Physical penetration testing is a unique realm of security where professionals are often tasked with simulating real-world attacks on facilities to identify weaknesses in an organization's security infrastructure. While the main objective is to probe physical defenses and access control measures, the human element can't be ignored. It is not uncommon for testers to find themselves shoulder-to-shoulder with employees, contractors, or security personnel.
In such situations, communicating with team members without arousing suspicion becomes interesting. This is where the use of code words and phrases comes into play.
Why Use Code Words?
Subtlety: Directly communicating your intentions can be a dead giveaway, jeopardizing the test's objective.
Safety: If team members are in potentially risky situations, code words can alert them without alerting adversaries.
Efficiency: A single word or phrase can convey a complete idea or update without the need for elaboration.
Elevator Encounters: A Hypothetical
Imagine you're in an elevator, discreetly working your way through a multi-storied facility. You're dressed as an employee and have a badge that has granted you initial access. You’re going to the 8th floor, where one of your teammates, who has taken a different route through the building, will meet you at the elevator.
When the elevator reaches the 4th floor, it stops and in walk two security guards who are engaged in a conversation. While listening in, you realize that your teammate waiting for you at the elevator entrance on the 8th floor has raised suspicion and the guards are looking to question them.
You need to alert your teammate immediately, before the elevator reaches the 8th floor and they get caught, but you obviously cannot say this over a call with the guards standing beside you, which leaves you with two choices:
Call the teammate and use a code word / phrase alerting them
Text the same code word or phrase
There are pros and cons to each method, but the use of a pre-established code word that conveys a complex or specific instruction can be very useful.
In the example above, the code word may convey the need for your teammate to hide, leave the building or outright abort.
You can, of course, make code words or phrases that convey a message to a specific teammate or the entire team.
Setting Up Code Words
Keep It Simple: The code should be easy to remember and natural to use. Over-complicating increases the risk of fumbling during critical moments.
Blend In: Your code words should be ordinary phrases or sentences that won't attract attention.
Be Comprehensive but not Excessive: Have code words for essential actions or updates but don’t create a whole dictionary.
Groups vs Individuals: Code words and phrases can be specific to a teammate or the entire team.
Allow for variation: Different situations, a teammate's stress level, etc. may make some phrases more or less suspicious. Allow a specific word or phrase to be used in any context while keeping the same meaning.
Examples:
Anything referencing cigarettes could be used to mean abort or leave the building. The teammates themselves could use either their first names or a code name as a reference. So the phrase,
“No, I don’t have John’s cigarettes with me.”
could tell your teammate John that he needs to immediately abort or leave the building, and it could be conveyed over a phone call.
Texting is easier: unless you are worried someone will see your texts, you can be much more direct. However, keep the texts short and to the point, especially if you are communicating on a group chat.
Group Chats:
When communicating with your team via a group chat, there are a few things to consider:
Keep the messages short and to the point
Clearly identify who the messages are for and lead each message with this name
If your team size is large, realize that constant messages may get lost, as your teammates are running around a building doing other things
Directly calling a specific teammate may be necessary in certain situations to get a message through quickly or urgently
Texting vs. Speaking
The mode of transmission is just as crucial as the message itself. Let's dive into the pros and cons of using text messages versus spoken words over a phone call.
Texting Code Words
Pros:
Discreet: Texting allows for silent communication, which can be ideal in situations where you're in close proximity to potential threats or eavesdroppers.
Permanent Record: You have a clear record of the message sent and received, ensuring that there's no ambiguity or misinterpretation.
Cons:
Delays: Text messages, depending on network conditions, can sometimes be delayed. This can be a challenge when timing is crucial.
Notification Issues: If the recipient's phone is on silent or if they’re preoccupied, they may miss the message entirely.
Occupied Hands: In situations where a tester's hands are occupied (say, with bypassing a lock or handling equipment), they may not be able to read or send a text.
Speaking Over a Phone Call
Pros:
Immediacy: Phone calls are generally more reliable and immediate, ensuring that the message gets through in real-time.
Feedback: You can instantly clarify or get more details, thanks to the two-way nature of a call.
Hands-free Option: With earpieces or Bluetooth devices, one can potentially communicate even when their hands are engaged.
Cons:
Less Discreet: A spoken conversation, even if whispered, can attract attention or be overheard, especially in quiet environments.
Dependent on Reception: Poor cellular reception can drop calls or reduce voice clarity, leading to potential misunderstandings.
Considerations for Changing Code Words
Frequency: If you're doing multiple tests for the same client, consider changing code words to keep things fresh and reduce predictability.
Compromise: If you suspect someone has caught onto your code words or phrases, change them immediately.
Complexity: If your team finds the code words hard to remember or use, simplify them.
Conclusion
In the world of physical penetration testing, the smallest details matter. Code words, while a minor aspect, can be the difference between a successful test and one that ends prematurely. They provide a safety net, enabling seamless and stealthy communication in environments thick with potential exposure. So, next time you find yourself in a tight spot, remember: the Bluebird might just be your way out!
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.