War Story: The Key

Assessment Type: Covert Physical Security Assessment (Onsite)
Target Type: Corporate Financial Institute

Assessment Background

When performing red team engagements that include physical and onsite social engineering components, our ability to piggyback/tailgate into target buildings and sensitive areas has an extremely high success rate. Walking in a confident manner and going through the motions of “badging in” is simple enough to blend in, and most employees will pay little attention to the badge reader’s “error” beep, or to the red light triggered by reading invalid credentials.
To the unaware, you can easily pass as an authentic employee as long as you look the part and appear to have a legitimate badge, especially at a facility with a large employee body.
(Note: If you want to go the extra mile, you can even play the Proxmark authentication sound from your phone as you badge in.)

When only a single point of entry is available, it is often inevitable that you will encounter a security guard, an administrative check-in station, or a turnstile. If an area with only a guard is unavoidable, I will wait for that guard to become engaged in conversation with another employee, receive a phone call, sign for a delivery, or become distracted in some other way. In my experience, a commercial security guard will also pay little attention to the color of the light or the “error” alarm from a proximity badge reader while they are occupied, as long as there is foot traffic through the access control(s).

In one particular assessment, we found ourselves in a similar scenario. The only point of entry was the front door, beyond the security guard. With my fake badge attached to my hip, eyes on my intended direction, and a smile on my face, I walked past the security guard as his attention was focused on the conversation he was having with a few visitors. To his credit, he glanced up at me as I walked by. I just nodded and casually flashed my badge. He smiled and let me continue. Access granted.
Now for the fun stuff.

On-site Covert Physical Security Assessment

Once inside the facility, I was able to make my way up and down the emergency exit stairwell to survey each floor. This also afforded me the opportunity to come and go as I pleased, since the emergency exit doors did not require a badge to access each floor. Those doors also had other easily exploitable vulnerabilities, such as an accessible crash bar on the inside and an easily pickable tumbler lock on the exterior. There were only four floors, so a quick survey and a look at the emergency exit / floor layouts, neatly displayed by each door, didn’t take long.

After about an hour of walking around, taking photos for evidence of issues/vulnerabilities, picking simple locks on office doors and shredder bins, and practicing the ancient art of “dumpster diving”, I was able to gather quite a bit of sensitive data (some of which included hard drives scheduled to be scrubbed, and scans of driver licenses and social security cards). I had also found some unracked servers containing hard drives, resting against an unoccupied push cart. In addition to the physical artifacts, I successfully used the good ol’ “under-the-door” tool to bypass a lever handle door which led to the IT department and, fortunately for me, the data center.

My plan of attempting initial entry around lunch time was a great decision, as most of the employees in the IT Department (outside of the data center area) were on their lunch breaks out of the office. This granted me an undisturbed opportunity to examine the lock on the actual data center door and the electronic access controls in place. This particular door required an employee PIN and badge. It may have been possible to bypass the low frequency badge reader; however, with the two-factor authentication, an uncertain amount of time, and fear that any efforts to brute force a PIN and/or legitimate badge might alert any access log monitoring, I had to get creative. I remembered that a few doors in the office were equipped with motion sensors on the opposite sides of the doors for employees exiting the area, so I gave the classic “envelope under the door” trick a try. This is where you slide an envelope under the door through the gap as fast as you can, in the hope of tripping the sensor. I figured that either an employee would be on the other side to check it out (and thus open the door and give me the opportunity to lie directly to their face) or the sensor could have a pretty big range and possibly allow the door to open for me.

Did I get lucky with the envelope? No. It is an old trick for older, improperly configured motion-based REX sensors that do not require a temperature fluctuation along with the motion before they will trigger. We don’t really see those around anymore, so this particular bypass is moot at this point. So, I resorted to using lock picks again. Score! I was able to bypass the electronic access controls by simply unlocking the door’s mechanical lock.

While in the data center, I not only had access to the backups, servers, switches, laptops and a treasure trove of data, but I also found a box labeled “remote employee VPN devices and handbook.” This was it, the “gold!” Did I need to do anything more? There are limitations that are discussed with the client during the “Rules of Engagement” review and kick-off call. It is important that you stay within those boundaries, and it just so happened that this particular client did not want us to connect to their network during this part of the assessment (which was unfortunate, because I later discovered that DHCP was enabled on the core switch, with no filtering). The primary goal was to replicate an unauthorized user and gain access to sensitive areas and data. Hadn’t I already proven the vulnerabilities in security controls and culture? Usually, once we’ve gained access and collected enough evidence, it is game over. But I wanted to push myself further.

Earlier in this assessment I had discovered that the Security Control Room was downstairs. How did I know it was the Security Control Room? It was engraved on a fancy plate outside of the door. Brent and I often find that these rooms are where keys, badge makers, security systems, etc. are kept. They always seem to be in similar locations. How very helpful. This door did not have a lever handle or badge control. Instead, it had a plain rounded door handle with an upside-down lock core. A few factors would slow down picking the lock, and the area was heavily congested. The biggest hurdle was that this door was near the employee break area and delivery entrance, which meant that traffic was getting pretty heavy thanks to lunch time coming to an end. I really wanted to get into this area, so I decided to push the assessment even further and made my way back to the lobby with a random key in hand. If you’ve heard us speak or read some of my other publications, you’ll recognize this trick: I went straight up to the security guard to see just how lucky I would be. I had done something similar in the past with security guards, by simply handing over some bump keys I had in my pocket.

“Sorry to bug you, but I am doing key inventory and John from facility services had given me this key for the Security Control Room, but it doesn’t appear to be working. He said that you should have one I could use for a minute. I promise to bring it right back,” I said as I stood in front of the guard’s desk, smiling and gently tapping the random key on the table.

The security guard raised their eyebrow, and for a moment I thought I had blown my cover, or perhaps overstepped in my attempt to exploit them. They paused for a moment longer, smiled, placed their hand in their pocket and pulled out a key chain with a handful of keys on it. “Well, I suppose, but you better bring my keys back, or I am going to hunt you down.” They laughed. I laughed. It was a good time. I assured them I would bring their keys back as soon as I was finished. I disengaged and made my way back down to the door, unlocked it and locked it again once inside.

This room had more goodies than I could’ve imagined. I felt like I had won a competition or something. THIS was the real “golden key”.

The Security Control Room contained access to the security cameras and security system, a badge maker, access logs, security staff files and, just what I was looking for, a key box. We often see this kind of box in security areas, and it is full of goodies. This box was made out of aluminum and had a generic lock that was easily bypassed (I wanted to try to bypass it, even though I had the guard’s keychain). It had a beautiful key spreadsheet on the inside of the door and several keys hanging in it. There were keys to company vehicles, wiring closets, rooms and cabinets, elevators and much more. The key that caught my eye was one labeled “Facility 2 – Server Rm.” I had agreed not to take anything outside of the facility, so I couldn’t take the key with me. So I took a few pictures of the key bitting, and the idea came to me: I would take several pictures of the key and attempt to replicate it later that night at my hotel. Note: There are some great field impression kits for replication, and mobile applications that can take some solid guesses at bittings via a photo.

After leaving the facility, some co-workers and I made our way to the nearest Lowe’s and purchased a few blank #69 keys (the same type the server room had) and some metal files. We went back to the hotel and each took turns trying to replicate the key. How did we do this? We took my hotel key card and cut it in the shape of the blank #69 with an X-Acto knife and file to get it as close as possible to the image on the smartphone (the zoom option is very handy in this kind of instance). Once the hotel key card was in the shape we were pleased with, I took a fine tip marker and filled in the gaps between each bitting on the key, on the blank #69. My co-workers followed suit. Now it was time to start filing and cleaning up for detail. What was the end result? A nice-looking replica that fit perfectly over the adjusted image of the key! Seriously? Did we really just copy a key via photo and elbow grease? Yes. Yes we did.

The next day, we were able to compare the replica to the real key, and the client would not let us leave with the duplicate. Lowe’s couldn’t have made a better replica!

Lessons Learned / How do companies prevent this?

So, what do we learn from this war story?

  • If you know me, have heard any of our talks, or have read any previous war stories, you know that we enjoy targeting security guards. Why? Because they usually hold the keys to the kingdom, and once you’ve established a rapport with them, you no longer have to worry about pesky inquiries as to who you are or what you are doing. There have been far too many times where we have been able to simply sway the guard into handing over their keys. But there is another reason: many security guards are willing to help an “auditor” or someone from “corporate” doing inventory. How do I know this? I have used similar guises several different times without compromising my cover.
  • Tell your guards to stop being so trusting and to NEVER hand their keys over to a random “employee” who just so happens to mention other employee names. Guards are one of the first layers of security, but too many companies depend on them to be the primary eyes and ears, when the whole employee body should be several eyes and ears.
  • Employees rarely pay attention to badge detail or authentication. Warn your employees of the dangers of tailgating, and tell them not to get into the habit of holding the door open for people who do not badge in.
  • You can, in fact, duplicate a basic tumbler key via a photo or impression.
  • Don’t forget about the hard locks on doors and cabinets leading to restricted and sensitive areas.
  • It doesn’t matter how great your electronic controls are, if you can bypass them via a poor physical lock.
  • Make sure that your guards are alert and aware – guard work can get boring, which invites distractions (phone, Internet, conversation etc.). Make sure that the guards understand their roles and responsibilities.
  • Always double check and never be afraid to validate the identity of someone.
  • Someone doesn’t have a legitimate badge visible or isn’t escorted? Escalate.
  • Did someone piggyback? Ask them to badge in and verify a successful result.
  • Provide robust security awareness training – Again, a good security culture, social engineering countermeasures and enforced standards can prevent a potentially dangerous and damaging compromise. When it comes to physical security, it is more than information that could be at stake.
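Two of the failure modes above leave traces in access-control logs even when nobody on the floor notices: a door that opens with no preceding valid badge (the data center door picked open around its electronic controls) and a run of denied reads at one reader (the ignored “error” beep). The following is an added example, not code from the original post, that correlates a small constructed event feed to surface both; the event names, fields and thresholds are assumptions, and real PACS exports will differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real data): timestamp, door, event, badge id.
# A blank badge field means the event carries no credential (door contact).
EVENTS = """\
2024-05-01T12:02:10,DataCenter,ACCESS_DENIED,0000
2024-05-01T12:02:14,DataCenter,ACCESS_DENIED,0000
2024-05-01T12:02:19,DataCenter,ACCESS_DENIED,0000
2024-05-01T12:05:40,DataCenter,DOOR_OPENED,
2024-05-01T12:30:00,Lobby,ACCESS_GRANTED,4412
2024-05-01T12:30:03,Lobby,DOOR_OPENED,
"""


def parse(feed):
    """Parse the CSV-style feed into (timestamp, door, event, badge) tuples, oldest first."""
    rows = []
    for line in feed.strip().splitlines():
        ts, door, event, badge = line.split(",")
        rows.append((datetime.fromisoformat(ts), door, event, badge))
    return sorted(rows)  # correlation below assumes chronological order


def find_bypass(events, grace=timedelta(seconds=10)):
    """DOOR_OPENED with no ACCESS_GRANTED or REX on that door inside `grace`:
    the door was opened around the electronic controls (picked, forced, propped)."""
    last_grant = {}
    alerts = []
    for ts, door, event, _badge in events:
        if event in ("ACCESS_GRANTED", "REX"):
            last_grant[door] = ts
        elif event == "DOOR_OPENED":
            granted = last_grant.get(door)
            if granted is None or ts - granted > grace:
                alerts.append((ts, door))
    return alerts


def find_denied_runs(events, threshold=3, window=timedelta(seconds=60)):
    """`threshold` or more ACCESS_DENIED at one door within `window`:
    repeated invalid credentials that a nearby guard or employee may have tuned out."""
    recent = defaultdict(list)
    alerts = []
    for ts, door, event, _badge in events:
        if event != "ACCESS_DENIED":
            continue
        hits = recent[door]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.pop(0)  # drop denials that fell outside the sliding window
        if len(hits) >= threshold:
            alerts.append((ts, door, len(hits)))
    return alerts
```

Both checks are meant to run over the controller's own event export, so a mechanical bypass of a badge-plus-PIN door still produces an alert from the door contact even though no credential was ever presented.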

You don’t have to be paranoid, but in an age of rising hacktivism and terrorism, skepticism and awareness are traits every employee should have. Hackers do not care how hardened your network is if they can just walk in and ask for the keys to the building.
