In-store physical Pentest: feedback on a real case study

Jan 28, 2025 | Physical Services

Cybersecurity is not limited to the digital sphere. Physical attacks are also part of the modus operandi used by cybercriminals. The principle is simple: find a human or physical weakness within your company and use it to gain access to your data or disrupt the running of your business. This threat is particularly acute in premises open to the public.

We found this out during a physical pentest commissioned by one of our customers, a furniture company. On this occasion, we infiltrated one of its furniture stores. In this real-life case study, you’ll discover how a physical pentest enabled us to identify four major security vulnerabilities.

Physical Pentesting: our 4-step approach

As with any pentest, a good test methodology is essential:

  1. Retrieve online information about the store, such as opening hours and location, as well as information about employees and access routes.

  2. Obtain information on the spot, based solely on observation and without intrusion. The aim is to wander around the store, posing as ordinary customers, and gather as much information as possible: the timing of employees’ cigarette breaks and shift changes, the location of accessible computers and of the store manager’s office, all without arousing suspicion.

  3. Use the information obtained to build intrusion scenarios in consultation with the customer.

  4. Carry out the test to achieve the agreed objectives. In this case, we had to:

    a. Enter the store manager’s office and leave proof of our presence, undetected.
    b. Break into the store’s computer system by connecting malicious equipment to employees’ computers.

We had one constraint: social engineering was forbidden as part of this pentest.

Reconnaissance and intrusion work is carried out in pairs and requires several visits to the store. To avoid being recognized by staff, camouflage matters: during this physical pentest we changed our style of dress between scouting visits, used accessories to alter our appearance, shaved our beards, and so on, so that on each visit we looked like entirely different customers.

Vulnerability no. 1: Unlocked computers left unattended

The company, which we’ll call ExCorp, has a sales lobby in its store. Our scouting revealed two types of computer. The first are housed in a “column” cabinet and are used by store employees. The others are located on a desk where kitchen designers can welcome customers, provide information on available stock or issue quotations.

Once booted up and logged in for the first time that day, these computers are usually left unlocked and unattended by store staff. These terminals then become an entry point for cybercriminals, especially in a public space with a high flow of visitors. In the event of a physical intrusion, a malicious person could divert the attention of sales staff and use the devices to extract data or reach the company’s internal network.

Computers are sometimes unlocked and left unattended.

At the end of the pentest, we suggested to ExCorp that they implement an automatic lock of the lobby computers after a predefined period of inactivity, e.g. 5 minutes. Should this prove too restrictive for employees, a user-friendly solution would be to let them unlock the computers with their badge (smart-card or badge-based logon), which shortens the unlock step without removing the lock itself. In any case, locking will limit the risk of intrusion by a third party.

Vulnerability no. 2: USB ports activated and usable on lobby computers

Having spotted this first flaw, we were able to approach the terminals and see that their USB ports were enabled and functional. It was therefore easy for us to take advantage of an employee break to plug a so-called “Rubber Ducky” USB stick into each of the two types of computer we had identified. The Rubber Ducky presents itself to the operating system as a USB keyboard and replays a pre-programmed sequence of keystrokes; because it is a keyboard rather than a storage device, a block on USB mass storage alone would not have stopped it. This gave us code execution as the logged-in, unprivileged user on the “examplecorp.com.local” domain.

Physical Pentest: a Rubber Ducky enabled us to take control of an unprivileged user.

Thanks to this simple operation, which took us only a few seconds in the field, we obtained a foothold on a machine inside the company’s network: a critical flaw that attackers could exploit to mount successful cyberattacks against the company.

Such an intrusion can have several consequences. Firstly, it allows data to be collected and exfiltrated without the company’s knowledge; a rival company could, for example, capture customer data and exploit it for its own purposes. Malicious scripts can also be executed to deploy ransomware, keyloggers or any other type of malware capable of crippling store IT operations and stealing sensitive information. The financial consequences of such an attack can therefore be very significant.

Physical Pentest: connection to our Command & Control server.

To correct this flaw, we recommended that ExCorp disable the USB ports on the computers in the store lobby (in the firmware or through device-installation policy), to prevent USB sticks or other malicious devices from being plugged in. In addition, access to the computer towers can be secured by installing a lock that opens with a key or a code.
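As an added example, not code from the Hackmosphere write-up, the following PowerShell script applies the two recommendations above (vulnerability no. 1, the inactivity lock, and vulnerability no. 2, the USB restrictions) to a Windows lobby PC and then audits for keyboards that are not on the allowlist. It is run from an elevated prompt; the registry paths are the local equivalents of the named Group Policy settings (on a domain you would push the same values through a GPO), and the hardware IDs in `$KnownGoodIds` are placeholders that you would replace with values exported from a known-good machine.

```powershell
# Added example (not from the original write-up): local hardening and audit for a
# Windows lobby PC, covering findings 1 and 2. Run from an elevated PowerShell.
# The hardware IDs in $KnownGoodIds are placeholders (assumption).

$PolicySystem    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$DevInstall      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DevInstallAllow = "$DevInstall\AllowDeviceIDs"

function Ensure-RegistryKey([string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
}

# Finding 1: lock the session after a period of inactivity.
# Policy "Interactive logon: Machine inactivity limit" (seconds, 0 = disabled).
# Unlike the screen-saver timeout, the user cannot switch this one off.
function Set-InactivityLock([int]$Seconds = 300) {
    Ensure-RegistryKey $PolicySystem
    Set-ItemProperty -Path $PolicySystem -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

# Finding 2a: stop the USB mass-storage driver from loading (Start = 4, disabled).
# This blocks ordinary USB sticks but NOT a Rubber Ducky, which enumerates as a
# keyboard and never goes through USBSTOR.
function Disable-UsbStorage {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4 -Type DWord
}

# Finding 2b: refuse driver installation for any device not on an allowlist.
# Policies "Prevent installation of devices not described by other policy settings"
# and "Allow installation of devices that match any of these device IDs".
# A newly plugged-in HID keyboard with an unknown VID/PID is then refused.
function Set-DeviceInstallAllowlist([string[]]$AllowedHardwareIds) {
    Ensure-RegistryKey $DevInstall
    Ensure-RegistryKey $DevInstallAllow
    Set-ItemProperty -Path $DevInstall -Name 'DenyUnspecified' -Value 1 -Type DWord
    Set-ItemProperty -Path $DevInstall -Name 'AllowDeviceIDs'  -Value 1 -Type DWord
    $i = 1
    foreach ($id in $AllowedHardwareIds) {
        Set-ItemProperty -Path $DevInstallAllow -Name "$i" -Value $id -Type String
        $i++
    }
}

# Audit: list keyboard-class devices currently present whose hardware IDs do not
# match the allowlist. Run after a shift change, or remotely from the SOC, to
# surface an injected keyboard that was plugged in before the policy applied.
function Get-UnexpectedKeyboard([string[]]$AllowedHardwareIds) {
    Get-PnpDevice -Class Keyboard -PresentOnly | Where-Object {
        $hwIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds').Data
        $known = $false
        foreach ($h in $hwIds) {
            foreach ($a in $AllowedHardwareIds) {
                if ($h -like "$a*") { $known = $true }
            }
        }
        -not $known
    } | Select-Object InstanceId, FriendlyName, Status
}

# Placeholder IDs for the lobby PCs' own keyboard and mouse (assumption); export
# the real ones with Get-PnpDeviceProperty on a known-good machine.
$KnownGoodIds = @('HID\VID_046D&PID_C31C', 'USB\VID_046D&PID_C31C', 'USB\VID_046D&PID_C077')

Set-InactivityLock -Seconds 300
Disable-UsbStorage
Set-DeviceInstallAllowlist -AllowedHardwareIds $KnownGoodIds
Get-UnexpectedKeyboard -AllowedHardwareIds $KnownGoodIds
```

Two caveats from practice: the device-installation policy only applies at install time, so devices that were already installed keep working and the allowlist is best applied on a freshly provisioned image; and a keystroke-injection device that clones the VID/PID of the store’s own keyboard will pass the allowlist. These settings are therefore defence in depth behind the controls recommended above (ports disabled in firmware or physically, locked towers, locked sessions), not a replacement for them.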

Vulnerability no. 3: lack of network access control (NAC)

As part of this physical pentest within the ExCorp store, we also took advantage of a moment of inattention by staff to connect a LanTurtle between one of the lobby computers and the network switch it was plugged into. This device is a covert inline implant used in penetration testing: it passes the host’s traffic through transparently, gives the operator a foothold on the network segment, and can intercept or manipulate the traffic flowing through it.

The connection was all the more discreet for being hidden on the floor, under a desk. It obtained an IP address on the ExCorp.com.local network without any authentication.

Physical Pentest: connecting a LanTurtle.

The LanTurtle had been configured beforehand to open a reverse SSH connection, wrapped in TLS on TCP port 443 so that it passed through the firewall looking like ordinary HTTPS traffic, to a server under our control. This gave us direct remote access to ExCorp’s internal network. The only difficulty was physically connecting the device without being caught; once plugged in, it needed no credentials and no action from any employee.

Physical Pentest: connecting the LanTurtle to the internal network.

Our recommendation for eliminating this flaw: deploy network access control on the switch ports, typically IEEE 802.1X, so that a port only forwards traffic once the device behind it has authenticated (with a certificate or domain credentials) and has been placed in the appropriate VLAN; an unknown device that is plugged in then gets no address and no access. Two caveats from practice: lobby and printer ports are often exempted with MAC authentication bypass, which a device that clones an allowed MAC address will pass, so keep such exemptions to a minimum; and an implant inserted inline between an already-authenticated PC and the switch can ride that PC’s authenticated session unless periodic re-authentication and, ideally, MACsec link encryption are enabled. Physically securing the patch cable and switch port (cable locks, a locked cabinet) remains a cheap complement.

Vulnerability no. 4: access to the manager’s office

One of our objectives was to reach the manager’s office undetected. Every store is required by law to display a map of the building with emergency exits. We consulted the ExCorp store’s map, which showed us the location of the manager’s office (upstairs), a sensitive piece of information that should not have been included on this document.

During our scouting, we noticed that the offices are reached by a staircase behind an access door that requires a badge. Close observation, however, revealed that although the door swung shut behind employees, it did not latch completely: we were therefore able to pass through it easily.

At this point we were entering an area off-limits to the public, so we had a cover story ready in case we were challenged: posing as the contractor that inspects the fire hydrants, which are present in both the store area and the offices. We passed several employees, to whom we politely said “hello”, but were never asked why we were in the offices.

Thanks to the evacuation plan, we knew exactly where to find the manager’s office. We made sure we weren’t seen and went inside, as the manager was away, and left an object in the room to prove that the intrusion had succeeded.

Thanks to this intrusion, Hackmosphere was able to make several recommendations to ExCorp: post evacuation plans that do not include sensitive information, repair the door to the area off-limits to the public so that it latches, make employees aware of the need to be vigilant when strangers enter a non-public area and to escort them to the exit if necessary, and install a lock on the door of the manager’s office.

Physical Pentesting: what lessons can be learned?

While cybersecurity is a growing concern, and is often the subject of major investment in protection against cyber-attacks, it is essential not to neglect the threat posed by physical intrusions. Incorporate into your cyber strategy rules and protocols for securing employee terminals, especially those used in public reception areas. Train store staff on these issues, and organize regular tests to check compliance with the instructions and help your staff acquire the right reflexes.

Would you like to challenge your company to a penetration test to identify your vulnerabilities and increase your level of security? Contact us to schedule a free initial audit!