Author: Shaun Peapell (VP of Global Threat Services)

During this year’s InfoSecurity Show, our team at Rootshell devised an engaging challenge for show-goers. The task? Picking a lock securing an ‘Ammo Box’, with intriguing contents serving as stepping stones on a thrilling ‘hack journey’.

The ‘Pick the Ammo Box’ challenge was met with enthusiastic participation, sparking a myriad of questions. Seeing this curiosity, it seemed fitting to address these queries through a blog post.

Blog image pick the lock

 

Let me share a bit about my background: Besides being a pentester, I’m also a qualified locksmith, and have past experience as a counter-intelligence physical security specialist. Hence, whenever the topic of physical security arises, you’ll find me brimming with passion and enthusiasm.

I know this blog post might look like we’re taking a scenic detour down the physical attack route. But, don’t worry – I’ve got electronic access control on my radar and we’ll be diving into that in upcoming blogs.

In the realm of physical security, doors play a vital role in safeguarding spaces and assets. However, understanding the vulnerabilities and potential attacks against physical doors is crucial to evaluate their overall security. In this blog post, I will explore various techniques and tools used to attack physical doors, shedding light on the vulnerabilities and highlighting the importance of robust door security measures.

Lock Picking / Raking / Slipping:

Lock picking is a common method used to bypass physical door locks without a key. Skilled individuals use specialised tools, such as lock picks, tension wrenches and rakes, to manipulate the lock’s internal components and align the pins, allowing the lock cylinder to rotate freely.

Alarmingly, these tools are freely and widely available to purchase online!

Mitigation:

  • Install high-quality, pick and slip resistant locks that comply with industry standards.
  • Consider using locks with additional security features, such as sidebar mechanisms or magnetic pins, to make lock picking more challenging.
  • Implement security measures to detect and deter lock picking attempts, such as security cameras or alarm systems.

Bumping:

Lock bumping is a technique that involves inserting a specially crafted bump key into a lock and applying force to jar the lock pins, causing them to jump momentarily and enabling the lock to be turned. Bumping is particularly effective against pin tumbler locks.

Mitigation:

  • Choose locks with anti-bumping features, such as security pins or advanced pin designs that resist bumping attempts.
  • Consider upgrading to smart locks that are less susceptible to traditional bumping techniques.
  • Utilise secondary security measures, such as security chains or deadbolts, in conjunction with the primary lock.

Impressioning:

Impressioning is a technique where an attacker uses a blank key and manipulates it inside the lock to create an impression of the lock’s internal components. By analyzing the impressions left on the key, the attacker can gradually refine the key until it matches the lock’s configuration, allowing them to open the door.

Mitigation:

  • Install locks with additional anti-impressioning features, such as mushroom or spool pins, which make impressioning more difficult.
  • Consider using locks with rotating or moving components that can change their configuration, making it harder to create an accurate impression.

Bypassing Physical Barriers:

Attackers may attempt to bypass physical barriers, such as doors with weak frames or hinges, by applying force or using tools to pry or break them. Weak or poorly installed doors, hinges, or frames provide an opportunity for attackers to gain unauthorised access.

Mitigation:

  • Ensure doors are made of durable materials, such as solid wood or metal, and have reinforced frames and hinges.
  • Install security plates or strike plates that reinforce the area around the lock and prevent brute force attacks or kick-ins.
  • Consider using additional physical security devices, such as door bars or deadbolts, to reinforce the door’s strength.

Key Duplication:

Unauthorized key duplication can provide attackers with easy access to a physical door. Traditional keys can be easily copied without proper restrictions or authorization.

Mitigation:

Implement key control policies, restrict key duplication, and ensure keys are stamped with “Do Not Duplicate” to deter unauthorized duplication.

Consider using high-security locks that require restricted key blanks and specialized equipment for duplication.

Conclusion:

Physical door security is a critical component of overall security measures. Understanding the potential vulnerabilities and attack techniques employed against physical doors is essential to implement effective mitigation strategies. By selecting high-quality locks, incorporating advanced security features, reinforcing weak points, and implementing access control policies, individuals and organisations can significantly enhance the security of their physical doors.

Remember, a robust door security system acts as a deterrent and provides an essential layer of defense against unauthorized access, protecting assets, and ensuring peace of mind.

Rootshell’s RedForce team have lead countless Red Teams and Simulated Attacks against clients and organisations over the years. Where clients agree to include the physical attack surfaces to an engagement, more realism is employed, rendering more true to life attack results which can be identified for remediation.

To find out more information about our RedForce Team, please head to our Red Team as a Service page.

Subscribe So You Never Miss an Update

Your data will be processed in accordance with our Privacy Policy

Related Posts

SEO Blogs May 7 olympics
Archiving and Custom Imports Blog
Overall Blog image