Using Red Teams Techniques and a Little Common Sense to Defeat Advanced Security Systems

October 22, 2012

Editor-in-Chief’s note: This post was written by security expert U. Fridman and originally ran on his company blog, Red Teams.

A few years back, a customer asked us to test their newly installed (and very expensive) surveillance and security system. The product promised them an automated system that was so secure they wouldn’t have to place a security guard there.

After some recon we discovered that while the entrance was guarded by a very secure keypad + access card combination lock, the inside had an automated “unlock” sensor so if anyone wanted to come out, the door would unlock from the inside.

Using a high resolution night capable camera, we took photos of the door and lock. After careful review of the pictures we found out that the top and bottom of the doors were not sealed tight against the floor as we could see a tiny bit of light from there. A plan was set in motion.

Later when we arrived, we approached the door carefully and removed a piece of gear from our kit that would, hopefully, allow us to bypass the “very secure” lock: an old credit card.

We slid the old credit card under the door and… nothing.

After a few seconds we agreed that the sensor wasn’t picking up the movement, maybe because we were too close to the door and sensors usually “look” a bit farther out.

We retrieved another credit card and tied it to a piece of metal string (essentially several springs from a pen’s click mechanism tied together). We pushed the card under the door again, then carefully pushed it farther with the metal string. And farther, and farther and… voila! The motion sensor detected movement “from the inside” and unlocked the door.

We were in.

Big, expensive, digital lock defeated by an old credit card and a spring.




jcrist

I'm in the security business and trust me, we know how REX's work. Now, a salesman from ADT or the typical poorly trained young dude working for the local burg outfit doesn't really give a shit. If you do work for DOE facilities or the like who suffer constant security audits, this stuff doesn't fly. I just wish there were more "security critical" customers out there we could do work for!

Maglocks suck, and this is usually the case when this "trip the REX from outside" trick works. Using a pushbutton on the wall is an easy way to keep that trick from being utilized but it's less "convenient" for the customer. There we go - convenient or secure. Top security facilities couldn't care less about convenience. Electric strikes are the best way to go IMO, we always try to use them over Maglocks. But, many programmers do not set them up properly. A REX is still needed to let the system know that egress is OK at the time the door opens to prevent false "forced door" alarms but usually the default programming is for the REX not only to tell the system a door is ok to be opened - but to change relay state or unlock the strike. You are right back to being able to unlock the door by tripping the REX from outside. The correct programming is to set the REX to only tell the system a door is OK to open or "shunt door contacts only".

If security matters to you, contact a company that gives a shit, is involved with serious security and not just slinging hardware to meet a quota. Tactical guys make the best security contractors!


Jason

I have used this trick a number of times when locked out of a commercial building. A piece of ceiling wire (or a stout coat hanger bent straight) bent into a hook on one end with a piece of stiff paper like a manila folder taped to it will fit through most any commercial door at the bottom if not the top and trigger the motion sensor release. There are also entry tools for exit push bars like the one 1/2 down this page http://www.firehooksunlimited.net/entry.html . For cars (I spent many years in auto repair) the MCOT tool lets me into pretty much any car with power locks in a few seconds https://www.pro-lok.com/pc-66-37-ao24-mcot-handle-opener-tool.aspx

Most locks only deter the casual entrant. There are configurations that can help, like having the motion sensor not unlock the door after hours but only disable an instant alarm feature if the push bar is used (otherwise an instant alarm if the card reader is not used), or a card out required to avoid an alarm. Fire regs do require a way to get out no matter what, but it can trigger an alarm.


John

My locksmith continually tells me that locks are only for honest people.

Mark

Or you can just have the interior burg area turn off the REX motions when armed (i.e. interior is empty and REX is not needed). As a security integrator and former locksmith, I find maglocks to be harder to defeat than strikes (the locks themselves, not the access control systems). That said, in most cases, REX motion problems stem from an improper install. For some reason, people like to center certain models over the door, where they are looking straight down, when they were designed to be mounted on the hinge side of the door, looking diagonally down at the handle. Salespeople also like to sell the cheapest units.

In the case cited in the article, I'd be curious to know if a simple can of air would have let them in.
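The REX programming options raised in jcrist's and Mark's comments above (REX unlocking the door, REX set to "shunt door contacts only", and REX motion turned off while the interior area is armed), as an added example that is not part of the original post or its comments. It is a simplified Python model, not any vendor's controller logic: the class, field and event names are hypothetical, and it assumes a strike door whose inside handle releases the latch mechanically.

```python
from dataclasses import dataclass, field
from enum import Enum

class RexMode(Enum):
    UNLOCK = "unlock"          # REX motion also releases the lock
    SHUNT_ONLY = "shunt_only"  # REX only shunts the door contact

@dataclass
class Door:
    """Simplified, hypothetical controller model; not any vendor's logic."""
    rex_mode: RexMode
    ignore_rex_when_armed: bool = False  # interior area armed => REX motion off
    armed: bool = False
    locked: bool = True
    shunted: bool = False
    events: list = field(default_factory=list)

    def rex_motion(self):
        # The controller only sees "motion"; it cannot tell which side caused it.
        if self.armed and self.ignore_rex_when_armed:
            self.events.append("rex_ignored")
            return
        self.shunted = True
        if self.rex_mode is RexMode.UNLOCK:
            self.locked = False
        self.events.append("rex_" + self.rex_mode.value)

    def egress_by_handle(self):
        # Assumption: the inside handle retracts the latch without the controller.
        event = "normal_egress" if self.shunted else "forced_door_alarm"
        self.events.append(event)
        return event

def rex_trip_opens_door(door):
    """True if a REX trip by itself leaves the door openable from outside."""
    door.rex_motion()
    return not door.locked

def audit():
    return {
        "default_unlock": rex_trip_opens_door(Door(RexMode.UNLOCK)),
        "shunt_only": rex_trip_opens_door(Door(RexMode.SHUNT_ONLY)),
        "unlock_armed_rex_off": rex_trip_opens_door(
            Door(RexMode.UNLOCK, ignore_rex_when_armed=True, armed=True)),
        "unlock_disarmed_rex_off": rex_trip_opens_door(
            Door(RexMode.UNLOCK, ignore_rex_when_armed=True, armed=False)),
    }
```

In this model, turning REX motion off while armed only covers the armed hours; the same door in unlock mode still releases on a REX trip while disarmed, whereas shunt-only keeps it locked at all times and still suppresses the false forced-door alarm on normal egress.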


Mike

I was doing this same thing about 7 years ago when the company I was working for as a security contractor said their doors were secure and without a swipe card access was impossible. I walked to a door, took a phone book from the recycling barrel next to it, pulled off the cover and ran it through the top of the door. Voila. Beat 85% of the doors in the facility.
