It’s an occupational hazard to see vulnerabilities everywhere. When I see a router sitting in plain sight I think, “The default creds are probably printed on the back; I wonder if those were ever changed?” When I see an unattended locked door propped open by a shoe or a box, it’s “Why would they just leave it like that? Should I go close it? Do they not have a key?”
When I see a friend or family member who doesn’t even have a pattern lock set up on their phone, I start preaching, horrified, about how they’re doing it wrong. (Seriously Aunt Laurie, please lock your phone. Please. For me.)
The story below illustrates one of these situations where every step of the way I was thinking, “I shouldn’t be allowed to do this. Why are you letting me do this? Why aren’t you stopping me??” The purpose of publishing this story is to highlight what went right, what went wrong, and what could have been done better in hopes that its readers will reflect and apply insights gained to their own situations.
Accidental Social Engineering
This month, my friend had surgery in a hospital in Japan. They wouldn’t release her unless she had someone to take her home, so I volunteered. She assured me it was an international hospital and I could just ask for her at the reception desk using English.
The hospital was in an area I’d never been to before. I got lost on the way and my friend wasn’t answering her phone. I found the building I thought she was in, tried calling once more, and then walked inside.
The building seemed a lot more closed off than hospitals in America and I was immediately wary. There was only one entrance, and I had to talk with a security guard in order to enter.
I walked up to the security guard posted at what seemed to be the reception desk, and his deer-in-the-headlights expression told me he was not a man well accustomed to receiving foreign-looking visitors. I used my broken Japanese to try to convey that I was here to wait for my friend’s surgery and eventually got the point across. He asked for her name, but he couldn’t find it in his system. He asked for her room number, but I didn’t know what it was. I said, “Maybe the 9th floor?” He had me fill out a slip of paper with my name and arrival time, and allowed me to leave the destination field on the form blank.
I entered the elevator alone and hit the button for the 9th floor. Only one nurse was present, and she went out of her way to pretend she hadn’t seen me. I approached her and she looked at me with the typical panicked Japanese stare of “I took some English in high school and I don’t remember any of it.” I told her in disjointed Japanese that I was looking for my friend, who was staying at this hospital.
“This is the exercise/rehabilitation floor, there are no patients here. What did reception say?” the nurse said.
“I asked reception, but…” (trailing off is a classic way to let other people draw conclusions and that way you only have to remember half as many words)
“Well, you really need a badge.” She gestured at what looked like an RFID access card. “Your friend is probably on the 8th floor, but you really need to go get a badge from the 1st floor.”
I thanked her and went back to the elevator. I closed the elevator door and considered my next move. Going back down to talk with the reception desk guy sounded painful. I hit the button for floor 8.
Floor 8 had badge readers. I looked at them for a moment thinking, “This is it, you’ve gone too far. Tailgating is probably illegal here, let’s just go home.”
Then a nurse noticed I looked lost and opened the door for me. ¯\_(ツ)_/¯
This is indicative of situations that we encounter often on physical engagements. We often don’t need to go for the “mission impossible” style tasks like picking locks, cloning ID cards, or bypassing security systems. By simply allowing employees to draw their own conclusions we can be allowed entry into restricted areas. People being too polite or “helpful” can be incredibly harmful when it comes to physical security.
A review of what was done right and wrong in this situation:
This did not seem like the kind of hospital that expected many visitors, and at the start they seemed to have the right fail-safes in place:
- Entering through the only obvious entrance to the building required visitors to interact with the security guard at reception
- Required to know who you were visiting, and what floor they were on
- Required to sign in at the front desk
- Unable to enter “high risk” floors without a badge
- Employees knowing that badges were distributed at reception and (initially) not using their own badge to get me where I wanted to go
On the other hand…
- I was allowed to sign by scribbling some unintelligible Japanese on a sticky note
- I was not required to produce any ID
- I was allowed to enter without having a clear destination
- There were no controls on the elevator preventing me from navigating to restricted floors
- When entering restricted areas, employees ignored me or opened locked doors for me
What could have been done better:
Despite all of these controls, I was able to enter a locked area of the building by just walking around and looking confused. What could have stopped me from getting as far as I did? A few closing thoughts (from someone who has admittedly never worked in healthcare):
- Reception could have sent a coworker to ask around about the existence of my friend
- Reception could have tried harder to find my friend in their system instead of giving up when he didn’t know how to spell it
- My name could have been somewhere in their system; my friend informed me the hospital needed her to provide an emergency contact. If my name wasn’t in the system I shouldn’t have been allowed past reception.
- The nurse on floor 9 could have escorted me down to the reception desk on the first floor
- The nurse on floor 9 could have called reception to make sure they knew I was in the building
- The nurse on floor 8 could have asked me to get a badge from reception instead of letting me in through the locked area
- Or could have found someone to escort me downstairs
(P.S. I found my friend on floor 8!)
*For anyone who’s ever been a physical pentester, these things often cross our minds. We see the world in a slightly different way, no matter how “ordinary” these things seem to others.