• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

War Room

Shells from above

RSM logo

  • Home
  • About
  • Blog
  • Talks/Whitepapers
  • Tools
  • Recreation
Home > Physical > Request to Exit Sensor Bypass

Request to Exit Sensor Bypass

November 6, 2014 By coldfusion

(Originally published by @coldfusion39)

When performing Physical Attack and Penetration Tests, we occasionally find ourselves on the wrong side of a locked door.  The exterior or public side, of these doors is often controlled by an Access Control System utilizing either a Prox or iClass card reader. Due to various fire codes and regulations, the secured side of these doors does not always require the employee to “badge out”, it just magically unlocks; it’s hard and crunchy security on the outside, soft and chewy security on the inside. So how do these doors keep unauthorized personnel out, while still allowing anyone to exit?

hid reader

Companies often use devices known as REX (“Request to Exit”) sensors. These sensors are similar in functionality and purpose to the motion detectors that automatically open main doors at major retailers like Target, Wal-Mart, and CVS among others. The main difference between these devices, security REX devices do not trigger solely on motion alone.

REX

The most common REX sensors use a technology called Passive Infrared or PIR. Motion is registered when the device detects a temperature change within its configured field of view. ” Change in temperature…” is the key phrase here. The fact that these sensors can be bypassed is not new knowledge. One of the more common methods involves using a straightened metal coat hanger and taping a hand warming pack taped to one end. The technique requires an attacker to slide the end of the coat hanger, with the hand warming pack, under or between the door and move it around to simulating motion and as well as heat.

Passive Infrared Old Method

hot pack heating element

While effective, there are some significant drawbacks to this particular technique. Sliding the coat hanger under the door can be difficult, especially if the door was installed correctly with a tight fitting door jam, or if the door has weather stripping. More importantly, who wants to carry around a metal coat hanger and take the time to unbend it during an engagement? Fortunately, a better solution exists. Remember that security REX sensors require motion and a change in temperature, not necessarily an increase.

CO2 Air duster

Anyone that has ever used a can of compressed air knows that if you turn the can upside down and pull the trigger a large cloud of cold air shoots out of the nozzle. Using this knowledge (and the little red straw!) it is possible to trigger a PIR REX sensor from a considerable distance. The red straw is smaller in diameter (3 mm) compared to a warming pack and coat hanger (6 mm) which could make a significant difference when attempting to bypass doors with weather stripping. Also, walking around with a can of compressed air (as compared to a wire coat hanger) less likely to draw attention in a corporate or office environment. It’s much easier to develop a cover story (“I’m from IT. We’re cleaning keyboards today…”).

Triggering PIR REX

co2 cold air

Feel free to tuck this door bypass technique into your physical security bag of tricks. There is always more than one way to enter a building. Sometimes it’s easy as having someone hold the door open for you…

examples of poor security

Post Views: 1,364
Share this...
Email this to someone
email
Share on Facebook
Facebook
Tweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin
Share on Reddit
Reddit

coldfusion

Primary Sidebar

King Phisher Release

Categories

  • Defense
  • Forensics
  • Offense
  • Physical
  • R&D

Most Viewed Posts

  • Sophos UTM Home Edition – 3 – The Setup 10,683 views
  • DLL Injection Part 1: SetWindowsHookEx 10,384 views
  • Leveraging MS16-032 with PowerShell Empire 9,875 views
  • Bypassing Gmail’s Malicious Macro Signatures 9,759 views
  • How to Bypass SEP with Admin Access 8,321 views

Footer

  • RSS
  • Twitter
  • Tools
  • About
  • RSM US LLP

+1 800 903 6264

1 S Wacker Dr Suite 800
Chicago, IL 60606

Copyright © 2019 RSM US LLP. All rights reserved. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit for more information regarding RSM US LLP and RSM International.