There are many instances in my career where I have encountered a new lock, access control system or alarm I had not previously seen before. Often this happens when traveling abroad to a region I don’t operate in, but there are also occasions I have been surprised in my local area during a job.
Being able to identify a system (lock, PACS, etc.) and, more importantly, already know its weaknesses and strengths will help you immensely during an engagement. Your time as a pentester is extremely limited: the client wants to pay for as little of your time as possible while still getting quality, which means you don't have a lot of spare hours to reverse engineer or dissect a new device looking for bypass methods.
This is why I STRONGLY encourage every pentester to purchase, or at least get their hands on, as many of the systems that are popular in their region as possible, plus whatever the most popular global models are.
Understanding Your Local Landscape
Every region has its own set of commonly used security systems. These vary for cultural, economic, or legal reasons. For instance, the type of locks used in Europe can differ significantly from those in North America. In Denmark, for example, 90% of door locks will be a Ruko-style Euro cylinder.
As a professional in this field, it's your responsibility to familiarize yourself with these regional peculiarities. This knowledge is not just academic; it's practical. Knowing the ins and outs of the systems you're likely to encounter during a test in your area can be the difference between a successful penetration test and a failed one.
If you had never encountered a replaceable Euro cylinder lock before, you may not be aware that it is possible to snap the lock in half while it is still in the door to gain entry (or even to replace the lock with one of your own).
Going Global: Learning About International Standards
While regional knowledge is crucial, it's also important to have a grasp of the global standards. This is especially true in an increasingly globalized world where multinational companies often implement standardized security systems across all their locations. Familiarizing yourself with these systems ensures you're prepared, no matter where your services are required.
For example, OTIS is one of the largest elevator brands in the world. If your engagement requires you to abuse or take over an OTIS elevator, it would be very beneficial if you already knew that you can get into most OTIS elevators with the FEO-K1 key.
Hands-On Experience: The Key to Mastery
Reading about locks and alarm systems is one thing, but nothing beats hands-on experience. Here's where your initiative comes into play. Invest in purchasing common locks, access control systems, and alarms from platforms like eBay, Amazon, or other vendors. These don't have to break the bank; many affordable options can provide you with the practical experience you need.
It is often not enough to be aware that a vulnerability exists within a system; you need to have actually practiced abusing it. If you watch 1,000 lock picking videos but have never tried it yourself, you may have a vast amount of knowledge but zero experience, and it will show when you're on an engagement trying to pick your first lock under pressure.
Dissect and Learn
Once you have these systems, take them apart. Study them. Understand how they work, their weaknesses, and their strengths. This hands-on experience is invaluable. It allows you to understand the physical and mechanical aspects of these systems, giving you insights that theoretical knowledge alone cannot provide.
Here is an example of a self-contained access control system that can actually be dissected from the insecure side of the door. I have seen this exact door handle PACS on more than a few engagements at this point, and knowing that this setup can be abused means that, as soon as I see it, I already know at least one method for gaining entry.
Having played with this system multiple times, I know exactly how to take it apart and exactly what to do to abuse it, which means I can do it quickly in the field.
Training for Real-World Scenarios
By practicing on these systems, you're essentially simulating real-world scenarios. This is crucial in physical penetration testing, where theoretical knowledge must be complemented with practical skills. Knowing a lock's limitations, the type of equipment that works against a particular access control system, and the ways to bypass certain alarms are skills that can only be honed through practice.
While picking a lock or cloning a badge at home can be fun and educational, I highly recommend attempting to do it under stress. You may find that, after a lot of practice, you can decode a keybox in under a minute, but the first time you attempt it in public on a real engagement you may find that you are too nervous or shaky to actually pull it off.
I have personally seen absolute experts in RFID cloning act as though they've never touched a cloning device before when they are put into a real engagement and have to social engineer someone while simultaneously cloning their badge.
Real-World Example
Having done your embedded recon, you have discovered that during the day the front desk often has valid RFID cards for cleaning staff sitting just behind the desk that you could grab and clone. There are typically 2-3 front desk staff present at any moment, and the lobby has very heavy foot traffic.
Your goal is to steal or otherwise copy one of the RFID badges lying out just behind the front desk. Your assets for this part of the engagement:
No long range card reader
Any cloning device you'd like (Flipper, Proxmark, iCopy, etc.)
1 teammate
Think about how you might go about accomplishing this, and realize that while you may have practiced social engineering, card cloning, etc., this is certainly a bit harder than what you may have practiced at home.
Continuous Learning and Adaptation
The world of security systems is ever-evolving. New technologies emerge, and old ones get updated. As a physical penetration tester, your learning never stops. Stay updated with the latest trends, attend workshops, and participate in relevant communities. This continuous learning ensures that your skills remain sharp and your methods effective.
Conclusion
The effectiveness of a physical penetration tester lies not just in their ability to find vulnerabilities but in their deep understanding of the systems they are testing. By learning about the common locks, access control systems, and alarms in your region, and familiarizing yourself with global standards, you set the foundation for successful penetration tests. Remember, hands-on experience is key. Invest in these systems, study them, and keep learning. Your role is crucial in maintaining robust security postures for businesses and organizations, and your expertise in these systems is a vital component of that responsibility.
Training Resources:
For individuals looking for hands-on training that covers all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypass techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox
Private one on one Instruction - Book time to get private and personalized instruction on physical penetration testing