The LOD/H Technical Journal: File #5 of 10 (ISSUE #2)

Lex Luthor and The Legion Of Doom/Hackers Present:

Identifying, Attacking, Defeating, and Bypassing
Physical Security and Intrusion Detection Systems

PART II: THE EXTERIOR

INTRODUCTION:
-------------

The 'exterior' refers to the area directly outside of a building and the things within the building which are on the exterior. These obviously are: doors, air conditioning ducts, windows, walls, roofs, garages, etc. I don't believe the word 'exterior' is the exact definition of what this article will encompass, unlike the 'perimeter', but it's the best I could come up with.

This article is primarily of an informative nature, although methods of "attacking, defeating, and bypassing" will be explained. Its purpose is not specifically to encourage you to breach a facility's security, although I acknowledge that it could be used as such. Some of the devices mentioned in the physical security series are used in homes as well as corporate, industrial, and military installations, but my aim is specifically towards the commercial aspect of buildings, not homes and apartments. Entering a facility to obtain information such as passwords or manuals is one thing; breaking into someone's home to steal their personal belongings is another.

THE EXTERIOR:
-------------

A facility's second line of defense against intrusion is its exterior. The exterior may have any or all of the following:

* Window breakage detectors
* Keypad systems
* Card access control systems
* Magnetic locks and contacts
* Security lighting and CCTV

CCTV, which is also used here, was mentioned in Part I: The Perimeter. Card access control devices will be mentioned in Part III: The Interior.

WINDOWS:
--------

Windows are a large security hole for buildings. You may notice that many phone company buildings and data processing centers have few if any windows. There are two things that can be done to secure windows aside from making sure they are locked. One is to make them very difficult to break, and the other is to detect a break when and if it occurs.

Here is a quick breakdown of the common types of glass/windows in use today:

Plate glass: Can be cut with a glass cutter.
Tempered:    Normally can't be cut. Breaks up into little pieces when broken.
Safety:      You need a hatchet to break this stuff.
Wire:        This has wire criss-crossed inside of the glass, making it very hard to break, and even harder to actually go through the opening it is in place of.
Plexiglass:  Very hard to break, doesn't really shatter, but can be melted with the use of a torch.
Lexan:       This is used in bulletproof glass. One of the strongest and most secure types of glass.
Herculite:   Similar to Lexan.

Foil tape:
----------

This is by far the most common, and probably the most improperly installed, form of glass breakage detection, which also makes it the most insecure. It is usually a silver foil tape about 5/16" wide which should be placed around the whole perimeter of a glass window or door. In the case of Plexiglass or a similar material, the tape should be placed in rows separated by 6-12 inches. The older foil was covered with a coating of urethane or epoxy which enabled it to stick onto the glass. The newer foil has an adhesive back, making installation much easier. There should be two connectors, one located at the upper part of the window and one at the lower part, which connect the foil to the processor, thus completing the circuit.

Foil may or may not have a supervised loop. If it is supervised, and you use a key to scratch the foil (when it is turned off) making a complete break in it, an alarm will sound when it is turned on. Foil is commonly used as a visual deterrent. Many times, it will not even be activated. The easiest way to determine if the facility is trying to 'B.S.' you into thinking they have a security system is to see if there are any breaks in the foil. If there is a clean break, the 6-12V DC current which normally makes a loop isn't flowing. Thus, breaking the glass will do nothing other than make some noise, unless you take steps against that happening.

As was stated, foil is the most improperly installed type of glass breakage detection. When it is installed improperly, it will not cover all the area it should. An easy way to defeat this is shown in the following diagram:

        +-------------+
        ! ........... !
        ! .         . !     . = foil tape
        ! .   put   . !     - = top/bottom of door
        ! . contact . !     ! = sides of door
        ! .  paper  . !     / = dividing line between 2 pieces of contact paper
        ! .   in    . !     $ = ideal places for initial breakage
        ! .  this +-! !     ' = clear area or outline of second piece of contact paper
        ! .  area ! ! !  <-- door handle
        ! .       +-! !
        ! .         . !
        ! ........... !
        !/////////////!
        !'''''''''''''!
        !'           '!
        !$'''''''''''$!
        +-------------+

As you can see, the installer neglected to place the foil all the way down to the bottom of the glass door. There is enough room for a person to climb through. They may have thought that if someone broke the glass, it would all break, which is normally correct. But if you obtain some strong contact paper, preferably clear, adhere it to the glass as shown, and break the bottom part at the '$', it will break up to the '/' line and that's it, thus leaving the foil intact. This works best on tempered glass, and will not work on Lexan or Plexiglass.

There is a transparent window film with a break strength of up to 100 pounds per square inch which can be obtained from Madico, Inc. It is called Protekt LCL-400 XSR, and it makes glass harder to break and stays essentially in place even when broken. This can be used in place of the contact paper. Obviously, it is also used to protect glass from breakage.

Audio discriminators:
---------------------

What these do is compare the frequency of the sound that glass makes when it breaks to the actual breakage of glass. This frequency is relatively unique, and can accurately determine when and if glass actually breaks. Your best shot at defeating this is to do the same thing as mentioned above: cover the glass with a film which will keep the glass in place after breaking it. If you break it properly, the frequency will not match that of glass breaking when it is not held in place.

Glass shock sensors:
--------------------

These devices detect shock disturbances using a gold-plated ring that "bounces" off a pair of normally closed gold-plated electrical contacts. This sends a signal to a Signal Processor (SP) which determines whether an alarm condition exists. There are two settings the SP can be set to:

SHOCK-BREAK: This mode requires an initial high energy shock, followed by a very low energy shatter. The shatter must occur within about 1 second before an alarm can occur.

SHOCK-ONLY: An alarm will occur once the first shock is detected. This may or may not be accompanied by a shatter.

Obviously the more secure setting for a facility would be shock-only, though both are equally dangerous for an intruder. The methods mentioned earlier about preventing the glass from shattering will not work when this device is used in the shock-only mode. They may work, depending on the type of glass, if the device is in the shock-break mode instead.

These devices are usually found protecting large plate glass and multi-pane windows. They are roughly 2 inches by 1 inch and can be mounted on the frame of a window, between two windows, or on the glass itself. These sensors can cover up to 150 square feet of glass. These are the best of the lot for window breakage detection. Most devices have a constantly supervised loop, and if you cut a wire, that loop will break and cause an alarm condition. They are typically placed somewhere on the window pane and not on the window, thus making them harder to visually detect... from the outside, that is.
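The two SP settings above are easiest to compare as decision logic over a stream of contact "bounce" events. The block below is an added example written for this edit; it is not code from the article or from any sensor vendor. It models SHOCK-ONLY (alarm on the first high-energy shock) and SHOCK-BREAK (alarm only when a high-energy shock is followed by a low-energy shatter within about one second), and runs both over constructed traces, including the rattling-window case that a "damped" sensor exists to ignore and the film-held-glass case the text says shock-break mode can miss. The energy scale, thresholds, event format and traces are all assumptions made for the example.

```python
"""Decision logic of a glass shock sensor's Signal Processor (SP).

Added example (not from the LOD/H article or from any vendor). SHOCK-ONLY
alarms on the first high-energy shock; SHOCK-BREAK alarms only when a
high-energy shock is followed by a low-energy "shatter" within about one
second. Energy normalization, thresholds and sample traces are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

SHOCK_ENERGY = 0.6     # assumed: normalized energy at or above this is a "shock"
SHATTER_MAX = 0.3      # assumed: energy at or below this counts as a "shatter"
BREAK_WINDOW = 1.0     # seconds; the article says "about 1 second"


@dataclass(frozen=True)
class Pulse:
    t: float       # seconds since the trace started
    energy: float  # 0.0 .. 1.0, assumed normalization of contact bounce energy


def evaluate(trace: List[Pulse], mode: str) -> Optional[float]:
    """Return the time at which the SP declares an alarm, or None if it never does."""
    if mode == "SHOCK-ONLY":
        for p in trace:
            if p.energy >= SHOCK_ENERGY:
                return p.t
        return None
    if mode == "SHOCK-BREAK":
        armed_at = None            # time of the last qualifying shock
        for p in trace:
            if p.energy >= SHOCK_ENERGY:
                armed_at = p.t     # (re)start the shatter window
            elif p.energy <= SHATTER_MAX and armed_at is not None:
                if p.t - armed_at <= BREAK_WINDOW:
                    return p.t     # shock followed by shatter inside the window
                armed_at = None    # shatter came too late; window has expired
        return None
    raise ValueError(f"unknown SP mode: {mode}")


# Constructed traces (not captured from any real sensor).
BREAKAGE = [Pulse(0.00, 0.9), Pulse(0.35, 0.2), Pulse(0.50, 0.1)]    # shock, then shatter
HELD_GLASS = [Pulse(0.00, 0.9), Pulse(0.05, 0.7)]                   # film keeps glass in place: no shatter
RATTLE = [Pulse(0.00, 0.2), Pulse(0.40, 0.25), Pulse(0.90, 0.15)]   # window rattling, no real shock
LATE_SHATTER = [Pulse(0.00, 0.9), Pulse(1.60, 0.2)]                 # shatter outside the 1 s window

TRACES = [("breakage", BREAKAGE), ("held_glass", HELD_GLASS),
          ("rattle", RATTLE), ("late_shatter", LATE_SHATTER)]


def summary():
    """Alarm time per trace for both SP modes: {name: (shock_only, shock_break)}."""
    return {name: (evaluate(tr, "SHOCK-ONLY"), evaluate(tr, "SHOCK-BREAK"))
            for name, tr in TRACES}


if __name__ == "__main__":
    for name, (so, sb) in summary().items():
        print(f"{name:13s} SHOCK-ONLY={so}  SHOCK-BREAK={sb}")
```

The trade-off the text describes falls out directly: SHOCK-ONLY alarms on the held-glass trace and SHOCK-BREAK does not, while neither mode alarms on the rattle trace, which is the kind of low-energy vibration that a damped sensor is meant to tolerate.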
Though from close inspection you may be able to determine if these are in place. Obviously they can easily be seen from the inside... The sensor is normally placed no more than a couple of inches from the glass. If it is too far away, or if you can move one over 4 inches from the glass, its detection capability is somewhat diminished. It is probably screwed in, and has an adhesive backing, so moving it may not be too easily accomplished. False alarms are not common unless the windows rattle. There are sensors available which are not as sensitive and will not "overreact" to slight vibration; these are called "damped" sensors.

MAGNETIC CONTACT SWITCHES:
--------------------------

The word "contact" is somewhat contradictory to how these devices are commonly used. In most cases the magnet and the switch are not in physical contact with each other; rather, they are in close proximity to each other, although there are some models which are indeed in contact with each other. There are various types and levels of security that these devices possess. They can be surface mounted (floor or wall mounted) or concealed (recessed). The most common are surface mounted, which are placed on top of the door. When inspecting for these devices, examine the whole perimeter of the door, from top to bottom. Most doors have a +/- 1/4" gap all the way around, in which you should also check for concealed contacts. These are round cylinders that are recessed into the door or wall, which obviously makes them less visible. The other contacts range from miniature, with dimensions as small as 1x1/4x1/4", to the larger ones at 5x2x1". They are usually in colors of off-white, grey, and brown and are mounted with nails, screws, double sided tape, or are epoxied onto the door or wall surface(s). The switches are hermetically sealed, as are the glass breakage detectors mentioned earlier; they can operate in moist or dusty areas, are corrosion resistant, and are made for indoor/outdoor use. They can also be used on windows, fence gates, truck trailers, boats, heavy equipment, safes, and vaults.

The different types of devices, in order of least to most secure, are:

1) Standard Magnetic Contacts: These consist of one reed switch and one magnet. They may be defeated with the use of a second magnet which would be placed in the vicinity of the switch while opening the door or window, and also while closing them. This way, the switch never detects the absence of the magnet, thus no alarm occurs.

2) Biased Magnetic Contacts: These consist of one reed switch with a "biasing" magnet that changes the state of the reed switch. The actuator magnet is then placed at the correct distance to offset the bias magnet, creating a "balanced" condition. The switch can be defeated with the use of a single magnet. The trick is:

   A) You must have the correct size magnet, which can be accomplished by obtaining the same type or model as what is in place.

   B) You must determine the correct polarity, which may be accomplished with either a compass, or, if the alarm is not activated (possibly during normal business hours), by opening the door, placing your magnet near the device's magnet and determining the polarity. If you do not have much time, then it's a 50-50 shot.

   C) The last criterion is to keep the magnet at the same, or close to the same, distance from the switch as the original magnet was. In some cases the device will be placed in such a manner that correct placement of the second magnet will be difficult if not impossible.

3) Balanced Magnetic Contacts: These consist of one biased reed switch and one unbiased reed switch. The second reed will be of the correct sensitivity and position so as to not operate with the actuator magnet. It must also operate with the addition of a second magnet. It could be defeated by a single magnet that is moved into place as the door is opened. This requires coordinated movement of the door and magnet.

4) Preadjusted Balanced Magnetic Contacts: These consist of three biased reed switches and may have an optional fourth tamper reed. Two reeds are polarized in one direction and the third is polarized in the opposite direction. The housing consists of three magnets with the polarity that corresponds to the switches. It is preadjusted to have a fixed space between the magnet and the switch. This is the most secure type of magnetic contact switch. The three-reed type could be defeated by using one of its own magnets, but not a bar magnet. The type with four reeds cannot be defeated with either of the two magnets, because the fourth reed will activate when a magnet is brought within actuating distance. If you are able to determine which is the tamper reed, you can try to keep the three magnets in contact with the corresponding reeds. At the same time you must have the correct polarity, and in the process not activate the tamper reed. If you accomplish those, you may be able to defeat it. This will most likely require two people and a bit of luck.

The most secure devices are made of die cast aluminum instead of plastic, are explosion proof (for vaults and safes), have terminals mounted inside the housing which provides protection from tampering and shorting, and have armored cabling.

A wider break distance will prevent false alarms due to loose fitting doors; thus, if the door is loose fitting it may have a wide break distance. The wider the break distance, the easier it is to defeat. This will allow you to introduce another magnet in cramped places, since the door can be opened a wider distance before an alarm condition occurs. Some devices allow the installer to adjust the gap with a screwdriver instead of placing the switch a certain distance from the magnet.

In some devices, use of any ferrous (iron) material in the vicinity of the switch can cause a change in gap distance. As a gap is increased, the switch may bias and latch. When latched, the switch will remain closed even when the magnet is removed!! This means that when you open the door, it thinks that the door is closed, and you are able to stealthily go through the door. You can test for a latched condition by removing the magnet (opening the door) and using a Volt Ohm Meter: if it reads INFINITY, the switch is OK. If not, it may be latched. If you can adjust the gap to the point of it being latched, without being noticed, you've got it made.

Wireless Switch Transmitters: These are essentially the same as the other devices mentioned except that they use an FM digital signal for alarm conditions (a door or window open) and for maintenance conditions (low battery, transmitter malfunction/removal, long term jamming, etc). There should be continuous polling, and a maintenance alarm will occur if the signal is missing for a few minutes. The transmitters are usually powered by a couple of AAA 1 1/2V pen cells, which can last a few years. Most devices will send out a signal after a specific interval. Common intervals are about every 30 seconds. You can verify if the device is indeed sending out a signal by placing a milliammeter capable of reading 10 uA in series with the batteries and reading the discharge current. If it occurs every 30 seconds, then it is sending out a signal every 30 seconds. A hint that this type of device is in use: since range generally decreases as a transmitter gets closer to the floor, the transmitter will be placed as high as possible. The transmitter probably has a range of about 200 feet, although some environments may reduce this range due to construction materials inherent in the building. The frequency should be in the 314 MHz range. As was mentioned, these are the same as regular magnetic contact switches except that there is a transmitter instead of a wire for transmitting alarm and maintenance conditions; thus, the switch can be defeated in the same manner as has been previously stated.
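The supervision described above (a wired loop that alarms when a wire is cut, and a wireless transmitter that is polled about every 30 seconds and declared lost after a few minutes of silence) is the receiver's side of the picture. The block below is an added example for this edit, not code from the article or from any alarm manufacturer, and it also stands in for the later "Supervised loops" note in the MISCELLANEOUS section. The wired half assumes the common end-of-line (EOL) resistor scheme, in which the panel measures loop resistance and distinguishes a secure loop from an open one (cut wire, or the reed reading infinity as in the VOM test) and a shorted one (bridged wire). The wireless half keeps a last-heard time per transmitter and raises a supervisory alarm after a configurable number of missed polls. The resistor value, tolerances, transmitter ids and log entries are all constructed for the example.

```python
"""Receiver-side supervision for exterior zones: wired EOL loops and
wireless switch transmitters.

Added example; not code from the article or from any vendor. The EOL
resistor value, tolerances, poll interval, transmitter ids and the
receiver log are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EOL_OHMS = 2200.0     # assumed end-of-line resistor value wired in series at the far end
TOLERANCE = 0.25      # +/- 25 % around EOL_OHMS still counts as secure
SHORT_OHMS = 100.0    # below this the loop has been bridged
OPEN_OHMS = 1.0e6     # above this the wire is cut or the contact is open


def classify_loop(ohms: float) -> str:
    """Classify a wired supervised loop by its measured resistance."""
    if ohms < SHORT_OHMS:
        return "TAMPER_SHORT"      # bridged wire: an unsupervised loop would read 'secure'
    if ohms > OPEN_OHMS:
        return "ALARM_OPEN"        # cut wire or opened contact
    if abs(ohms - EOL_OHMS) <= EOL_OHMS * TOLERANCE:
        return "SECURE"
    return "TROUBLE"               # wrong resistor, corroded splice, added series device


@dataclass
class Receiver:
    poll_interval: float = 30.0           # seconds between "I'm OK" check-ins
    missed_polls_alarm: int = 4           # 4 * 30 s = 2 min: "a few minutes" in the text
    last_heard: Dict[str, float] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def hear(self, tx_id: str, now: float, msg: str) -> None:
        """Record a received transmitter message at time `now` (seconds)."""
        self.last_heard[tx_id] = now
        if msg != "OK":                   # OPEN, LOW_BATTERY, TAMPER, ... are logged
            self.events.append(f"{now:7.1f} {tx_id} {msg}")

    def tick(self, now: float) -> List[str]:
        """Evaluate supervision; return ids of transmitters in supervisory alarm."""
        lost = []
        for tx_id, seen in self.last_heard.items():
            missed = int((now - seen) // self.poll_interval)
            if missed >= self.missed_polls_alarm:
                lost.append(tx_id)
        return lost


def run_demo() -> Tuple[Receiver, List[str], List[str]]:
    """Feed a constructed receiver log and evaluate supervision at two times."""
    rx = Receiver()
    # Constructed log: (time_s, transmitter, message). TX-WIN-3 falls silent after t=60.
    log = [(0.0, "TX-DOOR-1", "OK"), (0.0, "TX-WIN-3", "OK"),
           (30.0, "TX-DOOR-1", "OK"), (30.0, "TX-WIN-3", "OK"),
           (60.0, "TX-DOOR-1", "OPEN"), (60.0, "TX-WIN-3", "OK"),
           (90.0, "TX-DOOR-1", "OK"), (120.0, "TX-DOOR-1", "LOW_BATTERY"),
           (150.0, "TX-DOOR-1", "OK")]
    for t, tx, msg in log:
        rx.hear(tx, t, msg)
    return rx, rx.tick(150.0), rx.tick(180.0)


if __name__ == "__main__":
    for ohms in (2200.0, 5.0, 5e6, 4700.0):
        print(f"{ohms:>10.0f} ohm -> {classify_loop(ohms)}")
    rx, at_150, at_180 = run_demo()
    print("events:", rx.events)
    print("lost at t=150:", at_150, " lost at t=180:", at_180)
```

The `missed_polls_alarm` grace period is exactly the tolerance the text describes: a transmitter that is silent for one poll is not yet in alarm. On the defensive side that number, together with the `OPEN` and `LOW_BATTERY` entries in `events`, is what a panel operator should review; a short gap in check-ins that coincides with a door event deserves a look even when it never reached the supervisory threshold.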
Defeating an X-mitter is much easier than defeating a wire. You can defeat the transmitter if you can sufficiently block or diminish the signal strength so that the receiver is unable to receive it. Radio waves have a tendency to bounce and reflect off of metallic surfaces, which includes foil and pipes. If you have located the transmitter, which should be attached to or near the actual contact, you can block or jam the signal as you open the door. Hopefully this will be between the 30 second intervals at which it sends an "I'm OK" signal to the receiver, but it's not critical to do so. As was stated, most receivers will not cause an alarm condition if they don't receive a signal once or twice, but after a few minutes they will. So, as you open the door, it tries to send the signal, you block or jam it, and you slip through without detection.

This information can also apply to security relating to the 'interior' of a facility, ie. Part III of this series. Many of the techniques for defeating magnetic contact switches are geared toward being inside the facility. Many facilities have switches on doors to monitor movement of personnel within the facility. But they are also used on the exterior, and some methods will work on doors and possibly windows on the exterior. Of course, you have to have a way of opening the door, and that follows.

DOORS AND LOCKS:
----------------

As you know, doors are the primary entrance point into a building. Since they are the primary target for unauthorized entry, they have the most security added. I am not going to mention anything about the art of picking locks. Although mechanical locks and keys have been the most common type of security used in the past as well as today, I am going to concentrate on the more advanced security systems in use.

Pushbutton keypad locks:
------------------------

There are two types, mechanical and electronic. I will go into detail about each. I will give you a few examples of these devices which come directly from brochures which I have been sent. I am merely summing up what they said.

Electronic:

Securitron DK-10: This is a unit which has dimensions of 3x5x1". It has a stainless steel keypad which is weatherproof, mounts via hidden screws and has no moving parts. The keypad beeps as each button is pressed, and an LED lights when the lock is released. It is slightly different in appearance from most other electronic keypads:

        +----+
        ! 1A !
        ! B2 !
        !    !
        ! 3C !
        ! D4 !
        !    !
        ! 5E !
        ! F6 !
        !    !
        ! 7G !
        ! H8 !
        !    !
        ! 9K !
        ! L0 !
        !    !
        !////!
        !////!
        +----+

Each block (1A/B2) is one button. Thus, there are 5 buttons total on this device. The "/"s at the bottom of the device represent the name of the company and possibly the model number of the device (ie. Securitron DK-10). It has 2-5 digit codes. Thus, a 2 digit code will have a maximum of 5 to the 2nd power (5 squared = 25) combinations. Of course it increases as the number of digits used increases. This unit has an 11 or 16 incorrect digit threshold. If it is reached, a buzzer sounds for 30 seconds, during which it will ignore any entries. When a valid code is entered, the lock is released for a 5, 10, 15 or 20 second interval.

Sentex PRO-Key: This device has a keypad resembling one of a payphone. It is a sealed, chrome plated metal keypad. It has the standard 10 digits with * and #. It can have up to 2000 individual codes with a length of 4 or 5 digits. It allows 8 time zones, "2-strikes-and-out" software which is its invalid code threshold, and anti-passback software.

Obtaining codes--

Your aim is to obtain the correct code in order to open the door. Plain and simple. There are various methods in which you can accomplish this. You can try to obtain a telescope or similar device and attempt to get the exact code as it is being entered. This is obviously the quickest method. If you cannot discern the exact code, the next best thing is to determine exactly how many digits were entered, since most devices have variable code lengths. If you can make out even one digit and when it was entered, you will substantially reduce the possibilities.

Another method is to put some substance on the keypad itself, which preferably cannot be noticed by the user. After someone enters a code, you can check the keypad to see where there are smudges, or, if you use what the police use to find fingerprints, you can see what digits were pushed, although you will have no idea in what order. This will drastically cut down the combos. Say that someone enters a 5 digit code on a 10 digit keypad. You check the keypad and see that 1, 2, 4, 7, and 9 were pushed. If you attempted brute force, you will have 25 combinations to try. If a 4 digit code 'appeared' to be entered, as 0, 2, 4, 8 were 'smudged', it is possible that one of the digits was pushed twice. Keep that in mind. A way to know for sure would be to clean the pad and 'dust' it; most fingerprints will be clear, but one will be less clear than the others. Thus, you can be reasonably sure that the digit which is smudged was pressed twice.

Thresholds--

Brute force attempts on electronic keypads are suicide. Once a certain number of invalid attempts has been reached, it will probably be logged and a guard may be dispatched. Your best bet is to try once or twice, wait (leave), try once or twice again, wait, etc. Sooner or later you will get in.

Audit logs--

Many of these devices are run on micros. The software that runs these devices allows for an increased ability to monitor the status of these devices. They can track a person throughout the facility, record times of entry and exit, and record when the maximum invalid code threshold is reached.

Anti-passback--

This term is commonly used in card access control, but it applies differently to keypads. This feature prevents the same code from being used by two people at the same time. That is, Joe Comosolo uses code #12345 and enters the building. Then, you enter Mr. Comosolo's code, #12345, but the system knows that Joe is already in the building and has not entered his code before leaving. Thus, you do not gain access, and that action is most likely recorded in the audit log. This option will only be in effect when:

1) Each individual has a different code.
2) There is a keypad used for entry, and a keypad used for exit.

Tailgating--

This occurs when more than one person enters through a controlled access point. Joe enters his code and goes into the building. You follow Joe and make it in just before the door closes, or, in the case of the devices waiting 10 or 20 seconds before the door locks again, you let it close and open it before it locks.

Open access times--

During peak morning, noon, and evening hours, a facility may set the system to not require a code during, say, 8:55AM to 9:05AM, thus enabling most anyone to gain entry during that time.

Hirsch Electronics Digital Scrambler: This has a 12 button arrangement with the addition of a 'start' key. This is probably the most secure type of keypad security system in use today. It only allows a viewing range of +/- 4 degrees horizontally and +/- 26 degrees vertically. This means that it would be very difficult to watch someone enter their code, thus eliminating the 'spying' technique mentioned earlier. The buttons on the keypad remain blank until the start button is pressed. Then, instead of the numbers appearing in the usual order, they are positioned at random. A different pattern is generated each time it is used. The numbers are LEDs, in case you were wondering. This eliminates the 'dusting' technique which can be used on the other types of keypad systems. The Model 50 allows control of 4 access points and has 6 programmable codes. The Model 88 controls 8 doors and has thousands of codes.
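The controller-side features just described (invalid code threshold with a lockout, an audit log, anti-passback across separate entry and exit keypads, and open access times) are small enough to show together in one piece of code. The block below is an added example written for this edit; it is not code from the article or from Securitron, Sentex or Hirsch. The strike limit, lockout length, the codes, the people and the event sequence are constructed, and the escalation counter is an assumption about what a well-configured controller should do with the "try once or twice, wait, try again" pattern the Thresholds paragraph describes.

```python
"""Audit-logged keypad access controller: invalid-code threshold and
lockout, anti-passback with entry/exit readers, and open-access windows.

Added example, not code from the article or from any keypad vendor. All
parameters, codes, names and events are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class KeypadController:
    codes: Dict[str, str]                     # code -> person; one distinct code per person
    strike_limit: int = 2                     # "2-strikes-and-out"
    lockout_seconds: float = 30.0             # entries are ignored while locked out
    escalate_after: int = 3                   # assumed: cumulative invalid codes that page a guard
    open_access: List[Tuple[int, int]] = field(default_factory=list)  # (start, end) minutes of day
    inside: Set[str] = field(default_factory=set)   # anti-passback state: who is in the building
    strikes: int = 0                          # consecutive invalid codes since last lockout/valid code
    total_invalid: int = 0                    # cumulative count; does NOT reset on lockout expiry
    locked_until: float = 0.0
    audit: List[str] = field(default_factory=list)

    def _log(self, t: float, msg: str) -> None:
        self.audit.append(f"{int(t):6d}s {msg}")

    def _open_access_now(self, minute_of_day: int) -> bool:
        return any(s <= minute_of_day < e for s, e in self.open_access)

    def present(self, t: float, reader: str, code: Optional[str],
                minute_of_day: int = 0) -> bool:
        """Handle a code presented at the 'entry' or 'exit' reader; True if the door is released."""
        if t < self.locked_until:
            self._log(t, f"{reader}: entry ignored, keypad locked out")
            return False
        if reader == "entry" and self._open_access_now(minute_of_day):
            self._log(t, "entry: released (open access window, no code required)")
            return True
        person = self.codes.get(code or "")
        if person is None:
            self.strikes += 1
            self.total_invalid += 1
            self._log(t, f"{reader}: INVALID CODE (strike {self.strikes}/{self.strike_limit})")
            if self.strikes >= self.strike_limit:
                self.locked_until = t + self.lockout_seconds
                self.strikes = 0
                self._log(t, f"threshold reached: keypad locked out for {self.lockout_seconds:.0f}s")
            if self.total_invalid >= self.escalate_after:
                self._log(t, f"{self.total_invalid} invalid codes since last review: escalate to guard")
            return False
        self.strikes = 0
        if reader == "entry":
            if person in self.inside:          # anti-passback: already inside, never exited
                self._log(t, f"entry: ANTI-PASSBACK violation for {person}, denied")
                return False
            self.inside.add(person)
            self._log(t, f"entry: released for {person}")
            return True
        self.inside.discard(person)            # exit reader clears the anti-passback state
        self._log(t, f"exit: released for {person}")
        return True


def run_demo() -> Tuple[KeypadController, List[bool]]:
    """Run a constructed sequence of keypad events and return the controller and outcomes."""
    ctl = KeypadController(codes={"12345": "J. Comosolo", "54321": "A. Nother"},
                           open_access=[(8 * 60 + 55, 9 * 60 + 5)])   # 8:55AM-9:05AM
    events = [  # (time_s, reader, code, minute_of_day); constructed
        (0,   "entry", "12345", 10 * 60),      # Joe enters
        (40,  "entry", "12345", 10 * 60),      # Joe's code again while he is inside: denied
        (100, "entry", "00000", 10 * 60),      # invalid code, strike 1
        (110, "entry", "99999", 10 * 60),      # invalid code, strike 2: lockout
        (120, "entry", "54321", 10 * 60),      # valid code ignored during lockout
        (160, "entry", "11111", 10 * 60),      # lockout over; third invalid code: escalate
        (200, "exit",  "12345", 10 * 60),      # Joe leaves
        (210, "entry", "12345", 10 * 60),      # his code works again
        (300, "entry", None,    8 * 60 + 58),  # inside the open access window
    ]
    return ctl, [ctl.present(t, r, c, m) for t, r, c, m in events]


if __name__ == "__main__":
    ctl, outcomes = run_demo()
    print("\n".join(ctl.audit))
    print("released:", outcomes)
```

The `total_invalid` counter is the part that matters most for the Thresholds paragraph: a controller whose only counter resets when the lockout expires never notices a slow series of guesses spread across lockouts, while a cumulative count that is reviewed and cleared by a person turns that pattern into an audit entry.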
The features that this device has make it very difficult to do anything but use brute force to obtain the code, but since it is controlled and monitored by a computer, the audit logs and maximum invalid code threshold can put a stop to that method. The other alternative, which applies to any of these systems, is to socially engineer the code from someone, or, if you know someone, they may give it to you. Neither method is ideal. I have come up with a way to reduce the possibilities to a very reasonable level, but I will not explain it here. If you are really interested, contact me via the LOD/H Technical Journal Staff account on the Sponsor boards.

Mechanical Keypad locks:

The best thing about these types of locks is that they are 100% mechanical. This means that it is not computerized, and there is no monitoring of bad codes or the door staying open for too long, or anything! All you have to worry about is getting a correct code. Probably the largest manufacturer of these devices is Simplex Security Systems, Inc. The devices are called Simplex Keyless Locks. Every lock of theirs that I have seen has 5 buttons. Combinations may use as many of the five buttons as the facility cares to use. The biggest problem with this type is that there is the option of pushing 2 buttons at the same time, which would be the same as adding another button to the lock. Thus, buttons 1 & 5 can be pushed simultaneously, then button 3, then buttons 2 & 4 would be pushed at the same time. These are supposedly 'keyless locks', but on many models a 'management key' can be used to override the security code, so obtaining the key is a way to bypass the code. Both the spying and dusting methods apply to these devices, and the best thing is that you can try all the possibilities you want without an alarm signalling.

Magnetic locks:
---------------

These are commonly called 'Magnalocks' and use only the force of electromagnetism to keep a door shut. Typically, the magnet is mounted in the door frame and a self aligning strike plate is mounted on the door. These locks provide the capability of up to a few thousand pounds of force for security. They are not only found on doors, but can be put on sliding doors, glass doors, double doors and gates. The magnet and plate are roughly 3 inches by 6-8 inches.

There are a few things you should try to find out about these devices before attempting anything:

Is there backup power? (ie. Usually a 12-24V battery can be used.) Obviously, if there is no backup power and there is a power outage, there will be nothing to stop you from opening up the door.

Most devices have the capability to monitor whether the door is closed, which is what magnetic contact switches do. But there is another option, which provides a voltage output signal on a third wire indicating whether the lock is powered and secure. If there is no monitoring of whether the door is secure, then there is no way of knowing it is locked unless it is physically checked.

There are optional LEDs which can be mounted on the lock to indicate its status. For the Securitron Magnalock, an amber LED indicates that the lock is powered. A green light shows the lock is powered and secure. Red shows that the lock is unlocked, and no light means there is a violation, ie. the power switch is on, but the lock is not reporting secure. You can use these lights to your advantage.

If a magnalock is tied into a fire alarm system, such that it is automatically released in the event of fire, then you or an accomplice can signal a fire alarm and sneak in while the lock releases.

MISCELLANEOUS:
--------------

LEDs: Some devices or models of devices have LED lights built into/onto the device. They are usually used to indicate a secure or insecure condition. This applies to magnetic contacts, shock sensors, and other devices. Even when the security system is not in a secure mode (for example, during regular business hours a system may be off, but after 6pm it is turned on), the LED will light when an alarm condition occurs. For example, you bang on a window that has a shock sensor, and the red LED lights or blinks for a few seconds. You can use this to your advantage to test theories or methods during a time at which a receiver pays no attention to the signals sent to it. Then when it is turned on, you will have more confidence in what you are doing.

Supervised loops: Most if not all devices will have supervised loops for constant monitoring of battery power, electrical shorts, and defective devices. If the security system of the facility is very old, loops may not be supervised, and simply cutting a wire will disable the alarm.

Naming of devices: For large orders, manufacturers of security devices may put the facility's name on the product instead of their own. This is probably for esoteric purposes. This hampers your efforts in obtaining the name of the maker of any type of product for purposes of getting additional information and brochures on the device.

Single person entry: These devices include mechanical and optical turnstiles which meter people in and out one-by-one. Mantraps, usually found in high security installations, are double-doored chambers which allow only one person in at a time, and will not allow the person out until the system is satisfied he is authorized.

Extreme weather conditions: Unlike perimeter security devices, most exterior security devices are either placed inside the facility or can withstand just about any type of environmental condition, so there is not much that you can take advantage of.

CONCLUSION:
-----------

People typically make security a lower priority than less important things. Those who do not upgrade their systems because of spending a few dollars are rewarded by being ripped off for thousands. I have no pity for those who do not believe in security, physical or data...

ACKNOWLEDGEMENTS:
-----------------

Gary Seven (LOH)

And of course, the information from brochures, and questions answered by the nice technical support people for the companies specifically mentioned in this article.