Defending against physical intrusion attacks - The under door tool.



Good morning all, how are we doing today?

Watch anything good on Netflix recently?

Many plans for the bank holiday weekend?

Did you remember to deadbolt the office before you left yesterday?

Wait… what?

Yesterday the postman came. And this is what he brought me:


What the hell is that? 

Well it’s an under door tool (UDT) of course. A thin piece of flexible metal attached to a string, that can be folded away and neatly concealed in a rucksack, belt, or there are even versions that can be dismantled and stored in a pocket (great video by the notsocivilengineer - showing a homemade collapsable UDT).

So what does it do? And why should I care about your stupid bendy metal rubbish?

This tool is designed to bypass the type of doors that are locked from the outside, but open with just an operation of the handle from the inside. They are usually accompanied by an RFID entry system or a code. This means you need to have the authentication to get in, but anyone can get out. And herein lies the flaw this tool abuses. It reaches under the door, lifts up and wraps around the handle, and then a pull of the string operates the handle from the inside. Just like that, bob’s your uncle, and I’m in your office looking through your snack drawers.

Here's a quick video from the Coastal Fire training, showing a demo of this process.



Ok, my snacks are sacred. I'm sufficiently worried someone is going to break in and eat them, what should I do?

Well luckily enough, this attack is quite easy to mitigate. Any of the following will help stop me getting in and eating all your mars bars:

1) Remove the gap from the bottom of the door

There are many ways to do this. You could use a door bar, a draft excluder, or just get doors that actually fit the frame properly. An attacker requires around 3mm to use the under door tool. If that gap isn’t there, then they aren’t getting in. 


2) Shroud your handles. 

There are “out-the-box” solutions for handle shrouds available here there and everywhere. Both those intended for preventing this type of attack, and those for preventing babies from operating handles. And almost any of them will stop this attack. If the handle is shrouded then it is almost impossible to hook the tool over the interior handle, preventing this tool from working. 



3) Use flat bar door handles. 

The main requirement of this tool is that it can grab the handle at some point. This works best on handles with a 90 degree bend in them, but can also succeed down to handles with around 45 degrees of bend or less. If the handle is flat, then it is more chance than skill as to whether the door opens before the tool slips off the handle. Not a way to completely defeat the attack, but it certainly slows it down, and limits success to attackers with a greater amount of skill.

Like taking candy from a baby.

VS

    Like taking candy from a slippery, armoured, and angry, dragon.

4) Use a secondary lock like a deadbolt. 

Ok, so this one won’t prevent this attack during office hours. But securing the door at night with a deadbolt will mean the under door tool alone cannot grant access to your building. Basically like installing 2FA for your building. 

I've implemented the above, so I'm safe right?

If you follow the above, your snacks are safe. As is your corporate network and data. Well, safe from the under door tool at least. I will discuss further physical entry methods in another blog, I think I’ve given you enough to panic about for now. 

Happy hacking everyone!

Comments

Post a Comment

Popular posts from this blog

THM RootMe Walkthrough

Image
Welcome back geeks (a term of endearment I assure you). Today we are going to do a quick guided walkthrough of the RootMe box by  TryHackMe . Without further ado, start your engines and get ready for the nmap scan. This answers the first two questions: Scan the machine, how many ports are open? What version of Apache is running? It then tells us to perform a directory list scan on the box, and find the hidden directory. Easy enough! Browsing to our secret directory, we find a landing page with what looks to be an upload form. Im going to go straight for gold and see if it will take a php reverse shell. The one we are going to be using is the PentestMonkey PHP-Reverse-Shell. Make sure to edit the shell to contain your IP and listening port before uploading. Nope. Not sure what language that is, but I'm pretty certain it translates as "Nice try, not going to happen". I'm guessing it's a file extension filter, we can try and bypass that by changing our shell to php5.
Read more

THM Brooklyn Nine Nine Walkthrough

Image
Welcome to my walkthrough of the Brooklyn Nine Nine box from TryHackMe.com. This is my first writeup, so apologies in advance for any mistakes. I will try to keep things spoiler free whilst also showing as much information as possible. So without further delay, lets begin. First things first, start both the machine and the Attack Box, this takes a few minutes, so I'm going to grab a brew in the meantime. Hacking doesn't work without caffeine (and a black hoodie of course)! Ok. so coffee is sorted and box is loaded. Lets begin with an nmap scan, we're not trying to be stealthy here so I use aggressive mode with a full TCP connect and scan all ports. THM are known to hide things on obscure ports so best to check them all even if it does take a little longer. Scan results are in! We have port 21 running an FTP server, anonymous login is allowed and looks like we have an interesting file called "note_to_****.txt" . We are also running SSH on port 22 and HTTP on port 8
Read more