Within a pentester's toolset you're likely to find an array of physical devices, anything from a keystroke injection tool to a WiFi Pineapple, a wireless card, and maybe a Raspberry Pi.
You might also find lock picks.
One of the more under-represented sides of penetration testing and red teaming is physical security.
Red teaming exercises are a real-world test of an organisation's security posture: multi-layered attack simulations in which pentesters try, by whatever means they can - people, networks, applications or physical security - to break into your systems, across both digital and physical realms.
There's often no warning of when these faux attackers will strike, and the results usually provide an enlightening, albeit frightening, insight into an organisation's weak points. Physical security attacks make up a crucial part of any red team exercise.
It’s for this reason that many pentesters will be skilled at picking locks, and it’s why a group of them decided to start Australia’s first lock picking and physical security conference: OzLockCon.
Held at The Comics Lounge in North Melbourne over the past weekend, more than 200 physical security enthusiasts congregated to test their lock picking skills and learn more about everything from alarm system and RFID hacking to key impressioning and red teaming - and magic.
The conference was born out of a global void of events for physical security aficionados, conference organiser and pentester Topaz Aral told iTnews.
There's also no certification or training for physical security in the way there is for information security, leaving individual pentesters to build and gauge their own proficiency through self-training and collaboration with communities of like-minded peers.
Aral and his co-organisers knew there would be interest in OzLockCon, not only because an existing Slack channel dedicated to physical security already had 150 members, but also from Aral's experience at the AusCERT infosec conference, where the lock picking booth he runs is one of the most popular attractions each year.
Protecting your perimeter
A compromise of a company’s IT systems isn’t necessarily achieved through a digital exploit alone. Think of where your servers are located, or all the sensitive information someone can access through the staff computers located in your office. How well are the entryways to these areas protected from malicious actors seeking physical access?
Assessing these avenues for weakness forms a big part of red teaming exercises. Some pentesters take this to the extreme: two New Zealand security researchers at OzLockCon showed how they managed to trick an access control system by manipulating electromagnetic signals to gain entry into a building.
In other scenarios it's as simple as walking into a building wearing hi-vis and carrying a clipboard, telling the front desk you're a contractor here to assess an air conditioning unit/water system/insert excuse here, and sailing on through.
When a server room is controlled only by a lock and key, knowing how to manipulate the pins inside the cylinder can come in pretty handy.
But sometimes it’s as easy as simply jumping over a fence.
“It depends on the scope of the assessment. If someone just says 'get into our facility and our server room', we’ll look at things like the camera coverage, what are the fences like, what’s the access control like, do the doors have [physical] bypasses; can we pick/shim the locks? Or can we just jump the fence?” Aral said.
“Once you get past that initial entry point you hit the fire escape, go up it, look under the door with an endoscope to see if there’s anyone around, slide your tools under the door and turn the handle, and you're in.”
Before pentesters even get to the point of entry, they will have done physical reconnaissance on the facility to work out patterns of behaviour - like noting that the cleaners come and go between 5pm and 7pm each day, that they clean each floor sequentially, and that the alarm won’t be armed until after they’re done.
“So you wait until they are done with the floor that you’re targeting, and then you go through,” Aral said.
Fire escapes are a traditional weak spot for many facilities, Aral said: organisations will generally have security cameras and access control systems on all of the exit and entry points within their facility, except for the fire escape.
And if doors haven’t been installed properly, it’s pretty much game over.
“This one company had fingerprint sensors that were worth thousands of dollars, super fancy locks on almost all of the doors, but then they hadn’t installed the doors properly. So you can just insert a shim and pull open the door,” Aral said.
“There are really simple ways to bypass doors.”
Physical security attacks are also tied intrinsically to social engineering. An example of this would be emailing a company’s help desk from a compromised account asking to be sent a new access control card to a remote location to replace a lost one.
So... Magic?
According to good guy hacker, magician, and OzLockCon presenter Alex, there are many parallels between red teaming and magic.
Both involve misdirection, sleight of hand, and being able to read and understand how people react to certain situations.
“With magic, you have to think about what the spectator is thinking. Because you want to do something that they’d catch if they were watching, and you don’t want them to watch,” Alex told iTnews.
“So you do things like use eye contact to make sure someone is looking at your eyes, and not at what you’re doing with your hands.
“Same with social engineering. Everyone has a script that they follow: a receptionist, for example, wants to put you in a bucket as fast as possible - you work here, you don’t work here, etc.
“And so your goal as a social engineer is to find out what their script looks like, and pick the one that ends up with you walking through their door.”
In both magic and red teaming, getting a read on the individual you’re targeting is crucial.
But there are also certain things that you can rely on for the majority of the population: the subconscious reactions that, for example, direct your attention to the shiny or moving object.
“Say you’re doing a red team engagement and you’re in a building and it’s time for you to leave and return your access pass. But you don’t want to return it, you want to keep it and use it again later,” Alex said.
“You can use the same sleight of hand movements that you use in the French drop trick to return nothing.
“Or, the best way - unless no-one is watching and you can just walk out - is to use pattern recognition; if everybody is walking in a line returning their access pass, you copy them exactly and confidently but you just don’t put anything in the access pass bin.
“You can also draw attention away from the thing you don’t want people to look at; as you pretend to drop the access card, you could make a joke to the person collecting them, or drop your wallet and make a scene so everyone will pay attention to that.
“You control the spotlight, and you shine it on where you want people to be looking.”
But these skills don’t just apply in physical red team exercises - they can also prove valuable in traditional network penetration testing of technology systems.
“You have to think about what someone could have been thinking at the time to make a mistake,” Alex said.
“A classic example is a lot of web apps will have a real, official API, but then they’ll have a secret API that the front end uses. And that API is just as real.
“When developers are making the official API they’re thinking a lot about security because everyone is going to use it. But when someone is making the front end, secret, undocumented API, they’re not really thinking about that - they’re just thinking about how to make the web app work.
“These APIs tend to have a lot more privacy or [technical] bugs, because at the time the person who is making the API is not paying attention to the privacy or security implications.”
Alex gained public attention last July when he revealed a vulnerability in Tinder’s Social feature - contained in one of these “secret” APIs - that let you view your Facebook friends’ photos and bios, as well as when they were last active.
“[A researcher] also found last year that Facebook wasn’t rate limiting password attempts on its beta site, so anyone could brute-force the login. The site is on the public internet, but no-one thought about it," Alex said.
“Basically you’re looking for holes. So rather than looking at everything and deciding what is and isn’t a hole, you could think ‘if I was making this where would I get lazy and where would I not think about security’.
“Human brains have stacks of vulnerabilities in them, and there’s no way to patch them because they’re subconscious. You just have to figure out how you can exploit them.”
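As an added example (not code from the article, and not Alex's), here is a small Python check for the undocumented-API problem described above: it pulls API paths out of a constructed front-end JavaScript fragment, reports the ones that do not appear in a constructed "documented" spec, and lists the fields a captured internal-endpoint response returns beyond what the documented API exposes, then shows the usual fix of routing every endpoint, official or internal, through one allow-list serializer. The endpoint names, the bundle fragment and the response body are all hypothetical sample data.

```python
"""Find front-end API endpoints missing from the documented spec and flag
response fields the documented API never exposes. Added example; all
endpoints, the JS bundle and the captured response are constructed."""
import json
import re

# Constructed sample: the "official" API, endpoint pattern -> documented fields.
DOCUMENTED = {
    "/api/v1/users/{id}": {"id", "display_name", "avatar_url"},
    "/api/v1/users/{id}/photos": {"photos"},
}
ALL_DOCUMENTED = set().union(*DOCUMENTED.values())

# Constructed sample: a fragment of the front-end JavaScript bundle.
BUNDLE = r'''
  fetch("/api/v1/users/" + id).then(r => r.json());
  fetch(`/api/internal/users/${id}/profile`, {credentials: "include"});
  api.get("/api/internal/friends/" + fbId + "/activity");
'''

# Constructed sample: what the internal profile endpoint actually returned.
INTERNAL_RESPONSE = json.dumps({
    "id": 42,
    "display_name": "A.",
    "avatar_url": "https://cdn.example.invalid/42.jpg",
    "email": "a@example.invalid",
    "last_active": "2017-07-01T10:00:00Z",
    "photos": ["https://cdn.example.invalid/42-1.jpg"],
})

# A string literal starting with /api/ inside the bundle (any quote style).
PATH_RE = re.compile(r"""["'`](/api/[^"'`]*)""")


def normalise(path):
    """Turn template placeholders and trailing concatenations into {id}."""
    path = re.sub(r"\$\{[^}]*\}", "{id}", path)
    if path.endswith("/"):
        # "/api/x/" + id   ->  the next segment is a parameter
        path += "{id}"
    return path


def extract_endpoints(js):
    """Every /api/... path literal the front end calls, normalised."""
    return {normalise(m.group(1)) for m in PATH_RE.finditer(js)}


def undocumented(endpoints, spec=DOCUMENTED):
    """Endpoints the front end uses that the documented spec never mentions."""
    return sorted(e for e in endpoints if e not in spec)


def excess_fields(response_json, documented=ALL_DOCUMENTED):
    """Top-level fields in a response that no documented endpoint exposes."""
    return sorted(set(json.loads(response_json)) - set(documented))


def serialize(record, allowed):
    """Allow-list serializer: the fix is that every endpoint, official or
    internal, builds its response through this one function."""
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    found = extract_endpoints(BUNDLE)
    print("undocumented:", undocumented(found))
    print("extra fields leaked:", excess_fields(INTERNAL_RESPONSE))
    hardened = serialize(json.loads(INTERNAL_RESPONSE), ALL_DOCUMENTED)
    print("after allow-list:", excess_fields(json.dumps(hardened)))
```

On the sample data this reports the two `/api/internal/...` endpoints as undocumented and `email` and `last_active` as fields the internal endpoint exposes that the documented API does not; after the allow-list serializer nothing extra is returned. Against a real target the same two steps apply: harvest paths from the shipped bundle rather than the documentation, and diff what each one returns against the public schema.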