Hack in an Elevator! Pentesting a Lift Control Web App
Perazzo P.; Manfredonia G.
2024-01-01
Abstract
Imagine taking an elevator to go to the fourth floor, and suddenly you are stuck inside due to a cyber attack! This can happen because elevators have become Cyber-Physical Systems (CPS), which involve networked embedded computers, and are therefore no longer immune to hackers. In this research we assess the security of an elevator CPS designed and developed by an Italian company, which is deployed on several elevator installations in Italy. The objective is to evaluate if and to what extent the various cybersecurity risks are understood by CPS developers. In this paper we present the results of the first part of a complete penetration test, in which we focused only on the elevator management website, which is the component most exposed to possible attacks due to its public and remote availability. From our experience we can conclude that the CPS developers have a good awareness of the most common cybersecurity threats, and they are aware of common defense techniques. Still, they fail to implement defenses against advanced client-side attacks, and they do not follow best practices, which could lead to vulnerabilities if some unfortunate conditions are met.


