Wednesday, Aug 21, 2019

The Not-So-Private Elevator

Next time you’re in an elevator, be advised that someone – besides building security and fellow elevator riders – might be listening.  
A recent Wired article exposed the hidden world of elevator phreaking. By calling an unsecured elevator phone, a third party can expose a person, and potentially an enterprise, to a major security and privacy risk. Since elevator phones don’t require anyone to pick up the phone to open the circuit, a third party can make a call and be connected – allowing them to eavesdrop on conversations happening inside the elevator. Given the competitive nature of industries like banking and technology, it isn’t completely unthinkable for a hacker to eavesdrop this way.

Rise of Security, Privacy Risks
With large enterprises routinely being hacked and new laws requiring companies to notify consumers of data breaches, issues of privacy and data security are now mainstream. We still need to be continually reminded that the camera and microphone are always “on,” regardless of where we are. The recent spate of publicly announced hacks exposed vulnerabilities in expensively and ostensibly safeguarded systems. Consumers who thought their information was secure might have discovered that some hacker (who may or may not be living in his/her parents’ basement, dining on Cheetos) exposed their confidential information – think Target, Anthem Health and Capital One, among a long list of others.

This privacy invasion, however, is different because it simply isn’t something most people even consider. How many people actually know phones are in elevators, let alone that they can be accessed remotely? Privacy is only one concern. The other is that a knowledgeable phreaker (a hacker of communications systems) can reprogram unsecured elevator phones by modifying passwords, caller IDs, and/or the path that calls made from the elevator take.

Legal Issues
Calling an elevator phone, whether the caller announces themselves or not, isn’t a crime, but listening to conversations certainly can be. There are both state and federal prohibitions against eavesdropping, particularly if the caller records the conversation. At least in New York, the eavesdropping law found in Sections 250.00 and 250.05 of the Penal Law has been written to address electronic communication. The state’s definition of “wiretapping” is “the intentional overhearing or recording of a telephonic or telegraphic communication by a person other than a sender or receiver thereof, without the consent of either the sender or the receiver by means of any instrument, device or equipment.” Other states have similar, if not identical, laws. It’s important to recognize on a state level that certain types of electronic eavesdropping, particularly but not exclusively those including recordings, can rise to the level of a felony. (To get an overview of the laws, check out Matthiesen, Wickert & Lehrer, S.C.’s state-by-state guide on laws pertaining to phone recordings.)

On the federal level, it’s a crime to wiretap or use a machine to capture the communications of others without court approval, unless one of the parties has consented. Further, it’s a federal crime to use or disclose information gained from illegal wiretapping or electronic eavesdropping, and the fines can be significant (up to $500,000 for organizations). Lurking listeners who have called into elevator phones absolutely have no consent from either party, although practically speaking, if it’s virtually impossible to identify the caller who has silently called into the elevator phone, there’s little to prosecute. That’s not to say that nothing can or should be done to minimize this exposure to rogue stealth eavesdroppers.

Practical Steps
The first – and most important – step is to change passwords on elevator phones from standard default remote access codes to complex passwords, which minimizes the risk of passwords or other features being changed without the elevator owner’s/property manager’s approval. This is a simple step that can cut the exposure risk significantly. Certainly, phreakers who tamper with, change, or jeopardize an emergency communication system in any way not only create the possibility of public harm, but commit a crime as well.

A second step is to simply deny remote access programming of these devices. Such limitations would certainly put a crimp in the plans of phreakers who dial in either for fun or simply to create mayhem and risk to others.

Elevator phone numbers aren’t readily accessible. It’s not like you can look them up in the phonebook (when did you last see or use a phonebook?).  But they remain vulnerable because phreakers, who get a kick out of finding and accessing them, are out there trying every day. Who knew? 
