Mind the Gap - Hacking our own REX sensor entry system

August 12, 2019 | Posted in Red Teams by Ian Stubenbord


Please mind the gap and pardon our dust as we settle into our new SRA office in Rochester, New York. With a new office comes the need for an initial physical penetration test. The front door of the new office space was equipped with a request-to-exit (REX) passive infrared sensor directly linked to the door latching mechanism. With a few trials and a tinge of error we were able to gain root access to the office with a simple bag of frozen water. Ice, mylar, frozen paper towels, or a bowl of hot water proved to be enough of a shock to the sensor to pop the door lock open to the public. Please enjoy the video below of our successful attempts at bypassing the REX sensor.

Passive infrared sensors trigger when the change in infrared light (i.e. a change of temperature) detected within their proximity crosses a threshold. The mylar balloon provided enough infrared disruption to trip the sensor into a false positive alert, thinking that someone was exiting the office. As demonstrated in another popular REX sensor exploit online, external access can lead to comical means of entry to a secure location. At least our tested methods didn’t involve spraying booze across the victim’s entryway. It turns out that, in the case of these REX sensor configurations, untraceable entry is entirely achievable.

After a myriad of hypotheses and tests, our first ambitious test, a mylar balloon inflated with helium to defeat the sensor, proved to be the most complex. While it was the most complex, it is also the most effective, as a mylar balloon can slide through the slightest of door cracks to be inflated. With the balloon properly airborne on the opposite side of the door, access to the location is a matter of floating the shiny orbed surface to the correct location and giving it a shake. With an indeterminate amount of fiddling the infrared sensor can be fooled, unlocking the door. If the door gap is wide enough, a simple thin ice pack labeled “office key” will grant access as well. The cost of entry to our office using a mylar balloon sans a key fob was about $25 for a tank of helium, ingenuity, and a shiny balloon.

Please note: The door sensor vulnerability has been remediated by the time of publishing.  Please do not show up to the Rochester SRA office with ice and balloons unless we are celebrating our Grand Opening Event on September 26!