The Man Who Wasn’t There
When it comes to a building's physical security, few objects represent the concept more than a surveillance camera. Indeed, when we see such devices littered about a building, most people immediately think of security, and it would in fact be odd to find yourself in a building today without such devices.
Knowing that there is a surveillance camera pointing in your direction makes most people think they are being watched. However, there are two fundamental errors with this thinking that actually make surveillance cameras as much of an asset to the attacker as to the defender of a building.
Security for Hire
For starters, very few buildings have an active security service that actively monitors their camera network. In most cases, buildings in Western Europe these days hire out to a third-party security service. This means, however, that camera footage is usually only reviewed after an alarm has been triggered or a security request has been made by the client company (perhaps something was stolen from an office and the client wants to see if the culprit was caught on camera).
Indeed, many third-party companies will not check the status of certain devices like surveillance cameras daily. I have spoken to clients who have informed me that after removing a camera for various reasons, several days or even a week had transpired before they got a call from their security company asking why one of their cameras was offline. During a penetration test I often find myself either tampering with cameras or outright disabling them during key moments without security being alerted.
As an attacker, what this should tell you is that there is a very good probability that nobody is actively watching the cameras in or outside of a target building. While it isn’t advised to do things too overt directly in front of one (mostly because passers-by may notice and report you), you shouldn’t be concerned that your every movement is being monitored as you stroll around.
That said, it is very much in an attacker's best interest to perform some OSINT / reconnaissance / social engineering to discover if the building you are going after has internal or external security before making engagement-ending assumptions.
The Money Trap
A staple of life is that money tends to have the final say in most of our decisions, and security is no different. For everything from whether to perform a pentest at all to what kinds of security devices to use within your building or home, money is always a major limiting factor.
This applies to surveillance cameras in one very important way: how long a security company will keep surveillance tapes. In my long history of performing physical security assessments, it is the extremely rare company that keeps surveillance camera tapes beyond a month, and far more common is a few days. This means that after a period of time, usually less than a week and sometimes as short as 1-2 days, the surveillance camera tapes are recorded over to save space and money.
As an attacker, this should tell you that if you have managed to gain entry into a building using covert means or social engineering and planted various bugs, stolen or copied key documents, etc., and this activity hasn’t been discovered before the surveillance camera tapes are recorded over, then your entire documented history of being onsite has been erased.
This makes the life of a defender significantly more difficult. By the time a bug is discovered or documents are reported missing, if there is no longer any surveillance camera footage of the attacker, defenders have very little to use in order to figure out who the attacker was or even when the breach occurred.
Imagine moving the TV in your apartment one day and finding a listening device plugged into the back. You have no idea how long it's been there or who may have placed it, and without surveillance camera footage there is no way to even attempt to figure this out.
Laziness & Complacency: the Human Condition
The benefit of having a surveillance camera, or even better a collection of them, is that a security person can monitor many locations at once. Indeed, this ability allows a single person to have eyes on every key location inside and around a building or complex simultaneously … or at least that's the idea. As I have previously discussed, it is the rare building that has an actively monitoring surveillance camera security service, but even those that do all have one thing in common: it's humans watching the monitors, and humans are lazy.
On any given day, at any given moment, many security alerts are likely to be going off in or around a building, and as the building scales up, so does the number of alerts. In nearly every case, these alerts are innocent things such as an employee who accidentally set off an alarm for an understandable reason.
I once broke into a bank whose lobby had a single-use turnstile (one person swipes a card and only one person can go through before the turnstile locks) and pressure sensors on the turnstile itself to alert security if someone were to vault over it. However, most employees would put their bag or briefcase on the turnstile while they got out and swiped their badge, setting off an alarm that would only last a second or two. The guards, who were only a few meters away, had become so accustomed to hearing this that they stopped paying any attention or simply glanced casually to see if things looked OK when the alarm went off, an error I took advantage of to get into the building.
By timing it correctly, I held my own company's badge in one hand and a cell phone in the other as I vaulted over the turnstile. The pressure sensor made the now-routine alert, but as soon as I landed on the other side I put the phone to my ear and held my card in the opposite hand as I casually walked into the building. Because no employees saw me and the security staff only saw a nicely dressed person talking on a phone with an ID card in the correct hand along with a small bag, they assumed nothing of it and never approached me.
Because of the frequency of little, innocent alarms or alerts, security will very quickly become complacent and give that “casual glance” towards the event. This allows attackers to find ways to blend into what the actual employees are doing in order to make the security staff very unlikely to approach them.
By taking note of how actual employees enter buildings, how they are dressed, and what they typically carry, it's very easy to blend into the crowd or at least convince a guard you are one of them. I often approach employees after gaining entry into a building and engage in casual conversation, and have been told several times by security staff during debriefings that because they saw me on the monitors speaking with employees they knew, they assumed I must be an employee they simply didn't know.
This tendency of glancing at a monitor and almost looking for an excuse not to physically go find the suspicious person is so easily capitalized upon because most people don’t want to bother other people, they don't want to have to leave their chair, and they simply don't believe that this could be a real attacker (they’ve become complacent).
The Take Away for Defenders
- Find out how long your security service keeps surveillance camera footage
- Find out if your security service actively monitors your cameras or only responds to alerts
- Physical pen testing should be a regular event to keep security personnel from getting complacent
- Every security alert should be investigated in person; NEVER allow security to talk themselves out of going and checking because they saw something on the monitors that looked innocent
- Realize security cameras are like a ticking clock: if you don’t discover the breach or attacker soon, you may never
The Take Away for Attackers
- Discover if the target building uses active or responsive security monitoring
- Discover how long the security service keeps surveillance footage
- Become an employee by taking note of their clothing, badges, bags & entry time to a building
- Most buildings do not use active security monitoring services
- Most security staff are looking for a reason not to approach you; give them a few reasons
- Alarms that occur often will be ignored or paid lip service
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.