
Restricted Area Simplex Lock Bypass

In the document Johnny Long (Page 120-125)

Simplex locks (such as the one shown below) have a wicked reputation.

www.syngress.com

Physical Security • Chapter 4 97

Noted security researcher Michal Zalewski goes high-tech against locks like this and his results are nothing short of spectacular. In his paper “Cracking Safes With Thermal Imaging” (http://lcamtuf.coredump.cx/tsafe), Michal shows that heat left behind from a user’s fingerprints can be detected with a thermal imaging device up to several minutes later, as shown below.

Popular video games like Splinter Cell have gotten in on this action, too.

The in-game photo below shows a combo lock as seen through Sam Fisher’s thermal goggles moments after a guard punched in the combo.

In my opinion Michal’s truth is cooler than video game fiction, but either way, thermal imaging is a pretty sweet high-tech attack. But this book is about no-tech, so let’s get to the no-tech options. Since the buttons used most often will have a thin layer of finger-oil residue, you could dust the panel with baby powder, and blow away the excess to find the combo buttons. Or you can trick a user who knows the combo into touching some UV-reactive gunk so that when he or she touches the buttons you can later hit the panel with a UV light to see which buttons were touched, sort of like that scene in National Treasure. You could even brute-force these puppies if you’ve got serious hand-eye coordination and aren’t prone to bouts of carpal tunnel.

But so far, the techniques I’ve discussed are not truly no-tech. These attacks require actual tools and some gear, and at the very least some baby powder. Let’s go all the way down to no-tech for a real-world attack. Come with me as I head to the airport, home of some of the most paranoid and advanced security systems anywhere, armed only with my eyeballs and an optional digital camera in search of a prime shoulder surfing opportunity.

Past the security screening checkpoints, I spot several Simplex locks, but they all have the distinct look of a janitor’s closet. Eventually, though, I find a Simplex lock protecting what appears to be an office door. The door is adjacent to a gate checking area, and as I step closer a pilot walks up to the door, punches the digits and pushes through, revealing a windowed office overlooking the runway, and a computer system.

Thrilled to see that the lock protects an actual office, but bummed that I missed the combo, I look for a good place to sit and wait for another pilot to poke out the digits.

The perfect seat would be relatively close to the door and at an angle that allows me to see the buttons clearly as they are entered. I find the perfect seat, and just as I am about to sit down, I spot this sign:

I dutifully ignore the sign, plop down in the “restricted area,” and pull out my laptop. I set my camera on the keyboard, making sure that it’s out of view of casual passersby, and wait. I don’t have to wait long. Within moments, a pilot comes by and punches out the combination. The stills below speak for themselves.

Although I’ve presented the stills in a random order (and maybe even removed one or two) the message is still clear: shoulder surfing rules, especially when you left your thermal imager in your other pants. The pilot pushes through the door, leaving it wide open. I lift my camera and continue filming. The next shot shows shoulder surfing, Round Two.

I purposely blurred the image to protect the innocent, but even still, do you see what I see? I hope you do because that means this book is teaching you something.

I know you can’t read anything in the photo, but you should be able to pinpoint at least five items a no-tech hacker would focus on for more information. Do you see them? Go ahead, give it a try before you continue reading.


How did you do? The monitor is a gimme. We’ve got a whole chapter on shoulder surfing monitors. What about the stickies on the monitor—one small, and one super-sized? One could be a barcode, and the other could be just about anything.

Let’s go deeper. What about the brand of monitor? Combined with the barcode, it may give you a clue about who handles tech support at the airport. Social engineering, anyone? What about the laser printer? Again we see another sticky that may list instructions for the printer, IP addresses, print queue names and more. The brand of printer might clue us in to another social engineering gag. We could be the printer repair guy. There’s other stuff here as well. Did you catch the seriously old and discolored dot-matrix printer? It’s got stickies, too—more than one. Check out the sign above the phone. Could it have important extensions? Did you catch the poster? Could it contain industry jargon important for a social engineering attack? The pilot at the terminal can be visually disassembled as well, even though we could just as easily do this outside the office. Is he married or single? Ex-military or civilian? Neat or messy? The list could go on and on.

The next photo sums up the success of this real-world scenario, as I capture not only a shoulder surfing session and a roomful of potential information, but also one pilot’s lanyard and string of badges. So many options in one photo.

The point here is not to pick on the airport’s security, or the pilot’s lack of awareness, or the TSA’s obliviousness to the whole affair. Rather, the point is that even in an environment where security is a top priority, no-tech hackers can have an absolute field day. If it’s possible to gather all this information in mere moments at an airport, it’s possible anywhere.
