Tales From the Road: It’s a Physical Penetration Test – Do You Know Where Your Network Is?

How one “hotel guest” gained access to the entire network from a switch found inside their hotel room’s linen closet during a physical penetration test.

When you think of where the physical components of a corporate network might be kept, images of a well-secured IDF closet located behind locked doors most likely come to mind. But an open linen closet filled with fluffy white towels and miniature bottles of toiletries? Not so much.

DirectDefense conducted a penetration test for a hotel client that proved how important it is to know where your network is. Our consultant, who was a legitimate paying hotel guest for this test, proved how anyone with a little persistence and a whole lot of luck could easily wander around the halls of a hotel, find an entry point into the network, tap into it, and have access to sensitive guest information.

Towels, Toiletries, and… Technology?
Our consultant was tasked to obtain physical internal network access at a hotel client of ours. As a guest at the hotel, our consultant began exploring the hotel facility (after enjoying his complimentary breakfast of course!) looking for any weaknesses in security controls that could potentially allow him to gain unauthorized access to the hotel’s corporate network. Unsurprisingly, our consultant found the data room which was clearly labeled as “Systems”. The door lock was secure and did not allow easy access to the sensitive systems within the room. (Here’s a little inside tip: Never label doors or areas that contain sensitive information; that only draws attention to them and makes it easier for someone with ill-intent to try and gain access.)

Not intending to give up that easily (mimicking the mind-set of an actual attacker), our consultant continued to roam the halls, searching for any way to gain access to the network. After another half-hour of searching, our consultant came across a linen closet on the second floor that was unlocked. To his pleasant surprise, the linen closet contained much more than towels and toiletries… It contained an unlocked cabinet containing network switch equipment! Who would have thought?

Getting Past the Hotel Guest Wireless Network
After removing the pieces of tape that were keeping the cabinet closed, our consultant connected his laptop to the switch and was able to connect to the hotel’s guest wireless network. That is, until he next discovered an additional switch at the bottom of the cabinet which gave him logical access to an internal VLAN within the hotel corporate network. Given the lack of proper segmentation on the network, the consultant had logical access to the entire internal network environment at that point. And given the existence of other exploitable vulnerabilities within the network, the consultant was poised to quickly gain access to the majority of sensitive data contained within it!

Our consultant spent the next several hours connected to the network in the compromised linen closet. During that time, hotel housekeeping employees came and went and only two stopped to ask him what he was doing. One of them starting a fifteen-minute discussion about the best way to learn routing protocols and configuration. None of them bothered to ask any further questions to validate his identity after he told them that he was performing “a little testing” (that would be an attacker’s code for stealing your guest’s credit card information – cha-ching).

After stocking up on some freshly laundered towels, our consultant took his laptop (and screenshots proving access to the hotel’s sensitive data) and headed back to his room for a well-deserved rest.

Lessons Learned from the Linen Closet
While we were able to easily gain access to the hotel’s corporate network from the linen closet, we couldn’t have gotten past the guest network if the hotel had a proper defense plan in place.

In the case of our penetration test, we were able to access the entire corporate network with no problem and gain access to sensitive hotel and guest data without being detected. Had we been an actual attacker, the credit card information of the hotel guests would have been there for the taking.

This exercise uncovered four specific areas in which the hotel’s security was insufficient:

  • Ineffective Physical Security: An unlocked door containing networking equipment is obviously a big problem. The client needs to ensure that all systems and network infrastructure equipment are located in properly secured areas with physical access to equipment granted to authorized personnel only. In addition, sensitive areas should not be labeled in an effort to avoid drawing attention to them.
  • Deficient Employee Security Awareness: The hotel should update employee and visitor identification procedures and implement a verification process to validate personnel and contractors. All employees should also be subject to a rigorous security awareness training that includes real-world examples.
  • Lack of Network Access Controls: The client does not have a NAC solution in place to ensure only authorized systems and devices can connect to the corporate network. If the hotel had well-secured NAC in place, our consultant would not have been allowed onto the corporate network.
  • Lack of Network Segmentation: It is common for a hotel to have a guest wireless network segmented apart from the corporate network. However, they need to establish firewall access controls between the various corporate network segments to mitigate and limit access to network resources in the event an attacker gains access to any given network segment.

Think Your Organization Can Pass the Test?
Find out! Our penetration testing team performs these routine tests to try and successfully compromise as much as we can within an organization to ensure someone with malicious intent won’t be able to. If your company is interested to see what vulnerabilities our penetration testing team can uncover, contact us today.