Lately, I’ve been drawn to do some desk research and limited hands-on testing of physical security measures. I’ve written about this subject before, you can find the article here. However, that article was written from the perspective of using social engineering to get into target locations during day time. Which was always lots of fun to do!
This time I was much more wondering about, what if you want to get in at night, while all the security measures are in place? If you wonder why, well for one because it is fun to do this type of breaking & entering legally and also because there are a ton of gadgets or potential gadgets.
This blog is mostly intended to make sure I don’t forget about all kind of possibilities to break in to facilities while all the security measures are enabled. Always useful to talk to yourself in written form right (hence the feeling that it might feel like ramblings, if you decide to read on)? This blog is not intended to determine if physical attacks are the most appropriate attacks to execute, since most attackers nowadays are doing almost everything remote. At least that is the current view on threat actors as far as I can tell from public sources.
Keep in mind that I’m no expert on this subject and that most of these options have only been desk researched and others are sort of a hobby for me. Basically: I am pretty sure I’m gonna be wrong in a couple of places. Feel free to leave better suggestions in the comments.
- Protection categories / levels / grades
- Physical damage makes life easier
- Reconnaissance & technical understanding are key
- Cables are underrepresented
- Tempest / physical clamping is underrepresented
- Alarm (detector) bypasses
- Seeing through walls/plastic works
- Miscellaneous
- References
Protection categories / levels / grades
In contrast to the digital security field, there are (depending on the country) different guidelines on the levels of protection offered by the security measures. For example things like locks, glass, alarm detectors, alarm connections etc have varying levels of protection. Which in turn makes it much easier for a lay person to make an informed decision, but without necessarily being properly aware of the actual risk being accepted. Or phrased more direct, how easy is it really to bypass lower category/level security measures? This type of information is not always present. Here is an example grading systems for alarm systems, the neat part is that the grade of the overall system is graded based on the component with the lowest grade. The testing standards for these system do provide a lot of information on potential bypasses.
Physical damage makes life easier
Yes, this doesn’t fit all kind of different attack scenarios. Still, it makes me wonder on things like, facilities protected with strong locks, but with a lot of glass (not even special glass). If you can cut through the glass or just break it, if there is no alarm system why bother with the lock? Bad idea if you are going for stealth, interesting idea if you just want to steal a specific object, piece of information etc.
A less extreme example is lock tampering where you can break, pull, drill most locks in different manners. Which goes back to the whole grading system I observed earlier, it seems that companies consciously have lower grade and deem it good enough.
Reconnaissance & technical understanding are key
This one is luckily very familiar from the digital security domain. With good reconnaissance either on the facility or on the security measures themselves you can save yourself a lot of trouble. I wrote on reconnaissance in the previous blog, the part that really got me going now was understanding how Passive Infrared (PIR) sensors actually work, or how magnet door open detections work or how radar based detectors work. There is no substitute for trying out yourself and reversing the mechanics based on the desk research that I’ve done so far. Which is pretty similar to understanding how for example an Endpoint Detection & Response (EDR) systems work or reversing a specific Windows feature to understand the inner workings better.
Cables are underrepresented
Cables that carry interesting information are less protected than you’d think. For example the twisted pair cables that carry a lot of the traffic, the cables that handle the Physical Access Control (PAC) systems, the camera cables and sometimes even the alarm system cables. Yes, for high security environments this is probably correctly installed and not accessible. However, last couple of weeks/months I’ve been paying more attention and it seems that a lot of cables are either directly accessible or accessible by drilling from the unsecured part of the target facility. Got no clue, how feasible it is to do this at 3AM, depending on other security measures, still interesting observation from my point of view nonetheless.
Tempest / physical clamping is underrepresented
Attacks where you physically attach cables to another cable are actually not that impossible as I thought, same goes for attacks that use tempest. Yes, the higher speeds make it more challenging and you need more expensive equipment, but it’s not like it is totally inaccessible.
Something I haven’t been able to find is physical clamping devices that just transmit the signal. I got no clue if that’s because it’s infeasible from an electrotechnical perspective or because the idea just doesn’t make sense.
Oh and, yes fiber cables can also be tapped, which is pretty fun and seems way less convoluted than I anticipated as well. Interesting to see how much is going on in the fibre tap / detect / prevent market and the type of solutions that you can find.
Alarm (detector) bypasses
This is one of the few that I tried out together with a colleague, since there is some information on it, but not really on what works and what doesn’t. So we just used one of those ‘gold and silver mylar thermal blankets’ (gold side towards us) and started to walk slowly in front of an alarm detector with PIR & Radar capabilities. To our surprise this worked! Not a 100% reliable, but sort of good enough? Specially since we had improvised the holding of the blanket and didn’t really think it through. A better approach would have been to use a FLIR camera to first determine how to properly reduce the infrared signature before just yolo-testing it out. I still don’t understand why it also worked on the radar part of the detector.
There are alarm bypass trainings out there, just not sure if they teach you to bypass the sensors in similar manners or if they are more aimed at exploiting either detection threshold/logic errors or bypassing them physically if you can tamper with them.
For wireless alarms it gets interesting, since there are cases of burglars using jammers as well as SDR attacks that capture the signal and just repeat the signal. This last one concerns detectors that send out a ‘every second’ type of signal indicating that nothing was detected, if you flood those messages than the ‘I detected message’ never gets through, in a sense also a sort of jamming.
Seeing through walls/plastic works
Bit divided, seems like you can ‘buy’ see through wall radars, but by the looks of it, it also seems like you might be ‘validated’ before being allowed to buy one? Then again I haven’t tried to buy one from ‘cheap/scammy’ websites to see if they’d deliver and if they’d actually work.
All of this, cause I wanted to know how to find magnetic detectors and the placement of cameras and alarm detectors. You don’t always need fancy see through wall radars, but it sure was fun to see if they might be accessible? Sometimes a simple magnet or those construction things to detect cables is good enough. Also, most of the times, it seems that placing alarm detectors in the corners is the preferred spot anyhow.
As for seeing through plastic, I’m still not entirely sure what the best approach is, but it seems that it is possible. Using FLIR technology and maybe portable X-Rays? Reason for looking into this is due to knowing if there are any tamper detection pins on things like badge readers, alarm detectors, the alarm control itself etc.
Miscellaneous
There are a lot, no seriously, a lot of tools to bypass locks, remove hinges, go under the door etc. Also a lot of information on weaknesses on specific locks and how to exploit them. There are also a lot of fun things in the realm of microphones like vibration microphones, laser microphones etc.
Surprisingly or maybe not so much the counter IED and counter terrorism fields, also have a lot of interesting information on this subject of breaking & entering.
References
The following URLs are not an endorsement of the products or the vendors. These are just some of the results while looking around for what is currently available out there. Maybe it helps others to also go down fun rabbit holes :)
- https://covertaccessteam.substack.com/
- Fiber taps
- Tempest/clamping attack
- Bypassing magnetic door sensors
- Bypassing motion sensors
- https://www.youtube.com/watch?v=9oZLnDa-UkI
- https://www.youtube.com/watch?v=qZGVbNJrsIk
- https://dsiac.org/technical-inquiries/notable/defeating-passive-infrared-motion-sensors/
- https://www.researchgate.net/publication/326010538_Testing_of_Detection_Characteristics_of_the_Passive_Infrared_Motion_Detectors
- https://www.youtube.com/watch?v=rofpPi-ApzI
- See through stuff
DiabloHorn 