My main activity is the construction of various kinds of gates, wickets and other types of infill for the perimeter fencing of a yard or enterprise territory. That is, I am engaged in the most ancient and primitive type of security. Recently, I began to install various types of automation on gates, as well as door entry systems with electromechanical locks, and, as an avid Habr user, I immediately began to have ideas about how to bypass the security systems that manufacturers provide.
The idea to write this article finally took shape after the Security Service of Ukraine (SBU) broke in on one of our clients, and not as elegantly as in spy movies, but simply by knocking the door down.
Part 1. On automation
For those unfamiliar with the subject, here is a short primer. Gates can be swing or sliding, and the type of automation installed on the gate depends on which it is. Let's consider the Roger Technology R23 automation kit for swing gates, because it was while installing such a kit that I started thinking about the shortcomings of the whole system.
The general principle of the automation system is as follows: a motor opens and closes each gate leaf (usually there are two), and a control unit drives the motors, receives signals from the remote controls, and controls and powers additional devices such as safety sensors, warning lights, etc. The drives that move the leaves lock automatically, and it is difficult to open the leaves while the motor is locked. The lock can, however, be released with a key so that the gate can be opened manually when there is no electricity. Manufacturers often give this key an unusual design so that an attacker cannot open the gate and get into your courtyard.
This is what the H70 / 200ac unit looks like:

Block diagram and connector numbers for connecting all devices.

We are interested in contacts 27 and 25. What is so interesting about them? These contacts are provided for wiring out a button for forced opening or closing. When contacts 27-25 are closed, the gate opens for the attacker by itself. Since none of the control units is fitted with a lock, the case can be opened with a screwdriver within 30 seconds.
But how do we get into the courtyard, where the control unit is located? That is the subject of the second part of my article: Chinese intercoms in cheap fences.
Part 2. About intercoms
The main vulnerability, I believe, is the simplified wiring scheme used to make the intercom easier to install.

The control relay is located directly in the call panel, and from it run 2 wires that feed 12V to the electromechanical lock when the solenoid needs to be activated to open the gate.
As often happens, those who build a fence around a house do not even know where, for what purpose and which wiring should be laid, at what height, and where it should be brought out. As a result, in the best case the wire at least comes out at the right post and only a little work is needed to lay the cable, but sometimes there is no wiring, or any provision for pulling the cable, at all. Then the installers run the cable along the joints between the stones and cover it with a thin layer of mortar or grout.

This is the main and decisive point. Access to the wires can be obtained with the same screwdriver, and 12V applied from a battery.
So, here is a more elegant algorithm for breaking in and getting the entire SBU department into the courtyard for the next raider seizure.
1. Using a screwdriver, open the grout layer and find the 2 separate wires.
2. Apply 12V to them.
3. Go into the yard.
4. Open the control unit.
5. Close the necessary contacts.
6. Drive in, even in an armored car.
7. ???????
8. PROFIT!
In conclusion, I want to say that if attackers want to get into the courtyard, they will surely get in, but you still need to keep such security holes in mind, especially if you plan to build a really secure house. Good luck to all. Thanks for your attention.