Physical Intrusion - Access Un-Controlled - Iain Parkes

good afternoon ladies and gentlemen So today we're going to be talking about how we can abuse integration it's something that I use for physical intrusions uh and it works very well so first of all just a show of hands how many people have an office or have a building maybe a floor maybe a multi-tenant multitenant office y yep and I bet once a week you hear a fire alarm system go off very annoying you normally on the phone at the time at the time it goes off uh but that single event is actually a massive security hole for quite a lot of companies that they don't even realize that it is uh and information around that event is

also a very big security risk and that's what I'm going to basically talk about it's something that is not new it's not something that's hidden um but it's something that people don't realize uh it's actually quite a big risk so disclaimer it's highly illegal to do physical intrusion so I don't want you breaking into novel server room room at the end of this um there are there are ethical ways to do it which I'm going to be going around but there also very unethical ways uh which I will touch on but I won't tell you to do it obviously um we're basically going to use the information provided information that's available in the uh via maybe uh

fishing or an email um or fishing uh and like I say there's nothing new this all exists and mitigations do exist a couple of companies do use mitigations which I will I will explain at the end it's normally more like retail chains use mitigations as opposed to uh Office Buildings uh and physical security is stressful but fun so you know if you're interested in it that's not mine are we on next doors let's watch next

door and with back sorry about that if you want to go next door now you've got a sneak preview there's going to be less IT Crowd references in that one anyway who am I I'm a security consultant working for rootshell I've worked in the fire alarm and security industry for 18 years before going into penetration testing uh I used to do mainly uh commissioning and signing off make sure things are compliant and work the way they should thus the compliance that's a knowledge of compliance I've performed many physical intrusions some abroad and hey I bet you recognize me no yes I was UN bargain hun I did lose 15 we all make mistakes I shouldn't have brought that

wheel anyway in this tour we're going to talk about various things so why we why are we doing this tour first of all cuz people focus on physic on on sort of cyber and digital defenses yet sometimes physical defenses are actually a greater concern because once I'm in your building anything I do in your building could be considered critical I could plant a key logger I could you know ask someone to use their computer which I've done on physical enragement and people do people let you use their computer if you ask them nicely enough um so yeah so physical intrusions are a a really good uh show a good way to show a client you

know you need to improve sort of of awareness uh one of the main problems of that is though it's not like in cyber security where you can do something and it's fixed it's ongoing you people have got to be ongoingly having this training otherwise it's it'll be okay today and tomorrow what about next week what about in two years time so I'm going to give you a bit of overview about fire alarm systems because this is the integration I'm mainly concerning with here I'm going to give you an overview of far of asset Control Systems how we can use this information within reconnaissance and execution uh I'm going to give you some real life examples of uh physical

intrusions I've done and how I've how I got into them using these these methods uh and what we can do to prevent them so first of all physical pent test you've never heard of physical pen test is when we try and get into a building maybe get to a critical risk area maybe a server room uh or even just get into the building plant something access access their uh infrastructure so it all starts with information gathering so the information gathering is where we look online for things so we might look online unlikes Google maps to see a building to see what sort of entrances are there social media people like to post pictures of like birthday parties

or giving a big check to someone so you can get some good information of things like lanyards and ID cards from that uh also people you know finding out who people are it's always good to know who people are who who is the people you're going to you don't want to avoid so if you're going in as a as a certain pretex of someone you want to avoid a person who's going to know you're not that person so it's good to know who the people are information about the building who built it you know who was a main contractor that built the building who is who looks after the building are there any thirdparty contractors that

you can find information about uh a good another uh good place to get information gathering is planning offices sometimes people uh post you know plans of the actual building layout which is great to find out where the server room is um so it's all great good information G and then we do some onsite recant this is where we actually physically go onsite we might scope a building out for a day uh on a minimum just to kind of see what people's movements are see what actually happens you know what what do people do where do people go to lunch are they wearing bads am I trying and get pictures of their badges or their lanyards um what's security like is a a

back door or a front door uh nine times out of 10 I'll try and go for a not the front door I'll go to the back door because it's normally got left security uh so we're looking at this on the sort of onsite reconnaissance we then do the most important part which is planning and preparation so this is where we get ID cars made lanyard maybe a pretext so a pretext is like a like you pretend to be an essentially and you pretend I'm so and so I'm so and so but it all depends on what you found in those previous steps and then the execution is when we actually do the physical intrusion there's a little note at the bottom of

there which is basically the more planning and preparation you do the less uh the more likely the execution is going to go well uh physical penetration test is a a mixture between luck and preparation so the more preparation you do the less luck there's always going to be a luck element because you might have that one person that doesn't trust anyone you know even if you know them they don't trust you so it's always good to be prepared that there could be that one person that you need need to try and convince fire alarm system this nice little picture here this is a a fire alarm system and its components so the part in the middle that is the fire

alarm control that's the brains on most fire alarm systems so this is an addressable system there's two types it's addressable and conventional conventional is very sort of onoff and that's it uh addressable actually all the detectors that connect to the fire alarm panel itself are actually done they're just sens as giving data to the fire alarm panel so at the top top left you got a fire alarm call point which is used for weekly test and set it off the a fire alarm don't do it there's probably one over there somewhere uh smoke detectors which there's probably one in the sky somewhere uh which s for smoke you got fire alarm Sounders which on the top right the most important part

is that little white box there that little white box connects to different things so on a fire alarm system there's got to be certain things to make it safe to exit the building so um if for example the fire alarm goes off we want to make sure all the doors are released so we can get out in in a safe manner so we don't have anything blocking our way we want to shut down air handling units which could spread the fire we want to shut fire doors so you know fires can't spread and various things shut the lifts down so you know people AR in the lift getting burnt to a crisp so all these

things happen with interfaces like that white box there uh and that basically communicates to those parts the main thing with firearm systems is everything's fail safe so it needs to really physically break that connection so it's no data connection at that point it's a physical break of a wire and that will stop the thing from working or make the thing work not on here nobody really wants a fire alarm system it sounds a bit weird to say that but they have to have it you know it's not a very pretty piece of equipment it hasn't changed much in many years and the main reason it hasn't changed is because it's so expensive to change it for example a

fire alarm panel is actually made of several components all them components have to go through um certification that certification cost quarter of a million pounds per certification attempt uh and if it doesn't pass they have to then play another quarter of a million and that doesn't include all the R&D that's involved so because the industry is so protected that it needs to keep that things don't change very often so it's very old technology from the from the get-go everyone wants fancy security systems and nice conference systems it looks prettier they can see it nobody's going to look at the firearm panel nobody wants to see it and as I mentioned on there that you know it's important that it works right

so especially with the disasters we've had lately people want firearm system just work shut down what they need to do get people out the building uh probably 10 15 years ago people wanted more comp system to kind of delay people exiting the building uh but because of certain disasters happening in like office blocks Etc uh and um you know accommodation that we've had like grenfall Tower uh it's more of the fact that let's just get people out safer so you know people just want them to work we really fail safe so testing and maintenance the firearm system has a lot of uh code of practice and actually some requirements from the health and safety at work act

so firearm systems must be maintained as part of a respon employer's responsibility they need to be checking them every week and when they're checking them every week they need to be checking certain things so every week a um a weekly test is performed by the responsible person that person is deemed as a as a responsible person and is liable for not doing these things uh and it's to check that a the firearm system works everyone knows what it sounds like the client knows how to actually use it and to make sure there's no problem so you can see now why it operates every week is to to fit those criteria fire think of a firearm system if goes off

that's the perfect situation but that's why they have to do the weekly test to make sure they know what it means when it goes off and how it sounds we've all been in that situation where we've heard a fire alarm system and we've R nobody moves for the first 10 seconds because they can hear something they go what's everyone else doing and then everyone moves so it to have that regular sound it means people are calm and they move uh correctly and it says on there that the firearm system must be maintained by a competent person so this is a company who will maintain it over a year period and they will check every component on

that fire alarm system over that year access control system like the one I have here which I'll show you so access control system this is a kind of different systems work slightly differently but they generally have these components so in the top left you've got the reader or or a keypad uh these are a data signal that connects then to the door controller in the middle these door controllers are normally placed above a door or around nearer by a door uh you've also then connected on there you've got a power output that goes to the lock so on the top right we've got a magnet a magnet lock which normally above above the door and just below that you've normally got

a latch lock uh you get two types of lock you get fail safe and fail secure fail secure obviously if he loses power it'll means it'll lock the door however that gets criteria with the with the fire alarm side that it needs to be able to release in a fire condition so you don't see many fail secures on Final exits for example and then the magnet one there if he loses power it just releases the good thing to note about the magnets is they actually work to a certain uh Newtons rating if if they're connect if they're installed correctly they're not installed correctly they will release if you push them hard uh there was a school where they had these

on there uh and there wasn't they was install correctly and the kids could open the door by running at them really hard so people think these are skew but if somebody really wants to push it open they can push it open same as if you get a screwdriver onto the plate and you can slightly lever it you can open it as well uh and also if it's installed on the wrong side so if there installed the so the magnet part of it the larger part you can see there if that's installed on the unsecured side I could just unscrew the plate and take the wire out what's stopping me so it's all about how it's

installed in that location on the bottom left is a very interesting piece of equipment which is the emergency door release we're going to really focus on that because I've used that on on numerous occasions these should only be installed on the secure or protected side because these actually released the door uh so we'll talk about how they can be installed wrong and can cause lots of problems so this is a general sort of connection there's a lot of wires going on there but you can see the door controller talks to everything you've got a data patch that talks to uh like on a network of of door controllers they're all programmed they can actually work independently like this uh so you

don't actually have have to connect them to like a server uh and you see door readers come in and then the interesting part that we need to be look at it is where we can see that green brake glass and the door lock we can see that that green brake glass has to go in line with the door lock it has to be a physical uh secure we can't rely on software to release that door so that green brake doesn't directly connect to the door controller it's actually in line so that that brake glass will break the power and to show this a bit more so you can see that this is how a fire alarm would

be not very good picture because it's white uh but you can see the door controller the power from the door controller powering the door goes via the fire alarm interface goes via the door door release and then goes to the magnet so either of those items if they operate will break break the power to the door the door will release and the door controller won't know that the door has released at that point because it doesn't know that the power stopped so generally you can see that those two items on the left hand side so the fire alarm interface and the door controller need to be uh in a secure location because the door controller may have a

tamper on the door so if the the the the cover's removed it might come up with a an an event message to say that somebody's tampering with it the fire alarm does not have a tamper on it because they won't cuz it's it's a completely separate system so if I was are able to access that door that fire alarm interface I can just disconnect the wire and then the door will come open so if that was installed on the unsecured side you can see how the security of that item just alone means I can get into that into that room without having to do much and yet again the green brake gust if that's installed on

the wrong side why why do I need an access card so in uh so as I mentioned here the emergency the the emergency uh green brake glass is there required for you to exit the building and there's requirements in place to say that it should not be the single roll so that's why you've got the fire alarm in place as well um it also mentions that if you've got a secure area you should have the the a door forced alarm should be used so door Force alarm basically means that the door has been opened without using an Access Control Card uh I'll show you some uh ways that that is kind of not really used or if it is used it's

used in correctly uh because of the way they set it up uh what you'll probably find in most external doors will have the door Force connected to the access uh the Intruder alarm system so that will generate an almost like an intruder alarm condition which people take more notice of big loud sounds uh but it's very rare that and it's normally connected on internal uh doors it's connected to actual access control system itself which is not monitored as much and you will ignore it cuz I will show you how how similar it is to to other parts it also mentions about Brak glasses should be double knock I've never seen a double knock one being used

or even triple knock to put a a message on to say that it's been operated yet again I've never seen that been used before uh the interesting part is the fire alarm um standards uh sorry the fire alarm standards varies from the access control standard the access control standard mentions you can use a Access Control input to release the doors however that is deemed unsafe for British stand standards because British standards say it should be the physical disconnection because if you're using a software input then your cables need to meet the requirements of the fire alarm which means it needs to be uh fire uh needs to withstand an hour's worth of fire and it needs to have your battery

backup uh and you don't see that in Access Control Systems very often so they will deem to put an interface at every single door is the easiest way rather than use software input because it changes the whole access control system and obviously you should do a risk ass assessment on doors uh where you've got get this so I'm going to show you in Action a access control system and fire alarm and how they operate together if this works Tada so here we got here we got the door reader got the access control unit this is my fake fire alarm system so this is a uh it's not fake it's actually real so this is a

smoke detector and this is a Sounder this is the green brake glass door controller this is the exit button so you might have it on a door when you go out of the building you might press it to it uh that just so you know this light is the important bit this is basically saying that the magnet's energized so the door is locked uh and I'll mention other things as we go along so you've probably seen these before show the camera uh these are the action control Focus you scan on there data signal goes to door access control the door has released you heard the beep you might also have a case where somebody leaves the door open for too long and

you hear this noise well you don't hear this noise that noise so that's a sort of sound you might have heard before when somebody's held a door open for someone it's very annoying and then it stops as soon as someone shuts the door that's important to note because that sound is probably the same sound you'll hear in a minute so if I come along to the uh exit button yeah again exit button releases the door green brake glass now watch everything on here if I do the green brake glass I'm going to use a test key for this situation you can see that the door has been released but the door controller knows nothing of it if I do open the

door at this point you can hear I got the door forced alarm but as soon as I shut that door it stopped nine times out of 10 they will use the same buzzer or Sounder especially on the internal doors as they will on um on on the the uh door held open so the sound is is actually the same and the mo most bit you've been all been waiting for we love this bit uh fire alarm this is my smoke I carry everywhere you never know when you need to smoke fire emergency please remain calm and evacuate the building immediately don't evacuate the building immediately you can stay for 5 minutes longer and then you'll burn to death so as you can see

here the fire alarm has gone off and the door has released yet again exactly the same if for when to go and open the door you get the same horrible noise when the fire alarm system is reset you can see that the door goes back to how it sh so there you can kind of see how it all integrates and how the door controller is none the wiser of of these items here but how it all operates

together we'll shut him up hope track two have not evacuated can somebody check to make sure track two are still in the building uh anyway so this is sort of a log message that you'll probably see if they've connected the door forced alarm to uh the access control system it will basically be a small log entry saying the door has been forced and the door is now relocked you can also see there if somebody used the wrong type of card as well you'll get the sort of log on there so it's not something that you'd really notice unless they've got some sort of Automation in place that it emails someone uh which you can see

why you can see how insecure this could actually be so how can we use all this information I've just mentioned so going back to fire alarm system we're going back to we're going back to Recon days so fire alarm systems have what they call a zone chart next to them and within the standards this Zone shot needs to be near a fire alarm panel and this fire alarm panel needs to be by the front door Tada we've now got a building layout for free so this is an example of a retail unit by my house I've I've masked it off so you don't know which it is uh but from here we can see very

clearly thing we can see zone areas which are fire alarm zones which we're not really interested with although some might reveal certain areas but we can see building layers we can see doors we can see toilets very good always good to know where a toilet is on a physical Recon uh and you know we we see Server rooms could we see you know cash offices you know all sort of information that could be very handy in a Recon situation so we know exactly where we're going um we also might see company names on there of who who who um installed the system or who maintains the system uh yeah again very interesting information also contractors who built the building might

be on there as well so we might be able to go back and find more information about them firearm panels themselves this is a firearm panel yet again uh we can see a couple of things on here we see the make a model of the fire alarm system so that this will help us determine if we need any props if we want to go as a fire alarm engineer we can take props uh that fits we might be able to see faults this has no Faults which is good very good company uh but we might see faults on there we could use that as part of a pretex saying oh we've come to look at

the fault on your fire alarm system so yet again uh information we can see there it says panel two so we know there's more than one panel uh sometimes companies replace their logo where it says Advance with their own company name or have a sticker on there with their company contact details on yet again all information we can use in a pretext an important one on this one I don't want to tell you this too loudly but you see where it says level two that basically means it's unlocked uh which means we could go into the menu system and do really nasty things like just tell the doors to open uh so yet again not a good

thing to leave a firearm system in level two weekly test what can we do with weekly test so this is what I do quite a lot I give them a call I say hello I'm a fire officer from uh Bristol fire brigade uh we're just updating our records can you let us know when you're the time and date of your weekly test and they go oh yeah let me just check oh yeah it's 9:00 on a Monday because most people are going to know it if they work in an office and they go ah so uh what company looks after your fire alarm system who's the responsible person I get all this information because I use

it as part of the pretext uh importantly most sites do not have isolation key switches on fire alarm panels for doors in fact fire alarm companies discourage it because you're not testing the fire alarm system if you're isolating it so there's a high possibility that when the fire alarm is ringing going off the doors are unlocked which you and na told me the time and date when the doors are going to be unlocked awesome so and also to help us even more there's a big loud noise telling us the fire alarm's going off so the doors are unlocked there's almost like a man shouting down the street the doors are unlocked so we can use this information

and yeah uh if somebody asks us oh yeah you know we got the responsible person's name oh yeah Steve let me in I'm testing the firearm system and a good thing to note as well if it's an addressable system like we mentioned before they don't reset straight away so even if the sound is stopped it can take up to 20 30 seconds to the doors to relock again so we have actually got more time than we think and yet again internal doors were released as well what don't we we looked at the diagram we found the we found the server room we found the cash office we know the doors are unlocked win so what else can we do so Access

Control cards and lanyards so as I mentioned before you know I'll look at lanyards and access control cards on social media you know can we reproduce them I'm not really interested in technically reproducing them I'm going for the easy win so can I just visually clone them you know I can get a visit lyard off Amazon I can go to a company and get a custom one printed off they normally don't want to do it for companies that you don't work for but they give you like this little nice little check box that says I have permission so you you tick that and you're fine and you might see a picture like this very badly AI generated picture of

people wearing their lanyards on social media so you can see what they have it's great and then execution phase so this is a very common uh issue can anyone see the issue with the picture here oops they put the door release next to the access control uh scanning in box so why would I use the access control when I can just press that and the door will open and yes I have seen this it's not uncommon at all and then my favorite piece of device is this little black key you can get them like a million for a quid and it releases them little green brake glasses there and they don't break cuz the way

these are designed are they designed to lap so when you push them in they're actually not glass they're just plastic and then you can reset them this is a reset key so you can set it off open the door click it back up and nobody would ever know you activated it so yeah again so how can we use these so what I tend to do is if I am using this I still have a fake card and I pretend to scan in I copy what everyone else is doing because people don't people expecting you to scan if you don't scan in they're going to think he never scanned in interesting but if you scan even if your card doesn't work it

just adds that sort of people believe you're meant to be there and yeah again I mentioned the green Brak glass and that the lovely thing there so also as well can I see a door controller can I see a fire alarm interface you know I might carry a ladder with me on an engagement people like opening doors for people with ladders uh but if I can't get into a server room I'll just pop my head above the tile and say oh that there's a farm interface Bing and open the door so I'm going to give you some real world examples of how this is used so uh I had one engagement where it was a

multitenant office uh so it was easy to get past the security I could get past the security but I couldn't get to the client's floor they had Access Control uh they were very clued up on not to hold the door open for people which is great um so I wanted to see what I could get so I called the site up to get the information about the firearm test they quite happily gave it to me uh I then appeared on that day at that time to confirm it so I I basically done the onsite reconnaissance on the same day as I give the fire alarm test and I watched the one security guard that's sitting on

the desk walk over set up a call Point somewhere else in the building come back and reset the fire larm system it was it was activ activated for about a minute which meant I had a whole minute to get in that building so what did I do so I come back the next day the next uh week dressed up like everyone else does so I I merged in I went in I said good morning to the security guard knowing that he was my magic person who was going to let me in and he didn't realize it I went up the stairs because I don't like using lifts so I went up the stairs and I waited by the door I watched my

watch I heard the fire alarm and I pulled the door open I went into the main area and I thought I want to go a bit further so I noticed people around so I had a had an ID I had a Access Control Card that looked similar to what they had so I went to a room like another open plan office I held it I knew the door was unlocked I just pulled the door open so I pretended to swipe I pulled the door open I sat down I sat there for about four or 5 hours just cuz why not so doing various Network penetration tests they didn't realize that I was running responder while they

were working which was nice one of them actually made me a drink which was really nice um it was hard work when it respond on a network and Gathering hashes um and then I wanted to wh it a little bit so because people had seen me there for like a good couple of hours thinking I was working for it I then started to ask people if I could use their computers and surprisingly most people said yes so you know I'll go to various computers we've run benign uh par shell command but quite a lot of them just let us use their unlock computers and then I walked out the building they all pushed to exit no

cards to get out so I just walked out so that's one good example uh another one that noticed there was a building layout outside the office uh with this building layout I could see the fire alarm system and it had some faults on it I did note that the fire alarm uh manufacturer is one where not everyone can work for them so uh they're what they call a closed protocol so only that company can work on their system so I know for a fact who it who the company was um so I came back and I said oh I've come to look at XYZ uh thoughts on their on their phone line system they were very nice and gave me

an all access pass so I use this all access path to go to my client FL floor and then they they could see I got in and they said oh yeah I said I'll come to do some work on the firearm system uh oh yeah I said I need to get into a couple of meeting rooms if that's okay and she went yeah that's fine so she led me into some meeting rooms I planted some Rogue devices she's quite happily and talked to me she gave me a can of Coke and then I thanked her and left uh while somebody else did some uh Network reconnaissance uh oh I got one more as well uh another one similar uh I walked in

the building I changed it into a fire alarm engineer waited for the fire alarm to activate and then I W around the floor with a device called a decibel meter nobody knows a decel meter fire alarm systems have to have a certain decibel level to be compliant so this allows me to stand behind people without looking weird uh so what I do is I take my decel meter which is you know a small device like this and I stand behind people looking at all their information on their screen watching them typ in their password why the firearm's going off and then I do it to the next person and the next person and and yet again

people don't back when I did in fact somebody call somebody said excuse me you haven't signed in went oh sorry so I went back to reception worried at this point I signed in and they let me carry on so I planted a device and left another engagement I had is I gained access VI tailgating to the the the building at that point you know most people would be like well I haven't got a card to get anywhere but I noticed the green brake glass of Doom so I basically let myself into the open plan office from there dressed up as a fire alarm engineer again talked to a couple of people asked them what areas they work

in uh I know to the server room green break grass by the server room I got very excited at this point so I W over to the BR breake glass I activate it nothing went off I open the door I heard a sound nobody turned around and looked so I shut the door again and did it again still nobody turned around and looked so I thought okay so I walked into the server room uh it was a very nice server room lots of things that I could take uh so I acted that server room and I noticed ah they got another server room on another floor okay let's go there very busy floor lots of people

I did the same yeah again nobody did anything because it was just this buzzer and people used to this buzzer when people hold the door open so I walked into another server room I had to look around there was a uh a caged area for a secure server area cuz it was a um you know it had secure data on uh I turned around I saw the door controller I saw the fire alarm interface and I could reach them it was out of scope but I could have easily unlocked I took the cover off and disconnected the wire without anyone being aware I then left the building quite happy told the client the client was very

unhappy but it went well for me it was a good report but it showed that not only social engineer is involved in that one uh pretending to be someone who I wasn't uh but also the fact that people didn't really do anything with the alarms it showed that there's a technical problem as well as a an installation problem as well as a social engineering problem so what can we do about it how can we stop all these really easy attacks so first of all disa of information we don't want to disclose any information over social media so lanyards and things like that being seen out in public with lanyards uh it only needs to be caught once you

know when I do onsite reconnaissance I will stand outside an office and watch people go into work I'll watch them go for lunch I'll see where they go at the end of the day I'll see their smoking area and I will always get a badge because somebody will will forget and yet again with the fire alarm sound the fire alarm weekly test it's information you shouldn't be just giving out to someone over the phone you should take their details um give them to the responsible person let the responsible person um communicate with the fire brigade directly obviously install isolation key switches on firearm panels uh to disable the access control from releasing when you're doing your weekly test uh some

companies so retail units quite L's um uh shopping uh like grocery stores uh will actually have a delay on the on the doors releasing so what they do is they put a delay of like 10 to 15 seconds which is which is compliant which means that cuz they had quite a lot of problem with people hitting the fire alarm brake glass which would obviously release the doors cuz the fire alarm would go off and then Nick a TV out the out the door so what they did is they put a delay time on of about 15 seconds and that was just enough to stop the majority of people trying to run away with a TV so

you could put a delay on uh which could which could be like 15 seconds which would limit that and also to make people aware of of that happening as well you can try and fit a Zone Char so it's not easily visible so although it's got to be on show you can put it on like a door if the firearm's hidden away a little bit uh it's very hard to not comply with that quite a lot of places have Zone lists uh which are semi- compliant but you need to really have a zone chart uh so quite a lot of places they have it like a little door or behind reception so you can't really see

from outside so you have to be inside green brake glasses install them in the right areas don't put them on the unprotected side uh same with door interfaces and door controllers they're all high-risk elements that mitigates the use of Access Control control you know with that with the office block I mentioned I basically told them your access control does not work anyone off the street could use it could could gain access to their server room and you know it was something that they really need to look at so it all needs to be in the protected area uh door forced alarms need to actually work and let people know that somebody's gone in when they

shouldn't have so uh what we sort of suggest uh is these should be connected to the actual Intruder alarm system because then Security will actually do something about it connect on the access control system it's just a logged event and there's probably millions of logged events where people tried to go in the wrong area or they've used the wrong card so it needs to be like a proper uh it needs to properly be connected to the Intruder alarm system so it creates an actual alarm uh for security to actually action because in that when when that when I mentioned about that access in the server room security didn't even know I entered the server room um for the simple fact that

uh they didn't know that I entered it because the door forced alarm was just a local alarm and it just logged it on the access control and obviously staff training as I mentioned before it's not something you can do training once and then that's it it needs to be ongoing training ongoing awareness you know that the when the firearm goes off it's a it's a risky time people should be aware of who's coming in office and they don't recognize that person or they don't they're not familiar with them they should question them who are you can you swap your badge in again to prove that you're actually meant to be there and that is all I've got to do

I've got to say a thanks to alarm and vision Who provided the equipment so I could make a lot of noise for you today uh and I work for root shell so if you need any physical penetration tests please come to us and we can help you out any questions no one how does what sorry how does AI change it it doesn't it makes it easier we can create better templates for fishing any other questions H whatever that am I hiring it's great fun it is great fun I had another client where I uh I broke it we got in we pretended to be it and we had um we made a very good visual clone

of their ID card in fact I got lanyard made and everything uh and they believed us so much that we were meant to be there they tried to actually add my Access Control Card to their system it's only because I actually used the wrong type of Access Control Card that it didn't actually register uh so I panicked a little bit when he didn't register but hey we got in any other question sorry you have a question can I ask I'm sure you comp what was the worst sort of setup you've seen up until now set you've seen up until now in terms of shi shi security system set up by any I think it's more where people

get a full sense of security by having an access control system and people thinking once I think people have this presumption that once you've passed that first barrier you've passed the main entrance you're meant to be there and I think it needs to be instilled on people that that is not the barrier uh you know as I mentioned before there was a there was another intrusion where they had very tight and very good Security on the front there was no way I was getting in the front uh however the back door even though it was uh two Access Control doors and a barrier there was no security guard down there so I just I I

tail someone in and that person I just said my my card isn't working and they beat me in the rest of the way so you know I'm not going to go to the place where the most security is you need to be secure in all the areas um and obviously let them know that you know pretex is can be very very convincing you know um because I have previous knowledge of fire alarm systems it doesn't mean I'm never going to be a criminal I'm not a criminal uh but it means that I can use these sort of skills that I already know to sound very very believable and that's why most physical pent testers normally have a

previous skill that use and rely on uh for engagements because it makes them more believable and it it's harder to question that that's not what they're there to do um so you know you know with the access control where I mentioned about the green brake glasses yet again uh that is a really uh bad security and that was installed like that and it's probably been there for years uh and nobody's ever really thought about oh can somebody just not press that and get in and they didn't think that but we obviously showed them uh um I come from a background that's more Technical and kind of red teaming or you know pentesting or whatever like online um where you can do

like labs and stuff online and there's like try hack me and hack the box or whatever how does a person get into this field uh I would say you have to jump feet first when when I first done it uh first done engagement it was very I didn't really have experience of it a part of my had sight experience so you know being a fire alarm engineer and you know I I'm used to talking to people on sites uh it's very much kind of learning almost like learning on the job you kind of learn what what to look out for and learn the insecurities and it's about being a good actor as well you know you

need to be able to be believable you need to be able to take it when people are uh pushing you up against a wall against something and have the right answers there's one engagement where I literally had finished engagement I was just passing my laptop and la and guess what Windows update I was waiting for Windows update so I could leave this building and a lady come up to me saying oh I'm sorry we we don't know who you are and you've been on various computers you know can I verify who you are at this point I panicked cuz I'm still waiting for Windows you know Windows 10 it takes ages um so uh what I did in that situation is

I I Nam dropped some names that I'd researched and she obviously knew them she mentioned her name but I didn't know who she was but she acted like that I should have known who she was which worried me a little bit uh so I mentioned they say oh okay yeah I'll come and verify my identity I'm just going to pop to the toilet and that's what I left so uh she shouldn't have obviously it sounds bad but she shouldn't have let me go to the toilet or had someone there making sure I come back out uh but I basically went to the toilet and I left the building I called the client up immediately because obviously at that

point that she's going to say well this person hasn't come back we've actually had an intruder and obviously they're not aware that the the physical engagement is going ahead so uh it's all about like this this acting that you need to have the right response and that's why the preparation part is very important so you know on an engagement I will spend a good day on just prep uh preparing a pretext um and uh basically how I'm going to do in XY Z if somebody stops me on and do this or have various ways I'm going to get in so if I can't go through the back door if I can't tailgate will I try a different method

so it's always good to have uh a couple of options maybe even a couple of people you know it's good to have what I call a burner person you can have that you can literally send to the dogs uh while you sneak in the in the back door uh so you know I'll send someone in to go to reception so they can scout out reception for me so that I haven't been seen um so it's all about practice everyone you do it's I get nervous every time I do it and I've done a a fair few now but uh it it is very it is very like tricking people it's it's a horrible thing to do when you look look back but

uh you see how easy it can actually be and you can just tailgate someone in and get 90% of the 90% of the places I haven't really answered your question but follow up any more questions hello oh yeah I was going to quickly follow up and just say that did you study pretexting and and that kind of thing from anywhere in particular or did you just learn it as you went along and just with the pretexting I'll try and pick something that I know something of so I wouldn't go pre-ex iners an IT engineer is really good to go for if you're already doing uh penetration testing because you already know the IT background so you can already say some

things that sound believable even if you don't really understand them yourself I wouldn't go saying I'm Pest Control when I don't know anything about pest control or I wouldn't go in saying I'm a lift engineer if I don't know anything about lifts because they might ask me a question or might ask me to actually fix the lift uh uh so you know you don't want to go preex into something that a is going to get you caught or that's going to be rarely recognized or uh or B something you don't don't really know much about also as well uh when you got multiple offices it's always good to go as person from some another office

because they might not be known so you don't want to pick people who are actually going to get caught you want to pick someone that they're not going to recognize you so you need to design that in your pretext that if you're not recognized why are you not recognized oh it's because I'm new I'm just been hired or you know you look at those different ways you can you can use that that's of being anonymous almost a couple questions let's go I think which one's the easiest to get to

there I'm just wondering um is it allowed to use a uh fiz pen as a pretext or a fake um uh get out jail card yes so I've done this before where I've actually had two I always carried two get out of jail cards so get out of jail card if you don't know it's a letter that basically says if I get caught and they're going to call the police or it gets really serious my plan is to never use this letter I never intend to get this out of my pocket but I keep it in in a way that if it's getting quite serious I'll pull this letter out and it says it's normally on headed paper from the client

saying this person has been said that they can do this this this and it's signed by this person I'll normally have a a copy with a different telephone number on there so what I'll say is call this number and this number will will be one of my client one of my uh colleagues who will answer and say yeah yeah he's meant to be there just send him to fourth floor so you can kind of do a double Bluff uh almost it's a little bit sneaky but it's always good to try that one to say actually your staff should have called the number that's on their directory or a no number not a random number on a piece of paper so yeah we do

that as well that is horrible okay so no more question thank you Ian for great talk Ro security congratulations