Top Three Ways I Broke into Your Company: Physical Penetration Test Examples

In this blog we will cover the top three ways that we break into a building when performing a physical penetration test. For more information on physical penetration tests, and the questions they answer, start here. This will include some realistic physical penetration test examples you can expect if you were to be tested, such as tailgating, RFID cloning, and lock bypassing. Let’s dive in.

Physical Penetration Test Examples: Tailgating

The first, and by far the most common, way to break into a building is through tailgating. Tailgating can take on many different forms; however, in its most basic form it involves having an authorized user open the door for an unauthorized user to enter. You may be thinking, “My employees wouldn’t just blindly open a door for someone they don’t know.” Well, you would be surprised, because there are very few cases where tailgating has not worked, mostly because it is usually more sophisticated than just standing outside asking for someone to open the door. Here are a few physical penetration test examples that involve tailgating and that may give you some insight into how it is possible.

  1. After scouting for a while, the attack team will find out which door employees use most often, what their typical attire is, and whether they hold the door for other employees walking in. Then the attack team will make their move. Dressed like an average employee, carrying a box in one hand and pretending to be on the phone with the other, the attack team will make their way to the target door at a high-traffic time, such as lunch. Then, when an employee is leaving, the attacker will either walk right in or ask them to hold the door, all while pretending to be on the phone. This tactic has been used on multiple engagements, and very rarely results in questions or suspicion.
  2. Another form of tailgating can be conducted without the employee ever knowing they opened the door for the attacker. As part of their recon, the attack team will time the doors in the building, measuring how long it takes them to swing closed. If that time is long enough, they can hide in a concealed location, listen for the door to open, and grab the door before it closes.
  3. The third way to tailgate is to focus on vendors. A common way in is to wait for the cleaning crew to come by in the evening. Do they prop the door open? Will they let someone in if asked? After-hours attempts are often overlooked by organizational security teams and can lead to full access to the facility unchallenged.

How to Protect Against Tailgating

The best way to protect against tailgating is to train your employees to prevent someone from tailgating them, including making sure the door closes behind them. Equally important is to encourage employees to challenge anyone who is not wearing a proper employee badge. Make sure your employee badges are easily recognizable and that all employees wear them visibly at all times. Another way to prevent tailgating, for smaller organizations, is to require all employees to use the main entrance and have a receptionist guard the workspace. Finally, if you have the resources, use monitored video surveillance as another line of defense.

Physical Penetration Test Examples: RFID Cloner

The second common method to break into a facility involves an RFID cloner. For a relatively low cost (under $1,000), an attacker can purchase the parts and assemble a Radio Frequency Identification (RFID) cloner. This cloner, pictured below, can be concealed in a laptop bag, and the attacker will walk around the public areas (lobby, outside the entrance, nearby coffee shop) carrying the cloner. When the attacker gets close enough to an employee’s badge (approximately 24″), the cloner will read and save the employee’s badge. At that point the attacker can clone that badge onto another one and badge into your offices like any other employee.

An RFID Cloner can be concealed in a laptop bag, and be used to steal employee badges as they walk by.

How to protect against RFID Cloning

The best way to protect against RFID cloning is to utilize multi-factor authentication. Multi-factor authentication is a combination of at least two of the following:

  1. Something you know (in most cases this is a password, but for physical protection this can be a PIN that the employee has to type in).
  2. Something you have (this would be their RFID badge).
  3. Something you are (such as a fingerprint, checked by a scanner).

This protects against RFID cloning because, even if an attacker has a copy of the badge, they won’t know the PIN or won’t have the fingerprint. As a final thought, ensure that security staff are alerted when someone enters an incorrect PIN multiple times.
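Two of the defensive recommendations above translate directly into alerting rules over access-control logs: the tailgating section asks you to make sure doors close behind employees, and the RFID section asks for an alert when a PIN is entered incorrectly multiple times. The following script is an added example, not code from the original post; it assumes a constructed CSV-style event format (timestamp, door, badge, event type) and constructed sample lines, since the post does not show any real controller output. It flags a badge once it crosses a failure threshold inside a time window (reset by a successful PIN), and flags any door that stays open longer than a configured number of seconds.

```python
"""Offline analysis of constructed access-control events: alert on repeated
incorrect PIN entries and on doors held open long enough for a tailgater."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real controller output). Assumed format:
# ISO timestamp, door name, badge id, event kind
SAMPLE_LOG = """\
2024-03-01T08:01:10,lobby-north,BADGE-1042,DOOR_OPEN
2024-03-01T08:01:14,lobby-north,BADGE-1042,DOOR_CLOSE
2024-03-01T12:05:00,lobby-north,BADGE-2210,DOOR_OPEN
2024-03-01T12:05:41,lobby-north,BADGE-2210,DOOR_CLOSE
2024-03-01T19:30:02,loading-dock,BADGE-3001,PIN_FAIL
2024-03-01T19:30:20,loading-dock,BADGE-3001,PIN_FAIL
2024-03-01T19:30:45,loading-dock,BADGE-3001,PIN_FAIL
2024-03-01T19:31:10,loading-dock,BADGE-3001,PIN_FAIL
2024-03-01T09:15:00,lobby-south,BADGE-1777,PIN_FAIL
2024-03-01T09:15:30,lobby-south,BADGE-1777,PIN_OK
"""


def parse_events(text):
    """Parse the CSV-style lines into dicts sorted by timestamp; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, door, badge, kind = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "door": door,
                       "badge": badge, "kind": kind})
    events.sort(key=lambda e: e["ts"])
    return events


def pin_failure_alerts(events, threshold=3, window_seconds=300):
    """Alert once per badge when `threshold` PIN failures fall inside `window_seconds`.
    A successful PIN entry clears that badge's failure history and re-arms the alert."""
    recent = defaultdict(deque)   # badge -> timestamps of recent failures
    alerted = set()
    alerts = []
    for e in events:
        q = recent[e["badge"]]
        if e["kind"] == "PIN_OK":
            q.clear()
            alerted.discard(e["badge"])
            continue
        if e["kind"] != "PIN_FAIL":
            continue
        q.append(e["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and e["badge"] not in alerted:
            alerted.add(e["badge"])
            alerts.append((e["badge"], e["door"], len(q), e["ts"]))
    return alerts


def door_held_open_alerts(events, max_open_seconds=20):
    """Pair each DOOR_OPEN with the next DOOR_CLOSE on the same door and flag
    openings longer than `max_open_seconds` (a propped, grabbed or held door)."""
    open_since = {}
    alerts = []
    for e in events:
        if e["kind"] == "DOOR_OPEN":
            open_since[e["door"]] = e["ts"]
        elif e["kind"] == "DOOR_CLOSE" and e["door"] in open_since:
            opened_at = open_since.pop(e["door"])
            held = (e["ts"] - opened_at).total_seconds()
            if held > max_open_seconds:
                alerts.append((e["door"], held, opened_at))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for badge, door, count, ts in pin_failure_alerts(evs):
        print(f"ALERT: {count} PIN failures for {badge} at {door} by {ts}")
    for door, held, opened_at in door_held_open_alerts(evs):
        print(f"ALERT: {door} held open {held:.0f}s starting {opened_at}")
```

The thresholds are deliberately parameters: the door timing your own recon (or your own tester's) produces is the number to feed into `max_open_seconds`, and the PIN window should match whatever lockout the reader's own controller applies so the alert fires before the lockout silently masks the attempt.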

Physical Penetration Test Examples: Lock Bypassing

The third most common way an attacker will gain access to your organization is through lock bypassing. The most famous form of this is lock picking; however, most modern locks are designed to make that very difficult. But there are other ways to get past a lock without necessarily picking it. Here are some examples:

  1. In many organizations, the entrance is protected, but the exit is released by nothing more than a motion detector. Often, the motion sensor can be set off by shooting a can of compressed air through the crack of the door. If that doesn’t work, something can be waved under the door far enough to set off the motion detector.
  2. Sometimes the lock can be bypassed by inserting a credit card into the crack of the door, disengaging the latch. This can also be used in conjunction with a tailgating attack. A credit card can be taped to the inside of the door such that, when the door opens the credit card falls and covers the latch, preventing the door from locking.
  3. A third method, shown below, is using an under-the-door tool. If the gap at the bottom of the door is wide enough, the under-the-door tool can be slipped under the door and used to pull the handle from the inside, thereby bypassing the lock.
An under-the-door tool can be used to pull the handle on the inside of the door.

How to Protect Against Lock Bypass Attacks

First and foremost, all of the above-mentioned attacks require a gap between the door and the frame. Therefore, the best way to prevent these types of attacks is to ensure that none of the exterior doors have gaps wide enough to fit anything through. Additionally, ensure latches are covered with latch guards and that the entrances to your facility are protected with monitored video surveillance.