On nearly every assessment I have performed, I have been able to piggyback my way into target buildings and sensitive areas. If you walk in with confidence and even attempt to ‘badge in’, most employees will pay little attention to the error sound or the red light of an illegitimate swipe. So, to the unaware, you can easily pass as an authentic employee as long as you look the part and appear to have the right badge; especially at a facility with a large employee body.

When using this technique, it is often inevitable that you will encounter a security guard, especially in the lobby area. If an area with a guard is unavoidable, I wait for the guard to become engaged in conversation with another employee, take a phone call, sign for a delivery or become distracted in some other way, and then take advantage of that moment. In my experience, a security guard will also pay little attention to the color of the light or the sound of rejection from a proximity reader.

On a recent Red Team Assessment, I found myself in a similar scenario. The only access point was the front door, beyond the security guard. So, with my fake badge attached to my hip and a smile on my face, I walked past the security guard as she was talking with some visitors. To her credit, she glanced up at me as I walked by. I just nodded and casually flashed my badge. She smiled and let me continue. Access granted.

On-Site Red Team Assessment

Once inside the facility, I was able to make my way up and down the stairwell to survey each floor. There were only four floors, so this didn’t take long. After about an hour of walking around, taking photos, picking the locks on office doors and shredder bins and practicing the ancient art of dumpster diving, I was able to gather quite a bit of sensitive data (some of which included scans of driver licenses and social security cards). In addition to the physical artifacts, I successfully used the good ol’ “under-the-door” tool to bypass a lever handle door which led to the IT department and, fortunately for me, the data center area.

Since I had planned my assessment right around lunch time, most of the employees in the IT Department (outside of the data center area) were out of the office on their lunch breaks, granting me an undisturbed opportunity to examine the lock on the actual data center door and the authentication controls in place. This particular door required an employee code and badge. With some role research and an RFID stealer, it would have been possible to bypass the proximity reader; however, with the code required in conjunction with the badge, I had to get creative.

Earlier, I noticed a few doors in the office had motion sensors on the opposite sides of the doors for employees exiting the area, so I gave the ol’ “envelope under the door” trick a try. I figured that either an employee would be on the other side to check it out (and thus open the door and give me the opportunity to lie directly to their face) or the motion sensor could have a pretty big range and allow the door to open for me. Did I get lucky with the envelope too? Nope. So, I resorted to using the good ol’ lock picks again. I felt the binding pin catch. The latch turned, bypassing the electronic controls, and I was in.

While in the data center, I not only had access to the servers, switches, laptops and a treasure trove of data, but I also found a box of handy “remote employee VPN devices and handbook.” This was it, the “golden key!” Did I need to do anything more? Hadn’t I already proved the lack of security controls and culture? Usually, once we’ve gained access to a place like this, it is game over. But, I wanted to push myself further.

Earlier, when I had surveyed the floors, I discovered that the Security Control Room was downstairs. How did I know it was the Security Control Room? It was engraved on a fancy plate outside of the door. How very helpful. This door did not have a lever handle or badge control. Instead, it was a plain ol’ rounded door handle with an upside down pin tumbler lock core. I don’t know if you’ve ever tried to pick a lock upside down, but it’s not easy. This wasn’t the only obstacle working against me. The biggest hurdle was that this door was near the employee break area and delivery area, which meant that traffic was getting pretty heavy thanks to lunch time coming to an end. I really wanted to get into this area, so I decided to push the assessment even further and made my way back to the lobby with a random key in hand. I went straight up to the security guard to see just how lucky I would be.

“Sorry to bug you, but I am doing a key inventory and John from facility services had given me this key for the Security Control Room, but it doesn’t appear to be working. He said that you should have one and to ask if I could use it for a minute. I promise to bring it right back,” I said as I stood in front of the guard’s desk, smiling and gently tapping the random key on the table.

The security guard raised her eyebrow, and for a moment I thought I had blown my cover, or perhaps overstepped in my attempt to exploit her. She paused for a moment longer, smiled, placed her hand in her shirt pocket and pulled out a key chain with a handful of keys on it. “Well, I suppose, but you better bring my keys back, or I am going to hunt you down.” I laughed and assured her I would bring them back as soon as I was finished. I disengaged and made my way back down to the door, unlocked it and then locked it back once inside.

This room had more goodies than I could’ve imagined. I felt like I had won a competition or something. THIS was the real “golden key”.

The Security Control Room contained access to the security cameras and security system, a badge maker, access logs, security staff files and, just what I was looking for, a key box. This box was made out of aluminum and had a generic lock that was easily bypassed (I wanted to try to bypass it, even though I had the guard’s keychain). It had a beautiful key spreadsheet on the inside of the door, and several keys hanging in it. There were keys to company vehicles, wiring closets, several rooms and cabinets, elevators and much more. The key that caught my eye was one labeled “Facility 2 – Server Rm.” I had agreed to not take anything outside of the facility, so I couldn’t take the key with me. So, I took a few pictures and the idea came to me — I would take several pictures of the key and attempt to replicate it later that night at my hotel.

After leaving the facility, some co-workers and I made our way to the nearest Lowe’s and purchased a few blank #69 keys (the same type the server room had) and some metal files. We went back to the hotel and each took turns trying to replicate the key. How did we do this? We took my hotel key card and cut it in the shape of the blank #69 with an X-Acto knife and file to get the key as close as possible to the image on the smartphone (the zoom option is very handy in this kind of instance). Once the hotel key card was in the shape we were pleased with, I took a fine tip marker and traced the gaps between each tooth of the key onto the blank #69. My co-workers followed suit. Now, it was time to start filing and cleaning up for detail. What was the end result? A nice-looking replica that fit perfectly over the adjusted image of the key! Seriously? Did we really just copy a key via photo and elbow grease? Yes, we did.

The next day, we were able to compare the real key to the fake one, and the client would not let us leave with the duplicate. Lowe’s couldn’t have made a better replica!

Lessons Learned

So, what do we learn from this story?

If you know me or have read any of my previous blog posts, you know I enjoy targeting security guards. Why? Because they usually hold the keys to the kingdom and, once you’ve established a rapport with them, you no longer have to worry about pesky inquiries as to who you are or what you are doing. But, there is another reason: Many security guards are willing to help an “auditor” or someone from “corporate” doing inventory. How do I know this? I have used similar tactics several different times, without compromising my cover.

Employees rarely pay attention to badge detail or proximity reader authentication. You can, in fact, duplicate a basic tumbler core key via a photo.

How Do Companies Prevent This?

Tell your guards to stop being so trusting and to NEVER hand their keys over to a random “employee” who just so happens to mention other employee names. Guards are one of the first layers of security, but too many companies depend on them to be the primary eyes and ears, when the whole employee body should serve as eyes and ears.

  • Don’t forget about the hard locks on doors and cabinets leading to restricted and sensitive areas. It doesn’t matter how great your electronic controls are if they can be bypassed via a poor physical lock.
  • Make sure that your guards are alert and aware. Guard work can get boring, which invites distractions (phone, Internet, conversation etc.). Make sure that the guards understand their roles and responsibilities.
  • Always double check and never be afraid to validate someone’s identity. Someone doesn’t have a legitimate badge visible or isn’t escorted? Escalate. Did someone piggyback? Ask them to badge in and verify a successful result.
  • Provide robust security awareness training. Again, a good security culture, social engineering countermeasures and enforced standards can prevent a potentially dangerous and damaging compromise. When it comes to physical security, it is more than information that could be at stake.
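The “verify a successful result” advice can also be applied after the fact to the access logs that live in a control room like the one above. The following is an added example (not the author’s tooling or any vendor’s API) that flags badges seen at interior readers without a granted perimeter swipe, covering both the rejected-swipe-then-walk-in case and the picked-lock case where no swipe happened at all; the log format, reader names and badge IDs are constructed for illustration.

```python
"""Flag badges that appear at interior readers without a GRANTED perimeter read.

Added example; the log format, reader names and badge IDs are constructed.
"""
from datetime import datetime

PERIMETER_READERS = {"LOBBY-IN"}                          # assumed lobby reader name
INTERIOR_READERS = {"IT-DEPT", "DATACENTER", "SEC-CTRL"}  # assumed interior readers

# Constructed sample log, one event per line: "<ISO time> <reader> <badge> <result>"
SAMPLE_LOG = """\
2024-03-04T11:52:03 LOBBY-IN B1001 GRANTED
2024-03-04T11:52:40 LOBBY-IN B2077 DENIED
2024-03-04T11:55:12 IT-DEPT B1001 GRANTED
2024-03-04T12:03:19 DATACENTER B2077 DENIED
2024-03-04T12:10:44 IT-DEPT B3090 GRANTED
2024-03-04T12:15:00 LOBBY-IN B4000 DENIED
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, reader, badge, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, reader, badge, result = line.split()
        events.append((datetime.fromisoformat(ts), reader, badge, result))
    return events


def find_piggyback_suspects(events):
    """Return (badge, reader, reason) for each interior read lacking a prior perimeter grant.

    A DENIED perimeter read followed by any interior read of the same badge means the
    holder got through the lobby door without a valid swipe (the ignored red light).
    An interior read with no perimeter read at all means the holder entered some other
    way, such as tailgating or a picked lock, and should be checked against the cameras.
    """
    inside = set()          # badges with a GRANTED perimeter read so far
    denied_at_door = set()  # badges rejected at the perimeter and not yet granted
    findings = []
    for _ts, reader, badge, result in sorted(events):  # sort by timestamp
        if reader in PERIMETER_READERS:
            if result == "GRANTED":
                inside.add(badge)
                denied_at_door.discard(badge)
            else:
                denied_at_door.add(badge)
        elif reader in INTERIOR_READERS and badge not in inside:
            reason = ("interior read after perimeter DENIED" if badge in denied_at_door
                      else "interior read with no perimeter GRANTED")
            findings.append((badge, reader, reason))
    return findings
```

A real deployment would key the state by day and by badge and pair the findings with camera footage, but the logic above is enough to surface the two patterns this write-up describes.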

You don’t have to be paranoid but, in an age of rising hacktivism and terrorism, skepticism and awareness are traits every employee should have. Hackers do not care how hardened your network is if they can just walk in and ask for the keys to the building.