Assessment Background

Earlier this year, a friend (5tubb0rn) and I toyed around with some ideas at a local hacker workspace. I had been using a Proxmark/BishopFox build to steal proximity badges during some of our on-site Social Engineering Assessments and covert Physical Security Assessments. The Proxmark/BishopFox build was handy in that I didn’t have to bump into anyone in order to snag their badge for replication. The only problem I’ve had with this device is the size – it is a garage badge reader after all, and about the size of a laptop. There are smaller devices out there but we wanted to create something from scratch, utilizing a Raspberry Pi and some plug-and-play sensors that could be easily hidden by someone in the guise of a contractor. So, the two of us came up with a covert device we named “The Thief” aka “Covert Clipboard”. This device could be conveniently placed in a clipboard (with a compartment) without looking suspicious.

We soon had a great opportunity to test out our new gadget during a red team assessment.

On-site Red Team Assessment

With the clipboard in hand, a checklist for “badge inventory” on top, and a forged employee badge printed on a vinyl card, I was ready. My guise was Mr. Elliot Alderson (a fun reference to the television show Mr. Robot) and I was from corporate compliance doing some badge and key inventory. My co-workers Brent White and Drew Culbertson would be a couple of contractors assisting me with the task.

My colleagues Brent, Drew and I successfully entered the back of the building after using a shove knife to exploit the deviated strike plate, bypassing the badge reader. The emergency exit near the back entrance wasn’t readily available for us to access different floors. The elevator and stairs to the other floors were right in front of the security desk. Since we had to go past the security desk to gain access to the facility, we decided to test the awareness of the security guard. The guard was engaged in a friendly conversation with a vendor, so he was distracted.

I approached first and introduced myself. “Hi, do you mind if I take a look at your one-day badges?” I smiled and casually raised my clipboard and pen, “We are doing badge and key inventory.”

“No problem. What do you need?” The security guard rolled his chair over to acknowledge us.

“Well, first let me ask some questions about the badge procedure. How do you handle one-day and vendor badges? Let’s say someone forgot their badge…” I began to go into my “auditor” question list and learned a great deal. The guard then took out a binder with a plethora of RFID PVC badges. This was an opportune time to test out The Thief. I concluded the Q&A with, “Do you mind if I get some number samples off of those badges?” pointing at the badge binder with my pen.

“Sure. Not a problem. Do what you gotta do.”

“This will probably take you a while Elliot, do you have a seat he could pull up?” Brent interjected.

“Yup. You can sit back here.” The guard rolled his chair away and let me sit behind the desk in the second chair.

“Awesome. Thanks! I won’t be too long, we still have to visit the XYZ facility.” I dropped the name of another location. At this point, I pretty much kept to myself, as the guard went back to his conversation with the legitimate vendor. I placed my clipboard on the table and took out about 25 badges, one at a time, ensuring that I obtained information from each. The clipboard also had network connectivity to a mobile hotspot, where Brent and Drew were ensuring the data was being harvested. After about five minutes, I was happy with the data that we were able to gather and concluded my conversation with the security guard.

At this point, we could have duplicated the badges without needing to target a specific legitimate employee, given the sheer number of one-day, vendor and executive badges. We later found out that a specific pool of those badges allowed access throughout the entire facility – this was gold! This wasn’t even needed, however, because we were easily able to tailgate, bypass electronic locks and use the same type of guise to deploy malicious devices (keyloggers, LAN turtles, etc.) in the offices of cooperative employees during the red team assessment. We left the facility covertly and with a treasure trove of compromised data.

Lessons Learned

So, what do we learn from this war story?

  • Security guards are the first human security layer, and whether they are contract guards, in-house guards or an administrator sitting at the front desk, their diligence can make or break a compromise. In this case, no one verified that “corporate compliance” had actually scheduled a badge inventory, and the guard handed the badge stock to a stranger. Brent White and I recently did a talk at GrrCon called “Security Guards – LOL” that addresses many of the concerns we have with security guard companies and the lax effort that some of them put forth. Security awareness training should be comprehensive and robust for guards, because they are an important asset when properly trained.
  • When utilizing one-day badges, ensure that they are restricted to role-based or minimum access. A generic badge should not have complete access to a facility, because of the security risks (as we demonstrated during the assessment) and the possibility of accidental misplacement. A solid badge inventory procedure should be in place so that all badges are accounted for, and any inventory request should be confirmed with the issuing department before badge stock leaves the guard’s hands. It is also not a bad idea to use an RFID-blocking binder when storing these badges outside of a locked container, even when a guard is present; note that a blocking binder only helps while the badges stay in it, not once they are handed over one at a time.
  • If your doors have a gap between the door and the frame, make sure the strike plate is properly aligned and that the latch is protected (for example, with a latch guard) so it cannot be slipped with a shove knife or similar tool. You could have the fanciest electronic access controls, but if the physical lock can be bypassed, it doesn’t matter. Make sure all your doors are secured from both a physical and an electronic standpoint.
  • Robust security awareness training! Your training should include more than an annual checklist via an electronic quiz. NTT Security offers security awareness training in the format of a show-and-tell or “hacker Q&A.” This type of training allows managers and employees to learn about the techniques actually used during social engineering and physical compromises, such as the auditor pretext used here.

Remember, the smarter your employees are, the smarter your security is. Don’t rely only on electronic and physical security. When you have a robust security awareness program and incentives to continually improve the security culture within your enterprise, many attack vectors, and social engineering as a whole, can be deflected. It doesn’t matter how solid your technical controls are if the people are exploitable.