In early 2011, ten servers disappeared from the regional authority offices in Bad Hersfeld, Germany, along with (among other things) data belonging to the vehicle registration office. People were very surprised. After all, when you think of data theft, this is not typically what springs to mind. The culprits did not need to hack the network, because the people in charge had just ignored the issue of physical security.
Searching for vulnerabilities in the scope of penetration testing is a typical approach to improving the security of IT systems. One of the principles of a pentest is that the testers act like genuine hackers. This approach can cause a couple of problems, however. Although the system owners are not typically worried about a pentester's digital activities, they are unlikely to want a smashed window or door to simulate a physical attack. The result is that physical security is only checked by reference to checklists and best practices, not with actual penetration tests.
Even if the pentesters use only non-destructive methods, however, you might be surprised how far they get. In many cases, they can access what are considered to be secure rooms within just a couple of minutes. Many of the techniques used in the process are very simple, and this article will look at two of them.
Wireless Signals and Patch Cables
The first example is a classic case, and it relates to RFID-based access controls and other wireless technologies. How can an attacker get through doors secured in this way? Many people would start thinking about attacking the wireless interface, and some attacks of this kind have become public in recent years. In some cases, attackers have succeeded in sniffing and copying the transponders; in others, the original transponder opened the doors although it was nowhere near the building. Instead, the signals were forwarded via some other medium – such as cellular radio – with one attacker somewhere near the original transponder and another near the target door.
These types of attacks are technically complex, and attackers often have a much easier job. Often, the only thing keeping a door closed is the latch, a tiny piece of metal that is pressed into the frame by spring force. This latch is no problem for someone with experience – in fact, all you need is a piece of bent metal (Figure 1) or just a bent wire, known as a pick needle (Figure 2), and the door is open. In practical conditions, this process takes just a couple of seconds and is very difficult to identify on surveillance cameras.
But what about outside doors? At least they are locked at night – or are they? Many of these doors are emergency exits: In other words, they need to open quickly and easily in an emergency. Often, pressing the handle doesn't just activate the latch, but it also draws back the bolt on the locked door. In this case, an attacker needs a door handle catch (Figure 3). A piece of wire, bent in the right way, is pushed under the door from the outside and slots over the door handle on the inside. The intruder then pulls a cable on the outside, and the door is open.
Intruders use a similar approach with other emergency door mechanisms. In some places, and especially in the US, emergency exits are fitted with horizontal crash bars that work pretty much like a door handle, except a person just needs to run into the bar to open the door. This mechanism is useful in panic situations; needless to say, you can open this kind of door from the outside, too.
Sure, It's Locked
What is the attacker's target? Maybe they want to break into the server room. Let's hope they encounter a robust door when they try, one that makes it difficult to gain access. Many people believe that a locked door will keep an intruder out, but – unfortunately – this is not totally true. Although most stakeholders will assure you that they always keep their server room doors locked, pentesters continually discover that the doors are simply closed but not locked.
Another problem that pentesters often encounter is that people think the server room doors don't have an emergency exit feature. But, this is only true until you install a fire extinguisher system. Once you install a gas-based extinguisher system, an emergency exit must be fitted, and again a door handle catch will serve an intruder in good stead.
But, why assume that the attacker even wants to get into the server room? Once an intruder has gained access, unnoticed and without damaging anything, it will often make more sense to sit down at a desktop. With insider knowledge, or by following signs such as door labels, worthwhile desktops are easy to find. In many cases, the intruder can find sensitive data just lying around – or discover the legendary post-it note with a password written on it. But, even if the intruder doesn't find such information, he or she can install a keylogger to record the user's input.
Some keyloggers take the form of small adapters that you can install between the keyboard and the PC (Figure 4). They are invisible to antivirus scanners and difficult to tell apart from bona fide IT hardware, even for experts. Who crawls under their desk every day to check the connectors on the back of the computer? And if they do, would they know a keylogger when they saw one?
On the occasion of a second "visit," the intruder can normally log in to the compromised PC and access the server from there. The keylogger knows the passwords, assuming the regular user logged in between the intruder's visits. Additionally, security considerations should not be restricted to the immediate workplace. Important documents and laptops may not be on the company's premises but somewhere in a hotel where exactly the same problems exist. Most hotel room doors are fitted with an emergency exit feature.
Just by using the methods I have mentioned thus far, attackers can make considerable progress through a building. They only need to follow the emergency routes back out. A critical problem here is that people tend not to notice that important items are being removed. Just like digital-only attacks, there are no obvious traces, and this is precisely what makes non-destructive intrusion so dangerous.
How can you protect yourself? Although you might be able to remove the emergency exit mechanism from some doors in a fire protection environment, this method is not typically going to work. If a door isn't used on an everyday basis – like an emergency exit that leads outdoors – an acoustic alarm, like the ones installed in most stores, will be a big help. Of course, you need to raise staff awareness to ensure that alerts are investigated immediately.
Without relaying the signal to an alert center, a permanent audible signal isn't going to help much. If the building isn't occupied at certain times, your only option is an alert center with alert tracking. Although this measure will not prevent a break-in, it will register the event, and it massively restricts intruders' options by reducing the time until the guards or police arrive on the scene.
If you have an alert tracking system, you should test it at regular intervals. Even qualified service providers can make mistakes. Although one of our pentesters was caught "red-handed" by the security guards on a customer's premises, no signs of a break-in were found and nothing physical was stolen, so the guard did not inform the customer. Even if staff members notice a stranger inside a building, they may not respond correctly. Most attackers will have a story to cover precisely this event, whereas the employee is taken by surprise.
If an intruder is accosted, he might say, "Good to see that you noticed. We're currently helping the management test whether strangers are discovered in the building and whether staff ask them what's going on. Can I make a note of your name so that I can mention you in my report? And please, keep the test a secret so that we can go on testing."
Classic social engineering. And, if you really are doing a pentest, you don't even need to lie. At the same time, employees think that they might be rewarded for their cooperation and, finally, the attacker is exerting subtle pressure. Non-cooperation might cause a problem: The test the management wants done might have to be abandoned. This simple example shows the importance of training your staff how to behave in this kind of scenario. The use of alert centers in particular leads to many attacks occurring during business hours.
Every administrator should question and test their security measures at regular intervals. Are the doors really locked? Are the network sockets in the meeting rooms really not patched? Is the surveillance camera outside of the building on a separate network? And, do the guards actually arrive when an alarm is triggered? A professional alert center service provider will not object to your running tests without prior notice, as long as you have talked about the coverage of costs up front.
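One way to check the results of such an unannounced test is to compare the door-contact log with the alert center's records, so that every opening of a monitored emergency exit is traced through the whole response chain: alarm relayed, guard on site in time, customer informed. The following sketch is an added example, not part of the original article; the record formats, door names, and time limits are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: door-contact openings on monitored emergency exits.
DOOR_EVENTS = [
    {"door": "exit-north", "opened": "2024-03-02 23:14"},
    {"door": "exit-yard", "opened": "2024-03-05 14:02"},
    {"door": "exit-north", "opened": "2024-03-09 02:40"},
]
# Constructed sample data: what the alert center recorded for each relayed alarm.
ALERT_CENTER = [
    {"door": "exit-north", "received": "2024-03-02 23:14",
     "guard_on_site": "2024-03-02 23:31", "customer_informed": False},
    {"door": "exit-north", "received": "2024-03-09 02:41",
     "guard_on_site": "2024-03-09 03:25", "customer_informed": True},
]
MAX_RELAY = timedelta(minutes=2)      # assumed: alarm must reach the center this fast
MAX_RESPONSE = timedelta(minutes=20)  # assumed: agreed guard arrival time

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def audit(door_events, alerts):
    """Return (door, opened, finding) for every opening with a broken response chain."""
    findings, used = [], set()
    for ev in door_events:
        opened = ts(ev["opened"])
        # Pair the opening with the first unused alert for that door inside the relay window.
        match = next((i for i, a in enumerate(alerts)
                      if i not in used and a["door"] == ev["door"]
                      and timedelta(0) <= ts(a["received"]) - opened <= MAX_RELAY), None)
        if match is None:
            findings.append((ev["door"], ev["opened"], "alarm never reached alert center"))
            continue
        used.add(match)
        alert = alerts[match]
        arrived = alert.get("guard_on_site")
        if arrived is None:
            findings.append((ev["door"], ev["opened"], "no guard dispatched"))
        elif ts(arrived) - opened > MAX_RESPONSE:
            findings.append((ev["door"], ev["opened"], "guard arrived too late"))
        # A guard who shows up but reports nothing leaves the owner unaware of the event.
        if not alert["customer_informed"]:
            findings.append((ev["door"], ev["opened"], "customer not informed"))
    return findings

if __name__ == "__main__":
    for finding in audit(DOOR_EVENTS, ALERT_CENTER):
        print(*finding, sep=" | ")
```

The daytime opening of the yard exit in the sample data shows why the check should not be limited to hours when the building is empty.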
Standard practices from the digital world can often be applied to physical security. Nobody needs a demilitarized zone if they can be sure that intruders cannot access a specific server. So, it's high time to apply well-known security concepts to your physical security. In many cases, you just need to consider what would happen if an attacker could access a certain workplace, and thus the network, for ten minutes, and consider the consequences.