Physical Security: Hacking Elevators, Security Features and Exploiting Special Modes of Operation

Welcome back, my aspiring cyberwarriors!

In the area of physical security and red team operations, elevators present an often-overlooked but strategically important vector. While they may seem like mundane infrastructure, elevators are embedded with layers of logic, legacy systems, and mechanical overrides that can be leveraged or manipulated with the right knowledge.

Understanding how elevator systems function, and the special modes built into them, is critical for penetration testers aiming to simulate real-world intrusions.

Security Features in Modern Elevators

Many commercial or institutional elevators are integrated with building access control systems such as badge readers, biometric systems, or PIN pads. These are used to limit access to certain floors or completely limit your ability to call the elevator to you.

However, elevator security can be surprisingly weak. In many cases, only a few key switches are needed to bypass these protections. And in legacy systems, security may be as simple as the presence or absence of a mechanical key.

Fire Service Override Mode

Elevators are designed to respond to building fires through a feature known as Fire Service Mode, which is mandated by building codes in North America. This mode provides emergency responders with manual control over the elevator during a fire event. Since this mode is considered a life-safety feature, it often bypasses all normal restrictions. Triggering this mode requires access to the fire service default keys. The most commonly used key for fire systems is the FEO-K1key which is nationally used for elevators installed after 2006. The FEO-K1key can be easily purchased online from any major retailer or red team supplier.

You could be hacking elevators tomorrow with next day delivery

Some states use their own state-specific fire service keys and elevators built before 2007 will likely not be retrofitted for the FEO-K1 key system. In these cases, you'll need to access the fire service key boxes. These boxes are typically steel and mounted near elevator banks.

A common design for fire service key boxes

The FEO-K1 key should open this box unless you live in a state with state-specific fire service key, which can also be purchased online.

Once in possession of the fire service default keys you can call all the elevators to the lobby by turning the firefighters key switch to "ON".

This step is useful if there are security controls in the lobby to call the elevator. Once inside the elevator car, locate the firefighters buttons. Sometimes these buttons are inside a cabinet. Turn the fire service key to "ON", select the desired floor and hold the "CLOSE DOOR" button until closed. Once you arrive at your floor hold the "OPEN DOOR" button until doors open.

A typical fire service panel found inside a elevator car.

If the system isn’t integrated with a monitored fire control panel, this all can be done without raising alarms. However, in fire service mode none of the elevators will operate normally and the floor indicator will flash "FS". To avoid drawing attention you'll want to return the lifts to normal operation by turning the fire key switches in the car and lobby to "RESET" and then "OFF".

Independent Service Mode

Another exploitable feature is Independent Service Mode. It is intended to let building staff reserve an elevator for tasks like moving equipment or VIP transport. When activated, the elevator no longer responds to hall calls and movement is controlled from inside the car. You can typically bypass floor security lockouts and, if there are no cameras in the car, wait inside a stopped elevator until the building empties.

This mode is less likely to alert security staff so it is a preferred method over the Fire Service Mode. However, the keyed switch is typically found inside the cab so using this mode can be limited by access control systems to call the elevator. The independent service keys are often stored inside fire service key boxes that you opened with fire service default keys.

Security Switches and Standard Elevator Keys

The truth is that most of these switches do not rely on unique keys. Instead, elevator manufacturers often standardize their keys across all their systems. This means a single key may work across dozens or even hundreds of buildings using the same equipment.

These keys are supposed to be restricted, but in practice, they are widely available on online marketplaces. For a red-teamer an investment in a key ring of standard elevator keys can unlock a surprising number of capabilities. A list of elevator keys by manufacturer.

Other key-operated functions:

Inspection Mode(INS): allows the car to move manually at a reduced speed with the door open and can be operated from a panel on top of the car or in the pit.
Car top inspection controls
Attendant Mode (AS): the car receives hall calls, but you can manually determines if the car responds
Unlocking rooftop or basement access via elevator-specific door zones

In older buildings, these switches are often located behind minimal paneling or held in place with tamper-prone screws. Gaining access is rarely difficult once the general elevator model is identified.

Summary

Hacking elevators doesn’t always involve writing code or exploiting software vulnerabilities. It often comes down to understanding the logic, keys, and mechanical systems that define elevator behavior. For red-teamers, these systems represent both a challenge and an opportunity bypassing physical access controls, isolating movement, or navigating secure floors with relative ease.

Once the attacker gains physical access, GAME OVER!