The Attack:
In our presentations on “Covert Entry”, we discuss bypassing locked doors equipped with REX (request-to-exit) sensors, as it’s one of the go-to vulnerabilities we exploit during assessments. The vulnerability is very common, and the attack is quick. When we share this information, some people assume it’s just a “trick”: the door was already unlocked, someone was on the other side, “REX and PIR aren’t configured this way”, or we’re simply lying. Unfortunately, that is not the case. So, if we’re not lying and these attacks are real, how is it even possible?
Here’s How It Works
The common REX (Request-to-Exit) sensor that we often come across and reference is a passive infrared (PIR) sensor on access control systems that triggers after two requirements are met: temperature variance and motion. The motion requirement is pretty self-explanatory. The temperature requirement can be anything that differs from the baseline temperature, hot or cold. The sensor has no way of knowing which side of the door a heat source is on; it only sees whatever moves within its field of view, and that field of view frequently extends to the gap around the door. This is why waving a hot hand warmer or spraying very cold compressed air will trigger the device by spoofing both requirements. You may have seen videos of some friends of ours using unconventional methods to trip the sensors: David Kennedy using a vape, and Deviant Ollam creating a mist by blowing whiskey through the door gap.
Once the device is triggered, what happens next depends on how the REX input is configured within the access control system. What should happen is that the REX input only shunts (suppresses) the “door forced” alarm state while the door is opened for egress, to cut down on false positives in the reports; the door itself is opened mechanically by the crash bar or lever, and the electric strike stays locked. However, as physical penetration testers, we frequently encounter systems configured to unlock the electric strike as soon as the sensor is triggered, which can be exploited from outside whenever the sensor can be reached.
By the way, if you’re a physical pen tester and want to up your game with canned air attacks, check out this post “Improved Canned Air Attacks Against REX Sensors” where I share a new upgraded version of this attack.
Here are a few examples of us exploiting this:
At the start of the video, I pull hard on the door to show it is locked. I then spray the canned air into the physical gap between the doors, aiming up at the REX sensor, which then unlocks the door. You can see me open the door with much less force than what I was exerting at the start of the video to show it was locked.
No one pushed the door open. No one is near the door other than me, and the person recording the video is out of range of the sensor.
In this example, I’m recording Tim Roberts from the interior side of the door, as he stands on the exterior side, moving a hand warmer close enough to the REX sensor to trigger it.
We have several examples of us exploiting this during assessments. Here is former co-worker Drew Culbertson exploiting this as well, as we record out of range of the sensor on the interior side of the door, while he’s on the exterior side, spraying canned air upwards towards the REX sensor.
In this example, I’m recording Tim Roberts as he’s holding the canned air’s straw in a position so that it will spray underneath the door. As you can see in the video, there’s a multi-factor fingerprint reader/badge scanner access control unit controlling the door. However, by triggering the REX sensor, the electric latch is triggered, unlocking the door, as it believes someone is trying to leave the room.
PRO TIP: Bring extra canned air straws with you. Watch the video and you’ll see why. 🙂
As mentioned earlier, the temperature variance can either be hot or cold. It just has to be something different than the baseline temperature. This means that other materials can be utilized to trip these sensors.
In the video below, I’m using a hand warmer (like Tim is doing in the earlier example) that we attached to a long piece of wire; in this and several other cases, we just used the wire from the Under-the-Door tool. The motion and heat from the hand warmer meet both requirements to activate the sensor: temperature variance and motion. Before I open the door into the data center segmentation cage, you can see that the light on the HID badge reader is red. Right before the door opens, you’ll see the light turn green. This shows that the REX sensor has been triggered, unlocking the door for egress.
Remediation:
How can you stop these attacks from happening? Here are a few recommendations:
- The REX input shouldn’t unlock the door. Rather, it should be configured only to shunt the “door forced” alarm state within the access control software, so that normal egress through the crash bar does not raise false alarms while the strike stays locked.
- Install a “Push to exit” button near the door, but not close enough that it could be pressed with something from the opposite side of the door.
- Install a security astragal on the meeting edge of double doors to close off the physical gap.
- Mount sensors further away from the door (they are often placed directly above the inside of the door), so that neither the sensor’s field of view nor a spray or object pushed through the gap can reach them.
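To make the first recommendation concrete, here is an added example (not code from the original post or from any access control vendor) that models a single door on a controller under the two REX configurations contrasted above: the weak setting where the REX input drives the strike relay, and the recommended setting where it only shunts the “door forced” alarm. The class and function names, the 10-second shunt window, and the event timings are assumptions chosen for illustration; real panels expose these as per-door settings under vendor-specific names.

```python
"""Simplified model of a door controller's REX handling (constructed example).

Assumed behaviour: a valid credential or a REX input starts a short "shunt"
window during which an opening is expected and no "door forced" alarm is raised.
Only the weak configuration also releases the electric strike on REX.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class RexMode(Enum):
    UNLOCK_STRIKE = auto()     # weak: REX input drives the strike relay
    SHUNT_ALARM_ONLY = auto()  # recommended: REX only suppresses "door forced"


@dataclass
class DoorController:
    rex_mode: RexMode
    shunt_seconds: float = 10.0    # assumed window in which an opening is expected
    strike_unlocked: bool = False  # state of the electric strike relay
    shunt_until: float = -1.0      # time until which "door forced" is suppressed
    log: list = field(default_factory=list)

    def badge_read(self, now: float, valid: bool) -> None:
        if valid:
            self.strike_unlocked = True
            self.shunt_until = now + self.shunt_seconds
            self.log.append((now, "ACCESS_GRANTED"))
        else:
            self.log.append((now, "ACCESS_DENIED"))

    def rex_input(self, now: float) -> None:
        # In both modes the controller now expects the door to open (someone
        # is leaving), so it shunts the forced-door alarm for the window.
        self.shunt_until = now + self.shunt_seconds
        if self.rex_mode is RexMode.UNLOCK_STRIKE:
            self.strike_unlocked = True  # the exploitable setting
            self.log.append((now, "REX_UNLOCK"))
        else:
            self.log.append((now, "REX_SHUNT"))

    def door_contact_open(self, now: float) -> None:
        if self.strike_unlocked or now <= self.shunt_until:
            self.log.append((now, "DOOR_OPENED"))
        else:
            self.log.append((now, "DOOR_FORCED"))

    def alarmed(self) -> bool:
        return any(event == "DOOR_FORCED" for _, event in self.log)


def outsider_spoofs_rex(mode: RexMode, can_force_door: bool = False) -> dict:
    """Attacker outside trips the PIR at t=0 (canned air / hand warmer), pulls at t=2.
    From outside the door opens only if the strike released, or if the attacker
    can defeat it mechanically (can_force_door)."""
    ctl = DoorController(rex_mode=mode)
    ctl.rex_input(now=0.0)
    opened = ctl.strike_unlocked or can_force_door
    if opened:
        ctl.door_contact_open(now=2.0)
    return {"door_opened": opened, "alarm": ctl.alarmed()}


def insider_exits(mode: RexMode) -> dict:
    """Legitimate egress: PIR sees the person at t=0, crash bar opens the door at t=1
    regardless of the strike; no alarm should be raised in either mode."""
    ctl = DoorController(rex_mode=mode)
    ctl.rex_input(now=0.0)
    ctl.door_contact_open(now=1.0)
    return {"door_opened": True, "alarm": ctl.alarmed()}


def outsider_forces_without_rex(mode: RexMode) -> dict:
    """Door forced open with no REX or credential: the alarm must fire."""
    ctl = DoorController(rex_mode=mode)
    ctl.door_contact_open(now=5.0)
    return {"door_opened": True, "alarm": ctl.alarmed()}


if __name__ == "__main__":
    for mode in RexMode:
        print(mode.name)
        print("  spoofed REX from outside :", outsider_spoofs_rex(mode))
        print("  spoofed REX + forced door:", outsider_spoofs_rex(mode, True))
        print("  insider exits            :", insider_exits(mode))
        print("  forced, no REX           :", outsider_forces_without_rex(mode))
```

Running it shows the point of the first remediation: in UNLOCK_STRIKE mode a spoofed REX opens the door from outside with no alarm, while in SHUNT_ALARM_ONLY mode the strike stays locked and the attacker gets nothing. The `can_force_door=True` case shows the residual caveat: a spoofed REX still masks the “door forced” alarm for the shunt window in either mode, so shunt-only configuration should be paired with a short shunt time and with the sensor placement and astragal fixes above, which keep the sensor out of reach in the first place.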