Schneier on Security
A blog covering security and security technology.
March 13, 2009
The Doghouse: Sentex Keypads
Many can be opened with a default admin password:
Here's a fun little tip: You can open most Sentex key pad-access doors by typing in the following code:
The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access box will be left in admin mode!)
Posted on March 13, 2009 at 1:46 PM
When people building security systems do not even understand the elementary basics of security, then we are in trouble.
What is the key sequence to change the admin password? After I open the door, I may want to help them out.
Juergen, you are dead wrong, buddy.
The manufacturer should have designed the device so that an admin password must be set when it is first brought online. They failed to do so. They made false assumptions about their users (that they would read the documentation carefully and responsibly). They screwed up.
Juergen is partly right: it's unfair to put Sentex in the doghouse for a "master key" when the real problem is that they don't force the user to set one up. It's not a master key, at least not by design ("this code will always work" sort of thing).
I thought you are not keen on full disclosure?
@johns According to the manual as Juergen posted the sequence is:
09 (6 digit new password) #.
According to the manual it is "optional" to verify the new password. It looks like another improvement opportunity in the design of the system:
CHANGE THE PASSWORD
Changing the default password ensures no unauthorized entry. After changing the password, it is
imperative that you verify the new code before exiting the program mode, since a mistake will
prevent you from entering the program mode again.
Format 09 + new password (6 digits) + “#”
Example 09 + 123456 + #
2. VERIFY THE PASSWORD
You should perform this step after changing the access code, but before you exit the program
mode to ensure proper password setting.
Format 10 + password (6 digits) + “#”
Example 10 + 123456 + #
A. If a “0” is displayed on the 7-segment display, the password is correct.
B. If an "E1" error code is displayed, the password is incorrect, and you should
either re-verify the password or change it before you exit the program mode.
Still has fail.
RESTORE FACTORY SETTINGS
Use this step to restore the AUTOKEY to factory defaults (except step 6).
Format 20 + 101010 + “#”
09 Password 000000
I wonder what percentage of people that actually read the manual then promptly set the password to 123456?
@Jason You'll still have to enter in the current admin password in order to enter programming mode, which has to be done to reset the unit to factory settings. And if you have the current admin password anyway, you don't need to reset it back to 000000.
On the other hand, if you're the legitimate owner of the door and you *don't* know the password... such as if you forgot to reset the initial password and someone came along, reset the door, and 'helpfully' set an admin password... well, you're in trouble. You won't be able to get through your own door.
What's the betting that is a "feature" marketing or other non technical people at the manufacturer suggested to reduce costs on returns etc.
Or worse put in to appease locksmiths (as the short cut in those mechanical "computer" locks that are prevalent on server room doors).
Such are the economics of mass produced physical security...
I remember the electronic door key pads we used to have at my old job.
All you needed to reprogram them was a flat head screwdriver to pop the cover off and a 9-volt battery.
No fancy codes needed.
At my current office, when we had a locksmith install a keypad lock on a door, their solution was to change the master admin code, and then give it out to everyone as the entry code. Only later when I was put in charge of changing the code did I realize what they had done and modify the configuration appropriately.
They should have either forced the user to set the password the first time it is turned on, or else set each one to a different random starting code, or both.
Reading the manual isn't always the solution. We had a keypad solution installed as first access barrier to our computer room. The person installing it used the instruction in the manual to change the keycode and promptly used the random example as given in the manual!
@Fred P: Amazing! That's the same as the combination on my luggage!
As my father used to say, "Most locks are designed to keep the 'honest' thieves out; no one can deter a determined thief."
However, it appears that a highly flawed, default password policy and a simple Internet search has now flattened-out that curve to insignificance.
It is amazing how much effort people and corporations will expend to avoid due diligence. IMHO, the only true security measure in ANY field of endeavor...
Luckily, this would never happen with anything like ATMs.
i used to administer the sentex box where i lived. needless to say i changed everything. what intrigued me was how easy it was to get a key to open up the sentex box. sentex didn't verify who i was or even ask for money for a replacement key. when i asked how they knew which key to send me they told me "one key fits all" easy pickings for anyone with a sentex key.
Reading the manual Juergen posted, it seems as though there are 2 keypads, one external facing one, and an internal one for programming. Does anyone have experience with these locks? Is it set up like:
Keypad lock control mechanism
Where a person needs to enter the "secure" area before being able to reach this second keypad?
This seems to me to be an example similar to patch Tuesdays, a security trade-off made to make administration easier.
Has anyone used this exploit in the wild?
Bit more about this product. It is discontinued.
Also as I suspected, the keypad on which this default password can be entered is inside of the box, which should be placed securely INSIDE the premises.
Arguments about the key required to access this box seem to be a moot point, because this box should be placed in an already "secure" area, behind the doors and gates which this system controls. In this case, not changing the default password would only enable adversaries which already have knowledge of the system and access. Given an adversary who has this access and knowledge of your general site security, this is not the weakest point of the security system, and I believe that the reaction to this is entirely overblown and sensationalist journalism.
The way it is reported it sounds as though you can simply walk up to a keypad and enter your authorization code (which this system does not use, it uses the same technology as a garage door opener) and walk into a secure area without drawing any attention to yourself.
A picture of the box with the keypad in question is located at
Thanks for the link, Psudonym! It does look like correct install would keep the keypad behind a secure perimeter.
However, this reminds me of how sometimes I see a keypad on a door that has exposed hinges. An attacker can just remove the hinge pins! (I saw this in the movie Ever After).
The site appears down. It is giving 403 errors.
@Andre LePlume: NCR ATMs came from the factory with a vault combination of 0-50-0 and most of the ones I worked on still had it that way.
Oh, it isn't down, it is forbidding direct links now, so they're checking the "referring" page.
So to get there, you'll have to type in www.weebly.com, then manually edit the url to david.weebly.com. The parallax movement in the banner image is way cool.
Note that the post is about keypad access devices, not the "garage door opener" type system that both Juergen and Psudonym linked to.
this is true of most phone entry systems- doorking, sentex (SES) pach, etc. very few companies change the default settings- or the admin passcode is obvious such as 123456 or the numerical address of the business. Furthermore- if you have ever installed these- you are given a key for opening the box, which too is rarely changed. Nothing like impressing a date by having the keys to the city ;)
Juergen, practically nobody reads manuals for any appliance.
My apologies to everyone, I thought that was the correct manual
Moderator: Do you have a link to an example of this device or its manual?
The blog entry Bruce linked to -- which is back up now -- doesn't specify a model, but there are a couple of keypad units described on the site you linked to (click on "Standalone Keypads").
If anyone is interested, the manual to one of the keypads described is located at
And a picture of an installation
I have to say I was wrong earlier. This does seem like a very serious security issue.
I tend to agree with Juergen. I am not familiar with this device and don't know if there is a design flaw. If there isn't and the end-user doesn't follow the directions for installation and operation, how is that the manufacturer's fault? Why should the end user expect it to operate as designed if they don't use it properly?
One would hope that the purchaser and or installer understands the basic concept of the device and its purpose. With that information and the user guide, it's pretty easy to figure out that a default password isn't very secure.
I can't begin to count the number of "security" systems that I've seen in the field that are not used properly and as a result are ineffective in their mission.
Our building has a Sentex and the vendor did create a new password for us when it was installed. But I recently discovered that many of the Sentex systems also have a default 4-digit entry code that unlocks the door (such as when you forget your key, just type in the code). I won't post the code here. But when we got a new security vendor, the first thing the tech did was try this default code and it worked. You have to know the default code in order to tell the system to lock it out... and some installers don't know the code. We tried the code at two other buildings on our block that had identical systems installed around the same time and it worked. The vendor locked it out for us... if you've got a Sentex system you should have your vendor contact Sentex to learn the default code for that unit and purge it.
What can be done if programming password was lost?
Is there a way to clear the CMOS or ram to factory defaults?
What can be done if programming password was lost? To SPECTRUM -301
Unfortunately, we have a Sentex telephone entry system. We need to change access codes, but do not have a manual and I cannot locate the company. Any ideas?
Hot spot access points have the same problem. They do ship with a global default admin password. These kinds of security pitfalls can be broadly categorized under "role misappropriation". There are several ways to fix that. One of them is to have the admin password a function of the serial number or other unique characteristics of the device. Another is to ship the device with a unique sticker that had the admin password. These methods also have drawbacks, and cost money, so some manufacturers choose to make security "someone else's" headache, and ask them to RTFM. They don't realise that this will eventually be their headache. But legally, they are covered. Morally, I am not sure...
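A sketch of the fixes proposed in the comments above (an initial password derived from the serial number, a forced change before the unit will operate, and a mandatory verify step), as an added example that is not Sentex code or part of the original thread. The `Keypad` class, the `FACTORY_KEY` value and the `E2` code are hypothetical; the `0` and `E1` results follow the manual excerpt quoted earlier, and the model is simplified to take the current password with each change request.

```python
import hashlib
import hmac

FACTORY_DEFAULT = "000000"  # shared default named in the post
MANUAL_EXAMPLE = "123456"   # example printed in the quoted manual
FACTORY_KEY = b"constructed-demo-key"  # hypothetical; a real key never ships in the unit

def per_device_default(serial: str, key: bytes = FACTORY_KEY) -> str:
    """Derive a 6-digit initial password from the serial number with HMAC-SHA256."""
    digest = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 1_000_000:06d}"

def is_weak(pw: str) -> bool:
    """Reject the shared default, the manual's example, repeats and simple runs."""
    if pw in (FACTORY_DEFAULT, MANUAL_EXAMPLE) or len(set(pw)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {9})  # ascending or descending run such as 234567

class Keypad:
    """Simplified model: the door relay stays disabled until provisioning completes."""
    def __init__(self, serial: str):
        self.password = per_device_default(serial)
        self.pending = None
        self.provisioned = False

    def change_password(self, current: str, new: str) -> str:  # manual step "09"
        if not hmac.compare_digest(current, self.password):    # keypad input is ASCII digits
            return "E1"
        ok = len(new) == 6 and new.isascii() and new.isdigit()
        if not ok or is_weak(new):
            return "E2"  # hypothetical code for "password rejected"
        self.pending = new
        return "0"

    def verify_password(self, pw: str) -> str:  # manual step "10", mandatory here
        if self.pending is None or not hmac.compare_digest(pw, self.pending):
            return "E1"
        self.password, self.pending, self.provisioned = pw, None, True
        return "0"

    def open_door(self, pw: str) -> bool:
        return self.provisioned and hmac.compare_digest(pw, self.password)
```
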