Hacking Time

by HoTsAbI  (hotsabi@yahoo.com)

Perhaps you've scanned the telephone numbers in your area, so now comes the time to start entering the unknown.  Each time you found a modem number your software should have logged it for a later attempt.

Some numbers will be fax machines - not a lot of fun there unless you have some product you may be selling.  Other numbers may be gates (Jaundice, "Adventures With Neighborhood Gates," 16:2).  Perhaps you may discover an X10 house system.

But not so well known are time clocks.  And if you find one you may want to know how to get connected and enter with administrator privileges.

That is exactly what you may learn from reading this.  But first the disclaimer: Please don't try this at home, kids, as you may damage the stored data held in the memory of the time clock and maybe someone will not get paid.

With that out of the way, on to a brief description of a remote time clock (see Photo 1).


Photo 1

Mounted on the wall, employees "swipe" their cards, much like a debit or credit card machine.  The reader then decodes the simple Manchester-encoded magnetic strip.  This information is typically the employee card number.  The time clock then stores this number along with the date, hour, minute, and seconds for later retrieval.

The time clocks I am discussing are the "ETC" models made by Qqest Software Systems in Utah.  They currently make several models, including "Biometric."

The one in Photo 1 is a model ETC 100, one of the least expensive units available.  It can be remotely accessed via a 2400 baud modem and typically will have a dedicated land line.

Normally payroll departments will use the provided Windoze program to download the punches from the time clocks every two weeks.  They should be the only ones who call the time clocks.  However, using a simple terminal scripting program like ProComm, anyone can access the time clocks.

To enter into communications mode with the time clocks you will need to set your speed to 2400.  Use 8/N/1 on the ETC 100s.  The IQ 500 requires 33.3 kbps and also 8/N/1.

Then, when prompted, enter the username (default is the clock number).  Next you will be asked for the password.  Enter ETC (default).  The password is seldom changed.

  • Default Clock ID: 1
  • Default Password for IQ 300, 400, 500: ETC
  • Default Password for IQ 1000: IQ 1000  (or IQ1000?)
  • Default Ethernet Password: 1111
  • Default Administrator ID: 8888
  • Default Administrator Password: 1111
  • Default Supervisor Password: 2222
  • Default Password for V800: V800

Another way to access these clocks is through direct "daisy chain," as the time clocks all come equipped with an RS-232C socket in the form of an RJ11 jack next to the one marked "TEL".  For this the company provides an adapter to your serial port.

The IQ 500 also has a keypad.  When you press the menu key you can gain "Supervisor" or "User" mode.  The default password for user mode is: 22222

This will allow you to read all the card numbers and punches.  If you enter 11111 you will gain Supervisor access and you can change the time, or even clear the memory of the punches.

On an ETC 100 boot version 3.41, just trying to access the clock with a voice line will cause the modem to hang, meaning it will not reset.  And after many calls with tech support, the only remedy is to disconnect the power for 15 seconds.  This can cause a big headache for the company that is trying to track their employees' time.  Other versions don't seem to suffer this "annoyance."

I am sure there are other units on the market and they no doubt will use the same type of system, typically a programmable CPU like a Zilog or Intel 8551, with a simple modem and "buggy" software.

As a note, it never ceases to amaze me that these companies all like to use simple pass codes, like their company name, store number, etc.
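For whoever administers these clocks, the default list above and the "company name, store number" habit can both be checked against an exported inventory. The following is an added example, not code from the article or from the vendor; the inventory layout, field names, function names and sample values are all hypothetical.

```python
# Added example (not from the article): audit an inventory of time clocks for
# the default and guessable passwords the article describes.
# Model defaults as listed in the article.
MODEL_DEFAULTS = {
    "ETC 100": ["ETC"], "IQ 300": ["ETC"], "IQ 400": ["ETC"], "IQ 500": ["ETC"],
    "IQ 1000": ["IQ 1000", "IQ1000"], "V800": ["V800"],
}
# Administrator, supervisor, Ethernet and keypad codes listed in the article.
GENERIC_DEFAULTS = {"1111", "2222", "11111", "22222"}

def norm(value):
    """Compare case-insensitively and ignore spaces ("iq 1000" == "IQ1000")."""
    return "".join(str(value).split()).upper()

def audit_clock(clock):
    """Return (role, reason) pairs for every weak credential on one clock."""
    model_defaults = {norm(p) for p in MODEL_DEFAULTS.get(clock["model"], [])}
    guessable = {  # the "company name, store number, etc." pattern
        norm(clock["company"]): "company name",
        norm(clock["store_number"]): "store number",
        norm(clock["clock_id"]): "clock ID",
    }
    findings = []
    for role, secret in clock["credentials"].items():
        value = norm(secret)
        if value in model_defaults:
            findings.append((role, "factory default for " + clock["model"]))
        elif value in GENERIC_DEFAULTS:
            findings.append((role, "listed default code"))
        elif value in guessable:
            findings.append((role, "matches " + guessable[value]))
    return findings

def audit_inventory(inventory):
    """Map clock ID -> findings, omitting clocks with no findings."""
    report = {c["clock_id"]: audit_clock(c) for c in inventory}
    return {cid: f for cid, f in report.items() if f}

# Constructed sample inventory; field names and values are hypothetical.
SITE = {"company": "Acme Foods", "store_number": "0417"}
INVENTORY = [
    dict(SITE, clock_id=1, model="ETC 100", credentials={"modem": "ETC"}),
    dict(SITE, clock_id=2, model="IQ 500",
         credentials={"modem": "acmefoods", "supervisor": "11111", "user": "73915"}),
    dict(SITE, clock_id=3, model="IQ 1000",
         credentials={"modem": "iq 1000", "supervisor": "0417"}),
    dict(SITE, clock_id=4, model="V800", credentials={"modem": "k7#Rt2qLw9"}),
]

if __name__ == "__main__":
    for clock_id, findings in audit_inventory(INVENTORY).items():
        print(clock_id, findings)
```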

How long will it take before real security is the norm?  Only time will tell...
