On Physical Security
Our mission at Risk I/O is to help businesses understand threats to their infrastructure, but as security practitioners we are interested in many forms of security, including physical. This blog post concerns something of particular interest to me, securing my office and a nearly successful theft, which was thwarted by a bit of hobbyist tech.
Risk I/O is an emerging tech company, and some of us work from home from time to time. I don’t have a car, so the garage is where I decided to set up my office. Because there would be some potentially valuable equipment (monitors/etc) in the garage, and because of my infosec background, physical security was an early consideration.
A quick YouTube search will show you how easy it is to open most automatic garage door systems with just a coat hanger. The technique involves making a hook on one end of the hanger, pushing it into the gap between the door and the top of the frame, and grabbing the emergency release. Bam, they’re in. The fix (nee: remediation) here turns out to be pretty simple. Wrap a zip tie around the emergency release, which the hanger won’t have enough leverage to break. The emergency release still works as intended, just requiring a firmer pull.
The door opener itself is a relatively modern LiftMaster, which utilizes a rolling code system. This rolling code prevents potential thieves from monitoring the radio signal and replaying it to open the door. This is a good first step, but considering garage theft is relatively common, I became interested in thwarting more types of attack.
Thanks to a retired KegBot, I had a few Arduinos and Raspberry Pis at my disposal. These made a great platform to throw some tech at the problem. I ordered some simple door sensors, a PIR motion sensor, and a relay that could be used to open or close the door. Total cost (including the Arduino/Pi/misc) was about $75. After a few hours of coding, I had a mostly functional system that could detect whether the door was open, whether something was moving inside the garage, and open the door. The project code and some basic info is freely available on GitHub: https://github.com/rawdigits/garage-io.
Fast forward a year and I have been using this homemade garage system daily. My iPhone acts as the primary method of opening or closing the door. The security features seemed like an interesting bit of learning, but I assumed they would never be put to the test. A few weeks ago, they were!
At 4am on February 14th someone was able to activate the automatic door, which, by design, sets my iPhone into a frenzy. My first thought was “wow, there is some bug in my code and having it wake me up at 4am sucks.” I opened the URL for the garage camera on my phone and sure enough the door was wide open! There was no one visible, so I immediately ran out to see what might have happened. San Francisco was asleep and there was no one around. Maybe it was a bug after all? I did a quick inventory and decided nothing was missing, but decided to check still images captured by the camera.
I never actually saw the thieves, but I think they must have been waiting around a corner waiting for the automatic light to turn off before pilfering the garage.
The next step was incident response. How the hell did they get in? In my initial assessment, I hadn’t noticed the wires that split off from the physical button inside the garage and ended up at a “key switch”. This 40-year old key switch uses a 3 tumbler lock that, when turned, is the same as pressing the button. A closer look revealed that it was so worn out that you didn’t even need the proper key to turn it. Facepalm.
The moral of this story is that you should play with Arduinos and Raspberry Pis, because it will pay off in not having some valuable items stolen. (Ok, perhaps that’s a bit far fetched, but if you have the time, they are really fun.)
The real takeaway here is that security is hard, and there is no such thing as perfect security. Despite your best efforts there are often a number of variables at play, which might be overlooked. Monitoring is sometimes viewed as low priority, but as in cases like this, it may just save you from a devastating breach.
P.S. I later learned that these thieves were successful in stealing from over 20 garages in the neighborhood over a one week period. Hopefully mine will continue to elude them and any future attackers.