Phreaking Elevators
Who am I?
● Car hacking things
● High voltage projects
● CTFs (lifetime badge winner for Cyphercon)
● Infosec is a hobby (I might be looking for a job)
● I am new to the infosec world (3 years)
You cannot control an elevator through the phone.
Who am I not?
Want to know more on elevators?
● Deviant Ollam & Howard Payne - Elevator Hacking - From the Pit to the Penthouse
(Watch the talk they did at HOPE)
(We will have more from Deviant later on; that guy is awesome.)
Topics we are going to be covering:
● Elevator phone systems basics
● History (not a lot of this; since it's 2019, I want to talk about things that you can do TODAY)
● Information gathering
● Tools I like to use
● Elevator phone systems, more advanced (you better be ready)
● Thinking outside the elevator
● Conclusion
Legal disclaimer
● I am not a lawyer. Please don't hack things you don't own.
● None of the recordings involve a live human talking on the other end.
● Don't interfere with emergency communications; these systems are in place for a good reason.
Please don’t do this in the wild...
Elevator phone systems basics
PHONE PHOTO
To the outside world
● POTS
● VOIP
● Cell
Elevator phone systems basics
● POTS (plain old telephone service): this is in most elevators; it's how a phone will dial out.
● The device will dial when the handset is picked up or when the button is pushed.
● ADA/ASME A17 is the reason we have changes in our elevator phones. Also, there are building codes that need to be followed.
History time!
● Elevator phones started in 1968.
● We still find rotary phones!
● Ring down system.
● It was required for all elevators in 1976.
Information gathering
OSINT
● Who the phone dials to
● Building information
● Phone system information
● Phone number information (OpenCNAM)
● Google
Information gathering
Social engineering
● Pretend to be an elevator tech
● Remotely gathering target information by SEing the business and call centers
Information gathering
Physical
● How to control an elevator with independent service mode
● Where to go and what to look for
TOOLS
● Cell phone
● Multi-tool
● Landline phone
● Lineman's handset
● 9-volt battery (sometimes a AA)
Few good points
● Site ID 2
● Hang up: *# or # or *0 or 0 (or press the button again)
● PBX and line concentrators
PBX
● Private branch exchange
● Elevators can be on their own PBX
● Older PBXs you can find from a low voltage (24 volts)
Line Concentrator
● Outbound: one call at a time; the others get a busy signal
● Inbound: call the LC and it picks up with a double beep
● Within 4 seconds, enter “1”, “2” or “3” before it drops the line.
● When the power fails, it's a party!
Intercom
● Operated from outside the elevator
● Located in hallway, hoistway or machine room
● Video time!
Video!
Fire Fighters Phone
● The system looks for opens, shorts, or ground faults.
● Class A and Class B wiring
● Sounds an alert at fire command center until answered.
Line detection
● Checking on the phone line
● The key can reset the device for 24 hours
● The key can control volume
● RTFM
The song of my people….
This an emergency telephone located at. This is elevator emergency
inside car one at ________ main st please wait for two way communication
thank you. Main menu press 1 to talk 2 to program or *0 to disconnect.
The song of my people...
This the automated emergency telephone located at
Press 1 to talk to the party 2 to program 0 to disconnect
Four ways to program
● Keypad
● Switches
● Remote
● Programming cable
Programming
● RTFM
● Use the keypad. You will need the battery.
● Those buttons don't work the way you think they do.
Programming
● RTFM
● Position 1 connects / disconnects
● Position 3 is programming or “Learn mode”
● Position 2 switch ON: incoming calls are answered (factory setting)
Programming
Number * Passcode * options *#
Default elevator passwords:
● 123456 GAL
● 123456 Lincoln
● 845464 (V-I-K-I-N-G) *some viking products don't even have a password*
● 123456 Viking access password
● 1234 K-Tech
● 35842 T.R.E. Communications
● # 94851 or # 9000000 Janus
● *3*12345678* Master Access Code to change all other codes (Talkaphone)
● *4** guard access (Talkaphone)
HARDER PASSWORDS
● http://www.datagenetics.com/blog/september32012/index.html
● 1234 and 123456 are both at the top of the charts for the most common PINs.
● With a 4-digit PIN you have a 26.83% chance of getting it right; this drops down to 16.12% if 1234 doesn't work.
● With a 6-digit PIN you have a 20.21% chance of getting it right with the top 20 PINs, though if it's not 123456 it drops to 8.53%.
Programming
Number * Passcode * options *#
Options?
● Phone number
● Connection time
● Tone or Pulse
● Silence time out
● Dial next number (no answer)
● Dial next number (busy)
● Mute dialing
● Auto talk on ring
Attack!!!!!!
● Denial of service
  - Line no longer functions
  - Phone no longer calls the correct number
● Bypassing line detection
Attack!!!!!!
● Turning the elevator into a covert listening device
● LED problem
● Connection time
● Noise when it picks up
Attack!!!!!!
● You have an open telephone line!
  - Exfiltrate data
  - Register the line to a service like Google Voice
  - Dial some numbers…
900-$$$-$$$$
● 60 elevators at Brown University
● Each of those elevators has its own telephone line.
● 30 days x 24 hours = 720 hours
● 720 hours x 60 minutes = 43,200 minutes in a month
● 43,200 x 60 elevators = 2,592,000 elevator minutes
● 2,592,000 x $2.55 per minute = $6,609,600
Are we all doomed?!?
Look at:
● Monitoring (Why are we having an hour-long call?)
● Logging (Why do 30 people call the elevator a day?)
● Alerting (Is there really an emergency?... We should deal with that)
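Added example (not from the original slides): the monitoring, logging and alerting questions above written as checks over call detail records for the elevator lines. The CSV layout, line names and thresholds are assumptions, and every record and phone number below is constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Assumed for this example: the CSV columns, the line names and both thresholds.
# All phone numbers are fictional (555-01xx range).
MONITORING_CENTER = {"elev-car1": "+12025550100", "elev-car2": "+12025550100"}
MAX_CALL_SECONDS = 3600    # "Why are we having an hour-long call?"
MAX_INBOUND_PER_DAY = 30   # "Why do 30 people call the elevator a day?"


def build_sample_cdr():
    """Return constructed call detail records as CSV text."""
    rows = [
        "start,line,direction,remote,duration_s",
        # Normal emergency call to the programmed monitoring center.
        "2019-08-01T09:12:00,elev-car1,outbound,+12025550100,95",
        # Outbound call to a number the phone should never dial.
        "2019-08-01T23:40:00,elev-car1,outbound,+19005550199,4100",
        # Long inbound call: someone dialed in and the line stayed open.
        "2019-08-02T02:05:00,elev-car2,inbound,+12025550147,5400",
    ]
    # Thirty short inbound calls to one car on the same day.
    first = datetime(2019, 8, 3, 8, 0, 0)
    for i in range(30):
        start = first + timedelta(minutes=10 * i)
        rows.append(f"{start.isoformat()},elev-car2,inbound,+12025550123,12")
    return "\n".join(rows) + "\n"


def parse_cdr(text):
    """Parse CSV text into a list of typed record dicts."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.fromisoformat(row["start"]),
            "line": row["line"],
            "direction": row["direction"],
            "remote": row["remote"],
            "duration_s": int(row["duration_s"]),
        })
    return records


def find_alerts(records):
    """Return (line, rule, detail) tuples for every record that needs a look."""
    alerts = []
    inbound_per_day = Counter()
    for r in records:
        when = r["start"].isoformat()
        if r["duration_s"] >= MAX_CALL_SECONDS:
            detail = f"{when} {r['direction']} call lasted {r['duration_s']}s"
            alerts.append((r["line"], "LONG_CALL", detail))
        if r["direction"] == "outbound":
            if r["remote"] == MONITORING_CENTER.get(r["line"]):
                # A real emergency call: someone has to confirm it was handled.
                alerts.append((r["line"], "EMERGENCY_CALL", f"{when} confirm response"))
            else:
                # The phone was reprogrammed or the line is being used directly.
                detail = f"{when} dialed {r['remote']}"
                alerts.append((r["line"], "UNEXPECTED_DESTINATION", detail))
        elif r["direction"] == "inbound":
            inbound_per_day[(r["line"], r["start"].date())] += 1
    for (line, day), count in sorted(inbound_per_day.items()):
        if count >= MAX_INBOUND_PER_DAY:
            alerts.append((line, "INBOUND_VOLUME", f"{day} {count} inbound calls"))
    return alerts


if __name__ == "__main__":
    for line, rule, detail in find_alerts(parse_cdr(build_sample_cdr())):
        print(f"{rule:<22} {line:<10} {detail}")
```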
Manufacturers
● NO DEFAULT PASSWORDS... Don't allow the most common top 20 PINs
● Don't allow remote programming
● Train your call centers for SE attacks
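Added example (not from the original slides or any vendor's firmware): a PIN acceptance check a manufacturer could run when a programming passcode is set. It rejects the defaults listed earlier in the deck and any vendor name spelled on the keypad, as 845464 spells VIKING. The slides give no top-20 list, so common PINs are caught here by structural rules instead; the 6-digit minimum and the function names are assumptions.

```python
# Digits of the default codes listed earlier in this deck.
VENDOR_DEFAULTS = {"123456", "845464", "1234", "35842", "94851", "9000000", "12345678"}
# Vendor names from the same list; a PIN that spells one of them is guessable.
VENDOR_NAMES = ["GAL", "Lincoln", "Viking", "K-Tech", "T.R.E.", "Janus", "Talkaphone"]

# Standard telephone keypad letter assignment.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

TOO_SHORT = "shorter than the minimum length"
IS_DEFAULT = "matches a published vendor default"
IS_BRAND = "spells a vendor name on the keypad"
IS_REPEAT = "repeats one digit or one short block"
IS_SEQUENCE = "ascending or descending digit sequence"
NOT_DIGITS = "must contain digits only"


def keypad_spelling(word):
    """Return the digits that spell `word` on a phone keypad, ignoring punctuation."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.upper() if c in LETTER_TO_DIGIT)


BRAND_SPELLINGS = {keypad_spelling(name) for name in VENDOR_NAMES}


def is_repeated_block(pin):
    """True for 111111, 121212, 123123: the PIN is one block repeated."""
    n = len(pin)
    return any(n % k == 0 and pin == pin[:k] * (n // k) for k in range(1, n // 2 + 1))


def is_sequence(pin):
    """True for 123456, 654321, 890123: every step is +1 or every step is -1."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return len(pin) > 1 and steps in ({1}, {9})


def check_pin(pin, min_length=6):
    """Return the list of reasons to reject `pin`; an empty list means accept."""
    if not (pin.isascii() and pin.isdigit()):
        return [NOT_DIGITS]
    reasons = []
    if len(pin) < min_length:
        reasons.append(TOO_SHORT)
    if pin in VENDOR_DEFAULTS:
        reasons.append(IS_DEFAULT)
    if pin in BRAND_SPELLINGS:
        reasons.append(IS_BRAND)
    if is_repeated_block(pin):
        reasons.append(IS_REPEAT)
    if is_sequence(pin):
        reasons.append(IS_SEQUENCE)
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "845464", "1234", "121212", "5462656", "907351"]:
        print(candidate, check_pin(candidate) or "accepted")
```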
Let's go further!
● Pools
● University campus
● Meeting areas
● THE STAIRS!!!!
Want to learn more?
● Watch TeleChallenge 2018 Walkthrough
● Watch Pit to Penthouse
● RTFM
● C*net
● Bin Rev
If you want to play at home...
● Buy elevator phones on eBay
● Used ones will most likely be broken: $50 - $100
● New phones cost $100 - $300
Want to play around?
● PLA: 914-296-1862
● FUTELL: 503-HOT-1337
● ClownSec Phunhouse: 1-914-495-1365
Thank you
● All of my wonderful infosec friends.
● @plugxor
● @wireghoul
● @SgtHowardPayne
● @deviantollam
Thank you
● @willcaruana
● Call me 617-440-8667 (prank calls only)
● hvwill@protonmail.com

DEF CON 27 - Will C - Phreaking Elevators

08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

DSEF CON 27 - WILL C - phreaking elevators

  • 2. Who am I? ● Car hacking things ● High voltage projects ● CTFs (lifetime badge winner for Cyphercon) ● Infosec is a hobby (I might be looking for a job) ● I am new to the infosec world (3 years)
  • 3. You cannot control an elevator through the phone.
  • 4. Who am I not?
  • 5. Want to know more on elevators? ● Deviant Ollam & Howard Payne - Elevator Hacking - From the Pit to the Penthouse (Watch the talk they did at HOPE) (We will have more from Deviant later on; that guy is awesome.)
  • 6. Topics we are going to be covering: ● Elevator phone systems basics ● History (not a lot of this since it's 2019 I want about things that you can do TODAY) ● Information gathering ● Tools I like to use ● Elevator phone systems more advanced (you better be ready) ● Thinking outside the elevator ● Conclusion
  • 7. Legal disclaimer ● I am not a lawyer; please don’t hack things you don't own. ● None of the recordings involve a live human talking on the other end. ● Don't interfere with emergency communications; these systems are in place for a good reason.
  • 8. Please don’t do this in the wild...
  • 10.
  • 12.
  • 13. To the outside world ● POTS ● VOIP ● Cell
  • 14. Elevator phone systems basics ● POTS (plain old telephone service): this is in most elevators; it's how a phone will dial out. ● The device will dial when the handset is picked up or when the button is pushed. ● ADA/ASME A17 is the reason we have changes in our elevator phones. Also there are building codes that need to be followed.
  • 15. History time! ● Elevator phones started in 1968. ● We still find rotary phones! ● Ring down system. ● It was required for all elevators in 1976.
  • 16.
  • 17. Information gathering: OSINT ● Who the phone dials to ● Building information ● Phone system information ● Phone number information (OpenCNAM) ● Google
  • 18.
  • 19. Information gathering: Social engineering ● Pretend to be an elevator tech ● Remotely gathering target information by SEing the business and call centers
  • 20. Information gathering: Physical ● How to control an elevator with independent service mode ● Where to go and what to look for
  • 21.
  • 22.
  • 23.
  • 24. TOOLS ● Cell phone ● Multi tool ● Land line phone ● Lineman's handset ● 9-volt battery (sometimes a AA)
  • 25. Few good points ● Site ID 2 ● Hang up *# or # or *0 or 0 or (press the button again) ● PBX and line concentrators
  • 26. PBX ● Private branch exchange ● Elevators can be on their own PBX ● Older PBXs you can find from a low voltage (24 volts)
  • 28. Line Concentrator ● Outbound: one call at a time; the others get a busy signal ● Inbound call: the LC picks up with a double beep ● Within 4 seconds enter “1”, “2” or “3” before it drops the line. ● When the power fails it's a party!
  • 29. Intercom ● Operated from outside the elevator ● Located in hallway, hoistway or machine room ● Video time!
  • 31. Fire Fighters Phone ● The system looks for opens, shorts, or ground faults. ● Class A and Class B wiring ● Sounds an alert at fire command center until answered.
  • 32.
  • 33. Line detection ● Checking on the phone line ● The key can reset the device for 24 hours ● The key can control volume ● RTFM
  • 34. The song of my people….
  • 35. The song of my people…. This an emergency telephone located at. This is elevator emergency inside car one at ________ main st please wait for two way communication thank you. Main menu press 1 to talk 2 to program or *0 to disconnect.
  • 36. The song of my people... This the automated emergency telephone located at Press 1 to talk to the party 2 to program 0 to disconnect
  • 37. Four ways to program ● Key pad ● Switches ● Remote ● Programming cable
  • 38. Programming ● RTFM ● Use the key pad. You will need the battery ● Those buttons don’t work the way you think they do.
  • 39. Programming ● RTFM ● Position 1 connects / disconnects ● Position 3 is programming or “Learn mode” ● Position 2 switch ON: incoming calls are answered (factory setting)
  • 40. Programming: Number * Passcode * options *#
  • 41. Default elevator passwords: ● 123456 GAL ● 123456 Lincoln ● 845464 (V-I-K-I-N-G) *some viking products don't even have a password* ● 123456 Viking access password ● 1234 K-Tech ● 35842 T.R.E. Communications ● # 94851 or # 9000000 Janus ● *3*12345678* Master Access Code to change all other codes (Talkaphone) ● *4** guard access (Talkaphone)
  • 42. HARDER PASSWORDS ● http://www.datagenetics.com/blog/september32012/index.html ● 1234 and 123456 are both at the top of the charts for the most common pins. ● With a 4 pin code you have a 26.83% chance of getting it right; this drops down to 16.12% if 1234 doesn’t work. ● With a 6 pin code you have a 20.21% chance of getting it right with the top 20 pins, though if it's not 123456 it drops to 8.53%.
  • 43. Programming: Number * Passcode * options *#
  • 44. Options? ● Phone number ● Connection time ● Tone or Pulse ● Silence time out ● Dial next number (no answer) ● Dial next number (busy) ● Mute dialing ● Auto talk on ring
  • 45. Attack!!!!!! ● Denial of service - Line no longer functions - Phone no longer calls the correct number ● Bypassing line detection
  • 46. Attack!!!!!! ● Turning the elevator into a covert listening device ● LED problem ● Connection time ● Noise when it picks up
  • 47. Attack!!!!!! ● You have an open telephone line! - Exfiltrate data - Register the line to a service like Google Voice - Dial some numbers…
  • 48. 900-$$$-$$$$ ● 60 elevators at Brown University ● Each of those elevators has its own telephone line. ● 30 days x 24 hours = 720 hours ● 720 hours x 60 minutes = 43,200 minutes in a month ● 43,200 x 60 elevators = 2,592,000 elevator minutes ● 2,592,000 x $2.55 per minute = $6,609,600
  • 49. Are we all doomed?!?
  • 50. Look at: ● Monitoring (Why are we having an hour long call?) ● Logging (Why do 30 people call the elevator a day?) ● Alerting (Is there really an emergency?... We should deal with that)
  • 51. Manufacturers ● NO DEFAULT PASSWORDS... Don’t allow the most common top 20 pins ● Don’t allow remote programming ● Train your call centers for SE attacks
  • 52. Let's go further! ● Pools ● University campus ● Meeting areas ● THE STAIRS!!!!
  • 53. Want to learn more? ● Watch TeleChallenge 2018 Walkthrough ● Watch Pit to Penthouse ● RTFM ● C*net ● Bin Rev
  • 54. If you want to play at home... ● Buy elevator phones on eBay ● Used ones will most likely be broken $50 - $100 ● New phones cost $100 - $300
  • 55. Want to play around? ● PLA: 914-296-1862 ● FUTELL: 503-HOT-1337 ● ClownSec Phunhouse: 1-914-495-1365
  • 56. Thank you ● All of my wonderful infosec friends. ● @plugxor ● @wireghoul ● @SgtHowardPayne ● @deviantollam
  • 57. Thank you ● @willcaruana ● Call me 617-440-8667 (prank calls only) ● hvwill@protonmail.com
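
The monitoring, logging and alerting questions on slide 50 can be turned into checks over the call detail records (CDRs) of the elevator lines. The following is an added example, not part of the talk: the CDR tuple layout, the line names, the thresholds and every phone number are constructed assumptions.

```python
import re
from collections import Counter

# Assumed CDR layout: (start time, line id, direction, far-end number, seconds).
# All records, line ids and phone numbers below are constructed sample data.
EXPECTED_DEST = {"ELEV-01": "1-202-555-0100", "ELEV-02": "1-202-555-0100"}

SAMPLE_CDRS = [
    ("2019-08-09 09:02:11", "ELEV-01", "out", "12025550100", 95),    # normal emergency call
    ("2019-08-09 13:40:00", "ELEV-01", "in", "2025550143", 4210),    # call longer than an hour
    ("2019-08-10 02:15:30", "ELEV-02", "out", "19005550199", 600),   # premium-rate destination
    ("2019-08-10 03:00:00", "ELEV-02", "out", "2025550177", 30),     # dial-out number changed
] + [
    (f"2019-08-11 10:{m:02d}:00", "ELEV-02", "in", "2025550143", 12)
    for m in range(30)                                               # 30 inbound calls in a day
]


def normalize(number):
    """Reduce a dialed string to its 10 NANP digits where possible."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def analyze(cdrs, expected_dest, max_call_seconds=3600, max_inbound_per_day=30):
    """Return (line, rule, detail) alerts for the questions asked on slide 50."""
    alerts = []
    inbound = Counter()
    for start, line, direction, number, seconds in cdrs:
        dest = normalize(number)
        # Monitoring: "Why are we having an hour long call?"
        if seconds >= max_call_seconds:
            alerts.append((line, "LONG_CALL", f"{seconds}s call at {start}"))
        if direction == "out":
            # Alerting: an emergency phone should only ever dial its answering point.
            if dest.startswith("900"):
                alerts.append((line, "PREMIUM_RATE", number))
            elif dest != normalize(expected_dest.get(line, "")):
                alerts.append((line, "UNEXPECTED_DEST", number))
        else:
            inbound[(line, start[:10])] += 1
    # Logging: "Why do 30 people call the elevator a day?"
    for (line, day), count in sorted(inbound.items()):
        if count >= max_inbound_per_day:
            alerts.append((line, "INBOUND_VOLUME", f"{count} inbound calls on {day}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CDRS, EXPECTED_DEST):
        print(alert)
```

A line with no entry in `EXPECTED_DEST` has every outbound call flagged, which is the safe default for a phone that should only ever reach one answering point.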