Physical Security

Physical Security Social Engineering

Shoulder Surfing

Shoulder surfing is a social engineering attack in which the attacker observes a target’s behavior without the target noticing. The target is typically at their computer or other device, and may be working with sensitive information or inputting their credentials into an authentication system. The attacker, who is behind the target, is able to see what’s on the screen or what keys the target is pressing.

Shoulder surfing doesn’t need to literally be someone peering over another’s shoulder. The attacker can accomplish the same thing by using a smartphone’s camera to capture pictures or video at a distance, with the added advantage of being able to go back to that recording later rather than relying on memory alone. The attacker doesn’t even need to be physically present during the attack—they can set the camera down on a nearby desk, press record, and leave. Later, they return to discover footage of the target working at their computer.

Tailgating and Piggybacking

Tailgating is an attack in which the attacker slips into a secure area by following closely behind an authorized employee. The employee doesn’t know that anyone is behind them. For example, an employee might enter the company lobby by using an access card on the locked entrance. They open the door wide and let it close by itself, not looking to see if anyone’s behind them. The attacker then quietly moves to the door as it’s closing and stops it, then walks in. Tailgating requires several factors to be effective: the doors must not close too quickly; the followed employee must not be paying attention; and there must not be an attentive guard or other personnel waiting on the other side.

Piggybacking is essentially the same thing, but in this case, the target knows someone is following behind them. The target might know the attacker personally and be complicit in their attack, or they might be ignorant of what the attacker is doing. For example, if the attacker was recently terminated from the company, the target might not know this and assume it’s just another day at the office. However, it’s more likely that the target doesn’t know the attacker, but is just keeping the door open for them out of common courtesy. The target may also let the attacker through in order to avoid confrontation. However, piggybacking will be less effective in smaller organizations where everyone knows everyone else, or in environments where building access is strongly controlled.

Piggybacking and tailgating are also examples of how you can use social engineering as part of a physical attack. For example, one of the easiest ways for an intruder to enter an access-controlled building would be to slip in with employees as they return after a fire drill.

Physical Security Controls

If you can breach a target’s physical security, it opens up many opportunities for attack. Just a few of the things you could do include:

  • Take pictures of restricted areas, proprietary devices, and internal vulnerabilities and defenses.
  • Steal devices, documents, and electronic data.
  • Access restricted systems.
  • Plant malicious devices such as keystroke loggers and Raspberry Pis on the private network.
  • Search for new targets.

Before you focus on specific physical attacks, it would help to understand what you may be up against. The following is a list of common physical security controls that might be in place on the target’s premises:

  • Door and hardware locks, both physical and electronic.
  • Video surveillance cameras inside and outside of a building.
  • Security guards stationed inside and outside of a building, or patrolling an area.
  • Lighting that makes it easier to spot an intruder at night.
  • Physical barriers like fences and gates.
  • Mantraps.
  • Alarms and motion sensors.

Fence Jumping

Fence jumping is the act of surmounting a height-based physical barrier like a fence, gate, or wall in order to gain access to a restricted area. Depending on the barrier’s height, you may find it easier to go over it than attempt to go around it or through it. For example, some fences are only three to four feet high and are designed to prevent someone from casually walking up to an area they shouldn’t be accessing. The fence may extend all along the perimeter, and is likely made of metal that is not easily bent or broken without the proper tools. Therefore, going over the fence could be the most viable option. However, someone attempting to climb or literally jump over the fence may attract suspicion if seen.

More restrictive premises will likely install taller fences, usually above eight feet, that cannot be jumped and must be climbed. Not only will these fences attract suspicion, but they are also designed to be difficult to climb over without considerable effort. A ladder may aid in your efforts to scale a tall fence, though again, this could draw suspicion.

More extreme anti-fence-jumping measures can come in the form of barbed wire or razor wire at the top of the fence. Even if you manage to scale the fence, you will have a difficult time actually going over it without injuring yourself. This acts as a powerful deterrent. However, sections of barbed wire and razor wire can be cut with the right tools, enabling passage over the fence without harm.

Dumpster Diving

Dumpster diving is the act of searching the contents of trash containers for something of value. In a pen test, dumpster diving can help you obtain documents that contain sensitive information relevant to the organization. For example, in the first few weeks of the year, people often discard calendars from the previous year. Many people write their passwords down on their calendars so they don’t need to remember them. In addition to personal documents, organizations sometimes improperly dispose of official documents in hard copy, like past quarterly financial reports or product proposal drafts. These can give you insight into the target’s business operations. You may even be able to piece together shredded documents with enough time and patience.

In addition to documents, organizations also improperly dispose of storage drives and even whole computers. They may have failed to wipe the data from these devices, enabling you to recover their contents and possibly find something of value.

Like fence jumping, dumpster diving will likely draw suspicion if you’re seen. Still, dumpsters are usually placed out of view and away from where people work. Dumpsters may also be conveniently accessible outside of restricted areas, so that external sanitation personnel can pick up the trash without needing to go through a security checkpoint. In other words, they may be exposed to the public and require little effort to access.

Lock Picking and Bypassing

Any given organization will undoubtedly have at least one door, cabinet, safe, device, or other asset that they will place behind a lock. You may need to find ways to circumvent these locks in order to achieve your goals. If you can’t even get into an office because the front door is locked, then your physical pen test will be cut short.

First and foremost, the type of lock will influence how you get around it. There are several different types of locks. One of the most common is a standard key lock, which, as the name implies, requires the correct key in order for the lock to open. Key locks typically use pin tumblers, interchangeable cores, or wafers, with springs providing the tension that holds them in place. Bolt cutters and hacksaws may be able to destroy locks that are made from substandard materials or are designed poorly.

Other than physical destruction, you also have the option to pick the lock. Lock picking is a skill and requires practice with the right tools. Some vendors sell lock picking kits that come with an array of tools to make the job easier, but you still need to know how to use the tools properly for them to be effective. Such kits are usually designed to pick pin-tumbler locks, whereas they may not be adequate for more advanced high-security locks. The basic process of picking a pin-tumbler lock is to use a picking tool to raise or lower a pin until it is flush with the shear line (the gap between the key pin and the driver pin), then use a torsion wrench on the lock plug to hold picked pins in place. Then, you move onto the next pin and again use a pick to raise or lower the pin until it is flush with the shear line. You repeat this process until all pins are picked, at which point you use the torsion wrench to turn the lock plug, which disengages the lock.

Not all locks use keys, however. Keyless locks like combination locks, access card locks, and biometric scanners must be either destroyed or bypassed. Simple combination locks can be brute forced with enough permutations, but access card locks and biometric scanners are difficult to bypass without the proper item or biometric profile. In these cases, you may need to think outside of the box. For example, the lock may only be active during off hours, so you can bypass it entirely by trying during a certain time. In some cases you might get lucky with a biometric lock: the product might have a high false acceptance rate (false positives) and allow unauthorized people to enter. You might even encounter doors that are physically weak or not installed properly, thus rendering their locks ineffective.
Radio-frequency identification (RFID) is a standard for identifying and keeping track of objects’ physical locations through the use of radio waves. RFID has many different applications, but in the context of physical security, it is often used with identification badges. An RFID tag is attached to the badge and contains an antenna and a microchip. A lock containing an RFID reader continuously sends a signal into the area surrounding the reader. The RFID tag’s antenna picks up this signal when in close proximity and the microchip generates a return signal. The RFID reader receives this signal and opens the lock if the signal is authenticated.

Unlike a card with a chip or magnetic stripe, an RFID badge does not need to be waved in front of the reader. It simply needs to be within a few feet of the reader, and can be inside of a bag, affixed to someone’s shirt, or otherwise physically obstructed. RFID authentication systems can support granular access control with unique badges, allowing only certain badges to open certain locks. Although a badge is technically a “key” to the RFID lock, it helps to mitigate lock picking while still requiring that the user present a specific item for authentication.

Badge Cloning

Badge cloning is the act of copying authentication data from an RFID badge’s microchip to another badge. In an attack scenario, badge cloning is useful because it enables the attacker to obtain authorization credentials without actually stealing a physical badge from the organization. Badge cloning can be done with handheld RFID writers, which are inexpensive and easy to use. You simply hold the badge up to the RFID writer device, press a button to copy its tag’s data, then hold a blank badge up to the device and write the copied data. You now have a cloned badge. What’s more, certain badge cloning tools can read badge data like any normal RFID reader, meaning the tool can be several feet away from the badge and concealed inside a bag.

Note that badge cloning is most effective on older RFID badge technology that uses the 125 kHz EM4100 protocol. This technology does not support encryption and will begin transmitting its data to any reader that is nearby. Newer RFID badge technology uses higher frequencies that increase the rate at which data can be sent and, consequently, can support encryption. These badges broadcast only certain identifying attributes, rather than all of the authentication data on the badge.

Despite the advances in security, these encryption-based badges can still be cloned with the right tools. All it takes is an Android device with NFC capabilities and a cloning app. Certain apps will contain the default encryption keys that are issued by the badge’s manufacturer. Many organizations fail to change these keys, and as a result, you can easily copy the badge’s data to a new badge through NFC.
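From the defender’s side, both the tailgating and piggybacking section and the badge cloning section above leave a trace in the access-control logs: a badge that re-enters without ever having exited (anti-passback violation) or the same badge read at two distant readers faster than a person could travel (clone indicator). The following script is an added example, not part of the original page or any vendor product; the event records, reader names and travel-time table are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample badge-reader events (not from the page): badge_id, reader, direction, ISO timestamp.
EVENTS = [
    ("B1001", "lobby-north", "in",  "2024-03-04T08:01:10"),
    ("B1001", "lobby-north", "out", "2024-03-04T12:02:05"),
    ("B1001", "lobby-north", "in",  "2024-03-04T12:40:30"),
    ("B2002", "lobby-north", "in",  "2024-03-04T08:03:44"),
    ("B2002", "lobby-north", "in",  "2024-03-04T09:15:02"),  # re-entry with no exit: tailgated out, or a clone came in
    ("B3003", "lobby-north", "in",  "2024-03-04T08:05:00"),
    ("B3003", "warehouse-b", "in",  "2024-03-04T08:07:30"),  # two sites within minutes: likely cloned badge
]

# Assumed minimum walking/driving time between reader pairs at different sites (constructed values).
MIN_TRAVEL = {frozenset({"lobby-north", "warehouse-b"}): timedelta(minutes=20)}


def parse(ts):
    return datetime.fromisoformat(ts)


def anti_passback_violations(events):
    """Flag a badge that badges 'in' at a reader while already marked inside at that reader.

    Returns a list of (badge, reader, timestamp) tuples for each violation."""
    inside = {}  # (badge, reader) -> True if currently inside
    hits = []
    for badge, reader, direction, ts in sorted(events, key=lambda e: parse(e[3])):
        if direction == "in":
            if inside.get((badge, reader)):
                hits.append((badge, reader, ts))
            inside[(badge, reader)] = True
        else:
            inside[(badge, reader)] = False
    return hits


def impossible_travel(events, min_travel):
    """Flag the same badge read at two readers faster than the assumed travel time allows.

    Returns a list of (badge, reader_a, reader_b, elapsed) tuples."""
    by_badge = defaultdict(list)
    for badge, reader, _, ts in events:
        by_badge[badge].append((parse(ts), reader))
    hits = []
    for badge, reads in by_badge.items():
        reads.sort()
        for (t1, r1), (t2, r2) in zip(reads, reads[1:]):
            limit = min_travel.get(frozenset({r1, r2}))
            if limit is not None and t2 - t1 < limit:
                hits.append((badge, r1, r2, str(t2 - t1)))
    return hits


if __name__ == "__main__":
    print("anti-passback:", anti_passback_violations(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS, MIN_TRAVEL))
```

In a real deployment the anti-passback state would be tracked per zone rather than per reader, and the travel-time table would come from the site layout; the logic is otherwise the same.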

Motion Detection Bypassing

Motion detection systems are used to detect movement in a particular area for the purposes of identifying unauthorized physical access. Such systems typically incorporate sensors that are placed at a building’s key entrances and exits in order to monitor ingress and egress. Ingress and egress sensors can use a variety of different technologies to detect motion, but most focus on detecting minute changes in the infrared spectrum. Some sensors are specifically designed to detect the human body’s infrared emissions. Others may detect when a strong infrared pattern is being blocked. More advanced sensors can be supported by algorithms that detect any deviation from the established infrared baseline of an area. However the sensor works, if it detects motion, it will likely trigger an alarm or a fail-safe mechanism, such as activating a mantrap.

Bypassing motion detection systems can be tricky, especially if they cover an entire room that you want access to, or if they “block” your path to other rooms of value. The simplest method would be to assess where the sensors are and what zones they are covering, then attempt to move while staying out of those zones (i.e., taking advantage of blind spots). Most sensors are placed in ceilings and opposite each other to cover the widest possible area. Finding a blind spot is not always feasible if the zones encompass too wide an area or you cannot identify where the sensor is.

Another method would be to place a piece of material, like cardboard, Styrofoam, or glass, over the sensor to block it entirely. If you can’t reach the sensor itself, you may be able to use the material to block your own body and minimize the infrared light you are projecting. However, this is not always effective and often requires you to move very slowly and use a large piece of the blocking material. Likewise, sensors that look for strong blocking patterns will not be fooled by either of these tactics.

Some sensors can be bypassed by focusing an infrared or near-infrared light at them. They will not necessarily detect any blocking patterns and the focused light source may be able to mask any human-based infrared emissions. Note that this will not work with sensors that use a baseline comparison.

Guidelines for Performing Physical Security Tests on Facilities

When performing physical security tests on facilities:

  • Identify the physical security controls in place at the target premises as best you can.
  • Look for low fences to entrances and other restricted areas that you might be able to go over.
  • Consider using a ladder to scale a taller fence.
  • Consider that scaling a fence with barbed or razor wire may lead to serious injury.
  • Look for dumpsters outside of buildings that may contain sensitive material the organization has disposed of.
  • Look for calendars containing passwords at the beginning of a new year.
  • Look for poorly disposed-of sensitive business documents.
  • Look for poorly sanitized storage drives and computer equipment.
  • Practice with a lock picking tool to gain enough skill and experience to pick a key-based lock.
  • Find other ways around keyless locks, like coming back at a time when the lock isn’t activated.
  • Use a handheld RFID writer to easily clone badges using insecure 125 kHz EM4100 technology.
  • Conceal a cloning tool in a bag or other container that can read badge data from several feet away.
  • Use an Android device with NFC and a cloning app to clone encryption-based badges that use the default keys.
  • Identify the area that motion sensors cover.
  • Leverage motion sensor blind spots to move through a building.
  • Consider using a piece of material to block a motion sensor, like cardboard.
  • Focus an infrared light on a sensor to fool it into believing the area is at an acceptable level.
