
Essential Covert Tools For Physical Pentesting

According to ISACA (Information Systems Audit and Control Association), physical security is the most overlooked aspect of corporate security. In fact, physical security often overlaps closely with digital security: physical access to systems can provide an easier means of installing malware such as ransomware, stealing sensitive data such as credentials, or carrying out other attack techniques such as privilege escalation or installing rootkits.

While most organizations employ a combination of surveillance and access control mechanisms, such as physical and digital locks protected by keys, proximity cards, or smart cards, these measures need to be verified to assure their effectiveness. Hollywood teaches us there is no shortage of clever covert entry tactics, and recent statistics from law enforcement indicate there is no shortage of bad guys seeking to break and enter for personal gain.

Below, we will cover some essential tools that make up a basic toolkit organizations can use to test their own physical security, along with some additional tools that, while illegal to possess, should be considered in table-top exercises and risk assessments when planning contingency plans for the event that existing physical security controls are circumvented.

Before we begin, it’s important to note that the use of these tools and methods can be illegal and subject to strict regulations depending on the jurisdiction. Their use is typically reserved for authorized personnel or used under specific conditions where privacy laws are applicable. Unauthorized use could lead to criminal charges, including vandalism, tampering with surveillance equipment, or more serious cybercrime charges. In some cases such as wireless frequency jammers, simple possession is a crime without an exception order or license. Always ensure compliance with local laws and regulations when considering the use of such tools.

Tools For Circumventing Locks

  • Pocket Key Cast: A tool called The Replicant isn't something you might intuitively think about when it comes to covert tools that can fit in an attacker's pocket. It's a tiny yet complete cast and die kit that is capable of making a virtually perfect copy of any physical key an attacker is in possession of. Although the process involves making a die of the physical key, melting metal, and casting a replication, it can actually happen in a matter of minutes using The Replicant toolkit. The implication is that lending a physical copy of a key, even for a few minutes, can result in an immediate copy being made. 

  • Keyway Camera Enabled Pick: The LockTech LTKSD (LockTech Key Shove Knife Decoding Tool) is a versatile lock bypass tool designed primarily for opening and decoding simple latch-type locks without damaging them. It works by sliding between the door frame and latch, allowing users to gently manipulate or retract the latch to open the door, while also providing the capability to decode or read certain types of locks to assist in creating a key. Sold for around $300 USD, the LockTech LTKSD isn't cheap, but it greatly increases the ease of picking a lock.

  • Lishi Tools: The most basic form of a lockpicking kit is familiar to almost everyone. A tension wrench is placed into the keyway to create pressure turning the cylinder while a thin pick tool acts to depress each pin until it snaps into place. While the concept is simple, the practice itself is an art for the nimble and practiced. Lishi tools make the process much easier by combining it all into a single tool. The implication is that the skill of lock picking is much more accessible to the average person with limited time to learn.

  • Topolino Self-Impressioning Tool: This tool functions by inserting a blank with movable pins into the lock; as the user manipulates and turns the tool within the lock, the pins are pressed against the corresponding lock pins. In the case of the Topolino, the tool can automatically adjust pressure on the individual pins, leading to a compromised lock and unauthorized access.

  • Mechanical Bump Tool: A mechanical bump tool (aka a bump gun), whether manual or electric, is designed to be inserted into a lock's keyway and rapidly jiggle or bump the pins inside the lock. It is used in lock picking, particularly for quickly opening pin tumbler locks: the tool provides a burst of kinetic energy to the pins, momentarily aligning them so the mechanism can be turned.

Tools For Circumventing Doors

  • Slim Jims: Slim Jims are long, flat strips of metal, while lock shims come in many other shapes, sizes, and materials depending on the target lock configuration. These tools are specifically for manipulating the internal latches and rods within car doors or other standard door frames. By inserting the tool between the door and frame, skilled users can open a door by manually lifting the locking mechanism. These tools are often used by locksmiths and roadside assistance services but require expertise to avoid damaging internal door components.

  • Air Wedges: Air wedges are used by inserting the deflated wedge into a door frame, then inflating it to separate the frame from the door slightly. This creates enough space to insert tools that can unlock the door.

  • Traveler Hook: A traveler hook is a tool used for manipulating locks, especially in situations where direct access to the locking mechanism is challenging. The design allows it to hook onto latches or internal lock parts to aid in unlocking.

  • Hinge Pin Remover: A hinge pin remover is designed to remove non-captive hinge pins from door hinges, allowing the door to be removed from the frame. These tools can be spring-loaded and small enough to be easily concealed in a pocket or even in a hand.

  • Proxmark / Blueshark: Proxmark and Blueshark are digital tools used for copying key cards. These devices can read and clone RFID, NFC, and other contactless cards by capturing the data they transmit. They are employed for security testing and by ethical hackers to identify vulnerabilities in access control systems. The devices can read, analyze, and emulate or clone contactless cards, demonstrating potential security risks.

Tools Circumventing Surveillance Cameras

  • Wireless Jammer: Wireless frequency jammers are illegal to operate in North America and most of the rest of the world. However, that won't stop the bad guys. Any surveillance system that depends on wireless networking for connectivity can be essentially disabled by a wireless jammer emitting chaotic radio signals into the same frequency range, such as the 2.4 GHz, 5.2 GHz, or 5.6 GHz ranges used by WiFi devices, among other frequency ranges.

  • Laser Pointers: Aiming a laser pointer directly into a camera’s lens can temporarily blind or damage the sensor, thereby preventing it from recording usable footage. Also, by wearing a hat or glasses equipped with high-intensity IR LEDs, an individual can obscure their face from surveillance cameras, as the IR light can blind the cameras’ sensors.
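The jammer bullet above makes a point that is easy to state and easy to miss operationally: a wireless camera that has been jammed looks, to the recording system, exactly like a camera that has lost power. The defensive counterpart is a heartbeat watchdog that distinguishes the two. The script below is an added example written for this post, not code from the original article or from any product it names. It assumes each camera sends a heartbeat every HEARTBEAT_INTERVAL seconds and that the monitoring host knows each camera's radio band; the camera inventory and the heartbeat timeline are constructed sample data. One camera going silent is treated as a device fault; three or more cameras on the same band going silent within one short window is flagged as possible RF interference, which warrants a physical check of the area rather than a ticket to replace a camera.

```python
"""Heartbeat watchdog for wireless cameras.

Added example for this post; not the article's or any vendor's code.
Assumptions: every camera emits a heartbeat every HEARTBEAT_INTERVAL
seconds, and the monitor knows each camera's radio band. A lone silent
camera is usually a device or power fault; several cameras on one band
going silent inside one short window is the pattern a defender would
expect from RF interference on that band.
"""

HEARTBEAT_INTERVAL = 10       # seconds between heartbeats (assumed)
MISSED_BEFORE_SILENT = 3      # consecutive missed heartbeats before a camera is 'silent'
CORRELATION_WINDOW = 30       # silences beginning within this many seconds are correlated
MIN_CORRELATED = 3            # correlated silent cameras needed to suspect interference

# Constructed inventory: camera id -> radio band ("wired" cameras cannot be jammed)
CAMERAS = {
    "cam-lobby": "2.4GHz",
    "cam-dock": "2.4GHz",
    "cam-lot": "2.4GHz",
    "cam-hall": "5GHz",
    "cam-server": "wired",
}


def constructed_heartbeats():
    """Constructed sample telemetry: (timestamp_s, camera_id) tuples over five minutes.
    The three 2.4 GHz cameras stop within a few seconds of each other around t=120
    (what band-wide interference looks like); cam-hall stops alone at t=200
    (an ordinary device fault); cam-server never stops."""
    last_beat = {"cam-lobby": 120, "cam-dock": 120, "cam-lot": 125, "cam-hall": 200}
    events = []
    for cam in CAMERAS:
        phase = 5 if cam == "cam-lot" else 0   # cam-lot beats on a different phase
        for ts in range(phase, 301, HEARTBEAT_INTERVAL):
            if ts <= last_beat.get(cam, 10**9):
                events.append((ts, cam))
    return events


def last_seen(events):
    """Map each camera to the timestamp of its most recent heartbeat."""
    seen = {}
    for ts, cam in events:
        seen[cam] = max(seen.get(cam, ts), ts)
    return seen


def silent_cameras(events, now):
    """Return {camera: time_of_last_heartbeat} for cameras that have missed
    MISSED_BEFORE_SILENT consecutive heartbeats as of `now`. The silence is
    dated from the last heartbeat so that onsets can be compared."""
    limit = HEARTBEAT_INTERVAL * MISSED_BEFORE_SILENT
    return {cam: ts for cam, ts in last_seen(events).items() if now - ts > limit}


def assess(events, cameras, now):
    """Classify the current state of the camera fleet.

    Returns a dict with:
      status       -- "ok", "device_fault" or "possible_rf_interference"
      correlated   -- silent cameras whose silences began within CORRELATION_WINDOW
      bands        -- radio bands of the correlated group (one band => stronger signal)
      other_silent -- silent cameras not part of the correlated group
    """
    silent = silent_cameras(events, now)
    if not silent:
        return {"status": "ok", "correlated": [], "bands": set(), "other_silent": []}

    # Largest group of silence onsets that fit inside one correlation window.
    by_onset = sorted(silent.items(), key=lambda kv: kv[1])
    best = []
    for i, (_, t0) in enumerate(by_onset):
        group = [cam for cam, t in by_onset[i:] if t - t0 <= CORRELATION_WINDOW]
        if len(group) > len(best):
            best = group

    # Wired cameras cannot be jammed, so they never count toward an RF hypothesis.
    rf_group = [cam for cam in best if cameras.get(cam) != "wired"]
    correlated = sorted(rf_group) if len(rf_group) >= MIN_CORRELATED else []
    bands = {cameras[cam] for cam in correlated}
    status = "possible_rf_interference" if correlated else "device_fault"
    other = sorted(cam for cam in silent if cam not in correlated)
    return {"status": status, "correlated": correlated,
            "bands": bands, "other_silent": other}


if __name__ == "__main__":
    print(assess(constructed_heartbeats(), CAMERAS, now=300))
```

Run stand-alone, the script reports the three 2.4 GHz cameras as a correlated group on a single band, with cam-hall listed separately as an unrelated fault. The useful design point is the `bands` field: interference that takes out every 2.4 GHz camera while the 5 GHz and wired cameras keep reporting is far more telling than a raw count of offline devices, and it is exactly the reason a site should not put all of its cameras on one radio band, or on radio at all for the locations that matter most.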

Conclusion

Here we have provided a basic list of fundamental covert physical pentesting tools, which can help organizations assess the effectiveness of physical security controls. These tools support security testing and risk assessments. A physical breach can lead to a digital compromise that gives attackers a foothold on the network, or to the theft of sensitive data that can kick off a cyber attack campaign with disastrous and costly effects. It's critical for businesses of all sizes to consider how their existing physical security controls may be circumvented and the associated risks of unauthorized access to sensitive areas.
