How do you protect yourself from under-the-door attacks? And no, mouse traps won't work. This is something much more serious than your average vermin intrusion. I’m talking about bad guys–think Marv and Harry from Home Alone–gaining full access to everything inside your business locations by exploiting easily-fixable vulnerabilities in your door's configuration with an "Under-the-Door" tool . Consider this thing to be the keys to the castle (without the keys), the VIP pass (without the pass)… believe me, nothing is off limits!
What is the Under-The-Door Tool?
The Under-the-Door-Tool is designed to open lever handle doors from the outside via reaching under the door. It is comprised of two parts, a steel rod and a replaceable stainless-steel cable. While its design is very basic, it yields impressive results.
Often a result of the American Disabilities Act (ADA), most commercial building codes now require lever-style handles (vs. round knobs) to increase the usability of these doors for disabled persons. While there is nothing wrong with a handle per se, many doors are not properly configured in other areas around the handle and this is what the UtDT exploits. Primarily, this is the gap "under" the door. Oftentimes, doors are not custom built to the exact location they are installed in and some assumptions are made in the manufacturing process such as hinge placement, which directly affects floor clearance. This clearance has to account for different flooring options (concrete, hardwood, low-pile carpet, etc.) and thus the gap is often generous—allowing for exploitation.
There are three (3) steps to using the Under-the-Door-tool.
1. Insert tool under the door.
2. Work the tool over the latch.
3. Pull down on the cable to open the door.
Now that you're familiar with the Under-The-Door Tool, let's talk about how to prevent its use. Luckily, there are a few effective options. The first (best) option is to create a tight seal under the door. When you close the gap under the bottom of the door an attacker won't be able to insert the tool under the door to attempt the exploit in the first place. Commercial threshold guards are available for purchase, just ensure that if you screw the device to the door, the screws are not accessible on the insecure side of the door. During simulations, SEVN-X consultants have actually unscrewed these threshold protectors from the door and performed the attack. Use rivets or install from the secure side of the door.
Alternatively, they make more advanced versions that integrate into the door that deploy when the door is closed. As a bonus this will also offer draft protection against losing cool air in the summer and hot air in the winter.
Another effective mitigation is the latch guard, which can be installed to prevent the UtDT from getting behind the lever and "hooking" it. This mitigation does not ensure protection but can certainly frustrate an attacker.
And in true hacker fashion, there are multiple "hacks" that can keep the tool from working as intended including wedging a towel in the handle itself.
Wrapping It Up (Get It?)
Now that you know the details you have two choices: protect yourself or let Marv and Harry do some Christmas shopping inside your business. As much fun as booby trapping your office and running the bad guys through a gauntlet of painful obstacles sounds, it's much easier to make a few upgrades to your door to ensure that they won't be coming in this holiday season, or ever! Hopefully this post summarized the risks and preventative measures in an actionable way for you and your organization, but if not, please leave us a comment and let us know about your unique situation.
Send Us Your Comments
What did you think of this article? Send us a note to let us know what you liked, would like to see more of, or what we can do better. And don't be surprised if we reach back out with a small 'thank you' gift for your feedback.