Greetings, fellow hackers and penetration testers! Today, we’ll be diving into the fascinating world of physical security bypass techniques in the realm of red teaming. As we all know, red teaming is a crucial aspect of testing an organization’s security measures, and part of that involves breaking into secure facilities or circumventing physical security measures. As professional hackers, we constantly strive to stay ahead of the curve and learn the most effective ways to bypass security in order to expose vulnerabilities and make the world a more secure place.

In this article, we’ll explore various physical security bypass techniques, from lock picking and key duplication to leveraging radio frequency identification (RFID) systems and social engineering. We’ll also provide examples of real-world scenarios where these techniques have been employed successfully. This article assumes you have an intermediate understanding of security and hacking, so let’s get started!

Lock Picking and Bypassing Techniques

Lock picking is an essential skill for any red teamer, as it allows us to unlock doors and bypass physical security measures without causing permanent damage. Here, we’ll cover various techniques and tools used in lock picking, from basic pin tumbler locks to more advanced and specialized mechanisms.

Pin Tumbler Locks

The most common type of lock used worldwide is the pin tumbler lock, which consists of a series of spring-loaded pin stacks that block the plug from rotating unless the correct key lifts every stack so that its split sits exactly at the shear line. To pick a pin tumbler lock, you’ll need two tools: a tension wrench to apply light torque to the plug, and a pick to manipulate the pins one at a time.

Example: The DEF CON 19 conference showcased a talk by Deviant Ollam and Babak Javadi, where they demonstrated lock picking techniques and shared tips for mastering the art. You can find the video here: https://youtu.be/WMtBjnWtP5Y

Wafer Locks

Wafer locks are similar to pin tumbler locks, but instead of pins, they use flat wafers that must be aligned correctly for the lock to turn. Wafer locks are commonly found in filing cabinets, desk drawers, and some automotive applications. Picking wafer locks typically requires a slightly different set of tools, such as wafer picks or jiggler keys.

Tubular Locks

Tubular locks use a circular arrangement of pins, with a cylindrical key that presses down on the pins. To pick a tubular lock, you’ll need a specialized tubular lock pick that applies tension to the lock while manipulating the pins simultaneously.

Example: In 2016, Samy Kamkar demonstrated the “Combo Breaker,” a motorized, 3D-printed device capable of cracking Master Lock combination locks in just a few minutes. You can find more details here: https://samy.pl/combobreaker/

Lever Locks

Lever locks are commonly found in safes and high-security doors, utilizing a series of levers that must be lifted to the correct height for the lock to open. Picking lever locks typically requires specialized tools, such as lever lock picks or try-out keys.

Bypassing Techniques

In addition to traditional lock picking, there are other ways to bypass locks that exploit design flaws or specific vulnerabilities. Some examples include:

Bump Keys

A bump key is a specially modified key designed to bypass pin tumbler locks by transferring a sharp impact to the pin stacks, causing the driver pins to momentarily separate from the key pins at the shear line and allow the plug to turn. Bump keys can be easily made by filing down the peaks of a key blank.

Decoder Picks

Decoder picks are specialized tools that allow the user to both pick and decode a lock simultaneously. This is particularly useful for combination locks, where the decoding process can reveal the correct combination for future use.

Shimming

Shimming involves inserting a thin piece of metal, such as a shim or feeler gauge, between the lock’s components to manipulate or bypass the locking mechanism. This technique is particularly effective for bypassing padlocks and some latch-based systems.

Key Duplication and Impressioning

Even with the rise of electronic access control systems, physical keys still play a major role in securing buildings and facilities. In this section, we’ll discuss key duplication, impressioning, and other techniques for creating unauthorized copies of keys.

Key Duplication

The simplest way to create a duplicate key is to use a key duplication machine, which traces the shape of the original key onto a key blank. However, gaining access to a target’s key can be challenging, and there are alternative methods that can be employed, such as casting or 3D printing.

Casting

Casting involves creating a mold of the target key and then filling it with a metal alloy to create a duplicate. This can be done using materials like clay or silicone to create the mold and low-melting-point metals like pewter for the duplicate key.

Example: The popular TV show “Mr. Robot” featured a scene where the main character, Elliot Alderson, successfully duplicated a key using the casting technique. You can find a tutorial on the process here: https://youtu.be/i3Xq5dZx5AM

3D Printing

Recent advances in 3D printing technology have made it possible to create working copies of keys using digital models. By obtaining the key’s bitting code or taking high-resolution photos, a skilled attacker can create a 3D model and print a functional duplicate.

Example: In 2011, Jos Weyers and Christian Holler demonstrated how they could duplicate a high-security key using only a photograph and 3D printing technology. You can find more information on their work here: https://youtu.be/zu5jli8-8c0

Impressioning

Impressioning is a technique used to create a working key by manipulating a blank key in the lock and observing the marks left by the pins. By filing down the key to match the marks, a functional duplicate can be created.

Example: At the Black Hat conference in 2010, Marc Weber Tobias demonstrated how he could impression a Medeco high-security lock in just a few minutes. You can find more details on his presentation here: https://youtu.be/kp5e5a_vJus

RFID Systems Exploitation

Radio Frequency Identification (RFID) systems are widely used for access control and asset tracking purposes. In this section, we’ll cover how to exploit RFID systems to bypass physical security measures, including cloning and spoofing techniques.

RFID Cloning

RFID cloning involves creating a duplicate of an RFID tag or card by capturing and replicating its unique identifier. Tools like the Proxmark3 or Chameleon Mini can be used to read, analyze, and clone RFID tags.

Example: In 2015, security researcher Francis Brown demonstrated the “Tastic RFID Thief,” a long-range RFID reader capable of stealing card information from up to three feet away. You can find more information on this project here: https://youtu.be/qmfoKpEZPLM

RFID Spoofing

RFID spoofing involves sending a forged RFID signal to the reader to trick it into granting access. This can be done using tools like the Proxmark3 or custom-built hardware and software.

Example: In 2008, researchers Chris Paget and Karsten Nohl presented their findings on “Ghost and Leech: A Framework for RFID Security” at the Chaos Communication Congress. Their work demonstrated how an attacker could intercept and replay RFID communications to bypass security. You can find their presentation here: https://youtu.be/5cPb8Yx3qtc

Access Control Systems Bypass

Access control systems are designed to regulate who can enter a facility, often using a combination of electronic and physical security measures. In this section, we’ll discuss various techniques for bypassing access control systems, including credential forgery, door unlocking, and network-based attacks.

Credential Forgery

Forging access credentials, such as ID cards or badges, can be an effective way to bypass access control systems. This may involve creating a counterfeit card with the necessary authentication data, or altering an existing card to provide elevated access.

Example: In 2013, security researcher Brad Antoniewicz demonstrated how he could forge HID cards, a popular access control technology, using off-the-shelf hardware and software. You can find more details on his work here: https://youtu.be/5QC5r5rIyJY

Door Unlocking Techniques

There are several ways to physically unlock doors without using a key or RFID card, including:

Under-the-Door Tools

An under-the-door tool is a slim, flexible device that can be slipped beneath a door to manipulate the handle or latch from the inside. This technique is particularly effective on doors with lever-style handles.

Bypassing Electric Strikes

Electric strikes are commonly used in access control systems to secure doors. However, they can often be bypassed using simple tools, like a flathead screwdriver, to apply pressure to the strike and force it to release.

Network-Based Attacks

As access control systems become more integrated with networked infrastructure, they become vulnerable to network-based attacks. This may involve exploiting vulnerabilities in the system’s software, intercepting communication between components, or gaining unauthorized access to the system’s database.

Example: In 2016, researchers Eric Evenchick and Zach Banks demonstrated how they could exploit vulnerabilities in a popular access control system to unlock doors remotely. You can find more information on their work here: https://youtu.be/2nYsfoIYAdw

Social Engineering in Physical Security

Social engineering involves manipulating individuals into divulging information or performing actions that compromise security. In the context of physical security, this can include posing as a trusted individual to gain access to restricted areas or tricking employees into revealing sensitive information.

Pretexting

Pretexting involves creating a believable story or scenario to justify a request for access or information. This may involve impersonating a contractor, employee, or other trusted individual.

Example: In 2016, security consultant Chris Hadnagy shared his experiences in social engineering during the DEF CON 24 conference. His talk provides numerous examples of successful pretexting techniques: https://youtu.be/1eT0T9XxLRs

Phishing and Vishing

Phishing involves using email or other electronic communication to trick individuals into revealing sensitive information or performing actions that compromise security. Vishing is the voice equivalent, using phone calls or voice messages to achieve the same goal.

Tailgating and Piggybacking

Tailgating involves following closely behind an authorized individual as they enter a secure area, exploiting their access to bypass security measures. Piggybacking is a similar concept, but involves the attacker gaining access by convincing the authorized individual to let them in, often by feigning forgetfulness or a lack of credentials.

Mechanical and Electronic Tailgate Detection

To counter tailgating and piggybacking, organizations may employ mechanical or electronic tailgate detection systems. Mechanical systems use barriers, such as turnstiles, to physically prevent unauthorized entry. Electronic systems use sensors or cameras to detect unauthorized entry and trigger alarms or alerts.

Bypassing Tailgate Detection Systems

Tailgate detection systems can be vulnerable to various bypass techniques. For example, an attacker could time their entry to coincide with a large group of authorized individuals or use social engineering to gain access without triggering the system.
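On the defender’s side, most of the bypasses described in the RFID and access control sections leave a trace in the access-control server’s event log. As an added example that is not part of the original article, the script below runs three checks over a constructed badge log: a badge granted at two readers faster than anyone could walk between them (a cloned RFID credential in use by two people), a badge-out at an exit reader with no matching badge-in (a tailgater who never badged), and a door-forced-open event from the door contact with no recent grant at that door (a shim, an under-the-door tool or a pried electric strike). The log lines, reader names, walking times and thresholds are all constructed for illustration; a real deployment would take them from the site layout and the controller’s event export.

```python
"""Badge-log triage for cloned credentials, tailgating and forced doors.

Added example, not part of the original article. The log format, reader
names, walking times and thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <badge> <reader> <event>"
# event is GRANT, DENY, or FORCED (door contact opened without a release).
SAMPLE_LOG = """\
2024-03-04T08:01:10 B1001 LOBBY-IN GRANT
2024-03-04T08:01:40 B1002 LOBBY-IN GRANT
2024-03-04T08:02:05 B1001 LAB-IN GRANT
2024-03-04T08:02:30 B1001 WAREHOUSE-IN GRANT
2024-03-04T08:15:00 B2001 LAB-IN DENY
2024-03-04T08:15:04 - LAB-IN FORCED
2024-03-04T12:30:00 B1003 LOBBY-OUT GRANT
"""

# Minimum walking time between reader pairs (constructed site layout).
# A badge granted at both ends faster than this is probably cloned.
MIN_TRAVEL = {
    frozenset({"LOBBY-IN", "LAB-IN"}): timedelta(seconds=30),
    frozenset({"LOBBY-IN", "WAREHOUSE-IN"}): timedelta(minutes=5),
    frozenset({"LAB-IN", "WAREHOUSE-IN"}): timedelta(minutes=5),
}
ENTRY_READERS = {"LOBBY-IN"}
EXIT_READERS = {"LOBBY-OUT"}
# A FORCED event this soon after a GRANT is just a door held open, not a bypass.
FORCED_GRACE = timedelta(seconds=10)


def parse(log):
    """Parse log text into (timestamp, badge, reader, event) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, badge, reader, event = line.split()
        events.append((datetime.fromisoformat(ts), badge, reader, event))
    return sorted(events)


def impossible_travel(events):
    """Same badge granted at two readers faster than the walking time between them."""
    last = {}  # badge -> (timestamp, reader) of its most recent grant
    alerts = []
    for ts, badge, reader, event in events:
        if event != "GRANT":
            continue
        if badge in last:
            prev_ts, prev_reader = last[badge]
            limit = MIN_TRAVEL.get(frozenset({prev_reader, reader}))
            if limit and ts - prev_ts < limit:
                alerts.append((badge, prev_reader, reader))
        last[badge] = (ts, reader)
    return alerts


def passback_violations(events):
    """Badge-out with no preceding badge-in: the holder entered without badging."""
    inside = set()
    alerts = []
    for ts, badge, reader, event in events:
        if event != "GRANT":
            continue
        if reader in ENTRY_READERS:
            inside.add(badge)
        elif reader in EXIT_READERS:
            if badge not in inside:
                alerts.append(badge)
            inside.discard(badge)
    return alerts


def forced_doors(events):
    """Door contact opened with no grant at that door inside the grace window."""
    last_grant = {}  # reader -> timestamp of its most recent grant
    alerts = []
    for ts, badge, reader, event in events:
        if event == "GRANT":
            last_grant[reader] = ts
        elif event == "FORCED":
            prev = last_grant.get(reader)
            if prev is None or ts - prev > FORCED_GRACE:
                alerts.append(reader)
    return alerts


def triage(log):
    """Run all three checks and return the findings keyed by bypass pattern."""
    events = parse(log)
    return {
        "cloned": impossible_travel(events),
        "tailgating": passback_violations(events),
        "forced": forced_doors(events),
    }


if __name__ == "__main__":
    for pattern, hits in triage(SAMPLE_LOG).items():
        print(f"{pattern}: {hits}")
```

The walking-time table is the part that needs real site knowledge: set it too tight and every fast walker becomes a clone alert, too loose and a cloned card used in adjacent rooms goes unnoticed. The anti-passback check assumes the facility has both entry and exit readers; a site with exit buttons instead of readers cannot see tailgaters this way and has to rely on the turnstile or camera systems described above.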

Bypassing Surveillance Systems

Surveillance systems, such as CCTV cameras and motion detectors, play a crucial role in physical security. In this section, we’ll discuss techniques for evading or bypassing these systems, including blind spots, infrared light, and jamming.

Exploiting Blind Spots

Surveillance cameras often have blind spots where their field of view is limited or obstructed. By studying the camera’s positioning and coverage, an attacker can exploit these blind spots to avoid detection.

Infrared Light

Some surveillance cameras are sensitive to infrared (IR) light, which is invisible to the human eye. By shining a powerful IR light source, such as an IR LED or flashlight, at the camera, an attacker can potentially blind the camera and avoid detection.

Jamming

Surveillance systems that rely on wireless communication can be vulnerable to jamming, where an attacker floods the system with noise or interference to disrupt its operation. This can be achieved using off-the-shelf hardware, such as a software-defined radio (SDR) or a dedicated jamming device.

Example: At the DEF CON 22 conference, security researcher Michael Ossmann demonstrated how he could jam wireless surveillance systems using a low-cost SDR. You can find more information on his work here: https://youtu.be/_zZQvDntiuE

Vehicle Barrier Systems Bypass Techniques

Vehicle barrier systems are designed to prevent unauthorized vehicles from entering secure areas. In this section, we’ll discuss techniques for bypassing these systems, including tailgating, ramping, and using decoy vehicles.

Tailgating

Similar to tailgating in pedestrian access control, tailgating a vehicle involves closely following an authorized vehicle as it passes through the barrier system. This can be accomplished by closely timing the attacker’s entry or using a modified vehicle with a low-profile or retractable bumper.

Ramping

Ramping involves using a vehicle with a modified or reinforced suspension to drive over or through a barrier system. This can be achieved using off-road vehicles or custom-built ramps designed to overcome specific barrier types.

Decoy Vehicles

Decoy vehicles can be used to distract or confuse security personnel, allowing the attacker to bypass the barrier system unnoticed. This may involve using a vehicle that closely resembles an authorized vehicle or creating a diversion that draws attention away from the attacker’s entry.

Real-World Examples

Throughout this article, we have discussed various physical security bypass techniques and provided examples from real-world scenarios. To reiterate the importance and effectiveness of these techniques, let’s review some notable cases:

The Stuxnet Attack (2010)

The Stuxnet worm, which targeted Iranian nuclear facilities, reportedly gained access to the secure facilities through an infected USB drive. This demonstrates the effectiveness of combining physical and digital attacks to compromise high-security environments.

The Great Train Robbery (1963)

The Great Train Robbery involved a group of criminals who stopped a Royal Mail train carrying millions of pounds by tampering with the trackside signaling system. This historical example highlights the importance of securing infrastructure and the potential for attackers to exploit physical vulnerabilities.

The Hatton Garden Heist (2015)

The Hatton Garden heist, one of the largest in British history, saw a group of thieves bypass multiple layers of physical security, including a heavy vault door and metal shutters, to steal millions in cash and jewels. This case underscores the need for comprehensive and multi-layered physical security measures.

Conclusion

Physical security bypass techniques play a critical role in red teaming and penetration testing, allowing security professionals to assess the effectiveness of existing measures and identify potential vulnerabilities. By understanding and mastering these techniques, red teamers can help organizations strengthen their defenses and protect against real-world threats.

From lock picking and key duplication to RFID exploitation and social engineering, the techniques covered in this article provide a comprehensive overview of the many ways attackers can bypass physical security measures. With ongoing advances in technology and ever-evolving threats, it is essential for security professionals to stay up-to-date with the latest bypass techniques and countermeasures to ensure the continued protection of their organizations’ assets and facilities.

The importance of physical security in the overall security posture of an organization cannot be overstated. By understanding the techniques and methods used by attackers to bypass these measures, security professionals can better design, implement, and maintain effective defenses, creating a safer and more secure environment for all.