Ethical Hacking: all about physical intrusions
To carry out a technical audit (or a pentest), our experts also target the premises… just like cybercriminals do.
Entering through the front door
Physical intrusion is an attack phase in which an attacker breaks into a company’s premises by various means. The objective of this phase is to gain initial access to the target, especially if other attempts have failed (phishing, Internet attacks), because the objective can only be reached physically, or simply because it appears easy to carry out.
Often neglected in the security of an information system (IS), the possibility of a physical intrusion nevertheless offers attackers an effective means of directly accessing a company’s IT equipment and of using its network access to carry out various internal attacks.
This gives the attacker direct access to all internally reachable resources, bypassing every perimeter security measure in place (the line of defense between the Internet and the company’s internal network): network firewalls, application firewalls, and the other equipment and configurations meant to stop an attacker from crossing that border.
It can also give an attacker access to users’ fixed workstations, which generally have a lower level of protection than mobile workstations because they are considered less exposed. Moreover, physical access to the company’s servers can allow the attacker to shut down the IS outright by sabotaging the hardware.
Preparing for the physical intrusion
How do I go about it?
A targeted physical intrusion, as practiced by our experts, first involves a preparation phase. This phase is particularly important because it maximizes the chances of success of the mission. It consists mainly of reconnaissance and information gathering, in order to uncover as many entry vectors as possible and to refine the scenarios that will then be put in place.
The Internet is the main source of information for this stage. We distinguish three main types of sources.
OSINT (Open-Source Intelligence): this is all data that is freely available. For example, we can cite the company’s institutional website, public tenders – in particular for construction or security projects – press releases, or the list of the company’s suppliers.
SOCMINT (Social Media Intelligence): this is all the data available on social networks. Useful information can be found both in the communication of a company’s official accounts and in the public publications of employees (holiday dates, photos of the premises during after-work, photos of the badge obtained on the first day of work, etc.).
GEOINT (Geographic Intelligence): this is the geographic information exposed by sites such as OpenStreetMap, Google Maps, Geoportail… These sites allow the retrieval of numerous views of the target, both aerial and street shots, and sometimes even the interior of the premises or campus.
This approach is usually complemented by one or more physical surveys, directly on-site and in the vicinity.
What information are we looking for?
Among the information collected, the most interesting are the following:
- The geographical layout of the premises and surroundings: are the premises shared? Is there access to the floor plans of the premises? Are the premises in a remote location? In a business district? How many entrances does the building have? Is there a car park, a delivery area, a company restaurant?
- Security measures in place: Is there a reception or security staff? A gate? An individual badge reader? Cameras? A precise protocol for visitors?
- Service providers: Which service providers have regular access to the premises (maintenance, distributors, catering, etc.)? What are their hours?
- Network: Are there network outlets available outside the perimeter? Is Wi-Fi accessible from the surrounding area? Is it properly configured?
All this information is then aggregated and used to set up one or more intrusion scenarios.
The realization of the physical intrusion
Physical intrusion methods can be classified into three categories. These categories are complementary and must be combined to maximize the chances of success of a mission.
The first category concerns social hacking (or social engineering) and is therefore based on the human factor. This is the most difficult aspect for a company to master and is therefore often the most effective way to penetrate the targeted premises. Social hacking consists of deceiving the vigilance of the company’s personnel so as not to arouse suspicion, or even, in the best of cases, obtaining help from employees. For example, some successful scenarios involve posing as an IT service provider who needs access to the server room to perform an update.
The second category, known as physical hacking, consists of circumventing physical protection measures. Many techniques exist for this, such as picking locks to open locked doors or lockers. Methods to disable alarms or open emergency exits from the outside are also used. The simplest (but most reliable) technique, however, is tailgating: the attacker takes advantage of a door left open (or held open out of courtesy) by an employee who has access, especially when that employee returns from a break. This is particularly effective at auxiliary entrances, where a single person badges in and then opens the door for a group of colleagues.
The last category is digital hacking. One of the main attacks in this area is to create a duplicate of an employee’s badge. Depending on the technology used, it can be very affordable to clone a contactless access badge (RFID) in a reasonable amount of time, using dedicated equipment hidden in a computer bag, for example. All you have to do is walk by the target (in a corridor or a subway train, at the reception desk, or the exit of the company) to obtain the badge’s data and then to create valid access to the premises.
This category also includes all the logical intrusion techniques that are deployed after a successful physical intrusion. At the network level, it is possible to place an implant providing remote access to the target’s internal network. If needed, this implant can bypass the network access control mechanism (802.1X) thanks to the dedicated Fenrir project. At the workstation and server level, the goal is to install backdoors by exploiting various weaknesses that physical access to the machine makes exploitable:
- Unlocked and unattended workstation(s).
- No hard drive encryption.
- Lack of BIOS (Basic Input Output System) protection.
- DMA (Direct Memory Access) attack.
- Default PXE (Pre-boot Execution Environment) configuration.
- Hardware keyloggers, some of which transmit captured keystrokes via Wi-Fi or 4G.
Physical intrusion by Orange Cyberdefense experts
Physical intrusion audits can be performed as a separate pentest. However, they are usually included in Red Team technical audits as an effective way to gain access to a company’s IS and data.
During a Red Team operation, the company is targeted by our experts, who try to break in using realistic techniques employed by cybercriminals, over a period that can extend from one to several months. A multitude of vectors is used, such as the exploitation of services exposed on the Internet, spear-phishing (a highly customized phishing technique based on social engineering), telephone calls to extract information from employees, or physical intrusion into the premises.
The exact date of the intrusion is generally not communicated to the client’s teams, in order to preserve the element of surprise and to evaluate, under real conditions, the security teams, the quality of the processes in place, and how well they are followed. The objectives are set in agreement with the client and vary according to its needs.
Some are fairly generic, such as simply dropping our network implant or USB keys carrying a malicious payload within the premises. Other requests can be more specific, such as attacking a particular restricted area like an archive room or a data center, stealing paper documents, recovering mathematical algorithms, etc.
Physical intrusion: examples of missions conducted
Here are some examples of intrusions we have performed on behalf of our clients.
Example 1: Intrusion facilitated by lack of perimeter control
The objective was to compromise the company’s IS as part of a Red Team mission. After the reconnaissance (scouting) phase, a first intrusion was attempted through the company’s parking lot. Once on-site, the auditor was able to access the company’s data center via an unlocked door reachable directly from the parking lot. From there, he was able to stay long enough to compromise the entire IS, introduce a backdoor, and leave the premises undetected.
Example 2: Intrusion facilitated by weak access control and lack of staff vigilance
After a short wait at the main entrance of the company, the auditor was able to enter the premises by following an employee (tailgating). Since the staff at the reception desk did not react despite the absence of a visible badge, the auditor was able to move freely around the premises, take a few photos, place and conceal a network implant at a printer, and leave by the same method. Despite these physical security flaws, the company’s IT security team (the Blue Team) detected an attack from the implant on the network a few days later. Without their vigilance, this short intrusion would have been enough to compromise the entire IS.
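The detection in Example 2 depends on the Blue Team noticing a device on the network that nobody installed. The script below is an added illustration of that kind of check and is not code from the original article or from Orange Cyberdefense: it compares switch port/MAC observations against a device inventory and flags MACs that are not inventoried, inventoried MACs seen on an unexpected port, and ports that carried more than one MAC (a heuristic for an implant sharing a printer’s drop). The log layout, the inventory and the addresses are constructed for the example; a real deployment would feed it DHCP leases, switch MAC tables or NAC events in their own format.

```python
"""Flag unexpected devices in switch/DHCP observations against a device inventory.

Added example. The log layout ("timestamp port mac ip"), the inventory and every
address below are constructed for illustration; they are not a vendor's format
or values from the original article.
"""
import re
from collections import defaultdict

# Constructed inventory of authorised devices: MAC -> (hostname, expected port).
INVENTORY = {
    "00:11:22:33:44:55": ("print-floor2", "Gi1/0/12"),
    "00:11:22:33:44:66": ("ws-alice", "Gi1/0/3"),
    "00:11:22:33:44:77": ("ws-bob", "Gi1/0/4"),
}

# Constructed observations: a new MAC shows up on the printer's port mid-day,
# then the printer's own MAC reappears on the same port.
SAMPLE_LOG = """\
2024-03-01T08:02:11 Gi1/0/3 00:11:22:33:44:66 10.0.2.31
2024-03-01T08:05:40 Gi1/0/4 00:11:22:33:44:77 10.0.2.32
2024-03-01T08:07:02 Gi1/0/12 00:11:22:33:44:55 10.0.2.50
2024-03-01T12:41:19 Gi1/0/12 aa:bb:cc:dd:ee:ff 10.0.2.51
2024-03-01T12:41:55 Gi1/0/12 00:11:22:33:44:55 10.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<port>\S+)\s+(?P<mac>[0-9a-f:]{17})\s+(?P<ip>\S+)$", re.I
)


def parse_log(text):
    """Parse the assumed one-observation-per-line format; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()  # normalise case before inventory lookup
            events.append(d)
    return events


def find_anomalies(events, inventory):
    """Return a deduplicated list of (kind, port, detail) findings.

    unknown_mac : MAC absent from the inventory
    wrong_port  : inventoried MAC seen on a port other than its expected one
    multi_mac   : port that carried more than one MAC (possible inline device
                  bridging the legitimate one; a heuristic, not proof)
    """
    findings = []
    seen = set()
    macs_per_port = defaultdict(set)
    for e in events:
        macs_per_port[e["port"]].add(e["mac"])
        entry = inventory.get(e["mac"])
        if entry is None:
            f = ("unknown_mac", e["port"], e["mac"])
        elif entry[1] != e["port"]:
            f = ("wrong_port", e["port"], e["mac"])
        else:
            continue
        if f not in seen:
            seen.add(f)
            findings.append(f)
    for port, macs in sorted(macs_per_port.items()):
        if len(macs) > 1:
            findings.append(("multi_mac", port, ",".join(sorted(macs))))
    return findings


if __name__ == "__main__":
    for kind, port, detail in find_anomalies(parse_log(SAMPLE_LOG), INVENTORY):
        print(f"{kind:12} port={port:9} {detail}")
```

Two findings come out of the sample: an unknown MAC on Gi1/0/12 and two MACs on that port. Neither is proof of an implant on its own (a replaced printer or a conference-room laptop produce the same signals), which is why the output is meant to open a ticket that someone walks over to verify, exactly the kind of follow-up that exposed the implant in Example 2.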
Example 3: Successful intrusion by creating a copy of an access badge
After settling into the reception area of one of the target company’s buildings, out of view of the cameras thanks to prior scouting, the auditor intercepted several employees carrying RFID access badges to the company. He presented himself as a service provider who had to carry out a verification of badge updates, and was thus able to compromise those badges with dedicated equipment.
In addition, thanks to information gathered on social networks, the badge’s visual design could be reproduced identically, giving our teams functional and realistic copies of the access badges to the premises. These were used to enter the premises without arousing the slightest suspicion, and the confidential documents requested were recovered. Once on-site, the auditors also compromised several user workstations using the BadUSB attack, which exploits an inherent vulnerability in USB firmware. With the help of a dedicated USB key, this attack simulates a keyboard and “types” a series of pre-programmed commands at very high speed.
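The “types at very high speed” detail in Example 3 is also what gives a BadUSB device away on the endpoint: no human sustains dozens of keystrokes with a few milliseconds between them. The function below is an added defender-side illustration, not code from the original article or from Orange Cyberdefense, of a timing heuristic that an endpoint agent could apply to keystroke event timestamps. The timestamps are constructed, and the thresholds (20 ms between keys, 20 keys in a run) are assumptions a deployment would tune against its own users.

```python
"""Heuristic detector for scripted keystroke bursts (BadUSB-style injection).

Added example. The keystroke timestamps are constructed, and the thresholds
are assumed starting points, not figures from the original article.
"""

# Constructed keystroke timestamps in seconds.
# HUMAN_TYPING: eight keys at a realistic human rhythm (roughly 5-8 keys/s).
# SCRIPTED_BURST: forty keys delivered 5 ms apart, as an injected command would be.
HUMAN_TYPING = [0.00, 0.15, 0.31, 0.44, 0.62, 0.80, 0.91, 1.10]
SCRIPTED_BURST = [10.0 + i * 0.005 for i in range(40)]


def keystroke_bursts(timestamps, max_interval=0.02, min_keys=20):
    """Return (start, end, count) for each run of at least min_keys keystrokes
    in which every consecutive interval is at most max_interval seconds.

    timestamps must be sorted ascending; an empty list yields no bursts.
    """
    bursts = []
    run_start = 0
    n = len(timestamps)
    for i in range(1, n + 1):
        # A run ends at the last event or when the gap to the next key is too long.
        if i == n or timestamps[i] - timestamps[i - 1] > max_interval:
            count = i - run_start
            if count >= min_keys:
                bursts.append((timestamps[run_start], timestamps[i - 1], count))
            run_start = i
    return bursts


def is_suspicious(timestamps, **thresholds):
    """True if any burst is found; the caller decides what to do with the device."""
    return bool(keystroke_bursts(timestamps, **thresholds))


if __name__ == "__main__":
    session = HUMAN_TYPING + SCRIPTED_BURST  # human typing, then an injected burst
    for start, end, count in keystroke_bursts(session):
        print(f"burst of {count} keys from t={start:.3f}s to t={end:.3f}s")
```

On the combined sample, the human run of eight keys is ignored while the forty-key burst is reported. A real agent would pair this with the USB device identity (a “keyboard” that enumerated seconds earlier is the more telling signal) and with allow-listing of known HID devices, since the timing heuristic alone can be defeated by slowing the injection down.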
As we have seen, protection against physical intrusion depends on physical protection measures, surveillance, procedures and how well they are followed, but also on the level of awareness of employees and service providers.
To avoid such pitfalls, it is recommended to ask yourself the following questions:
- Could a malicious person enter your premises without clearance?
- Which business systems and applications could they access?
- What secrets could they recover?
- What would be the impact on your company?
Orange Cyberdefense experts can help you to answer these questions and advise you on how to secure your premises. Do not hesitate to contact them!