In ‘What The Hack’, Remco, an ethical hacker at The S-Unit, demonstrates how he gained access, including to the server room, during a partially anonymous social engineering test. How was this possible, and what can you do as a security officer to strengthen your physical security?
Together with my colleagues, I tested the physical security and security awareness of an organization with approximately 10,000 employees. The objective: to gain as much physical access as possible, without performing any remote hacking.
Every social engineering engagement starts with observing the environment. Among other things, we mapped out:
Does this strategy sound familiar? Our approach relied on the zeven beïnvloedingsprincipes by Robert Cialdini — techniques that also make phishing and marketing so effective. In this case, authority and likeability were the keys to success.
De zeven principes:
reciprocity, commitment & consistency, social proof, authority, likeability, scarcity, and unity.
We crafted a credible cover story: external Wi-Fi specialists hired to improve the wireless network. Since almost everyone complains about the Wi-Fi at some point, it served as the perfect smokescreen.
The on-site test could begin. During our preparation, we noticed on Google Maps that it seemed possible to enter the premises by climbing over the fence, but in reality, that wasn’t an option. So we used the intercom at the gate to request access. The operator was clear and firm: no access pass, no entry. Shortly after, an employee offered to help. After we gave a brief explanation, Bas, my colleague, was allowed to drive in behind him, and I quietly followed. The employee then helped Bas through a secured door and let him continue without asking any further questions.
In another building, an open warehouse turned out to be the weak link. An unsecured door inside the warehouse gave me direct access to the building.
Once inside the building, I had free access to workstations, meeting rooms, and the cafeteria. I spotted a network port and connected my laptop to it. The port was not secured (check), which meant I immediately received an IP address from the corporate network. Shortly afterward, I noticed an employee in the cafeteria who had left his laptop, phone, and documents unattended. I struck up a casual conversation with him at the coffee machine. No one questioned who I was or what I was doing there. I documented everything with photos and videos and continued my round. What else could I find?
Bas let me into another building. Our story proved convincing, employees even shared their network complaints with us. Bas then found a key safe with a note attached, including a phone number. I tried the first four digits. And… click. The safe opened. With the key, I gained access to the clothing room. We put on the company clothing and took photos and videos as evidence.
With a simple inquiry, an employee pointed out the server room and scanned his access badge for us — after we had first gained his trust. The first scan attempt failed. After some persistence, he scanned his badge again. This time, the door opened. He placed a chair between the door to keep it open, left us alone, and effectively gave us unrestricted access to the digital heart of the building. The server racks were not locked (despite this being a strict requirement under ISO 27001). As a result, we had access to everything. Meanwhile, we documented it all. Mission complete.
For five hours, we moved around without being challenged. Through careful observation, a credible cover story, and significant human errors, we gained access to buildings, workspaces, sensitive information, and even the server room, without triggering a single alarm.
How can you prevent these types of physical attacks?
Curious which risks social engineering exposes within your organization? Discover the posibilities.