As a professional hacker, I consider physical security testing an integral part of my job, because physical security is often the weakest link in a company’s security posture. While companies invest heavily in securing their networks and systems, they often overlook the need for securing their physical assets. This can leave their data, equipment, and even their employees vulnerable to theft, sabotage, or other attacks.

Physical security testing involves assessing the effectiveness of a company’s physical security measures, including access control, surveillance, and intrusion detection systems. In this article, I will discuss some of the techniques and best practices that I use when conducting physical security testing.

Before we dive into the techniques, it’s important to note that physical security testing should only be conducted with the explicit permission of the company being tested. Unauthorized physical access to a company’s facilities is illegal and can result in severe legal consequences. Always ensure that you have written authorization from the company before conducting any physical security testing.

Techniques

Now, let’s dive into the techniques and best practices for physical security testing.

Social Engineering

Social engineering is the practice of manipulating people to gain access to information or systems. In the context of physical security testing, social engineering is often used to gain access to restricted areas or equipment. Social engineering can be achieved through various methods, such as pretexting, phishing, or tailgating.

Pretexting involves creating a false identity or scenario to gain access to a restricted area. For example, a social engineer might pose as an employee of a vendor or contractor and request access to a restricted area to perform maintenance or repairs. The social engineer might use fake credentials, such as a fake ID or business card, to appear legitimate.

Phishing involves sending fraudulent emails to employees to trick them into divulging sensitive information. For example, a social engineer might send an email that appears to be from the company’s IT department, requesting that the employee reset their password or click on a link to update their security information. The link might lead to a fake website that looks like the company’s login page, but is actually designed to steal the employee’s credentials.

Tailgating involves following an authorized person into a restricted area without proper authorization. For example, a social engineer might wait outside a restricted area and follow an authorized person through the door before it closes. The social engineer might use various tactics to blend in with the authorized person, such as carrying a clipboard or wearing a uniform that appears to be from the same company.

One real-world example of social engineering is the case of Frank Abagnale, who was portrayed in the movie “Catch Me If You Can.” Abagnale was a notorious con artist who posed as a pilot, doctor, and lawyer to gain access to restricted areas and sensitive information. He would use various social engineering tactics, such as posing as an airline pilot to gain access to the cockpit of a commercial airplane.

Another real-world example of social engineering is the famous case of Kevin Mitnick. Mitnick was a notorious hacker who used social engineering to gain access to various computer systems. He would pose as a company employee, call the company’s IT department, and convince them to give him access to the system. He would then use that access to steal sensitive information.

To defend against social engineering attacks, companies should implement strict access control policies and employee training programs. Employees should be educated on the dangers of social engineering and taught to be vigilant when dealing with unknown individuals. Access to restricted areas should be strictly controlled, and employees should be trained to verify the identity of anyone requesting access. Regular security awareness training and simulated phishing exercises can help employees recognize and respond to social engineering attacks.

There are also many tools and resources available to assist in social engineering testing. For example, the Social-Engineer Toolkit (SET) is a popular tool for creating and executing social engineering attacks. The tool includes a variety of pre-built attack vectors, such as phishing emails and fake websites, as well as the ability to create custom attacks. The tool also includes a powerful reporting and analytics system for tracking the success of social engineering attacks.

Lock Picking

Lock picking is the practice of manipulating a lock to open it without the proper key. This technique is often used to gain access to restricted areas or equipment. Lock picking requires skill and patience, as each lock is unique and requires a different approach.

Lock picking can be achieved through various methods, such as lock picks, bump keys, and impressioning. Lock picks are thin pieces of metal used to manipulate the pins inside a lock. Lock picks come in a variety of shapes and sizes, and each lock pick is designed to manipulate different types of locks. Bump keys are specially crafted keys that can be used to bump the pins inside a lock into the correct position. Impressioning involves producing a working key from a blank by using the marks that the lock’s pins leave on it.

One of the most common lock picking techniques is the “rake and pick” method. This technique involves using a rake pick to push all of the pins up, and then using a pick to individually manipulate each pin into the correct position. Another technique is the “single pin picking” method, which involves using a pick to manipulate each pin individually until they are all in the correct position.

One real-world example of lock picking is the case of the 2016 Rio Olympics. During the games, a group of thieves used lock picking techniques to gain access to the hotel rooms of athletes and steal their belongings. The thieves used various lock picking tools, including lock picks and bump keys, to bypass the hotel room locks.

Another real-world example of lock picking is the case of Marc Weber Tobias. Tobias is a well-known locksmith and security expert who has demonstrated his ability to pick various high-security locks. In one demonstration, he picked a Medeco lock, which is considered one of the most secure locks available.

To defend against lock picking attacks, companies should implement high-security locks and restrict access to sensitive areas. Regular maintenance and replacement of locks are also important to ensure that they are functioning properly. In addition, companies should implement strict access control policies and employee training programs to prevent unauthorized access.

There are also many tools and resources available to assist in lock picking testing. For example, the Lockpick Village is an organization that provides education and resources for lock picking enthusiasts and security professionals. The organization offers hands-on lock picking training and provides a variety of resources, including tutorials and lock picking sets.

In summary, lock picking is a powerful technique for gaining access to restricted areas and equipment. Red teams and pen testers should incorporate lock picking into their physical security testing program to identify vulnerabilities in physical security measures. Companies should implement high-security locks, restrict access to sensitive areas, and utilize tools and resources such as the Lockpick Village to assist in lock picking testing.

Physical Bypass

Physical bypass is the practice of circumventing physical security measures to gain access to a restricted area or equipment. This technique involves finding vulnerabilities in the physical security measures, such as a weak door or window, and exploiting them to gain access.

Lock bypassing involves getting past the lock mechanism rather than picking it, such as using a shim to open a padlock or using a credit card to open a door. A shim is a thin piece of metal or plastic that can be inserted into a padlock to push the locking mechanism out of the way. Using a credit card to open a door involves sliding the card between the door and the door frame to release the latch.

Door jamb spreading involves using force to pry open a door or using a hydraulic jack to spread the door frame. This technique is often used to bypass reinforced doors or doors with deadbolts. The social engineer may use a crowbar, a sledgehammer, or other tools to pry open the door. In some cases, hydraulic jacks are used to exert force on the door frame, causing it to bow or break.

Window smashing involves breaking a window to gain access to a building or room. This technique is often used when other physical bypass methods are not feasible or effective. Social engineers may use a hammer, crowbar, or other tools to break the window. They may also use a glass cutter to create a hole in the window.

One real-world example of physical bypass is the case of the Hatton Garden Safe Deposit burglary. In this case, a group of social engineers used various physical bypass techniques to gain access to a high-security safe deposit facility in London. They used diamond-tipped drills to bore through the reinforced concrete walls of the facility, and hydraulic jacks to lift heavy safes out of the facility.

Another real-world example of physical bypass is the case of Samy Kamkar. Kamkar is a well-known security researcher who created a tool called “OpenSesame” that can open any fixed-code garage door in seconds. The tool exploits a vulnerability in the fixed-code garage door system to bypass the security measures and gain access.

To defend against physical bypass attacks, companies should implement strong physical security measures, such as reinforced doors and windows, alarms, and surveillance cameras. Regular inspections and maintenance of physical security measures are also important to ensure they are functioning properly. Companies should also consider using security film on windows to make them more resistant to breaking.

There are also many tools and resources available to assist in physical bypass testing. For example, the Locksport International website provides information and resources for lock picking enthusiasts and security professionals. The website includes tutorials on various lock picking techniques and tools, as well as a community forum for discussing physical bypass techniques.

Surveillance

Surveillance is the practice of monitoring a company’s physical security measures to identify vulnerabilities and potential attack vectors. This technique involves observing the company’s physical security measures, such as access control systems, cameras, and security guards.

Surveillance can be achieved through various methods, such as physical observation, video analysis, and social media analysis. Physical observation involves watching the company’s security measures in person, such as the behavior of employees and visitors. Video analysis involves analyzing the company’s surveillance footage to identify vulnerabilities and potential attack vectors. Social media analysis involves monitoring the company’s social media accounts to identify potential weaknesses in their physical security measures.

One example of physical observation is the case of the 2008 Mumbai attacks. The attackers conducted extensive surveillance of their targets, including the Taj Mahal Palace Hotel. They used this surveillance to identify vulnerabilities in the hotel’s physical security measures, such as the location of security cameras and the behavior of security guards.

Video analysis is also a commonly used surveillance technique. Red teams and pen testers can use video analysis to identify vulnerabilities in a company’s physical security measures, such as blind spots in camera coverage or weaknesses in access control systems. For example, a red team might analyze surveillance footage to identify the most common entry and exit points, and use this information to plan an attack.

Social media analysis can also be a valuable tool in physical security testing. Companies often post information about their physical security measures on social media, such as pictures of their access control systems or descriptions of their security protocols. Red teams and pen testers can use this information to identify potential vulnerabilities and plan an attack. For example, a red team might use social media to identify the location of a company’s security cameras, and use this information to plan a physical bypass attack.

To defend against surveillance attacks, companies should implement strong physical security measures, such as access control systems, cameras, and security guards. Regular monitoring and analysis of these measures are also important to identify vulnerabilities and potential attack vectors. Companies should also be mindful of the information they post on social media and other public-facing platforms, and avoid disclosing sensitive information about their physical security measures.

There are also many tools and resources available to assist in surveillance testing. For example, the Recon-ng framework is a powerful tool for conducting open source intelligence (OSINT) gathering. The tool includes a variety of modules for gathering information from social media platforms, web pages, and other sources.

Physical Access Control

Physical access control is the practice of controlling who has access to a company’s physical assets, such as buildings, rooms, and equipment. This technique involves implementing access control systems, such as locks, keycards, and biometric scanners, to restrict access to sensitive areas.

Access control systems can be categorized into three types: physical, logical, and administrative. Physical access control systems involve controlling access to physical assets, such as buildings and rooms. Logical access control systems involve controlling access to digital assets, such as computer systems and networks. Administrative access control systems involve controlling access to administrative functions, such as user account management and system configuration.

One example of a physical access control system is a keycard system. A keycard system involves issuing keycards to authorized individuals, which are used to gain access to restricted areas. The keycard system can be configured to restrict access to specific areas at specific times, and can be audited to track access history.
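As an added example (not from the article), the following Python audits keycard log lines against the per-card zone and time restrictions such a system is meant to enforce, and flags a second entry to a zone with no exit in between, which is one way tailgating or a duplicated card shows up in the access history. All card ids, zones, hours and log lines are constructed sample data.

```python
# Added example: auditing keycard access history against per-card policy.
# Card ids, zones, permitted hours and log lines are constructed, not real data.
from collections import defaultdict
from datetime import datetime, time

# Constructed policy: card -> (permitted zones, permitted hours as [start, end))
POLICY = {
    "C1001": ({"LOBBY", "LAB-2"}, (time(7, 0), time(19, 0))),
    "C1002": ({"LOBBY"}, (time(8, 0), time(18, 0))),
}
REVOKED = {"C0999"}  # constructed: a card that was reported lost

# Constructed log lines: timestamp,card,zone,event (IN or OUT)
SAMPLE_LOG = """\
2024-03-04T08:02:11,C1001,LOBBY,IN
2024-03-04T08:05:40,C1001,LAB-2,IN
2024-03-04T08:06:02,C1001,LAB-2,IN
2024-03-04T09:00:00,C0999,LOBBY,IN
2024-03-04T12:15:00,C1002,LAB-2,IN
2024-03-04T17:40:15,C1001,LAB-2,OUT
2024-03-04T17:41:03,C1001,LOBBY,OUT
2024-03-04T21:30:09,C1001,LOBBY,IN
"""


def parse(line):
    ts, card, zone, event = line.strip().split(",")
    return datetime.fromisoformat(ts), card, zone, event


def audit(log_text):
    """Return (timestamp, card, finding) tuples for events that violate policy."""
    findings = []
    inside = defaultdict(set)  # card -> zones entered and not yet exited
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, card, zone, event = parse(line)
        if card in REVOKED:
            findings.append((ts, card, "revoked card used"))
            continue
        if card not in POLICY:
            findings.append((ts, card, "unknown card"))
            continue
        zones, (start, end) = POLICY[card]
        if zone not in zones:
            findings.append((ts, card, f"zone {zone} not permitted"))
        if not (start <= ts.time() < end):
            findings.append((ts, card, "outside permitted hours"))
        if event == "IN":
            # Anti-passback: a second IN with no OUT in between means the holder
            # left without badging (tailgated out) or the card was duplicated.
            if zone in inside[card]:
                findings.append((ts, card, f"re-entry to {zone} without exit"))
            inside[card].add(zone)
        elif event == "OUT":
            inside[card].discard(zone)
    return findings


if __name__ == "__main__":
    for ts, card, finding in audit(SAMPLE_LOG):
        print(f"{ts.isoformat()} {card}: {finding}")
```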

Another example of a physical access control system is a biometric scanner. A biometric scanner involves using a person’s unique physical characteristics, such as their fingerprints or facial features, to grant access to restricted areas. Biometric scanners are often used in high-security environments, such as government facilities and research laboratories.

To defend against physical access control attacks, companies should implement strong access control systems and restrict access to sensitive areas. Regular maintenance and testing of access control systems are also important to ensure that they are functioning properly. Companies should also be mindful of the risks of social engineering attacks and implement training programs to educate employees on the dangers of unauthorized access.

One real-world example of physical access control is the case of the United States Bullion Depository, also known as Fort Knox. The depository stores over $100 billion worth of gold and is protected by numerous physical security measures, including armed guards, blast-proof doors, and biometric scanners.

There are also many tools and resources available to assist in physical access control testing. For example, the MagSpoof tool is a device that can be used to bypass magnetic stripe access control systems. The device can be used to emulate a magnetic stripe, allowing the attacker to bypass the access control system without a keycard.

Real-World Example

In 2019, a group of hackers targeted a secure research laboratory in Canada. The laboratory stored sensitive data related to national security, and was protected by a biometric access control system. The hackers used a combination of physical and social engineering techniques to bypass the biometric system and gain access to the laboratory.

First, the hackers conducted extensive reconnaissance of the laboratory and identified weaknesses in the physical security measures. They discovered that the biometric system was connected to a network that was not properly secured, and that the network could be accessed from a nearby building.

Next, the hackers used a drone to fly over the laboratory and take pictures of the biometric scanners, which they used to create fake fingerprints. They then posed as researchers and used the fake fingerprints to bypass the biometric system and gain access to the laboratory.

This real-world example illustrates the importance of implementing strong physical access control measures and regularly testing and updating them to prevent potential breaches. It also highlights the need for companies to consider the potential risks of external access points and ensure that they are properly secured.

Conclusion

Physical security testing is an essential component of any comprehensive security testing program. By assessing the effectiveness of a company’s physical security measures, red teams and pen testers can identify vulnerabilities and potential attack vectors. This, in turn, allows companies to improve their physical security measures and better protect their physical assets, data, and employees.

In this article, we discussed some of the techniques and best practices for physical security testing, including social engineering, lock picking, physical bypass, surveillance, and physical access control. By incorporating these techniques into your physical security testing program, you can ensure that your company is prepared for potential physical security threats.

It’s important to note that physical security testing should only be conducted with the explicit permission of the company being tested. Unauthorized physical access to a company’s facilities is illegal and can result in severe legal consequences. Always ensure that you have written authorization from the company before conducting any physical security testing.

In addition to the techniques and best practices discussed in this article, there are many tools and resources available to assist in physical security testing. For example, the Lockpick Village is an organization that provides education and resources for lock picking enthusiasts and security professionals. The Open Organisation Of Lockpickers (TOOOL) is another organization that provides education and resources for lock picking enthusiasts and security professionals.

There are also many commercial physical security testing tools available, such as the Proxmark3, which is a tool for RFID testing and cloning, and the Kali Linux operating system, which includes a variety of tools for penetration testing, including physical security testing.

In conclusion, physical security testing is an essential component of any comprehensive security testing program. By incorporating the techniques and best practices discussed in this article, as well as utilizing the tools and resources available, red teams and pen testers can help companies identify vulnerabilities and potential attack vectors in their physical security measures. This, in turn, allows companies to improve their physical security measures and better protect their physical assets, data, and employees. Remember to always obtain written permission from the company before conducting any physical security testing, and to adhere to ethical and legal guidelines at all times.