So, you’ve gotten past the front door by piggybacking, been granted access to the elevator by the receptionist, and now find yourself standing in front of another restricted area. The next step is to find a way to trigger the motion sensor from the other side of the door so that it will open for you. What would you do?

Physical Security Assessments are an essential part of a security program. If an attacker is able to gain physical access to your building and equipment, they essentially have “the keys to the kingdom.”

When faced with certain situations during a physical security assessment, there are traditional and nontraditional tools and techniques which can greatly improve your chances of success. We’re going to outline a few of these tools as well as high-level ideas of when to use them.

Traditional Tools

The following are some traditional tools with which you may already be familiar.

  • Fake Badges: Whether or not they actually work, fake badges are a must-have for any engagement where the clients are required to wear them for access. During your reconnaissance phase, make sure to get a look at a company badge. Then, take a photo of yourself and try to duplicate the design of the badge at a local office supply store. As long as it looks close enough to an original, most will assume that it’s legitimate. You’ll need to get the timing right to piggyback into the building or room. If you do have the time and resources, you can try to temporarily borrow a badge from an employee who’s not paying attention. You can also get close enough to them with your RFID reader to get the information and clone the badge with your RFID writer.
  • Lock Picks: These are essential; however, you can’t just buy a set, show up on your engagement and expect to use them successfully. Lock picking is a skill that must be learned and practiced. Picks are good for bypassing complex locks and are much easier on the locking mechanism than alternatives such as bump keys or shims.
  • Bump Keys: A great tool when you’re in a rush, bump keys are designed to be quick and dirty. However, there is also potential to damage the lock, so you have to be careful when using them. They are easy to conceal and are available in sets for residential, commercial, office and secure locks.

Nontraditional (MacGyver) Tools

Because of the ingenuity involved, we’ll name these after the fictional “master of ingenuity,” MacGyver.

  • Duct Tape: It has several uses besides covering a surveillance camera. You can prevent a standard door from locking by taping over the hole in the strike plate and preventing the bolt from going into the hole.
  • Kneaded Rubber Eraser or Putty: One of our favorite uses is to stuff it inside the doorframe where panic bar locks are used. This allows the door to shut completely but prevents the door from locking. This will also prevent timed alarms from being triggered if the door is open for too long.
  • Hand Warmers and Coat Hangers: Hand warmers can be used to bypass motion detectors with heat sensitivity. Metal coat hangers can be used to trigger the motion sensor by raising the hand warmer up over the other side of the door.
  • Mylar Balloon: Not only is this a good way to get through the front door as a delivery person with a couple of inflated balloons, but you can also use it to open a door by triggering the motion sensor from the opposite side. This can be done using a half-full latex balloon, which can be concealed in your bag. Next, you’ll lay a flat, empty Mylar balloon on the ground and slide it underneath the door. Then, you’ll transfer the helium from the half-full latex balloon into the Mylar balloon. This should be enough helium for the Mylar balloon to rise up on the other side, triggering the motion sensor. Make sure to adhere a piece of string to the balloon before sliding it under the door. This saves the time of tying it on and keeps you from losing the balloon if it were to slip away before you’re ready to raise it up.
  • Administrative Letterhead and Envelopes: This may come in handy when you don't have the time to forge a fake badge. Once you've obtained access to the facility and have seen what the badges look like, look around for some extra company letterhead or envelopes. It's possible to quickly put together a look-alike badge by placing relevant colors and logos from the documents into plastic badge sleeves. Need a photo? How about placing your tie over the section of the badge where the photo would be? Most of the time employees will not be staring at your badge, especially if you're on the move and not hanging out having a conversation with them.
  • Shims and Soda Cans: Let’s say you forgot your lock picks, bump keys and laser cutters (just kidding). You come across a locked server rack fence or a restricted area secured by a padlock. In this case, there are several methods of creating shims. One popular method is to cut up a soda can. This comes with risks, including that the shim could break in the lock.

This was a high-level overview of a few traditional and nontraditional tools which can be used to obtain access during your physical security engagement. We encourage you to practice with these tools, in a lawful way of course. Be creative, since you are probably only limited by your imagination. There are many other tools which can also help, but this list will certainly get you started.

This blog and its tips are intended for educational use only by security assessors and no one should use these tips unless authorized to do so.
