Physical Security: Hacking Elevators to Gain Physical Access

Hacking Physical Security

Welcome back, my aspiring cyberwarriors!

 

In the realm of physical security and red team operations, elevators present an often-overlooked but strategically important vector. While they may seem like mundane infrastructure, elevators are embedded with layers of logic, legacy systems, and mechanical overrides that can be leveraged or manipulated—given the right access and knowledge.

 

Understanding how elevator systems function, and the special modes built into them, is critical for penetration testers aiming to simulate real-world intrusions or bypass physical access controls.

 

Security Features in Modern Elevators

 

Modern elevators are equipped with a combination of digital control systems and mechanical fail-safes. Most commercial or institutional elevators are integrated with building access control systems, meaning badge readers, biometric systems, or PIN pads may limit access to certain floors.

 
A badge RFID access control system
 
 

However, elevator security can be surprisingly weak. In many cases, only a few key overrides or switches are needed to bypass these protections. And in legacy systems, security may be as simple as the presence or absence of a mechanical key.

 

Security Recall Posture: Fire Service Override Mode

 

Elevators are designed to respond to building fires through a feature known as Fire Service Mode, which is mandated by building codes in North America. This mode provides emergency responders with manual control over the elevator during a fire event. Triggering this mode requires access to the fire service default keys. The most commonly used key for fire systems is the FEO-K1 key, which is nationally used for elevators installed after 2006. The FEO-K1 key can be easily purchased online from any major retailer or red team supplier.

 
You could be hacking elevators tomorrow with next day delivery
 
 

Some states use their own state-specific fire service keys, and elevators built before 2007 will likely not be retrofitted for the FEO-K1 key system. In these cases, you’ll need to access the fire service key boxes. These boxes are typically steel and mounted near elevator banks.

 
 

The FEO-K1 key will open this box unless you live in a state with a state-specific fire service key, which can also be purchased online.

 

This lack of variation, while convenient for first responders, poses a serious security risk. These keys are not truly restricted and are widely available for purchase online or through surplus suppliers.

 

Fire Service Mode operates in two distinct phases:

 
  • Phase 1 (Recall Phase): When a fire alarm is triggered, elevators automatically return to a designated recall floor, usually the lobby or main exit level. Upon arrival, they open their doors and remain idle with service disabled. To

 
  • Phase 2 (Override Phase): Once on-site, firefighters can insert a special fire service key into the switch located in the car or the fire service control box in the lobby. This enables them to manually operate the elevator, selecting floors one at a time and overriding normal behavior, such as automatic door closing and floor call response.

 

If a hacker gains access to a fire service key, they can place the elevator into override mode, granting direct access to secure floors without triggering access control systems. Since this mode is considered a life-safety feature, it often bypasses all normal restrictions, assuming that anyone using it is authorized emergency personnel.

 

Some elevators also allow Phase 1 to be triggered manually by activating the fire recall switch—sometimes located in public areas. If the system isn’t integrated with a monitored fire control panel, this can be done without raising alarms, giving attackers a stealthy method of gaining control.

 

Independent Service Mode

 

Another exploitable feature is Independent Service Mode—designed to let building staff reserve an elevator for tasks like moving equipment or VIP transport. When activated, the elevator no longer responds to hall calls and can be controlled solely from inside the car. This feature is typically toggled by a keyed switch.

 

If a penetration tester gains access to the elevator’s internal control panel or secures a service key, they can isolate the elevator and use it without alerting security staff or triggering normal traffic patterns.
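From the defender's side, both Fire Service Mode and Independent Service Mode are only stealthy when nobody correlates elevator mode changes with a legitimate cause. The sketch below is an added example, not part of the original article: it flags fire service activations with no matching fire panel alarm and independent service outside an approved work order. The log layout, event names, car IDs and work-order table are all constructed assumptions, not a real controller format.

```python
from datetime import datetime, timedelta

# Constructed sample events; the "source,timestamp,car,event" layout is an
# assumption, not a real elevator controller or fire panel log format.
SAMPLE_LOG = """\
fire_panel,2024-05-01T09:00:05,-,ALARM_ACTIVE
elevator,2024-05-01T09:00:20,car1,FIRE_PHASE1
elevator,2024-05-01T09:04:10,car1,FIRE_PHASE2
elevator,2024-05-01T13:30:00,car2,INDEPENDENT_SERVICE
elevator,2024-05-02T02:14:00,car2,INDEPENDENT_SERVICE
elevator,2024-05-02T02:41:30,car1,FIRE_PHASE2
"""

# Hypothetical approved maintenance windows per car: (start, end).
WORK_ORDERS = {
    "car2": [(datetime(2024, 5, 1, 13, 0), datetime(2024, 5, 1, 15, 0))],
}
ALARM_WINDOW = timedelta(minutes=30)  # how long an alarm justifies fire service


def parse(log):
    """Yield (source, timestamp, car, event) tuples from the constructed log."""
    for line in log.strip().splitlines():
        source, ts, car, event = line.split(",")
        yield source, datetime.fromisoformat(ts), car, event


def find_unexplained_mode_changes(log, work_orders=WORK_ORDERS):
    """Return (timestamp, car, event, reason) for mode changes lacking a cause."""
    alerts, last_alarm = [], None
    for source, ts, car, event in sorted(parse(log), key=lambda e: e[1]):
        if source == "fire_panel" and event == "ALARM_ACTIVE":
            last_alarm = ts
        elif event in ("FIRE_PHASE1", "FIRE_PHASE2"):
            # Fire service with no recent panel alarm means a key or switch was used.
            if last_alarm is None or ts - last_alarm > ALARM_WINDOW:
                alerts.append((ts, car, event, "no fire alarm on panel"))
        elif event == "INDEPENDENT_SERVICE":
            windows = work_orders.get(car, [])
            if not any(start <= ts <= end for start, end in windows):
                alerts.append((ts, car, event, "no approved work order"))
    return alerts


if __name__ == "__main__":
    for ts, car, event, reason in find_unexplained_mode_changes(SAMPLE_LOG):
        print(f"{ts.isoformat()} {car} {event}: {reason}")
```
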

 

Security Switches and Standard Elevator Keys

 

Many elevator functions, including independent service, inspection mode, and fire service, are controlled via mechanical key switches mounted both inside the elevator car and at various access points such as the lobby, machine room, or rooftop.

 

The troubling truth is that most of these switches do not rely on unique keys. Instead, elevator manufacturers often standardize their keys across all their systems. This means a single key, such as the GAL20, Yale 3502, Dover D880, or Otis L203, may work across dozens or even hundreds of buildings using the same equipment.

 

These keys are supposed to be restricted, but in practice, they are widely available from locksmith suppliers, online marketplaces, or even handed down between technicians. For a red teamer or attacker, a modest investment in a key ring of standard elevator keys can unlock a surprising number of capabilities.

 

Examples of key-operated functions:

 
  • Enabling Independent Service Mode

 
  • Activating Fire Service Mode (Phase 1 and 2)

 
  • Opening control panels inside the car

 
  • Accessing inspection mode, which allows manual control for maintenance

 
  • Unlocking rooftop or basement access via elevator-specific door zones

 

In older buildings, these switches are often located behind minimal paneling or held in place with tamper-prone screws. Gaining access is rarely difficult once the general elevator model is identified.

 

Special Modes of Operation: Beyond Fire and Service

 

Other special modes include:

 
  • Hospital Service Mode: prioritizes emergency patient transport

 
  • Inspection Mode: enables low-speed operation for maintenance

 
  • Attendant Mode: allows a human operator to control the car directly

 

Each of these can be exploited in different ways through unsecured access panels, maintenance rooms, or by simulating a fault to trigger manual intervention.

 

Final Thoughts

 

Hacking elevators doesn’t always involve writing code or exploiting software vulnerabilities. It often comes down to understanding the logic, keys, and mechanical systems that define elevator behavior. For red teamers, these systems represent both a challenge and an opportunity—bypassing physical access controls, isolating movement, or navigating secure floors with relative ease.

 

Once the attacker gains physical access, GAME OVER!