Posted by Chris Easton on Thursday, May 24th, 2018
In this example, Dave, our red team engineer, will attempt to gain physical access to a company’s server room by pretending to service the air conditioning.
Dave has picked the perfect day: The sun is shining, it’s the Friday before a bank holiday weekend, and everybody around him is in high spirits. Dave knows that on a Friday, people are less aware of their work duties and processes and more focused on the weekend that awaits them.
Dave starts his attack with some recon, identifying the common lunch hours and how staff present themselves and verify their identity. He notices that staff go to lunch between 12 and 1 p.m. and wear a blue lanyard with a badge holder. Visitors wear a red lanyard with a paper badge. Dave also notices that the air conditioning units sitting outside the building are covered with stickers from the manufacturer Airwoo. This gives Dave a pretext for his attack.
Dave visits the reception desk of Acme Company on the following day at 11:45 a.m., informing the receptionist, Sue, that he is from Airwoo to do regular maintenance and servicing of the air conditioning units in the building. Sue calls down the company maintenance employee, Robin, and lets her deal with Dave. Dave repeats what he’s told Sue (to keep the story straight), and without any verification of his ID, Robin gives Dave a guest pass and provides him with a key fob that will give him access to all areas. Dave has to sign in, but he uses a fake name and doesn’t provide any ID to prove he is from Airwoo or that his name is actually Dave.
Once Dave has the pass and access fob, Robin directs him to the maintenance room with all the equipment. Dave knows that Robin will soon leave because it’s lunchtime, and Dave is right. Robin soon announces that she’s leaving for lunch and gives Dave a contact number to use while she is away.
Now that Dave is left alone, he walks around the office with his high-vis vest, toolbox, and lanyard until he finds the oh-so-helpfully labeled door “Server Room Authorized Access Only.” Dave swipes his fob and is greeted by a pleasant bleep followed by a green light and the door unlocking. Dave is now in the server room.
Dave doesn’t want to spend all day in the server room digging through and harvesting sensitive files. Instead, he connects a small device straight to the company’s network and plants it between the server racks. This remote device has mobile data capabilities. Once powered on, it opens a remote SSH session to a server owned by Dave.
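Because the planted device phones home over mobile data rather than the corporate internet link, perimeter egress monitoring never sees it; the one place it does leave a trace is when it takes an address on the server-room network. As an added example (not from the original post), the script below checks DHCP server log lines against an asset inventory and raises an alert for any lease on the server VLAN whose MAC address is not inventoried. The log format, VLAN name, MAC addresses and inventory are all constructed for illustration.

```python
"""Flag unknown devices leasing addresses on the server-room VLAN.

Added example, not from the original post. The log lines below follow a
constructed, simplified dhcpd-style "DHCPACK" format; the VLAN name and
the asset inventory are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample DHCP server log (not from the original post).
SAMPLE_LOG = """\
May 25 12:03:11 dhcp1 dhcpd: DHCPACK on 10.10.20.14 to 00:1a:2b:3c:4d:5e (web-01) via vlan20
May 25 12:05:47 dhcp1 dhcpd: DHCPACK on 10.10.20.15 to 00:1a:2b:3c:4d:5f (db-01) via vlan20
May 25 12:16:02 dhcp1 dhcpd: DHCPACK on 10.10.20.77 to de:ad:be:ef:00:01 via vlan20
May 25 12:18:30 dhcp1 dhcpd: DHCPACK on 10.10.30.9 to 00:1a:2b:3c:4d:70 (laptop-17) via vlan30
"""

# Assumed asset inventory: the only MACs authorised on the server-room VLAN.
SERVER_ROOM_VLAN = "vlan20"
KNOWN_SERVER_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

# DHCPACK line: IP, MAC, optional "(hostname)", then the interface/VLAN.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<vlan>\S+)",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Alert:
    ip: str
    mac: str
    hostname: str
    vlan: str

def find_rogue_leases(log_text, vlan=SERVER_ROOM_VLAN, known=KNOWN_SERVER_MACS):
    """Return an Alert for each lease on the watched VLAN whose MAC is not inventoried."""
    alerts = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m or m.group("vlan") != vlan:
            continue  # not a lease, or not on the VLAN we care about
        mac = m.group("mac").lower()
        if mac in known:
            continue  # inventoried server, nothing to report
        alerts.append(Alert(m.group("ip"), mac, m.group("host") or "<none>", m.group("vlan")))
    return alerts

if __name__ == "__main__":
    for a in find_rogue_leases(SAMPLE_LOG):
        print(f"ALERT unknown device on {a.vlan}: {a.mac} got {a.ip} (hostname {a.hostname})")
```

A lease with no hostname on a VLAN where every legitimate host is named is itself a useful signal; the same check can be run against switch port-security or 802.1X logs where those exist.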
Dave knows not to stick around long. He packs up his stuff, leaves the server room, and heads back to reception. He informs Sue that he needs a part for one of the units and will return shortly.
Dave then gets back into his van, drives to the nearest coffee shop, and logs into his server remotely from his laptop, gaining a foothold in the network of Acme Company.
Later, once Dave has gained another foothold in the company that doesn’t require his device, he returns to Acme with the “new part” and is again provided a fob and lanyard. He goes straight to the server room, disconnects his device, and gets out before anybody questions him.
During his carefully executed plan, Dave was able to:
Dave was able to gain full control of the network simply by putting on a high-vis vest and pretending to be from the company whose labels covered the air conditioning units outside. There were many ways he could have been stopped, but nobody once asked Dave what he was doing, even though over 200 people worked in the office.
He also didn’t need to show ID to anybody, not even the receptionist, Sue, or the maintenance employee, Robin. Sue assumed that Robin knew about the servicing and let Robin handle it.
Robin was, unfortunately, a new member of staff who wasn’t aware of the annual servicing schedule and didn’t fact-check before accepting Dave into the building.
Dave gained access twice, with zero verification of his identity. He was also provided with a master key fob to the entire building without supervision.
All members of staff should have the confidence to ask any individual who they are and what they are doing there. This doesn’t need to be aggressive: “Hey, I haven’t seen you around here. I’m Chris, and you are?”
Members of staff should be trained to report anybody who looks suspicious at the earliest opportunity, especially if the individual, like Dave, is accessing restricted areas.
Reception should verify identities when contractors and guests sign in. If a contractor is not expected, someone should contact the contractor’s office at the number listed on its website or stored in the company’s address book, not the number that the unexpected contractor provides.
Dave was left to wander the office unattended with a master key fob. Somebody should have supervised Dave while he performed his work, especially in restricted areas.
Finally, Dave was quickly able to identify the server room because of the big sign on the door. This convenience doesn’t just help staff; it helps attackers too.
Physical security threats should be explained and discussed in mandatory user awareness training, making it clear that challenging the presence of unknown people on-site is acceptable and encouraged.