DISCLAIMER: This post is for informational purposes only and should not be used as a guide for illegal activities. Engaging in activities such as breaking and entering, hacking, stealing, or any other similar illegal activities is against the law, even if an individual or entity is made aware or consents to the activity. Consent does not absolve one of legal consequences. These actions can result in severe legal consequences, including fines and imprisonment. I strongly discourage any attempt to engage in these activities. Always respect the law and the rights of others.
Finding and exploiting real-world vulnerabilities
Physical penetration testing, often referred to as “physical pentesting,” is a cybersecurity assessment technique that evaluates the security of physical facilities, such as buildings, data centers, or other on-site assets. It exposes weaknesses in physical security by simulating real-world scenarios, identifying the vulnerabilities and risks that could compromise a company’s physical security.
Companies that spend a lot of resources and time securing their digital infrastructure but neglect physical security leave themselves open on a second front. No cybersecurity team can be resilient if a malicious actor can walk into a physical space, access private information, or steal company devices.
Here are some common tactics attackers take to exploit physical security.
Reconnaissance
90% of hacking is information gathering. Thanks to the modern internet, attackers have access to a wealth of information. To take advantage of it, they can use Open-Source Intelligence (OSINT) gathering, drawing on sources such as public records and social media sites.
From public records, attackers can obtain addresses, phone numbers, emails, and other personal information about an individual or entity. Social media sites such as Facebook or LinkedIn may hold critical information about an individual target:
- Their employer
- Their job
- Friends
- Family
- etc.
Social media and apps like Google Maps can also reveal details of a physical building. For example, photos from these platforms can provide information about the physical environment, such as the layout of a building, and about the work habits of employees. With enough information processed, a malicious actor is well armed to plan and carry out an attack.
Tailgating
With enough information to work from, attackers may not need “brute force” attacks to break into a building. If they have studied the work habits of employees, attackers can simply follow an employee in as they enter or leave work, or as they come back from a lunch break. This tactic is known as tailgating.
Sometimes it could just be a matter of asking someone inside the organization to let them in once they get close enough. If you look like you belong, then you belong. Combined with social engineering, they can put pressure on the employee and enter the building without much questioning.
From that point on, the attacker can try and gain access to restricted areas by pretending to be an authorized person.
Social engineering
If a malicious actor has enough information about a company, its campus, facilities, and employees, they can engage in social engineering. Social engineering is the act of persuading targets to take actions that lead to a security compromise. Its goal is to manipulate targets into giving up data or other personal information that can then be used to launch more sophisticated attacks.
When you really look into it, tailgating is an act of social engineering. Attackers will attempt to put pressure or otherwise psychologically manipulate their targets to allow them into a building.
Other forms of social engineering include:
- Phishing — Phishing emails or websites try to trick users into revealing personal information, such as passwords or credit card numbers.
- Pretexting — Attackers may pose as a trusted authority figure, such as a bank employee or a customer service representative, to gain the victim’s trust.
- Baiting — Attackers may leave malware-infected devices or USB drives in public places, hoping that someone will pick them up and plug them into their computer.
- Quid pro quo — Attackers may offer something of value, such as a gift card or a discount, in exchange for personal information.
- Scareware — Attackers may try to scare users into taking action, such as clicking on a link or downloading a file, by claiming that their computer is infected with malware.
Blackmailing
Finally, blackmail is similar to social engineering in that it relies on psychological manipulation to achieve its goal. Blackmail is a type of extortion in which a person threatens to reveal or publish damaging or embarrassing information about another person unless they receive something in return.
Blackmail can be very effective because it plays on people’s fears of shame, humiliation, or financial loss. For example, a blackmailer might threaten to post embarrassing photos or videos of the victim online, or to tell their employer about something they did wrong. In some cases, blackmailers may even threaten to harm the victim or their loved ones.
Blackmailers often obtain victims’ information from data leaks and breaches, through attacks such as phishing, or by reaching out from catfish profiles online to extract compromising information.
RFID hacks
Moving into a more “brute force” method, RFID hacking is a form of cyberattack that targets Radio Frequency Identification (RFID) systems. RFID is used for short-distance communication of information and does not require line of sight to work, meaning that the RFID chip and the reader merely need to be within range of each other to communicate.
RFID hackers have demonstrated how easy it is to get hold of information within RFID chips. As some chips are rewritable, hackers can even delete or replace RFID information with their own data. It’s not too tricky for a hacker to build his or her own RFID scanner if they wanted to.
Companies should be concerned about RFID hacking since many modern buildings use RFID readers to control employee entry. RFID cards, usually built into an employee’s ID, can be read by an attacker who gets within range and cloned without the employee ever knowing.
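A cloned badge looks identical to the reader, so the place to catch it is in the access-control log rather than at the door: one credential cannot be at two sites at once, and a legitimate holder rarely re-badges at the same door within a minute. The following detector is an added example, not code from the original post; it assumes a plain-text access log with one event per line (the format and sample lines are constructed here), a reader-to-site map, and assumed minimum travel times between sites, all of which a real deployment would export from its own access-control system.

```python
"""Flag badge-access events that hint at a cloned RFID credential.

Added example, not code from the original post. It assumes a plain-text
access-control log with one event per line (format constructed here), a
reader-to-site map, and assumed minimum travel times between sites.
"""
from datetime import datetime, timedelta

# Constructed sample log: timestamp, badge id, reader id, result.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z badge=1042 reader=HQ-NorthDoor result=granted
2024-03-04T08:03:40Z badge=2210 reader=HQ-NorthDoor result=granted
2024-03-04T08:09:05Z badge=1042 reader=DC-Gate result=granted
2024-03-04T08:30:00Z badge=2210 reader=HQ-Lab result=denied
2024-03-04T12:15:22Z badge=2210 reader=HQ-NorthDoor result=granted
2024-03-04T12:16:03Z badge=2210 reader=HQ-NorthDoor result=granted
"""

# Which site each reader belongs to (constructed; export this from your ACS).
READER_SITE = {"HQ-NorthDoor": "HQ", "HQ-Lab": "HQ", "DC-Gate": "DC"}

# Minimum plausible travel time between two sites (assumed values).
MIN_TRAVEL = {frozenset({"HQ", "DC"}): timedelta(minutes=25)}


def parse_log(text):
    """Return (timestamp, badge, reader, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((
            datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            fields["badge"], fields["reader"], fields["result"],
        ))
    events.sort(key=lambda e: e[0])
    return events


def find_impossible_travel(events):
    """One badge granted at two sites faster than its holder could travel.

    A card and its clone in use at two locations is exactly what this
    looks like. Returns (badge, from_site, to_site, gap) per hit.
    """
    last_grant = {}   # badge -> (timestamp, site)
    alerts = []
    for stamp, badge, reader, result in events:
        if result != "granted":
            continue
        site = READER_SITE.get(reader, reader)
        if badge in last_grant:
            prev_stamp, prev_site = last_grant[badge]
            # Same-site pairs have no MIN_TRAVEL entry and are skipped.
            needed = MIN_TRAVEL.get(frozenset({prev_site, site}))
            if needed is not None and stamp - prev_stamp < needed:
                alerts.append((badge, prev_site, site, stamp - prev_stamp))
        last_grant[badge] = (stamp, site)
    return alerts


def find_repeat_entry(events, window=timedelta(minutes=5)):
    """One badge granted twice at the same reader within `window`.

    A second grant moments after the first is a common sign of a
    duplicate card (or of a door being badged open for someone else).
    Returns (badge, reader, gap) per hit.
    """
    last_at_reader = {}   # (badge, reader) -> timestamp
    alerts = []
    for stamp, badge, reader, result in events:
        if result != "granted":
            continue
        key = (badge, reader)
        if key in last_at_reader and stamp - last_at_reader[key] <= window:
            alerts.append((badge, reader, stamp - last_at_reader[key]))
        last_at_reader[key] = stamp
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_impossible_travel(evs):
        print("impossible travel:", hit)
    for hit in find_repeat_entry(evs):
        print("repeat entry:", hit)
```

On the constructed log, badge 1042 is granted at HQ and then at the data center under seven minutes later, and badge 2210 badges the same door twice within a minute; both are worth a call to the badge holder before assuming the card is still theirs alone. The same two checks also serve the entrance monitoring recommended under risk analysis below, since they run on the logs those monitored doors already produce.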
Lockpicking
Mechanical locks have changed little over the years, and they remain vulnerable to an adept lockpick. Many businesses use magnetic locks, which are far more resistant to this kind of attack. However, magnetic locks only function as long as they have power, making a backup power source essential.
If an attacker gets frustrated, they may resort to the least subtle form of “brute force”: breaking down the door. Drilling out locks, breaking windows, kicking in doors, and similar steps are always possible, and they are well-known security vulnerabilities.
Securing the fort
There are several ways attackers can gain unauthorized access to a physical building. Now, it’s time to talk about ways to secure physical spaces.
Risk analysis
Perform regular analysis of your building’s security vulnerabilities. Map the perimeter and monitor entrances such as doors, windows, gates, and any other access points to physical structures and to the property as a whole. Keep an eye out for unsecured entrances and other weaknesses.
When you discover such weaknesses in your building, you can add controls such as gates and stationed guards. These provide a strong deterrent, and if worst comes to worst, it will often be your guards who stop an attacker who does get through the other defenses.
Security systems
Systems such as lighting, cameras, and motion detection should be deployed to provide buffers inside your buildings. An attacker is much less likely to attempt crossing blinding floodlights, even if they don’t see anyone immediately at hand. Cameras also make a break-in less likely because the attacker would be recorded. Finally, motion detection supports deterrence: if an attacker triggers an alarm or gets lit up by a floodlight, they’ll worry they’ve been spotted, and that’s reason enough to flee the scene.
Security culture
Educating employees about cybersecurity is crucial for the protection of your company’s intellectual property, data and systems. Remember, most cyberattacks target people, not systems. The vast majority of attacks can be traced back to human failures. So, when thinking about your company’s cybersecurity, you should really be thinking about your company culture.
Steps you can take to empower people include:
- Outline a clear message about the steps your company is taking with regard to cybersecurity.
- Encourage employees to take great care over their devices and private lives.
- Apply training methods that include simulated attacks and build awareness of common and uncommon attacks.
- Communicate security updates in real time and warn employees about cybersecurity threats.