This post will be a real story about getting into a high security facility and more importantly how I managed to use a tiny paper crane to bypass security and get into a coveted R&D lab.
While my little paper friend certainly did not manage to do all the work for me, it was pivotal in getting me past the final security barrier.
Before you read this story, I encourage you to think how such a tiny thing, made out of simple paper, could possibly manage to get me past an access control system that required both an ID card & PIN.
Step 1: Reconnaissance
For this engagement, I began my recon as always, scouting the target building for details that would help me plan my approach. Immediately, I noticed it was a shared building, home to multiple companies and organizations.
Shared office spaces are often easier to navigate discreetly because they host a rotating population of employees from various businesses, making it harder for anyone to recognize who "belongs" and who doesn’t.
The ground floor also hosted a public-access café—perfect for conducting embedded reconnaissance without raising suspicion. I spent hours here, sipping coffee, observing employees and guards, studying movement patterns and, very importantly, noting that there was a nightly cleaning staff that made the rounds every evening … this will be important later.
The open environment provided cover to note critical details such as: when employees entered and left, where they wore their badges, and how the access control systems operated, among other things.
With a long-range badge reader hidden in my backpack and shoulder bag, I could capture badge data from a few feet away, at the two prime locations employees carry badges: around their necks and on their belts.
When an employee of my target company would come into the cafe, which many of them did fairly often for their caffeine and muffin fix, they would be wearing their ID badges, which I was able to see at enough of a distance to make my next move.
If an employee was wearing a badge as a necklace, I would throw my backpack on my back, pointed behind me, and get to the counter first ... stalling a bit, not quite sure what drink I wanted ... taking my time, all the while having the employee with their coveted badge standing right behind me.
If they were wearing their badge on their belt, I would grab my shoulder bag, carry it as a briefcase and pull the same trick. This method, over a few days, got me 5 badge reads, and now I had a few badges I could use to get upstairs.
Step 2: Getting to the Correct Floor
With the recon data in hand and badge scans secured, my next goal was to get to my specific target floor. From the floor-by-floor printout in the building lobby I knew my target was on a specific floor towards the top of the building, and by observing employees, I learned that the Physical Access Control Systems (PACS), despite having a badge reader and keypad, relied solely on badge scans, which I now had.
Once on the correct floor I moved about, blending in, and was able to accomplish a few things like locating printer & server rooms and even planting a few bugs. But in order to accomplish my ultimate goal, getting into the R&D lab, which looked like a tiny area with a few dedicated people, I wanted to wait for nightfall ... to have the office to myself.
The R&D lab I noticed had its own access control system, also with a keypad …
In my experience, many times when an access control system has the options for a card & PIN, but the PIN doesn’t seem to be in use by employees during the day, it means the PIN will become active and required after work hours.
The Problem
I wanted the R&D lab to myself at night time to avoid having to blend in with a very small group of people who all knew each other and worked in a small, isolated lab each day, which would make blending in difficult.
While I had 5 ID badges, I did not have a single PIN code that went along with them. So my main options were:
Go into the R&D lab during the day with one of my badges (hopefully one of them would work), but the entrance to the room was where everyone could see, so if I started trying badges and none worked I might be burned.
Go in at night, when the building is empty, and try to bypass the door via latch slipping, under-door tools, etc … I liked this option more.
Keep in mind that if my assumption about the time-activated PIN code was correct, I would not be able to breach the building at night because I wouldn’t have the PIN … well, not as easily. But if I were already on the specific floor when the PIN code was activated, it wouldn’t really matter, because I was already where I wanted to be.
Step 3: The Tactical Bathroom
I previously wrote about the wonders of the “tactical bathroom” and how hiding yourself in one for way too many hours often grants you access to an empty building, so long as certain conditions are met, mainly that there exists a cleaning staff that will appear that evening and turn off all the alarms.
So, just before EOD, I chose one of the many private bathrooms on the target floor as my hiding spot, waiting for employees to finish up for the day. P.S. this does mean you will likely be in here for many hours, so come prepared.
I timed it to emerge around 6 p.m., when I expected the office to be mostly deserted. However, my plan took an unexpected turn when a cleaning woman knocked on the locked door, needing to service the room.
Thinking fast, I feigned a stomach bug as I stepped out. The cleaner had an accent that sounded Turkish, which sparked an idea, one which I had used on several occasions before.
I engaged her in conversation, mentioning I was new to the country and job. Her face lit up when I expressed interest in one day traveling and exploring Turkey, and we bonded over shared stories of travel and she told me all about her homeland and how much she missed it. I asked her what things she liked most about Turkey and she told me about how she loved to cook traditional Turkish dishes, to which I flattered her and admitted I couldn’t cook to save my life but one day hoped to learn.
Having pivoted the conversation to travel, and built up some rapport, I was halfway to my social engineering goal. Keeping on travel, I next pivoted the conversation to Japan, mentioning I had lived there for a while as a boy and while I certainly could not cook a Japanese meal, I had acquired a useless skill in folding tiny origami cranes (and yes they are rather tiny).
Step 4: The Paper Crane Trick
The mention of origami worked like a charm. The cleaner was intrigued by the idea of a tiny paper crane, and I promised to fold one for her sometime and prove I wasn’t lying about how tiny they were.
At this point I mentioned we should both finish our work so we could go home, thanked her for the stories about Turkey and said goodbye, after which I resumed my work on the floor, discreetly setting bugs, snapping photos, and picking a few locks. However, the R&D lab—the ultimate prize—was still off-limits.
Some time later, I noticed the cleaner inside the R&D lab, emptying trash and vacuuming. I quickly folded a miniature paper crane and approached the door, tapping on the window to get her attention.
I smiled and held up the crane, to which she laughed and opened the door to accept the gift. She thanked me and, while laughing, did admit that the tiny folded creature was indeed tiny.
As she turned to finish her work, I subtly placed a piece of tape over the door latch, preventing it from fully closing and then walked away. Waiting some time for her to finish her work in the lab, I then simply pulled the door open and walked inside, free to complete my mission with no one the wiser.
The Takeaway
Security has three components:
Compliance - the tools to keep you safe
Defense - how those tools are used
Offense - a reality check for the defense
When you are playing the role of offense, think outside the box, think creatively and don’t be afraid to try something out of the norm. Remember that there is no such thing as “out of scope” for real attackers.
While it was possible to have bypassed the R&D door in another way, this was an example of how there are always other, out of the box approaches that can work.
And while I am confident that no Defense team has a standard operating procedure for preventing tactical tiny paper cranes, the Offensive team can always come up with some wild, out of the box ideas on how to bypass your security and compromise your system.
Reality can be wild, unexpected and surprising, and it’s why the Offensive team is the reality check.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.