Intro to Elevator Hacking
This talk demonstrates physical security bypass techniques for elevators, focusing on manipulating service modes and hardware interfaces. It covers the exploitation of maintenance modes like Independent Service, Attendant Service, and Fire Service to gain unauthorized access to restricted floors. The presentation highlights the use of standardized elevator keys and physical tampering, such as shorting or jumping connections on the car-top controller, to override security controls. It emphasizes that elevators are often an overlooked physical security vector and provides insights into their internal control mechanisms.
Elevators Are Not Secure: Physical Bypasses You Can Actually Use
TLDR: Most physical security assessments ignore elevators, assuming they are "just" transport, but they are actually complex, networked control systems with significant access control flaws. By leveraging standardized service keys and manipulating car-top controllers, an attacker can bypass floor lockouts and gain unauthorized access to restricted areas. This post breaks down how to identify these vulnerabilities and why they should be part of your next physical penetration test.
Physical security assessments often stop at the front door or the badge reader. We spend hours cloning RFID cards or picking locks, yet we ignore the massive, industrial-grade machines that move people between floors. Elevators are not just boxes on cables; they are networked, programmable control systems that frequently rely on "security through obscurity" rather than actual authentication. If you are on a physical engagement, you are likely standing in front of a massive, unauthenticated access control bypass every single day.
The Myth of the Secure Elevator
Elevators operate on a few basic modes, and most of them are designed for convenience, not security. When an elevator is in "Normal" mode, it responds to hall calls and car calls. However, when you introduce a service key—which you can buy online for roughly twenty dollars—you can force the elevator into modes like Independent Service, Attendant Service, or Inspection Service.
Independent Service mode is the most common target. It effectively takes the elevator out of the building's dispatch logic. Once you flip that key switch, the elevator ignores all hall calls. It only responds to the person inside the car. In many buildings, this mode also disables floor lockouts. If you need to get to the 20th floor but your badge doesn't have the permissions, you don't need to hack the badge system. You just need to get the elevator into a mode where it stops caring about your credentials.
Mechanical Manipulation and the Car-Top Controller
If you cannot find a key switch or the system is more restrictive, you have to look at the hardware. Every elevator has a car-top controller. This is the brain that manages the car's movement, lights, and door operations. It is also where you find the physical interlocks that prevent the car from moving when the doors are open.
The electronics here are surprisingly simple. They operate on basic binary signals: open or closed, shorted or unshorted. If you can trick the controller into thinking a signal is present when it isn't, you can manipulate the car's behavior. For example, by shorting the terminals on a key switch mechanism, you can activate a service mode without ever needing the physical key.
The safety requirements for these systems are set out in ASME A17.1/CSA B44. While the standard is meant to keep people safe, it also defines the exact interfaces that researchers use to bypass security. If you are looking for a place to start, look for the escutcheon hole on the elevator door. This is the small hole that allows a technician to manually unlock the door from the outside. It is a massive, built-in vulnerability that is present in almost every elevator installation.
Real-World Engagement Strategy
During a physical penetration test, your goal is to map the building's security controls. If you find that the elevators are restricted, do not assume the restriction is absolute. Start by checking the car-top controller if you can gain access to the hoistway, or look for the service key switches on the car panel.
The impact of this is clear: if you can bypass the elevator's floor lockout, you have effectively bypassed the building's entire vertical security posture. You can move from the lobby to the executive suite or the server room without ever needing to touch a badge reader. This falls squarely under OWASP A01: Broken Access Control, as the system fails to verify the user's authorization before granting access to a restricted resource.
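The broken access control described above can be shown as a small decision model. This is an added example, not code from the talk or from any elevator vendor; the names (Policy, car_call_allowed, mode_only_grants), the sample calls, and the assumption that a controller can be configured to keep lockouts active in service modes are all hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    NORMAL = "normal"
    INDEPENDENT = "independent_service"
    ATTENDANT = "attendant_service"
    INSPECTION = "inspection_service"

SERVICE_MODES = {Mode.INDEPENDENT, Mode.ATTENDANT, Mode.INSPECTION}

@dataclass(frozen=True)
class Policy:
    locked_floors: frozenset          # floors that need an authorised badge
    lockouts_apply_in_service: bool   # False models the weak behaviour

def car_call_allowed(policy, mode, floor, badge_floors):
    """Decide one car call; returns (allowed, reason)."""
    if floor not in policy.locked_floors:
        return True, "unrestricted floor"
    if floor in badge_floors:
        return True, "badge authorised"
    if mode in SERVICE_MODES and not policy.lockouts_apply_in_service:
        return True, "lockout skipped in service mode"
    return False, "floor locked"

def mode_only_grants(policy, calls):
    """Return the calls that reached a locked floor with no badge authorisation."""
    findings = []
    for mode, floor, badge_floors in calls:
        _, reason = car_call_allowed(policy, mode, floor, badge_floors)
        if reason == "lockout skipped in service mode":
            findings.append((mode.value, floor))
    return findings

# Constructed sample data: floor 20 is restricted, as in the scenario above.
WEAK = Policy(frozenset({20}), lockouts_apply_in_service=False)
HARDENED = Policy(frozenset({20}), lockouts_apply_in_service=True)
CALLS = [
    (Mode.NORMAL, 20, frozenset()),           # no badge rights: denied
    (Mode.INDEPENDENT, 20, frozenset()),      # no badge rights, service mode
    (Mode.INDEPENDENT, 20, frozenset({20})),  # authorised technician
    (Mode.NORMAL, 5, frozenset()),            # public floor
]

if __name__ == "__main__":
    print("weak:", mode_only_grants(WEAK, CALLS))
    print("hardened:", mode_only_grants(HARDENED, CALLS))
```

Under the weak policy the only grant without authorisation is the one that depends on the operating mode, which is the finding to report; the hardened policy denies that call while still letting the authorised technician through.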
A Note on Safety
Do not mess with these systems unless you are a trained professional. The risks are not theoretical. People have died in elevator shafts because they didn't understand the mechanics of the counterweight or the dangers of the hoistway. If you are not certain about the safety implications of a specific action, do not do it. There are plenty of ways to demonstrate risk without putting yourself in a position where you could be crushed or fall down a shaft.
Defenders should focus on hardening these interfaces. If your facility has elevators, ensure that the service panels are locked with high-security keys, not the standard ones that anyone can buy on Amazon. Consider adding physical security fasteners to the car-top controller panels to prevent unauthorized access to the wiring.
Elevators are a critical part of a building's infrastructure, and they are currently one of the most overlooked vectors in physical security. Start looking at them as computers, not just transport, and you will find that the "secure" floors in your next engagement are much easier to reach than you thought.






