Back to the failure - Did your physical security really evolve in the last 40 years?
2024-10-24 , Europe - Main Room

There was time when computer security was not a thing. A time blessed by wannabe hackers when sensitive facilities were just wide open because, seriously, who would really attempt to hack into a research or a leading industry system ? This was a long time ago... or was it ? What if I tell you there is a whole branch of information security which still happily lives in this stone-age ?


In this presentation we will see how this mindset still survives nowadays in the physical security realm. We will see how the very same mindset leads to the very same errors, false beliefs, and often very expensive false sense of security. A realm which should be blessed by nowadays hackers as doing tourism in so-called "highly secured" data centers and industrial sites is just so fun, and a mindset which should be avoided by the responsible of such sites who actually care about their security.

A part of our job is to do physical pentest assessments on those “secure” facilities which usually spend huge amounts of money in various security bell and whistles, from the concrete wall surrounded by shiny barb wire up to highly technological access control, intrusion or theft detection systems such as biometric sensors and some mantraps, all this surrounded by hundreds of surveillance cameras and 24/7 on-site security teams. Too often I encounter the same dated mindset, where all these features are actually thought by vendors to impress honest people (starting with the facility owners themselves) without effectively taking offensive mindset into account. The consequences are usually multiple, but usually end up as our teams getting uninvited free access to the targeted most critical area, with just $30 worth of tools, without feeling concerned by all this costly stuff and without being actually noticed by anyone.

The real issue here is not money, it is the mindset, the same security mindset that has been built during the last decades in the cyber world and is, more often than not, totally lacking in the physical realm. The goal of this presentation is therefore to raise awareness about this situation, and by comparing obsolete IT habits from the early 2000s with current physical security practices we will see which kind of vulnerabilities can often be encountered, how they could be exploited, and how they should be prevented.

See also: Slides (4.1 MB)

Pentester @Synacktiv, I like as much trying to enter into your computers than into your facilities.

I'm a physical intrusion specialist, and more specifically like the technical aspect of it, as opposed to the social engineering side which I use as a second resort. I'm particularly happy when I manage to demonstrate how the creative use of low cost items may allow to easily circumvent seemingly secure systems: this usually lead people to look at their locks differently, which I consider as one of the goals of my pentester job.

While also doing physical intrusion into offices, industrial sites are often more challenging and have a neat "urbex" feeling where you never know what awaits you behind that closed door. A huge difference however is that this activity is not only legal, but also helps to improve the security ecosystem.