The Doghouse: Sentex Keypads

Many can be opened with a default admin password:

Here’s a fun little tip: You can open most Sentex key pad-access doors by typing in the following code:

***00000099#*

The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access box will be left in admin mode!)

Tags: , , , , ,

Posted on March 13, 2009 at 1:46 PM47 Comments

Comments

Gweihir March 13, 2009 2:41 PM

When people building security systems do not even understand the elementary basics of security, then we are in trouble.

johns March 13, 2009 3:24 PM

What is the key sequence to change the admin password? After I open the door, I may want to help them out.

nick March 13, 2009 3:53 PM

Juergen, you are dead wrong, buddy.

The manufacturer should have designed the device so that an admin password must be set when it is first brought online. They failed to do so. They made false assumptions about their users (that they would read the documentation carefully and responsibly). They screwed up.

Kyle Maxwell March 13, 2009 4:03 PM

Juergen is partly right: it’s unfair to put Sentex in the doghouse for a “master key” when the real problem is that they don’t force the user to set one up. It’s not a master key, at least not by design (“this code will always work” sort of thing).

Fridz March 13, 2009 4:16 PM

@johns According to the manual as Juergen posted the sequence is:
09 (6 digit new password) #.

According to the manual it is “optional” to verify the new password. It looks like another improvement opportunity in the design of the system:

CHANGE THE PASSWORD
Changing the default password ensures no unauthorized entry. After changing the password, it is
imperative that you verify the new code before exiting the program mode, since a mistake will
prevent you from entering the program mode again.
Format 09 + new password (6 digits) + “#”
Example 09 + 123456 + #

  1. VERIFY THE PASSWORD
    You should perform this step after changing the access code, but before you exit the program
    mode to ensure proper password setting.
    Format 10 + password (6 digits) + “#”
    Example 10 + 123456 + #
    A. If a “0” is displayed on the 7-segment display, the password is correct.
    B. If an “E1” error code is displayed, the password is incorrect, and you should
    either re-verify the password or change it before you exit the program mode.

Jason March 13, 2009 4:49 PM

Still has fail.

RESTORE FACTORY SETTINGS
Use this step to restore the AUTOKEY to factory defaults (except step 6).
Format 20 + 101010 + “#”

Includes
09 Password 000000

Fred P March 13, 2009 5:00 PM

@Fridz-

I wonder what percentage of people that actually read the manual then promptly set the password to 123456?

crickel March 13, 2009 5:04 PM

@Jason You’ll still have to enter in the current admin password in order to enter programming mode, which has to be done to reset the unit to factory settings. And if you have the current admin password anyway, you don’t need to reset it back to 000000.

On the other hand, if you’re the legitimate owner of the door and you don’t know the password… such as if you forgot to reset the initial password and someone came along, reset the door, and ‘helpfully’ set an admin password… well, you’re in trouble. You won’t be able to get through your own door.

Clive Robinson March 13, 2009 5:09 PM

What’s the betting that is a “feature” marketing or other non technical people at the manufacturer suggested to reduce costs on returns etc.

Or worse put in to appease locksmiths (as the short cut in those mechanical “computer” locks that are prevelant on server room doors).

Such are the economics of mass produced physical security…

Jason March 13, 2009 5:13 PM

I remember the electronic door key pads we used to have at my old job.

All you needed to reprogram them was a flat head screwdriver to pop the cover off and a 9-volt battery.

No fancy codes needed.

Jon March 13, 2009 6:33 PM

At my current office, when we had a locksmith install a keypad lock on a door, their solution was to change the master admin code, and then give it out to everyone as the entry code. Only later when I was put in charge of changing the code did I realize what they had done and modify the configuration appropriately.

Devin March 13, 2009 7:23 PM

They should have either forced the user to set the password the first time it is turned on, or else set each one to a different random starting code, or both.

Carl March 14, 2009 2:17 AM

Reading the manual isn’t always the solution. We had a keypad solution installed as first access barrier to our computer room. The person installing it used the instruction in the manual to change the keycode and prompty used the random example as given in the manual!

Frank March 15, 2009 10:02 AM

As my father used to say, “Most locks are designed to keep the ‘honest’ thieves out; no one can deter a determined thief.”

However, it appears that a highly flawed, default password policy and a simple Internet search has now flattened-out that curve to insignificance.

It is amazing how much effort people and corporations will expend to avoid due diligence. IMHO, the only true security measure in ANY field of endeavor…

Robyn March 15, 2009 10:04 PM

i used to administer the sentex box where i lived. needless to say i changed everything. what intrigued me was how easy it was to get a key to open up the sentex box. sentex didn’t verify who i was or even ask for money for a replacement key. when i asked how they knew which key to send me the told me “one key fits all” easy pickings for anyone with a sentex key.

Psudonym March 16, 2009 10:33 AM

Reading the manual Juergen posted, It seems as though there are 2 keypads, one external facing one, and an internal one for programming. Does anyone have experience with these locks. Is it setup like :

Keypad lock control mechanism

Where a person needs to enter the “secure” area before being able to reach this second keypad?

This seems to me to be an example similar to patch Tuesdays, A security trade-off made to make administration easier.

Has anyone used this exploit in the wild?

Psudonym March 16, 2009 10:54 AM

Bit more about this product. It is discontinued.

Also as I suspected, the keypad on which this default password can be entered is inside of the box, which should be placed securely INSIDE the premises.

Arguments about the key required to access this box seem to be a moot point, because this box should be placed in an already “secure” area, behind the doors and gates which this system controls. In this case, not changing the default password would only enable adversaries which already have knowledge of the system and access. Given an adversary who has this access and knowledge of your general site security, this is not the weakest point of the security system, and I believe that the reaction to this is entirely overblown and sensationalist journalism.

The way it is reported it sounds as though you can simply walk up to a keypad and enter your authorization code (which this system does not use, it uses the same technology as a garage door opener) and walk into a secure area without drawing any attention to yourself.

A picture of the box with the keypad in question is located at
https://www.upswung.com/Sentex_Systems/AutoKey.htm

Damon March 16, 2009 12:01 PM

Thanks for the link, Psudonym! It does look like correct install would keep the keypad behind a secure perimeter.

However, this reminds me of how sometimes I see a keypad on a door that has exposed hinges. An attacker can just remove the hinge pins! (I saw this in the movie Ever After).

bob March 16, 2009 1:26 PM

@Andre LePlume: NCR ATMs came from the factory with a vault combination of 0-50-0 and most of the ones I worked on still had it that way.

Peter March 16, 2009 1:48 PM

Oh, it isn’t down, it is forbidding direct links now, so they’re checking the “referring” page.
So to get there, you’ll have to type in http://www.weebly.com, then manually edit the url to david.weebly.com. The parallax movement in the banner image is way cool.

Moderator March 16, 2009 3:23 PM

Note that the post is about keypad access devices, not the “garage door opener” type system that both Juergen and Psudonym linked to.

cmos March 16, 2009 3:30 PM

this is true of most phone entry systems- doorking, sentex (SES) pach, etc. very few company’s change the default settings- or the admin passcode is obvious such as 123456 or the numberical address of the business. Furthermore- if you have ever installed these- you are given a key for opening the box, which too is rarely changed. Nothing like impressing a date by having the keys to the city 😉

Psudonym March 17, 2009 12:04 PM

My apologies to everyone, I thought that was the correct manual

Moderator: Do you have a link to an example of this device or its manual?

Moderator March 17, 2009 3:55 PM

Psudonym,

The blog entry Bruce linked to — which is back up now — doesn’t specify a model, but there are a couple of keypad units described on the site you linked to (click on “Standalone Keypads”).

duff March 20, 2009 7:00 AM

I tend to agree with Juergen. I am not familiar with this device and don’t know if their is a design flaw. If there isn’t and the end-user doesn’t follow the directions for installation and operation, how is that the manufacturers fault? Why should the end user expect it to operate as designed if they don’t use it properly?

One would hope that the purchaser and or installer understands the basic concept of the device and it’s purpose. With that information and the user guide, its pretty easy to figure out that a default password isn’t very secure.

I can’t begin to count the number of “security” systems that I’ve seen in the field that are not used properly and as a result are ineffective in their mission.

S.W. January 2, 2010 2:19 AM

Our building has a Sentex and the vendor did create a new password for us when it was installed. But I recently discovered that many of the Sentex systems also have a default 4-digit entry code that unlocks the door (such as when you forget your key, just type in the code). I won’t post the code here. But when we got a new security vendor, the first thing the tech did was try this default code and it worked. You have to know the default code in order to tell the system to lock it out… and some installers don’t know the code. We tried the code at two other buildings on our block that had identical systems installed around the same time and it worked. The vendor locked it out for us… if you’ve got a Sentex system you should have your vendor contact Sentex to learn the default code for that unit and purge it.

Franko September 12, 2011 12:02 PM

Unfortunately, we have a Sentex telephone entry system. We need to change access codes, but do not have a manual and I cannot locate the company. Any ideas?

Wael June 2, 2012 11:17 PM

Hot spot access points have the same problem. They do ship with a global default admin password. These kinds of security pitfalls can be broadly categorized under “role miss-appropriation”. There are several ways to fix that. One of them is to have the admin password a function of the serial number or other unique characteristics of the device. Another is to ship the device with a unique sticker that had the admin password. These methods also have drawbacks, and cost money, so some manufacturers choose to make security “someone else’s” headache, and ask them to RTFM. They don’t realise that this will eventually be their headache. But legally, they are covered. Morally, I am not sure…

Alex Vaynberg August 17, 2014 5:33 PM

Hi All,

Have a Sentex Horizon. Admin password was lost and I need to change the tenant phone # on the box. Is there a way to reset to factory default. Any info would be helpful.

Thanks,

AV

Martin October 31, 2014 6:48 PM

I’m in the same boat. Our building has a Sentex Horizon H system and the installer is long gone and there’s no one in our area to support it. I’m using the SPSWin software but it hangs up if I try to enter the default password. I have keys for the unit and can gain access to the circuit board. I see a jumper j9 called “Setup” and I’m wondering if that can be used for a full reset? Any help would be great. Thanks!

Lori S Campbell June 7, 2016 3:35 PM

I have a Sentex spectrum di system and all of a sudden we can’t enter the program mode to change a tenants phone #. Is there a reset inside that will let us reset the “enter Program mode’? I’ve been all through both the install manual and the program manual.

Thanks

Steve Wilkins August 1, 2017 9:08 PM

Hi. Looking for a list of the codes for keypad programming of the Sentex, I’ve done it on the L but now the TIB board has quit on one of the units I care for and customer doesn’t want to replace. Can I program an S from keypad ? If you can please email me back ?

Thanks Steve

Mark Greenspun May 19, 2020 1:28 AM

Sentex Vista
301 Board
***000000 no longer puts system into program mode.
Logical possible reasons…
Bad 0 key
Someone changed it.
Board malfunction.
My research has not found a reset pin short solution to revert system to 000000 by shorting 2 pins on the circuit board.

My question to you?
Any solutions?
Thanks,
Mark

don May 22, 2020 12:10 AM

If you can get into the box (not too hard), you can pop the EEPROM out, load it into a reader and get or reset the password. I figured out where it was in a few minutes on our community’s unit. You can stick a blank EEPROM in too I think and the unit will write default data to it (including the all-0s password).

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.