Security: Truth Versus Fiction

by RussianBlue

In a world with cable news, internet, and search engines, we are provided with an almost live account of all the terrible things that our world is riddled with: violence, pain, and fear.

With this constantly reinforced feeling of danger, safety and security become precious commodities, sought after for a premium.  But while corporations tout products designed to make you safer, one must wonder: how much do fancy security measures matter?  Is there a way to break the system, even in the face of overwhelming efforts to cover every crack and patrol every corner?  As advanced as they are, can these systems be beaten?

This is the way hackers think.

Constantly we consider and reconsider the effectiveness of security systems; we look under every rock and peer into each nook and cranny to find that one tiny weakness which, given careful management of circumstances, compromises the system.  Often, however, it is a system of tiny flaws compounding each other that creates a little doorway through which the canny individual can squeeze and thereby penetrate what many would think impregnable.

Alone, these little flaws go mostly unnoticed by people who aren't looking for them, but a hacker is someone who not only knows where the flaws can be found, but also how to master their intricacies and achieve a desired end: in this case, to beat the system.  Let me supply my own story of a simple series of seemingly negligible flaws that added up to create a massive failure in the overall scheme of an establishment.

I am a university student living in a campus residence.

The building in which I live was converted from a hotel to a student living area.  A major selling point for the residence is its security.  To get to the elevators on the main level, one must show an access card to the security guard who keeps 24-hour watch.  To access a level of student rooms, one must swipe their access card.  To get into the mail room, laundry room, or dining area, you have to swipe the same card.  Each level has an individual who takes care of any reported security issues, such as intruders or suspicious activity.

This looks, on paper, like a very good system and no doubt ensures safety.  Students pay a premium for this security, as this particular residence is probably the most expensive on campus.

But is this security worth paying extra?

As educated hackers, I have no doubt you're already looking for ways to get around the various security systems.  Let me assure you, I have done the same.  Though I do not recommend trying to access someone's residence without their permission at any time, I "broke in" to a room on a different level than my own.  Please understand that I did so without malicious intent and only to prove that the system was flawed.  This story begins on ground level.

The first challenge that I faced was the necessity of accessing elevators.

People are not allowed on levels 2 or 3, which are used for conferences, without a pass.  The stairs are right next to the security station, and therefore inaccessible to people without proper credentials, so they were not an option.  Thus, one must somehow gain access to the elevators before they can even begin to penetrate the system.  The solution to this problem, I discovered, was in the lower level.  In the main area, there are stairs that go one level down to the mail room and laundry rooms, so you can traverse freely from the main level to the basement.  These stairs are actually concealed from security's view and therefore provide a free pass around the desk.  The main elevators also go directly down to the basement level.  This means that you can get into the elevators from that level without security knowing, an obvious security flaw.

The next issue is getting onto the level you're looking for.  If you are in the elevator, you need to swipe the card to go to a level where students reside.  Theoretically, if you were lucky, a student would want to go to the same floor as you and punch it in, or you might be able to hit the button while their swipe was still active.  I decided to try for a method that would work every time.  The elevator does allow non-swiped service to several levels usable by all students and staff including the ground floor, the basement area, and an entire floor deemed the student lounge: the second-highest floor in the building.

Again, a convenience for residents but a security flaw that adds to the pile.  While on the ground level, the stairs up are inaccessible; the student lounge, however, doesn't have security, and you are free to traverse the floors above the conference levels by way of the stairs.  Combine this with the previous way to access the elevators and student lounge, and you have a ticket to every level in the building that you could possibly care about.  Again, a huge security flaw in a place that touts student security as a main priority.
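For anyone auditing a building like this, the layout described so far can be written down as a graph of zones and the control on each move between them. The following is an added example, not part of the original article; the zone names and edge list are a constructed model of the description above, and it covers only the route to a floor, not the room door.

```python
from collections import deque

# Constructed model: (from_zone, to_zone, control needed for that move).
# control is None (open), "guard" (desk check) or "card" (swipe).
EDGES = [
    ("lobby", "main_stairs_up", "guard"),
    ("lobby", "elevator", "guard"),
    ("lobby", "basement", None),            # stairs down, out of the desk's view
    ("basement", "elevator", None),         # elevators also serve the basement
    ("elevator", "lounge_floor", None),     # non-swiped service
    ("elevator", "resident_floor", "card"),
    ("lounge_floor", "upper_stairwell", None),
    ("upper_stairwell", "resident_floor", None),
    ("resident_floor", "room", "card"),
]

def open_paths(edges, start, credentials=()):
    """BFS over moves that are open or whose control is held; {zone: path}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, control in edges:
            usable = control is None or control in credentials
            if src == zone and dst not in paths and usable:
                paths[dst] = paths[zone] + [dst]
                queue.append(dst)
    return paths

def single_fixes(edges, start, protected):
    """Open moves where adding a card check alone cuts off `protected`."""
    fixes = []
    for i, (src, dst, control) in enumerate(edges):
        if control is None:
            patched = edges[:i] + [(src, dst, "card")] + edges[i + 1:]
            if protected not in open_paths(patched, start):
                fixes.append((src, dst))
    return fixes

if __name__ == "__main__":
    route = open_paths(EDGES, "lobby").get("resident_floor", [])
    print("Route needing no credential:", " -> ".join(route))
    for move in single_fixes(EDGES, "lobby", "resident_floor"):
        print("A check on this move closes the route:", move)
```

In this model every open move lies on the one uncredentialed route, so a check on any single one of them closes it; in a layout with parallel routes the same function would return fewer candidates or none.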

What has not yet been discussed, however, is what to do once on the targeted floor.

To get into the room, you need to swipe your access card.  No card, no access.  There is, once again, a simple solution.  Clearly posted by the elevators of each floor is the cleaning schedule for the rooms.  It tells you what day the cleaning service comes by to clean the bathroom in each room.  This part is more a matter of timing.  It takes cleaning about ten to fifteen minutes to do a room, but as long as you're patient, you can get it right.  If you want a quick peek into the room, just walk by and you get your glimpse.  If you want access, you need only to catch the cleaners as they are finishing up.  They only do the bathroom and a quick vacuum, but most students are either in classes or clear out of the room for a few hours when it's cleaning day.  If you get into the room as the cleaners are leaving, they won't really bother you.  And there you will likely have access to the room for as long as you need it.

Doing this, I only left my friend a calling card to show off the little feat, but it would be child's play to do something more malicious.  The rooms don't have safes, and even if the resident does, you need only a box to take it out.  People move things in and out all the time, and nobody will think twice about it.  Passports, documents, work, or possessions could conceivably be taken.  Obviously the security is not as effective as the residence suggests.  It makes no sense that in a building that has 24-hour security I was able to access a particular room with only a couple of days of patience and a brain.  There was no trick key, and there were no tools involved.

Some of you are probably asking why I was not caught by the floor's other residents, as a stranger, or why the cleaning ladies didn't know that it wasn't my room.  The answer here is in the volume of people.  The building has almost 1000 residents, and each of these staff members sees over a hundred faces going in and out per day.  This rather foils the idea of people being able to simply recognize a stranger, given that many of the people who do live here are new to them every day.  Security flaw.

This brings us to an important question which we face in modern society: are the security systems touted by this residence and that apartment really effective enough to guarantee our safety, or are they just a ploy to attract potential customers?  It's a dilemma, and there are good arguments on both sides.  As logical people, I'm sure we can all appreciate the added security, and thus safety, of locking doors at night or installing an alarm system in our homes.

On the other hand, most of us are experienced hackers.  We know that every system has its weaknesses and therefore can be broken.  Thus, while my story tells you how to break into a university residence room, I hope that you give some thought not to breaking the system, but instead to what breaking this system means.

This ever-present ability to hack these systems counteracts the boasts that companies make about their security systems.  It would seem impossible to create a system that couldn't be hacked.  Does this mean that security systems are a waste of money?  Does it mean that complete safety is impossible?  Does it mean that, unable to afford much of the security used by corporations and companies, even reasonable safety is out of reach for most people?

These are not questions for which I profess to have answers, but they are something for every hacker to think about when finding holes in security schemes, be it security for a building or a computer program.

Think not only about where the hole is and what can be done through it, but what it means for safety and security as a whole.

Just some food for thought.