Red Teaming 101 — Physical Access Controls
Physical access controls are designed to directly prevent unauthorized entry to secure areas. Examples of physical access controls include:
- gates and barriers;
- airlocks;
- turnstiles;
- locked doors;
- motion detectors.
You can find a way around all of these controls.
Bypassing a Gate or Barrier
Generally, these can be bypassed with cloned IDs or exploits that target the access control system. Still, it’s also possible to circumvent these controls simply by vaulting over or going around them. The things that generally prevent you from doing this are:
- Staff members — If staff see you jumping over the barrier, they are likely to comment on it or report it.
- Security guards or reception — These people can be distracted. The sorts of distractions you can employ are limited only by your imagination.
- Cameras — Most cameras won’t be pointing at the barrier itself but at the doorways into reception and sometimes at an area beyond it.
Breaching security by vaulting barriers in a public area should be an absolute last resort. It’s better to try to clone legitimate cards, disable the access control system (a denial of service), or socially engineer your way past it (you’re there to do repairs).
Working Around an Airlock
An airlock is a form of access control found at high-security sites and is driven solely by ID badges. When you authenticate, the first door opens, you enter, and it shuts behind you. Only then does the second door open and permit your entry. The floor of the airlock is usually a pressure sensor that measures weight and weight distribution to detect the presence of more than one person.
Generally, you have two options when bypassing such obstacles:
Delivery Entrance
Delivery entrances are rarely controlled by airlocks; the goods wouldn’t fit through one. If you don’t know where the delivery entrance is, show up at reception with a delivery, at which point reception will either let you through an alternative door (sometimes found to the side of the airlock) or point you toward the delivery entrance.
Emergency Alarm
Access through an airlock is slow; it can take around 20 seconds for just one person to pass through, which is unacceptable in an emergency. Certain events, such as fire alarms, therefore automatically cause both doors to open to permit swift evacuation. Bear in mind that triggering one is noisy and will bring staff to the exits, so it sits alongside vaulting a barrier as a last resort rather than a first move.
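The interlock logic described above is simple enough to simulate, and doing so makes the two bypass options concrete: a second body on the floor sensor holds the inner door, and a fire alarm releases both doors regardless of state. The following is an added example written for this page; it is not code from the original post or from any real door controller. The badge list, the weight thresholds and the quadrant heuristic are assumptions for the simulation.

```python
"""Simulation of the two-door airlock (mantrap) interlock described above.

Added example for this page, not code from the original post or from any
real door controller. The rules come from the text: a valid badge opens the
outer door, it shuts behind you, only then does the inner door open, the
floor weighs the chamber to reject a second person, and a fire alarm
releases both doors at once. Thresholds and badges are assumptions.
"""
from dataclasses import dataclass, field

AUTHORISED_BADGES = {"B-1001", "B-1002"}   # constructed sample badge list
MAX_TOTAL_KG = 130.0                        # assumed: one adult plus a bag
LOADED_QUADRANT_KG = 15.0                   # assumed: a quadrant carrying a foot
MAX_LOADED_QUADRANTS = 2                    # assumed: one person loads at most two


@dataclass
class Airlock:
    outer_open: bool = False
    inner_open: bool = False
    fire_release: bool = False
    log: list = field(default_factory=list)

    def badge(self, badge_id: str) -> bool:
        """Outer door opens only for a known badge and only when both doors are shut."""
        if self.fire_release:
            self.log.append("fire release active; doors are already open")
            return True
        if badge_id not in AUTHORISED_BADGES:
            self.log.append(f"deny unknown badge {badge_id}")
            return False
        if self.outer_open or self.inner_open:
            self.log.append("interlock: a door is open, badge ignored")
            return False
        self.outer_open = True
        self.log.append(f"outer door open for {badge_id}")
        return True

    def outer_closed(self, floor_kg: tuple) -> bool:
        """Outer door has shut; weigh the chamber and decide on the inner door.

        floor_kg holds the four load-cell readings (front-left, front-right,
        back-left, back-right) in kilograms.
        """
        if not self.outer_open:
            return False
        self.outer_open = False
        total = sum(floor_kg)
        loaded = sum(1 for q in floor_kg if q >= LOADED_QUADRANT_KG)
        if total <= 0:
            self.log.append("chamber empty, nothing to do")
            return False
        # Either too much weight or weight spread over too many quadrants
        # (e.g. two people standing apart) is treated as a tailgate.
        if total > MAX_TOTAL_KG or loaded > MAX_LOADED_QUADRANTS:
            self.log.append(f"tailgate suspected: {total:.0f} kg on {loaded} quadrants, holding")
            return False
        self.inner_open = True
        self.log.append("inner door open")
        return True

    def fire_alarm(self) -> None:
        """Evacuation override: both doors released regardless of state."""
        self.fire_release = True
        self.outer_open = self.inner_open = True
        self.log.append("fire alarm: both doors released")


def single_pass(badge_id: str, floor_kg: tuple) -> bool:
    """Run one person through the sequence; True if the inner door opened."""
    lock = Airlock()
    return lock.badge(badge_id) and lock.outer_closed(floor_kg)


if __name__ == "__main__":
    print("one person:", single_pass("B-1001", (40.0, 42.0, 0.0, 0.0)))
    print("two people:", single_pass("B-1001", (45.0, 44.0, 43.0, 41.0)))
    lock = Airlock()
    lock.fire_alarm()
    print("\n".join(lock.log))
```

The distribution check is why "piggybacking" by standing on the same spot as the badge holder is the only tailgating that has a chance against such a floor, and why the fire alarm override is the cleaner of the two options the text lists: it skips the weighing step entirely.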
Gaining Access Through a Turnstile
Turnstiles are a common sight at high-security facilities, usually outside at the site’s border. Like an airlock, a turnstile is designed to admit one person at a time and is challenging to bypass. You can usually avoid a turnstile by driving (or walking) into the car park, where staff and visitor access controls are likely to be internal. Other means of ingress certainly exist, which is why recon is essential.
Breaching a Locked Door
By locks, we’re not talking about electronic proximity systems but traditional mechanical devices that open with cut keys. Some tests will inevitably include an element of lock picking. The sort of locks you can reasonably expect to encounter won’t be high security. Targets of lock picking during a physical test include:
- padlocks on side doors and storage;
- locks on filing cabinets and desk drawers;
- locks on office doors.
Bypassing a Motion Detector
Motion detectors are only used outside office hours, and even then usually only in high-security areas of high-security sites. Such devices are therefore only a concern if you are conducting a night-time penetration of a smaller facility (larger sites have 24-hour security). They tend to be armed by a central alarm system at close of business. One advantage of knowing in advance that the site is alarmed and fitted with motion sensors is that you’ll be the only person there.
The downside is that you have to get past the sensors themselves. This may be achieved in the following ways:
- Some sensors have a bypass button on the bottom. If you can reach the detector without triggering it, you can disable it this way.
- Motion sensors sense motion: move slowly! These devices are usually less sensitive than you would imagine.
- Knowing the alarm code in advance is very useful. The number of people within the company who have access to this information directly affects your chances with a social engineering attack, but this is the most elegant solution.
- If you trigger enough alarms over the course of an evening, it will look like an equipment malfunction, and eventually the alarm system will be disabled for the night. Once this occurs, wait a couple of hours before attempting entry.
- You can disable some sensors by cutting power to the building; others have a battery backup. Either way, it is rarely feasible to find out in advance which you are dealing with.
- Sensors that emit infrared (IR) light, such as active IR beams, can be spotted with the right equipment, for example a handheld camcorder in night vision mode. Note that passive infrared (PIR) detectors, the most common type, emit nothing and can’t be found this way.
- Sensors that use radio frequency (RF) have a longer detection range and work on the same principle as speed cameras (Doppler radar). Detecting them is not easy (you need to know what frequencies to scan for), but it can be done from further away than with IR sensors, since RF sensors don’t require line of sight.
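From the defender’s side, the "trip it until it gets switched off" tactic above has a recognisable shape in the alarm panel’s event history: a burst of activations from one zone followed, within a few hours, by a bypass of that zone or a panel disarm. The following is an added example written for this page, not code from the original post or from any alarm vendor; the log format is constructed for the example, and a real panel export would need its own parser.

```python
"""Detection for the 'nuisance-trip until it gets disabled' tactic above.

Added example for this page, not code from the original post or from any
alarm vendor. The log format below is constructed; the regex is the part
you would adapt to a real panel export.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>ARM|DISARM|MOTION|BYPASS)"
    r"(?: zone=(?P<zone>\d+))?(?: user=(?P<user>\S+))?$"
)

# Constructed sample: zone 7 trips four times in under two hours, the duty
# guard bypasses the zone, and a later trip in zone 3 is the one to worry about.
SAMPLE_LOG = """\
2024-03-08 18:05:12 ARM user=front_desk
2024-03-08 21:14:03 MOTION zone=7
2024-03-08 21:31:47 MOTION zone=7
2024-03-08 22:02:19 MOTION zone=7
2024-03-08 22:40:55 MOTION zone=7
2024-03-08 22:44:10 BYPASS zone=7 user=guard1
2024-03-09 01:12:30 MOTION zone=3
""".splitlines()


def parse(lines):
    """Turn raw log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": d["event"],
            "zone": int(d["zone"]) if d["zone"] else None,
            "user": d["user"],
        })
    return events


def find_suppression(events, min_trips=3, window=timedelta(hours=3)):
    """Flag zones bypassed (or a panel disarmed) shortly after a burst of trips.

    A burst followed by suppression is exactly what the tactic produces; a
    genuine fault would normally end in a maintenance call, not an immediate
    bypass, so this pattern deserves a physical check of the zone.
    """
    trips = {}        # zone -> list of trip timestamps
    findings = []
    for ev in events:
        if ev["event"] == "MOTION":
            trips.setdefault(ev["zone"], []).append(ev["ts"])
        elif ev["event"] in ("BYPASS", "DISARM"):
            # A panel-wide disarm covers every zone with a recent burst.
            zones = [ev["zone"]] if ev["zone"] is not None else list(trips)
            for z in zones:
                recent = [t for t in trips.get(z, []) if ev["ts"] - t <= window]
                if len(recent) >= min_trips:
                    findings.append({
                        "zone": z,
                        "trips": len(recent),
                        "suppressed_at": ev["ts"],
                        "by": ev["user"],
                        "action": ev["event"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_suppression(parse(SAMPLE_LOG)):
        print(f"zone {f['zone']}: {f['trips']} trips, then {f['action']} "
              f"by {f['by']} at {f['suppressed_at']}")
```

The thresholds are deliberately loose; the aim is not to block the guard from silencing a genuinely faulty detector but to make sure someone walks the zone before the night is over, which is the one thing the tactic relies on not happening.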
All in all, we have just scratched the surface of what is possible in cyber-physical red teaming. We will explore these topics in more detail in future posts. But remember: where there’s a will, there’s a way.