Red Teaming 101 — Physical Access Controls

Atumcell Labs
4 min readNov 1, 2023

--

Physical access controls are designed to prevent unauthorized access to secure areas directly. Examples of physical access controls include:

  • gates and barriers;
  • airlocks;
  • turnstiles;
  • locked doors;
  • motion detectors.

You can find a way around all of these controls.

Bypassing a Gate or Barrier

Generally, these can be bypassed with cloned IDs or exploits that target the access control systems. Still, it’s also possible to circumnavigate these controls by vaulting over or going around them. The things that generally prevent you from doing this are:

  • Staff members — If staff see you jumping over the barrier, they are
    likely to comment on it or report it.
  • Security guards or reception — These people can be distracted. The sorts of distractions you employ are limited only by your imagination.
  • Cameras — Most cameras won’t be pointing at the barrier itself but at
    the doorways into reception and sometimes at an area beyond it.

Breaching security by vaulting barriers in a public area should be
an absolute last resort. It’s better to try clone legitimate cards, disable the access controls system (Denial of Service), or socially engineer your way past it (you’re there to do repairs).

Working Around an Airlock

An airlock is a form of access control found in high-security
sites and is driven solely by ID badges. When you authenticate, the first door opens, you enter, and it shuts behind you. Only then does the second door open and permit your entry. The floor of the airlock is usually a pressure sensor that measures weight and weight distribution to detect the presence of more than one person.

Generally, you have two options when bypassing such obstacles:

Delivery Entrance

Delivery entrances are usually accessible by airlocks. If you don’t know where it is, show up at reception with a delivery, at which point reception will let you through alternative doors (sometimes found to the side of the airlock), or they will point you toward the delivery entrance.

Emergency Alarm

Access through an airlock is slow; it can take around 20 seconds for just one person to pass through it, which is unacceptable in an emergency, so certain events, such as fire alarms, automatically cause both doors to
open to permit swift evacuation.

Gaining Access Through a Turnstile

Turnstiles are a common sight at high-security facilities, usually outside,
at the site's border. Like an airlock, a turnstile is designed to permit
access to one person at a time and is challenging to bypass. You can usually avoid a turnstile by driving (or walking) into the car park, where staff and visitor access controls are likely internal. Other means of ingress
certainly exist. This is why recon is essential.

Breaching a Locked Door

By locks, we’re not talking about electronic proximity systems but traditional devices that open with cut keys. Some tests are inevitably going to include an element of lock picking. The sort of locks one can reasonably expect to encounter won’t be high security. Targets of lock picking during a physical test
include:

  • padlocks on side doors and storage;
  • locks on filing cabinets and desk drawers;
  • locks on office doors.

Bypassing a Motion Detector

Motion detectors are only utilized during office hours in
high-security areas and even at high-security sites. Such
devices are, therefore, only of concern if you are conducting a night-time
penetration of a smaller facility (more significant sites have 24-hour security). They tend to be activated by a central alarm system when business is concluded. One advantage to knowing in advance that the site is alarmed and equipped with motion sensors is that it means you’ll be the only person there.

The downside to this is bypassing the sensors themselves. This
may, however, be achieved in the following ways:

  • Some sensors have a bypass button on the bottom. If you can
    reach the detector without triggering it, you can disable it this way.
  • Motion sensors sense motion: move slowly! These devices are usually
    less sensitive than you would imagine.
  • Knowing the alarm code in advance is very useful. The number
    of people within the company that have access to this information
    directly impacts your chances of a social engineering attack, but
    this is the most elegant solution.
  • If you trigger enough alarms over the course of an evening, it will look
    like an equipment malfunction, and eventually, the alarm system will
    be disabled for the night. Once this occurs, wait a couple of hours
    before attempting entry.
  • You can disable some sensors by cutting off power to the building;
    some have a battery backup. Either way, it is rarely feasible to find out.
  • Sensors that use infrared (IR) light can be detected with the right
    equipment, such as a handheld camcorder in night vision mode.
  • Sensors that use radio frequency (RF) have a more extended tracking range and work in the same way as speed cameras (on the Doppler or radar principle). Detecting these sensors is not easy (you need to know what frequencies to scan for), but it can be done further away than IR sensors, which don’t require a line of sight.

All in all, we have just scratched the surface of what is possible with cyber-physical red-teaming. We will explore these topics in more detail in future posts. But remember, where there’s a will, there’s a way.

--

--