Schneier on Security

A blog covering security and security technology.

« The Kindness of Strangers | Main | Friday Squid Blogging: Build Your Own Virtual Squid »

March 13, 2009

The Doghouse: Sentex Keypads

Many can be opened with a default admin password:

Here's a fun little tip: You can open most Sentex key pad-access doors by typing in the following code:
***00000099#*

The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access box will be left in admin mode!)

Posted on March 13, 2009 at 1:46 PM • 40 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Gweihir • March 13, 2009 2:41 PM

When people building security systems do not even understand the elementary basics of security, then we are in trouble.

Thomas Damgaard • March 13, 2009 2:58 PM

Nice :)

spaceman spiff • March 13, 2009 3:07 PM

Open sesame!

johns • March 13, 2009 3:24 PM

What is the key sequence to change the admin password? After I open the door, I may want to help them out.

Juergen • March 13, 2009 3:39 PM

It's a bit unfair to put the manufacturer into the doghouse just because the users neglect to change the default password.

Plausible user manual:
http://lib.store.yahoo.net/lib/aaaremotes/...

nick • March 13, 2009 3:53 PM

Juergen, you are dead wrong, buddy.

The manufacturer should have designed the device so that an admin password must be set when it is first brought online. They failed to do so. They made false assumptions about their users (that they would read the documentation carefully and responsibly). They screwed up.

Kyle Maxwell • March 13, 2009 4:03 PM

Juergen is partly right: it's unfair to put Sentex in the doghouse for a "master key" when the real problem is that they don't force the user to set one up. It's not a master key, at least not by design ("this code will always work" sort of thing).

al • March 13, 2009 4:05 PM

I thought you are not keen on full disclosure?

Fridz • March 13, 2009 4:16 PM

@johns According to the manual as Juergen posted the sequence is:
09 (6 digit new password) #.

According to the manual it is "optional" to verify the new password. It looks like another improvement opportunity in the design of the system:

CHANGE THE PASSWORD
Changing the default password ensures no unauthorized entry. After changing the password, it is
imperative that you verify the new code before exiting the program mode, since a mistake will
prevent you from entering the program mode again.
Format 09 + new password (6 digits) + “#”
Example 09 + 123456 + #

2. VERIFY THE PASSWORD
You should perform this step after changing the access code, but before you exit the program
mode to ensure proper password setting.
Format 10 + password (6 digits) + “#”
Example 10 + 123456 + #
A. If a “0” is displayed on the 7-segment display, the password is correct.
B. If an "E1" error code is displayed, the password is incorrect, and you should
either re-verify the password or change it before you exit the program mode.

Jason • March 13, 2009 4:49 PM

Still has fail.

RESTORE FACTORY SETTINGS
Use this step to restore the AUTOKEY to factory defaults (except step 6).
Format 20 + 101010 + “#”

Includes
09 Password 000000

Fred P • March 13, 2009 5:00 PM

@Fridz-

I wonder what percentage of people that actually read the manual then promptly set the password to 123456?

crickel • March 13, 2009 5:04 PM

@Jason You'll still have to enter in the current admin password in order to enter programming mode, which has to be done to reset the unit to factory settings. And if you have the current admin password anyway, you don't need to reset it back to 000000.

On the other hand, if you're the legitimate owner of the door and you *don't* know the password... such as if you forgot to reset the initial password and someone came along, reset the door, and 'helpfully' set an admin password... well, you're in trouble. You won't be able to get through your own door.

Clive Robinson • March 13, 2009 5:09 PM

What's the betting that is a "feature" marketing or other non technical people at the manufacturer suggested to reduce costs on returns etc.

Or worse put in to appease locksmiths (as the short cut in those mechanical "computer" locks that are prevelant on server room doors).

Such are the economics of mass produced physical security...

Jason • March 13, 2009 5:13 PM

I remember the electronic door key pads we used to have at my old job.

All you needed to reprogram them was a flat head screwdriver to pop the cover off and a 9-volt battery.

No fancy codes needed.

Jon • March 13, 2009 6:33 PM

At my current office, when we had a locksmith install a keypad lock on a door, their solution was to change the master admin code, and then give it out to everyone as the entry code. Only later when I was put in charge of changing the code did I realize what they had done and modify the configuration appropriately.

Devin • March 13, 2009 7:23 PM

They should have either forced the user to set the password the first time it is turned on, or else set each one to a different random starting code, or both.

Carl • March 14, 2009 2:17 AM

Reading the manual isn't always the solution. We had a keypad solution installed as first access barrier to our computer room. The person installing it used the instruction in the manual to change the keycode and prompty used the random example as given in the manual!

Rob • March 14, 2009 3:22 AM

@Fred P: Amazing! That's the same as the combination on my luggage!

Frank • March 15, 2009 10:02 AM

As my father used to say, "Most locks are designed to keep the 'honest' thieves out; no one can deter a determined thief."

However, it appears that a highly flawed, default password policy and a simple Internet search has now flattened-out that curve to insignificance.

It is amazing how much effort people and corporations will expend to avoid due diligence. IMHO, the only true security measure in ANY field of endeavor...

Andre LePlume • March 15, 2009 5:24 PM

Luckily, this would never happen with anything like ATMs.

(chortle)

Robyn • March 15, 2009 10:04 PM

i used to administer the sentex box where i lived. needless to say i changed everything. what intrigued me was how easy it was to get a key to open up the sentex box. sentex didn't verify who i was or even ask for money for a replacement key. when i asked how they knew which key to send me the told me "one key fits all" easy pickings for anyone with a sentex key.

Psudonym • March 16, 2009 10:33 AM

Reading the manual Juergen posted, It seems as though there are 2 keypads, one external facing one, and an internal one for programming. Does anyone have experience with these locks. Is it setup like :

Keypad lock control mechanism

Where a person needs to enter the "secure" area before being able to reach this second keypad?

This seems to me to be an example similar to patch Tuesdays, A security trade-off made to make administration easier.

Has anyone used this exploit in the wild?

Psudonym • March 16, 2009 10:54 AM

Bit more about this product. It is discontinued.

Also as I suspected, the keypad on which this default password can be entered is inside of the box, which should be placed securely INSIDE the premises.

Arguments about the key required to access this box seem to be a moot point, because this box should be placed in an already "secure" area, behind the doors and gates which this system controls. In this case, not changing the default password would only enable adversaries which already have knowledge of the system and access. Given an adversary who has this access and knowledge of your general site security, this is not the weakest point of the security system, and I believe that the reaction to this is entirely overblown and sensationalist journalism.

The way it is reported it sounds as though you can simply walk up to a keypad and enter your authorization code (which this system does not use, it uses the same technology as a garage door opener) and walk into a secure area without drawing any attention to yourself.

A picture of the box with the keypad in question is located at
https://www.upswung.com/Sentex_Systems/AutoKey.htm

Damon • March 16, 2009 12:01 PM

Thanks for the link, Psudonym! It does look like correct install would keep the keypad behind a secure perimeter.

However, this reminds me of how sometimes I see a keypad on a door that has exposed hinges. An attacker can just remove the hinge pins! (I saw this in the movie Ever After).

Peter • March 16, 2009 12:29 PM

The site appears down. It is giving 403 errors.

bob • March 16, 2009 1:26 PM

@Andre LePlume: NCR ATMs came from the factory with a vault combination of 0-50-0 and most of the ones I worked on still had it that way.

Peter • March 16, 2009 1:48 PM

Oh, it isn't down, it is forbidding direct links now, so they're checking the "referring" page.
So to get there, you'll have to type in www.weebly.com, then manually edit the url to david.weebly.com. The parallax movement in the banner image is way cool.

Moderator • March 16, 2009 3:23 PM

Note that the post is about keypad access devices, not the "garage door opener" type system that both Juergen and Psudonym linked to.

cmos • March 16, 2009 3:30 PM

this is true of most phone entry systems- doorking, sentex (SES) pach, etc. very few company's change the default settings- or the admin passcode is obvious such as 123456 or the numberical address of the business. Furthermore- if you have ever installed these- you are given a key for opening the box, which too is rarely changed. Nothing like impressing a date by having the keys to the city ;)

Nostromo • March 17, 2009 3:38 AM

Juergen, practically nobody reads manuals for any appliance.

Psudonym • March 17, 2009 12:04 PM

My apologies to everyone, I thought that was the correct manual

Moderator: Do you have a link to an example of this device or its manual?

Moderator • March 17, 2009 3:55 PM

Psudonym,

The blog entry Bruce linked to -- which is back up now -- doesn't specify a model, but there are a couple of keypad units described on the site you linked to (click on "Standalone Keypads").

Psudonym • March 17, 2009 9:33 PM

If anyone is interested, the manual to one of the keypads described is located at
www.automatedgatestore.com/manuals/SentexMiniKey_MANUAL.pdf

And a picture of an installation

http://www.liftmaster-elite.com/Sentex_Systems/...

I am have to say I was wrong earlier. This does seem like a very serious security issue.

duff • March 20, 2009 7:00 AM

I tend to agree with Juergen. I am not familiar with this device and don't know if their is a design flaw. If there isn't and the end-user doesn't follow the directions for installation and operation, how is that the manufacturers fault? Why should the end user expect it to operate as designed if they don't use it properly?

One would hope that the purchaser and or installer understands the basic concept of the device and it's purpose. With that information and the user guide, its pretty easy to figure out that a default password isn't very secure.

I can't begin to count the number of "security" systems that I've seen in the field that are not used properly and as a result are ineffective in their mission.

S.W. • January 2, 2010 2:19 AM

Our building has a Sentex and the vendor did create a new password for us when it was installed. But I recently discovered that many of the Sentex systems also have a default 4-digit entry code that unlocks the door (such as when you forget your key, just type in the code). I won't post the code here. But when we got a new security vendor, the first thing the tech did was try this default code and it worked. You have to know the default code in order to tell the system to lock it out... and some installers don't know the code. We tried the code at two other buildings on our block that had identical systems installed around the same time and it worked. The vendor locked it out for us... if you've got a Sentex system you should have your vendor contact Sentex to learn the default code for that unit and purge it.

Eyal • September 6, 2010 1:00 PM

What can be done if programing password was lost?

RJ • December 19, 2010 1:10 AM

Is there a way to clear the CMOS or ram to factory defaults?

Carlos R • January 24, 2011 9:41 AM

What can be done if programing password was lost? To SPECTRUM -301

Franko • September 12, 2011 12:02 PM

Unfortunately, we have a Sentex telephone entry system. We need to change access codes, but do not have a manual and I cannot locate the company. Any ideas?

Wael • June 2, 2012 11:17 PM

Hot spot access points have the same problem. They do ship with a global default admin password. These kinds of security pitfalls can be broadly categorized under "role miss-appropriation". There are several ways to fix that. One of them is to have the admin password a function of the serial number or other unique characteristics of the device. Another is to ship the device with a unique sticker that had the admin password. These methods also have drawbacks, and cost money, so some manufacturers choose to make security "someone else's" headache, and ask them to RTFM. They don't realise that this will eventually be their headache. But legally, they are covered. Morally, I am not sure...

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D