Security BSides Las Vegas 2025

Infiltrating Like a Ninja: Unveiling Detection Gaps in Physical Security Across Japan and the U.S
2025-08-05 21:30-21:50 (Africa/Abidjan), Florentine E

Case studies like DarkVishnya, where eight Eastern European banks lost tens of millions due to physical intrusion and malicious devices, highlight the critical importance of addressing physical security. Secureworks has included physical intrusion in red team exercises since 2011, with the Japanese team's intrusion success rate remaining at 100%. This emphasizes the urgency of improving physical security.
This session leverages extensive penetration testing experience to illustrate differences in physical security practices between Japan and the United States, presenting real-world cases from both nations. It offers practical insights for effectively countering physical threats. Analysis indicates that Japan’s relatively lenient security, influenced by low crime rates, leaves organizations vulnerable to intrusions through social engineering and inadvertent staff cooperation. Conversely, the U.S. enforces stricter measures due to higher risk awareness but remains susceptible to vulnerabilities driven by human factors. Both countries must tackle their exposure to social engineering. Attendees will understand how cultural contexts shape security postures and gain actionable strategies to strengthen defenses against these weaknesses.


  • Introduction (Background & Motivation)
    Incidents such as the large-scale DarkVishnya compromise—where malicious devices were planted onsite—and the leaked i-soon documents referencing suspicious hardware underscore how physical breaches, combined with social engineering, present a very real threat to enterprises. However, compared to digital security, the sharing of knowledge regarding physical defenses remains limited.
    This session offers comparative insights drawn from multiple physical penetration tests (pentests) conducted in both Japan and the United States, highlighting unique lessons from each region’s security practices.

  • Presenter Background
    Let me provide some background about our presenters.
    One of them is the lead for physical security on the Japan team. Another is a professional who has handled numerous projects in the U.S. And finally, we have a member of the Counter Threat Unit team, who is well known here in Japan.

  • Overview of Physical Penetration Testing

    • Definition and Purpose
      By simulating real-world attacks—such as social engineering, RFID cloning, or other hardware-based compromises—physical pentests assess the risk of adversaries gaining physical access to internal networks and systems.

    • Common Techniques
      These methods include not only direct system-level attacks (e.g., RFID cloning, wireless hacking) but also “soft” tactics like tailgating and leveraging employees’ goodwill. While such techniques require finesse, the presenters have achieved a 100% success rate in certain scenarios, underlining the pivotal role of human-factor vulnerabilities.

  • Case Studies in Japan

    • Cultural Background
      Japan’s low crime rate fosters a pervasive atmosphere of trust, with employees seldom challenging unfamiliar individuals in office settings.
    • Security Measures
      Although many organizations employ ID badges, gates, and other formal systems, employee vigilance is generally lacking, allowing attackers to easily install rogue devices or malware once inside.
    • Intrusion Example
      Even offices equipped with security guards, flap-gate turnstiles, and front-desk check-ins can be bypassed through social engineering. We will demonstrate how posing as a “late employee without a badge” or someone “rushing to a meeting” effortlessly exploits well-intentioned staff eager to assist.

  • Case Studies in the United States

    • Cultural Background
      In contrast to Japan, the U.S. experiences higher crime rates and stricter liability concerns, prompting more rigorous security measures such as patrol guards and extensive surveillance.
    • Security Measures
      Access privileges are firmly segmented, suspicious individuals are quickly challenged, and armed guard patrols are common. One speaker will recount how a colleague was immediately approached by security on the first day of a U.S. engagement, illustrating the prevalent “challenge” culture.
    • Intrusion Example
      Despite these robust defenses, carefully crafted social engineering frequently succeeds. Whether by engaging in conversation to clone RFID badges, tailgating into restricted areas, or calling a help desk for sensitive details like BitLocker keys, attackers can exploit the same human-factor weaknesses seen in Japan—thus compromising critical corporate assets.

  • Comparative Analysis

    • Key Differences
      Japanese organizations may be undermined by cultural deference, whereas stricter enforcement characterizes the U.S. Even so, no system is impervious.
    • Common Weakness
      Human psychology remains the ultimate vulnerability. No matter how advanced the controls, a deceived or empathetic employee can inadvertently grant attackers entry.

  • Conclusion
    Physical security hinges not only on locks and guards but also on workplace culture and employee awareness. This presentation emphasizes the need for frequent physical pentests, practical training, and fostering what we term “friendly vigilance.” Drawing from real successes—and failures—across both Japan and the U.S., we will propose concrete countermeasures and strategic frameworks to help organizations stay ahead of evolving threats.

With a background in security incident response support and malware analysis and countermeasure research, he joined Secureworks in March 2016. Currently, as a researcher on the Counter Threat Unit team, he focuses on investigating the latest cyber attacks, particularly those targeting Japanese enterprises. He is also actively involved in incident response and red team testing. Additionally, he has presented his findings at prestigious conferences such as the FIRST Annual Conference and CODE BLUE.

Fumiya is a consultant at Secureworks. He leads the physical security domain within the Japanese team. He conducts physical penetration tests for companies in various industries and boasts a 100% success rate. He specialises in social engineering and has identified real threats using these methods.

With a passion for offensive security and a knack for creative problem-solving, I lead and execute red team assessments that span physical security, social engineering, and wireless testing. My work involves conducting thorough internal and external network penetration tests and vulnerability assessments to identify and remediate security gaps.

I specialize in developing custom exploit tools to replicate real-world attacks, providing actionable insights and practical solutions to both common and unconventional security challenges. From start to finish, I manage project lifecycles with a focus on measurable impact and continuous improvement.

I’m dedicated to helping organizations strengthen their security postures and adapt to an ever-changing threat landscape — and I’m excited to share some of those insights with the BSides community!