How we “stole” our client’s Tesla during a physical penetration test.
Protecting Private Internal Data Needs to Start with Enacting Strong External Security
We talk a lot about how to protect your organization from being the target of an attack on your internal network by creating strong passwords, keeping network hardware under lock and key, and segmenting your network – but the first line of defense should always be ensuring that your physical security is tight. And someone with ill intent can’t get access to your physical network if they can’t get inside the building…right? (Hint: Locked doors are not enough.)
A Smooth Ride
One of our utility clients recently engaged our consulting team to test the physical security of their main facility. The results proved how this critical area of security can easily get overlooked while many organizations focus all their attention on securing their internal network.
To cut to the chase, our consulting team was in the driver’s seat – literally. They were able to break into the building after hours and gain open access to everything inside – including the entire fleet of company vehicles (with unlocked doors and keys stored inside – thank you). According to one DirectDefense consultant conducting the physical penetration test, “the Tesla drives very smoothly”.
Our team may have driven away with the Tesla (for just a short joy ride), but a bad actor could have driven away with a whole lot more, costing the organization an estimated loss of over twenty million dollars, not including the risk of data loss and reputational loss, which could easily exceed one million dollars.
Here’s a breakdown of how we were able to gain entry into this client’s utility operations, and more importantly, what you can do right now to improve your physical security and protect your internal assets from driving out the door.
11 Physical Security Measures to Implement NOW
1. Install Security Astragals on Exterior Doors
Locked doors are no match for the right tools. Using tools specifically designed to bypass exterior door latching systems (by being easily slid between double doors or between a door and the jamb), we were able to manipulate latch bolts on side doors and the crash bar on the front door to enter our utility client’s main facility.
To prevent a bypass attack, we recommend installing Security Astragals on exterior doors that cover the entire length of the door.
2. Sound the Alarm
Because the main facility didn’t have an intrusion alarm system in place to notify personnel or authorities of a break-in attempt, we were able to access and remain within the facility for multiple hours overnight without interruption. If we had been an actual intruder, we would have had a lot of time to do a lot of damage.
Implementing an alarm system that is capable of alerting personnel or authorities to unauthorized door opening, interior motion, or glass breaking should be a top security priority.
3. Lock Filing Cabinets
Once inside, we were able to gain access to unlocked filing cabinets and to the vault, both of which contained personal information about employees, including social security numbers.
We recommend locking filing cabinets when practical, especially cabinets where sensitive data is stored.
4. Strengthen Ongoing Cyber-Physical and Social Engineering Awareness Activities
We used information collected during the first night of the penetration test to social engineer our way back into the office multiple times during business hours. We bypassed the reception desk by presenting donuts and pretending to sign in to the visitor log. As a result, we were allowed into the facility unescorted, and the team proceeded to the computer room/data center unaccompanied.
We recommend maintaining an ongoing social engineering awareness program for employees. Employees should be trained in proper visitor access procedures and understand how to recognize potential unauthorized access.
5. Implement a Fleet Key Management System
One of the more significant findings of our team’s physical penetration test was that the keys to the company’s entire fleet of vehicles were located inside each vehicle in the garage, allowing the team to start up a Tesla and drive it right out of the building.
To protect your company vehicles, implement a fleet key management system where vehicle keys are stored in a centralized secure location. Additionally, we recommend implementing a check-in/check-out system for managing access to vehicle keys.
6. Switch to an RFID/NFC Garage Access System
The garage door access system used a generic RF transmitter garage door opener that was easy to copy, which is what ultimately allowed us to drive the company’s Tesla. With this type of garage door opener, there’s no way to revoke access for a single opener in the event of theft, and no way to prevent cloning of that opener for use at another time.
We recommend utilizing a badge access system for opening the garage doors. Badge access would allow for access revocation and is more difficult to clone than the existing RF access system.
7. Add Inswing Door Latch Protectors
The vault door, communications room door, and data center door were all found to be in-swinging doors that are vulnerable to a shimming attack. We were able to slide a piece of metal between the door and the jamb to apply pressure on the latch bolt, allowing it to be disengaged from the strike plate, thus opening the door. This allowed us to enter the communications room; in the hands of a bad actor, this access could result in a take-down of the company’s entire communication network.
Protect critical equipment and sensitive data by installing latch protectors that would prevent access to the latch bolt while the door is closed.
8. Install Door Sweeps
We were also able to take advantage of a gap between the bottom of a door and the floor to gain access to a locked office using an Under Door tool.
We recommend placing a door sweep between the bottom of the door and the floor on all exterior doors and on secure interior doors. The door sweep should be sturdy enough that it is not possible to slide a tool under the door. If a door sweep is not practical, the interior door handle can be modified so that it is not possible to manipulate the handle with an Under Door tool.
9. Use Fence Gate Security Posts
Moving on to evaluating the security of structures outside of the main facility, we found that the fence gate on the south side of the building did not have a security post, allowing us to push the fence away and slip right through.
We recommend adding security posts to all gates to prevent a small-statured attacker from being able to slip between the gate and the fence.
10. Lock Any Exterior Doors
Once we passed the exterior fence and got into the backyard area of the facility, we found that the storage sheds were unlocked after business hours, allowing us full access to these buildings and to the expensive equipment located inside. Additionally, the heavy machinery located inside the sheds had keys in the ignition.
We recommend key-locking any doors when not in use or implementing badge access control. And store keys somewhere other than the vehicle’s ignition!
11. Use Security Cameras
We discovered that several substations did not have security cameras installed, making it impossible for a remote operator to notice unauthorized access to the substation.
We recommend placing cameras with remote viewing capability around any company buildings. Additionally, cameras capable of night vision and human detection are recommended.
When it Comes to Physical Security – Don’t Take a Back Seat!
Our consultants’ ability to gain significant access to the premises of our client’s facility and surrounding buildings demonstrates the importance of tight external security. Good lighting and locked doors are a great start but clearly aren’t enough. Even cameras will only let you observe what happened after it’s happened. And by then, it’s too late.
The best approach to physical security is to understand where your external weaknesses lie and to tighten the security controls inside your physical environment as well. These security controls also include regular security awareness training for employees using simulated events, such as the scenario carried out in this attack, in addition to other physical and digital social engineering attack scenarios.
Slow down attackers or, better yet, stop them in their tracks! Get a physical penetration test to understand how the security of your physical environment – from the outside in – could be improved.