I used to live in an apartment complex that had an electronically controlled front door to the building, coupled with a very annoying call box.
The called party just has to press 9 on their end, front door unlocks.
This method is meant to selectively admit guests to the building.
What happens if you forgot your card key? You’d have to choose your roommate’s name in the list, or hope some stranger would let you in.
What if a robot answered and would let you in, provided the right PIN was entered? Easily done…
- This method requires the callbox not be hardwired to ring a bell in the apartment unit, but dial out to a phone number.
- It also assumes you have a basic understanding of how Asterisk works, and the way various config files are written.
You can brute force this method, however the environment it was implemented in would result in very, very long time to brute force. And well, someone would eventually just let you in anyway.
Overview of the context in Asterisk
- Call box dials a number that rings an Asterisk PBX.
- Asterisk answers the call and gives it to the [pin-unlock] IVR.
- Asterisk uses bundled recordings to present the caller with an IVR, with which the options are actually the PIN.
- A wrong PIN immediately (or time out) throws the caller out of the IVR, and sends them to a hunt group of extensions in the apartment. Reason for this is so a delivery person can answered and screened.
Time for the code
“55033” was the correct PIN. This translates to choosing those options in the IVR.
If the first digit was not 5, it would knock you out of the IVR.
Multiple PINs can be configured by simply duplicating any line containing the PIN below.
[pin-unlock] ; Log the call in Asterisk with a distinct note exten => s,1,Log(NOTICE, Prompting caller for Door PIN) ; Prompt caller for the password / PIN exten => s,n,Background(vm-password) ; Give the caller 5 seconds to begin entering the PIN exten => s,n,WaitExten(5) ; Log whether was not entered exten => s,n,Log(NOTICE, Door PIN not entered) ; If no PIN was entered goto hunt group 1103 exten => s,n,Goto(ring-groups,1103,1) ; Log correct PIN entered exten => 55033,1,Log(NOTICE, Door PIN Access Granted) ; Inform caller correct PIN entered and playback DTMF-9 which the callbox triggers the unlock mechanism with exten => 55033,n,Wait(.25) exten => 55033,n,System(/var/lib/asterisk/agi-bin/doorannounce.sh) exten => 55033,n,Playback(pin-number-accepted&tones/dtmf-9) exten => 55033,n,Hangup() ; Log that an incorrect PIN was used and goto hunt group exten => e,1,Log(NOTICE, Incorrect Door PIN entered) exten => e,n,Goto(ring-groups,1103,1)
I’m sure there are smarter ways to do this, but this was quick and dirty and worked reliably.