door and he could buzz the door open for them.
One day the inevitable happened, the security guard went out to sign for something, and the door swung shut behind him...
There was *no* other way into the building! Doh!
He called the site manager and they didn't damage the door too badly, but it took them several hours to lever the door open enough to release the magnetic lock and get back into their own building!
Needless to say, the swipe system was up and running shortly afterwards...
We have a button several feet away from the door on the secure side which must be pushed in order to open the door. Seems to work fine. Handicap accessible and everything. It would be quite an engineering feat to wiggle something through the door and push that button.
The best story, I heard was some guy hanging (using tape) a piece of rigid plastic on the outside of a door. in such a position that, when the door would, be opened, the plastic would be pushed and fall in between the door and its enclosure.. The door closing automatically, would then be prevented to lock fully.
Place where I used to work had one main front door, which had no physical lock at all, just a (very powerful) magnetic lock about 15 foot off the ground at the top, with a swipe card entry for out-of-hours use. (There were other fire doors that opened outwards in an emergency for safety, but there was only one way into the building.)......
Atlanta mass transit's new fare gate system (called "Breeze") has a bi-directional gate that requires a card swipe to enter the station, but exiting has just a motion sensor. In the early days of the system, when it seldom worked for entering, I would lean around the gate and hold a magazine in front of the 'exit' sensor. The doors would open outward for me and I would pass through.
I noticed in the discussion on the original site people talking about using IR detectors instead of motion detectors. If the doors in question have large windows, could you not defeat this system by shining IR light through the window to illuminate an area in the detector's field of view?
(Of course, requiring a thief to have a suitable IR source is still superior to requiring a thief to have a yard stick.)
Why is it seen as necessary to place a motion sensor on these security doors. Doesn't it make much more sense to place an "unlock" button on the secure side?
Of course, it does help to make sure that the button can't be hit easily from the outside. I've seen a number of apartment complexes with security pedestrian gates, where the button can be reached through the closed gate...
Imagine the building is on fire, and the emergency power generator fails. Or you lost your id card over the trouble. The windows cannot be opened because the AC is ah so well designed, but who cares on 42nd floor anyway? Burn, baby, burn.
Some time ago the elevators in our building failed due to a software error. All elevators thought they were in fire brigade mode, so they refused to move unless you were in possession of a fire brigade key. That was quite a long lunch break for some.
Years ago, as a bicycle courier in Washington, DC, I frequently had to make deliveries to federal buildings that had this kind of "security" after hours.
What we'd do was take envelopes from our messenger bags and slip them through the crack and toss them to trigger the motion detector. I don't recall it ever not working.
A warm sheet of paper fresh out of a laser printer works on some IR sensors. Just tape it to something and shove it through the gap.
Folding yardsticks have been declared illegal on international flights, as a result.
Nothing new, firefighter's have been using the same trick for years to get into buildings that lack a Knox box in order to reset the fire alarm system. We have even taped a piece of paper to a slim jim in order to reach high enough to trip a motion sensor.
the doors at my highschool are a joke. spring megnetic lock swipe card. no motion sensors sadly. except that trip the alarm. there are alot of doors in that school. anyways with a pocket knife its as easy as turning a door nob. shove the tip against the locking mechanism and shove it sidways. i use it all the time to get in the gym (seperate building) at lunch if i need somthing. ive never had a chance to use it on the main building but its an identical door so chances are same thing. also every door in the school opens outwards. took my half an hour to make a tool to jimmy the locks. sadly after hours the alarm is really loud and it is everywhere.
heard a rumor that some motion sensors will fail to detect if the movement occurs behind glass... would be interested in knowing if this is so & would appreciate any related stories.
yes, hiding behind a pane of glass hides your IR signature from PIR (passive infared sensors) look at someone wearing glasses with heat vision. When white is hot the glasses will be extremely black (cold). Cover the PIR sensor with glass or else walk with a huge glass shield infront of you. The silver fire proximity suits for aircraft fires work also, mythbusters tested all these things a proved they work.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.