Elevator Security in the Age of Hacking: Can Your Elevator Be Hacked?
You can almost see the Hollywood trailer in your mind: An unsuspecting well-dressed man, surrounded by the trappings of wealth and power, steps into a gleaming elevator from his posh penthouse digs. The doors close as he pushes the ground floor button. The camera immediately pans to a hooded dark figure perched over a keyboard. He types a few commands and pushes ENTER. The camera snaps back to the elevator, the music intensifies, as the car shutters and then starts to freefall, plummeting with its doomed cargo trapped and terrified inside.
Cybersecurity and computer hacking on the silver screen may garner accolades for nail-biting suspense and action, but decidedly less so for realism and accuracy.
For more than a century, the safety and security of the elevator system was purely defined in physical and mechanical terms, including elements like cable strength, hydraulic pressure, overspeed safeties, and the like. Elevators that were built well and serviced regularly were safe and secure – end of story.
Today, that initial calculus remains, but the landscape and safety goal posts have shifted. Modern office buildings and skyscrapers are no longer isolated clusters of concrete, steel, and glass. They are also complicated digital systems interconnected in ways that didn’t exist in the past. And so, as buildings and their connected networks grow more advanced, the systems responsible for vertical transportation have evolved from that of standalone mechanical boxes into one more interwoven digital cog in the Internet of Things (IoT).
With this digital revolution comes a pressing 21st-century vulnerability for elevators: cybersecurity. For building owners, property managers, elevator manufacturers, and the mechanics who service these elevators, a key question must be answered: Is your elevator at risk of being hacked?
Elevators and the IoT
To begin understanding the hacking risk of modern elevators, it helps to start by looking at the broader shift toward IoT in commercial real estate (IoT refers to everyday devices that are connected to and centrally managed through the cloud).
In modern commercial buildings anything can be online, including:
- HVAC Systems: Climate control can be automated to optimize energy usage based on building occupancy, weather patterns, and other variables.
- Lighting and Access Controls: Smart badge readers may be used to control who can enter certain floors, syncing with security databases in real time.
- Utility Monitoring: Power and water grids can send real-time data back to utility providers and facilities management dashboards for monitoring and evaluation.
Elevators, likewise, have become an extension of this connected infrastructure. Some modern elevators contain an array of specialized systems linked to the cloud, including:
- Microprocessor-Based Controllers: The “brains” of the elevator, these systems can route cabs efficiently between floors.
- Destination Dispatch Networks: Computerized screens in the lobby group passengers together by floor before they even step inside the elevator cab.
- Remote Monitoring Units: Systems providing continuous data back to facility and maintenance teams.
- Multimedia and Emergency Communications: In-cab screens that can stream news (or advertising), or provide voice and video lines to emergency response centers.
Make no mistake, this connectivity can support operational efficiency. By linking elevators to the internet, building managers can optimize traffic flow, reduce energy costs, and may cut down on wait times through predictive algorithms. They may also detect or anticipate problems or issues more quickly. On the other hand, that same connectivity providing an upside can also be a doorway to exploit for nefarious actors.
Elevator Networking: Air-Gapped vs. Connected
To properly assess the risk of a cyberattack, it is useful to compare legacy elevator systems with contemporary vertical transportation systems.
Older elevator systems, such as those installed before the late 1990s, relied primarily on electromechanical relay logic or early, isolated microprocessor boards. These systems were hard-wired and entirely “air-gapped,” meaning they had no connection whatsoever to external networks or the internet. If an individual wanted to manipulate an older elevator, they needed physical access to the machine room, a specialized key, or direct access to the hoistway.
Today, many modern elevators are built on and around digital networks. Connected sensors can provide additional information about potential issues within the elevator system. While this digital connectivity has some benefits, it also effectively eliminates the historical air gap that served as a native security feature.
What Does it Mean to “Hack” an Elevator?
When we hear the phrase “elevator hacking,” those Hollywood tropes play in our head – there’s a bad actor wreaking serious havoc on an elevator system thousands of miles away. The reality is that the physical safety of elevators is managed by independent, mechanical fail-safes, including brakes, governors, and counterweight buffers that operate completely outside of the software architecture. In other words, hackers cannot rewrite the laws of physics or bypass the mechanical counter-mechanisms designed to prevent accidents or a freefall.
But the fact is, a digital breach is still incredibly dangerous. In cybersecurity, “hacking” an elevator means exploiting software bugs, weak network protocols, or unencrypted data streams to gain unauthorized control over an elevator’s controller or management software. The impact on a compromised system can be severe. Hackers can bypass floor restrictions, granting unauthorized access to highly secure executive suites or laboratory levels. Alternatively, they can launch a Denial of Service (DDoS) attack, parking all cabs on the ground floor with their doors open, effectively suspending elevator operations within a corporate campus or hospital.
The New Elevator Cybersecurity Threats: Myths & Quantum Computing
Had this discussion of elevator hacking taken place only a few short years ago, the risk parameters would be different, framed mostly by human-powered exploits of security lapses from network weak points and compromised passwords. We’d focus on more typical, known threats, including hacked WiFi networks or remote service portals reached through a successful phishing effort, allowing unauthorized access to elevator systems. Unfortunately, this new threat profile has two new powerful technical vectors: AI and quantum computing.
Increasingly strong artificial intelligence models such as Mythos from Anthropic can already find and exploit software vulnerabilities well beyond that of human hackers (and coding agents can then generate working exploit code based on that analysis). In fact, the company behind Mythos held off on public release, given that the risk of software exploitation was so great.
And then there’s quantum computing, an emergent field. Whereas traditional computers (like the one you’re using right now to read this) process binary 0s and 1s, quantum computers are based on something called qubits, which allow them to perform extremely complex calculations exponentially faster than even today’s supercomputers. Quantum computing is seriously concerning because it risks decoding encryption systems some elevator systems depend on for protection.
Defending Elevator Systems: Safeguard Considerations
In the face of these emerging and current threats, securing vertical transportation systems requires active collaboration between building owners, cybersecurity experts, manufacturing engineers, and the skilled mechanics keeping these critical systems running. To guarantee – or at least greatly enhance – system resilience, organizations should prioritize a multi-layered defense strategy. This may include:
Network Segmentation
An effective way to protect an elevator system from a cyberattack is to isolate its network completely from the rest of the building’s internet traffic. The elevator controls, destination dispatch networks, and in-cab communication lines should sit on a dedicated Virtual Local Area Network (VLAN) with strict firewall rules preventing lateral traffic from the building’s standard office networks.
Strict Access Management and MFA
Every portal used by facility managers or third-party service contractors to monitor elevator health should be locked behind Multi-Factor Authentication (MFA). Furthermore, all default passwords installed by the factory must be changed immediately. “Password1234” is not a password.
Rigorous Patch Management
Just like an operating system on a computer, the firmware on an elevator controller and the firewalls and other networking devices in its environment require updates to fix newly discovered security loopholes, particularly as new AI models are uncovering them at an accelerated rate. Building owners must ensure their maintenance contracts include regular firmware verification and prompt security patching.
Choosing IUEC Expertise for Your Elevators
The human element is either the strongest or weakest link in the cybersecurity chain. When elevator systems go through modernization or complex maintenance, the mechanics who interact with the controller must be trained to work on modern systems. This is why working with IUEC-affiliated contractors backed by the National Elevator Industry Educational Program (NEIEP) in the U.S or the Canadian Elevator Industry Educational Program (CEIEP) in Canada is crucial. NEIEP’s and CEIEP’s comprehensive curriculum continuously adapts to technical shifts, ensuring that union mechanics aren’t just skilled in mechanical work, but are increasingly well-versed in digital advances and emerging technologies.
Elevating the Industry Standard for Cybersecurity
By choosing to connect an elevator to the internet, building owners must be aware of and comply with the ASME A17.1 safety code to improve the security of their elevator systems as well as their building security (future ElevatorInfo articles will contain information about building owners’ responsibilities when it comes to ensuring code requirements for elevator equipment connected to the internet are met).
As elevators continue to evolve as data-driven connected assets, the line between physical safety and digital security dissipates. While a hacked elevator may not plummet down a shaft Tom Cruise style, it can still trap passengers, expose secure corporate infrastructure, breach data privacy, and paralyze the daily operations of a hospital, office building, or other commercial or residential facility.


