The industry consensus is that manual penetration testing is the best way to
test your networks and web applications, finding vulnerabilities you didn't know
you had and helping you protect your most valuable assets. This is justified, of
course, but if you are looking for something that is just as important, look no
further than your physical security. It doesn't always spring to mind, but
information about your physical security (in the wrong hands) can be just as
much of a chink in your armour as a failure in your code. How easy is it to get
into your building? Is there adequate security around your servers? Are your
employees too trusting of strangers in their workplace? The hackers' weapon of
choice for exploiting these vulnerabilities is Open Source Intelligence (OSINT).
Here we discuss some of the techniques hackers use and how you can begin to
protect against them.
If you are not already familiar with the concept of open-source intelligence, or OSINT, it refers to any information about a target that can be gathered from public sources, and has been a staple of government operations, hacking - both ethical and unethical - as well as criminal investigations for many years. But OSINT can be incredibly valuable to a physical security tester as well. In this blog post, we will demonstrate how it is possible to enumerate everything from the type of elevator and alarm system present in a building and who installed and serviced it, to pictures of employee badges and photographs of the target building from multiple angles. In addition, you can find sources and detailed information about people who work in that building, all from the comfort of your home office. This blog post will highlight some of the ways we leverage open-source intelligence for physical security testing at a very high level. It is important to note, however, that none of the techniques in this article are intended to replace proper onsite reconnaissance.
Geotagged social media posts
In many ways, platforms such as Twitter, Facebook, YouTube, Flickr and Picasa
are the OSINT goose that lays golden eggs, both in the amount of valuable
intelligence they produce and in the ease with which their APIs make this
information available. Often without the user being aware of it, these
platforms allow anyone with API access to query for content created in the
vicinity of a specific area based on embedded geographic metadata, and the same
is true of all the smaller social media platforms that rely on them as a back
end. Instagram once allowed such queries, but it has sadly changed its API to
prevent this. Tools such as the Recon-ng framework automate querying the APIs of
Twitter, YouTube, Flickr, Picasa and Shodan (we will come back to Shodan later):
feed it API keys, GPS coordinates and a radius, and it will happily gather all
the geotagged posts within that radius and overlay them on Google Maps for you.
Unfortunately, Recon-ng is currently unable to query the Facebook Live API, but
this information can still be gleaned from Facebook, as well as from many other
platforms.
Geotagged social media posts are incredibly valuable not only because they
reveal people who frequent a target area, but more importantly because they give
us photos and videos of the target facility's surroundings from different
perspectives, which can cut down the amount of time we need to spend onsite
doing recon.
Sensitive information leaked via social media
A rather strange trend, which seems to be concentrated among new hires and
departing employees, is to post pictures of their employee badge on social
media. This not only simplifies the process of forging an employee badge, but
often the badge ID number can be seen printed on the badge, and that number is
often all that needs to be written to an RFID credential to be granted access by
a reader. This kind of exposure is trivial to exploit with Google and Twitter's
own search engine; the Twitter account @NeedAnIDBadge
(https://twitter.com/needanidbadge) also does a great job of archiving many of
these posts. Besides pictures of employee IDs, it is often easy to identify
corporate language, terms and organisational unit names from social networks
like LinkedIn, which can be extremely useful when assuming the pretext of an
employee. Posts made by corporate social media accounts can also be used to
gauge corporate culture and dress code, as well as events that can offer new
pretexts. For example, if a major R&D lab announces on Twitter that it is
hosting a press conference that coincides with the engagement, masquerading as a
blogger or freelance journalist is a simple and effective pretext for gaining
access to the facility.
Open Government Records
In many countries, and in the United States especially, most if not all
building permits and inspection records are a matter of public record. Cities
such as New York, and sometimes states, have Building Information System (BIS)
portals where anyone can query which fire/burglar alarms were permitted for a
building and who installed them. There should also be inspection records for
elevators, which often reveal the make, model and installer of a building's
elevator, something that can speed up the elevator attack process. A tester can
also query similar portals to identify whether the target has a permit for armed
or unarmed security guards. It is, however, important to note that if security
guards are contracted through an agency, as opposed to being proprietary
(employed directly), they might not show up. It is also worth noting that not
every company feels the need to hire licensed security guards or to go through
official channels to contract them. Checking FCC filings can also reveal which
radio frequencies security staff are using for their radios.
Satellite and other imagery sources
Probably one of the most useful and least known assets for doing remote recon
on a building is Mapillary. Mapillary is like Google Street View, but instead of
gathering photos with a car, Mapillary uses crowd-sourced photographers with
mobile phones and GoPros, which results in street-level photos of areas that a
car, and therefore Google Street View, cannot reach. I often find that if Google
Street View can't give me a good shot of a building, Mapillary can do the job.
Besides Street View and Mapillary, Google Earth is a powerful tool not just for
OSINT but for managing data gathered onsite as well. It can ingest output from
GPS-enabled tools, or from anything that produces KML. Sadly, I have not yet
found an easy way to get Google Earth to ingest Recon-ng's output, but it can
also parse geotagged photos, meaning that if you import photos taken with a
GPS-enabled camera, each one becomes a pushpin on Google Earth. What adds to the
versatility of Google Earth is the wide array of overlays that can be imported
into it, everything from weather satellite imagery to Bing maps.
This brings us to OpenStreetCam and Shodan. While there are many sources like
OpenStreetCam and Shodan, I have found these two to be the best at what they do.
OpenStreetCam offers us the ability to identify and access security and traffic
cameras that are exposed to the internet. While it's a bit hit and miss (missing
more often than not), under the right circumstances OpenStreetCam offers us the
ability to recon a building and, if the stars align, monitor it from the comfort
of our own home office (and did I mention you can use it as a Google Earth
overlay?). Shodan, on the other hand, offers us the same potential and so much
more. While most people are familiar with Shodan, an internet scanning service
that allows users to search the majority of the internet for connected devices,
I don't think anyone fully grasps its utility for physical security testing.
Using Shodan I have found countless security cameras, burglar alarm panels and
other pieces of physical security equipment exposed to the internet and ripe for
compromise. If you recall, I mentioned Shodan briefly in the context of
Recon-ng. Luckily for us physical security testers, Shodan allows us to filter
our searches to a geographic area and, because it is supported by Recon-ng, we
can overlay its findings on the same map as our social media mining. I
personally find it essential to check for internet-exposed hardware whenever I
do a physical security engagement.
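Since Google Earth ingests KML but not Recon-ng's output directly, and since the geotagged social media posts and the Shodan findings discussed above belong on one map, here is a small added example (not code from the original post, from Recon-ng or from ZeroDayLab) that takes geotagged findings from several sources, keeps only those within a given radius of a site, and writes them out as KML placemarks. The findings, coordinates and radius are constructed sample data; a security team auditing its own site's exposure would feed in its real results.

```python
import math
import xml.etree.ElementTree as ET

# Constructed sample findings in the shape a Recon-ng-style geo module yields:
# (source, latitude, longitude, short description). Coordinates are made up.
SAMPLE_FINDINGS = [
    ("twitter", 51.5076, -0.1278, "photo of the lobby entrance"),
    ("flickr", 51.5081, -0.1291, "street-level shot of loading bay"),
    ("shodan", 51.5070, -0.1260, "IP camera web interface exposed"),
    ("youtube", 51.4500, -0.2000, "unrelated video far from site"),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def within_radius(findings, lat, lon, radius_m):
    """Keep only findings whose coordinates fall within radius_m of (lat, lon)."""
    return [f for f in findings if haversine_m(lat, lon, f[1], f[2]) <= radius_m]


def to_kml(findings):
    """Render findings as a KML document with one Placemark per finding."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for source, lat, lon, desc in findings:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = source
        ET.SubElement(pm, "description").text = desc
        point = ET.SubElement(pm, "Point")
        # KML orders coordinates as lon,lat[,alt], the reverse of the usual lat,lon
        ET.SubElement(point, "coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    # Site centre and 300 m radius are constructed values for the sample data
    hits = within_radius(SAMPLE_FINDINGS, 51.5075, -0.1280, 300)
    print(to_kml(hits))
```

Save the printed document as a .kml file and open it in Google Earth to see the surviving findings as pushpins.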
ZeroDayLab is often engaged by our clients to carry out physical security
penetration tests and site surveys on their various facilities. To ensure that
we use our time onsite as efficiently as possible, and that we deliver our
clients as thorough and informative a report as possible, we have developed an
open-source intelligence gathering methodology to collect as much information
pertinent to a physical attacker as possible before we even arrive on site.
This blog post should have helped you understand how operational security can
have a huge impact on physical security, and how much of a force multiplier
OSINT can be when conducting physical security engagements.