Let’s Get Physical* Part 1; Defeating Wetware Access Controls

Sally Vandeven //

I found myself with a little extra time one day (and I didn’t tell my project manager) so I thought it would be a great time to write a blog post.  I asked two friends/colleagues if there were any topics they would like to see covered and interestingly, they both independently responded with the same topic.  They wanted to read about some of the physical pen tests that we do.  Excellent idea! It is interesting, intriguing and mostly fun (more on that later) – so here you go.

Organizations hire us to test the security of their networks.  When you take a 30,000-foot view of computer security in general it basically boils down to access control.  It is all about keeping bad stuff out of the organization and preventing the good stuff from leaving the organization. Of course it is 2016 and in security we all have come to accept the premise that bad stuff WILL happen so we should focus on detection as well as prevention.

Security engineers, auditors and pentesters all have the same goal – to improve an organization’s security posture. But, as pentesters, it is our job to demonstrate risk in a controlled manner.  Instead of telling an organization what could happen if they don’t patch their systems or look at their logs we show them what can happen.  This can be very eye opening to skeptical managers that are hesitant to allocate budget for security projects.  I have found this to be especially true when it comes to demonstrating physical access attacks.  Let me explain with an example.

A colleague and I were doing a physical penetration test for an organization.  We were tasked with entering the building using social engineering only.  In this case, no lock picking and no badge cloning. The building had RFID access badge entry on all exterior doors as well as many interior doors.  At every locked door was a sign that read “No Tailgating”. There was a front door that remained open during business hours but a guard/receptionist was stationed immediately inside with full view of the door.  There was a sign-in sheet at the reception desk with a sign that read “Visitors Must Sign In”.

Video cameras were trained on all ingress doors and the guard/receptionist at the front entrance had a bank of monitors with the video feeds. Inside the building, employees were required to use an access badge to operate the elevator. There were of course stairwells but they were locked from the stairwell side and required an access badge to open from the stairwell.  Only the exterior door on the ground floor of the stairwell could be opened from inside without any access control.  This of course was a safety measure to ensure that all people inside the building could easily get out in case of an emergency. In other words, if you found yourself in a stairwell without the proper access card, the only place you could go was outside.  Also, all employees worked in cube farms or open office areas, each of which was behind a locked door with access controls enforced by the RFID badges. To some this sounds like bulletproof security.  But, to the bad guy or the scheming pentester, it sounds like an easy mark.  Why? Because as pentesters we learn that it is easy to defeat access controls if you look and act like an insider – like you belong there.

Look Like an Insider

Any good physical assessment should begin with some reconnoitering — colloquially referred to as “casing the joint”.  We rent an inconspicuous car and drive to the target site looking for clues as to how we will go about appearing like we belong.  If employees are wearing suits, we wear suits. If employees are dressed casually, we dress casually.  If employees are wearing or carrying a badge we create and wear a similar badge, etc. Whatever it takes to blend in.

For this particular assessment we observed that employees had access badges and most were attached to a particular color lanyard.  There was an outdoor picnic table near an employee entrance so we sat at the table and got close enough views of people entering and exiting the building with their badges that we were able to recreate one with surprising accuracy. These were simply look-alikes, not RFID clones so the only function they would serve was to help us look like legitimate employees. You might wonder if the staff we were observing found it suspicious that unfamiliar people were sitting at their outdoor lunch spot and you would be correct to wonder that.  The answer is, I imagine some do but in our experience rarely, if ever, do they approach us or report us.  We also observed that employees were letting others tailgate in – despite the signs on the door forbidding such actions.

Act Like an Insider

Once we got the lay of the land and had created or purchased all the props that we needed, we made our move to enter the building.  With physical testing involving social engineering, unlike a remote network assessment, each person gets one chance; if you get caught you are done.  Because of this we usually enter one at a time and stay separated inside the building.  On this particular occasion, I entered first by tailgating in with other employees.  They were happy to hold the door for me.  Why?  Because people are generally considerate of one another and want to be helpful and we take advantage of that.  I know that sounds very cold and cruel but since that is how criminals operate and we are trying to demonstrate risk, we do it too. So here is how it works; if you set up the situation such that anyone who does NOT hold the door for you appears rude then you will get in. This particular attempt happened like this:

  • The look-alike badge was hanging around my neck.
  • I was carrying some books and papers in one arm and also holding my morning cup-o-joe.
  • My phone was at my ear as if I was talking to someone
  • I smiled and made eye contact with the people approaching the door (I had watched them from the parking lot and carefully timed my approach accordingly).

The door was graciously held open for me as I entered the building.  Why did they let a stranger in?

  • When someone is on the phone, others are hesitant to interrupt.
  • People are conditioned to hold the door for others … especially older people and women.  In my case, I am an older woman (never thought that would be an advantage in this business, right?)
  • I looked like I might work in the building and I appeared happy and confident that I was in the right place so anyone who refused to help me at that point would have created a messy situation and probably felt like a jerk in the process. (By the way, this is one of the things about physical testing that most of us really don’t like – taking advantage of someone else’s good intentions)

Be an Insider

What happens next once you find yourself inside the building? I find this the trickiest couple of minutes on the assessment because in most cases, you don’t know the layout of the building unless you have been lucky enough to find a floor plan ahead of time.  If the people who let you in the building had any suspicion at all they will certainly be more likely to take some action if at this point you look like you don’t know where you are going. What I have found most successful is to enter boldly and plow ahead, looking hurried – like I am going to be late for a meeting.

Once I find myself in a location that is quiet, I stop and take stock of the situation thus far. For example, I look for a quiet corridor, a conference room, a restroom or even at a seat at a bank of unoccupied cubes. This is also when I contact my colleague via SMS and start a photo timeline.  A photo timeline is created by just snapping photos with the phone at regular intervals. The timeline can prove very helpful later during the assessment as well as later while writing up the report.  Basically the photo timeline helps me recreate my path in the building, provides timestamps for the customer (they can check against access logs) and may be the breadcrumb trail that is needed to get back out undetected.  When we first entered this particular building we had no idea that we would end up inside for several hours.

During this test I found an exterior unalarmed door near the back of the building with little activity. There was a video camera trained on the door but we were working under the assumption that the guard would probably not be watching and that turned out to be the case. Via SMS I communicated with my colleague to guide him to the door and opened it from the inside allowing him to enter.  He could have tailgated in as well but it provides more value to the customer if we can demonstrate different methods of entry.

Now that we were both inside we parted ways in order to cover more ground during our search for the flag.  The flag we were tasked to find by our point of contact (PoC) was the data center and we were asked to attempt entry, take pictures as proof and then leave — tampering with hardware was not in scope.

Since most areas required card access for entry we had to tailgate in everywhere, including the elevator.  We learned this the hard way.  After thoroughly searching one floor of the building and comparing notes with my colleague, we decided it was time to move to another floor.  I found an elevator and “called” it to my floor.  When the doors opened it was empty and there was no one else waiting to ride the elevator; I was alone. I entered the elevator and checked out the control panel – there was an RFID access pad.  Hmmm. On the off chance that I would not need to swipe, I pushed a button for another floor.  Nothing.  The light on the RFID pad was red. Not a good sign. I tried another button.  Nothing.  In the meantime, the doors to the elevator closed and I was inside.  It instantly became stuffy inside so I pushed the button for the floor I was on.  Surely that would be allowed. Nothing. I was stuck inside and could not move.  I texted my colleague and to my surprise I had enough signal and my text went through.  He found his way to what we hoped would be the same elevator on another floor and pushed the button to summon the elevator.  When the doors opened it was empty — another car had been summoned instead.  I ended up stuck inside the elevator for about 10 minutes but it seemed like 2 hours! Ultimately, because of others using the elevator “my” car eventually was called into service and when the doors opened I remained inside and tried to stay calm.  The person entering the lift looked at me and I smiled.  They swiped their badge and pushed floor 3, exactly the floor I was hoping for and I was able to “hitchhike” to the next floor without proper authorization.  If the person that had entered the elevator to go to the third floor noticed that none of the LEDs for any of the floors were illuminated (meaning I had not swiped and requested a particular floor) they didn’t say anything to me and allowed me to ride along.  Again, people tend to avoid conflict and don’t generally like to be rude so we use this to our advantage.

We spent hours inside the building but did not find the datacenter, our flag.  It was unmarked and apparently well hidden.  Frustrated, we found a cafeteria and sat down together to make a new plan.  Surely the datacenter was behind one of the many unmarked, locked doors that we had encountered that morning but which one?  Lock picking and badge cloning were out of scope for this particular assessment. We asked ourselves what access control is left to defeat?  The answer of course is the human — wetware.  So we decided to ask for help.  We approached a kind looking receptionist (not the one at the front door because she was trained to be suspicious and spot unauthorized activity).  We found a suite of offices on the floor that we were guessing might be the right floor (again more hitchhiking to get back there) and entered the suite.  The receptionist asked if she could help us and we said, “Yes you can! We are looking for the datacenter because we are supposed to meet someone there but we cannot find it.  Can you point us in the right direction?”

Unlike the guard at the front door, this person is trained to be helpful and courteous and she dutifully answered our question.  Bingo.  Before we knew it we were standing in front of the datacenter.  The receptionist noticed that the person we were supposed to meet was not there and asked us if she should call him.  We said, no that we would wait for him and thanked her for her help.  She left.  Now we just had to find a way in.  My colleague and I had decided that it was boom or bust.  We could both hear John’s voice in our heads, “Push it right to the edge! If you don’t get caught you didn’t try hard enough.”  So we knew that we were not leaving until either 1) we got in or 2) we got caught.

You see, getting caught provides valuable information to the customer as well.  We defeat as many controls as we can to show where the weaknesses are but we keep going until we get caught to show where the strengths are. Ultimately after several attempts to convince someone to open the datacenter door and allow us access, someone alerted security and we were promptly asked to leave.  By the way, we had a Get-Out-of-Jail-Free card, a letter signed by an executive stating that we were authorized to be there and it included phone numbers that the guard could call to verify.  Interestingly, in that particular case we were just asked to leave the building. We did. Mission accomplished.

Recap of the access controls defeated:

  • There are multiple entrances to the building through which employees can come and go, but none use turnstiles to ensure that people enter one at a time. Let’s face it. The amusement parks got this one right because every hot body that enters the park better have a valid ticket – its their bread and butter!  Its much more difficult to get away with jumping a turnstile than casually entering through a door held open by someone else.
  • There is only one entrance with an enforcing control; the front door with the guard.  
  • A single guard cannot watch the front door, check badges, get visitors to sign-in and watch all the monitors all the time.
  • The elevators cannot detect how many people step into the car at one time; to put the elevator in motion requires only one badge swipe.
  • People are generally considerate of one another and want to be helpful.

Coming up next:

Let’s Get Physical Part 2; Defeating Hardware Access Controls

Stay tuned…


*Want to have a little soundtrack while you read this?  Olivia Newton John’s “Physical” is the obvious choice!