The illusion of security automation systems for gates
My main activity is the construction of various kinds of gates, gates and other types of filling to protect the perimeter of your yard or the territory of the enterprise. That is, I am engaged in the most ancient and primitive form of security. Recently, I began to put various types of automation on gates and doorphone systems with electromechanical locks, and as an avid habractor, I immediately got the idea of how to get around the provided security systems that are so avidly advertised by manufacturers.
Finally, the idea to write an article came up after the SBU (Security Service of Ukraine) broke into one of our clients, moreover, not as elegantly as in films about spies, but simply knocking out the door.
For those who are not in the subject, I will conduct a small educational program. The gates can be oar or sliding, and the type of automation itself, which is installed on the gate, depends on this. Let's look at the option with automatic equipment for swing gates Roger Tehnology R23, because it was during the installation of such a kit that I had thoughts about the shortcomings of the entire system.
The general essence of the automation system is as follows: there is an engine that opens and closes the leaf (usually there are two), and the control unit network, which controls the drives, receives a signal from the control panels and controls and powers additional devices, such as safety sensors, warning lights, etc. The drives that open the gate leaves are blocked automatically, and it is difficult to open the gate wing when it is blocked by the motor. But the lock can be removed with a key to manually open the gate in the absence of electricity. Often they make an ingenious key so that the attacker does not open the gate and does not call into your yard.
Here is a view of the H70 / 200ac unit:
Block diagram and connector numbers for connecting all devices.
We are interested in contact numbers 27 and 25. What is so interesting about them? The fact that such contacts are provided for displaying a forced opening or closing button. When the contacts 27-25 are closed, our gates themselves will open for the attacker. Since all control units are not equipped with any locks, their case is opened with a screwdriver in 30 seconds.
Well, how do we get into the courtyard, where the control unit is? About this, the second part of my article is about Chinese intercoms in cheap fences.
The main vulnerability, in my opinion, is a simplified scheme to facilitate the installation of the intercom.
The control relay is located directly in the call panel, and from it there are 2 wires that supply 12V to the electromechanical lock, when you need to use the solenoid and open the gate.
As often happens, those who build a fence around the house do not even know where, why, and what kind of wiring to lay and at what height and in what place to put it. As a result, in the best case, the wire is led out at least on the necessary pole and you need to ditch it to lay the cable a little, but sometimes there is no wiring or even a corrugation for pulling the cable at all. And then the installers pull the cable at the seams between the stones and cover it with a thin layer of mortar or fugue.
Here is the main and decisive moment. Access to the wires can be obtained using the same screwdriver and apply 12V from the battery.
So, a more elegant algorithm of hacking and entering the yard directly by the entire SBU department for the next raider attack.
1. Using a screwdriver, open the layer of the fugue, we find 2 separate wires.
2. We serve them 12v
3. We go into the yard
4. Open the control unit
5. Close the necessary contacts
6. We call at least on the armored car
7. ???????
8. PROFIT!
In conclusion, I want to say that if attackers want to call into your yard, then of course they will, but you also need to remember about such security holes, especially if you plan to build a really safe house. Good luck to all. Thanks for attention.
Finally, the idea to write an article came up after the SBU (Security Service of Ukraine) broke into one of our clients, moreover, not as elegantly as in films about spies, but simply knocking out the door.
Part 1. About automation
For those who are not in the subject, I will conduct a small educational program. The gates can be oar or sliding, and the type of automation itself, which is installed on the gate, depends on this. Let's look at the option with automatic equipment for swing gates Roger Tehnology R23, because it was during the installation of such a kit that I had thoughts about the shortcomings of the entire system.
The general essence of the automation system is as follows: there is an engine that opens and closes the leaf (usually there are two), and the control unit network, which controls the drives, receives a signal from the control panels and controls and powers additional devices, such as safety sensors, warning lights, etc. The drives that open the gate leaves are blocked automatically, and it is difficult to open the gate wing when it is blocked by the motor. But the lock can be removed with a key to manually open the gate in the absence of electricity. Often they make an ingenious key so that the attacker does not open the gate and does not call into your yard.
Here is a view of the H70 / 200ac unit:
Block diagram and connector numbers for connecting all devices.
We are interested in contact numbers 27 and 25. What is so interesting about them? The fact that such contacts are provided for displaying a forced opening or closing button. When the contacts 27-25 are closed, our gates themselves will open for the attacker. Since all control units are not equipped with any locks, their case is opened with a screwdriver in 30 seconds.
Well, how do we get into the courtyard, where the control unit is? About this, the second part of my article is about Chinese intercoms in cheap fences.
Part 2. About intercoms
The main vulnerability, in my opinion, is a simplified scheme to facilitate the installation of the intercom.
The control relay is located directly in the call panel, and from it there are 2 wires that supply 12V to the electromechanical lock, when you need to use the solenoid and open the gate.
As often happens, those who build a fence around the house do not even know where, why, and what kind of wiring to lay and at what height and in what place to put it. As a result, in the best case, the wire is led out at least on the necessary pole and you need to ditch it to lay the cable a little, but sometimes there is no wiring or even a corrugation for pulling the cable at all. And then the installers pull the cable at the seams between the stones and cover it with a thin layer of mortar or fugue.
Here is the main and decisive moment. Access to the wires can be obtained using the same screwdriver and apply 12V from the battery.
So, a more elegant algorithm of hacking and entering the yard directly by the entire SBU department for the next raider attack.
1. Using a screwdriver, open the layer of the fugue, we find 2 separate wires.
2. We serve them 12v
3. We go into the yard
4. Open the control unit
5. Close the necessary contacts
6. We call at least on the armored car
7. ???????
8. PROFIT!
In conclusion, I want to say that if attackers want to call into your yard, then of course they will, but you also need to remember about such security holes, especially if you plan to build a really safe house. Good luck to all. Thanks for attention.