PT0-002 | Chapter 35 of 104 | Objective 3.3

Physical Security Testing Techniques

This chapter covers physical security testing techniques, a critical component of the PT0-002 exam's 'Attacks and Exploits' domain (Objective 3.3). Physical security is often overlooked but can be the weakest link in an organization's defense; a skilled tester can bypass even the best logical controls by gaining unauthorized physical access. Expect approximately 5-10% of exam questions to touch on physical security topics, often integrated into broader attack scenarios like social engineering or multi-factor authentication bypass.

25 min read
Intermediate
Updated May 31, 2026

Physical Security Testing: Like a Safe Cracker

Physical security testing is akin to a professional safe cracker evaluating a bank vault. The safe cracker doesn't just try to blow the door open; they methodically test every component: the lock's tumblers, the door hinges, the alarm sensors, the camera angles, and even the floor beneath the vault. They know that a single weak point (a misaligned sensor, a worn tumbler, a blind spot in camera coverage) can be exploited. Similarly, a penetration tester assesses physical controls like locks, biometrics, security cameras, and access logs. The safe cracker uses tools like stethoscopes and tension wrenches; the tester uses lock picks, RFID cloners, and social engineering. Both must understand the underlying mechanisms: how a pin tumbler lock works, how a biometric scanner matches fingerprints, how a security camera records and stores footage. The safe cracker doesn't guess; they apply pressure, listen for clicks, and feel for feedback. The tester triggers a request-to-exit sensor from the wrong side of a door, presents a cloned badge to a reader, or rides through a mantrap on someone else's credential. Both operate under the principle that security is only as strong as the weakest link, and both must document their findings without causing permanent damage. The final report is like the safe cracker's diagram of vulnerabilities: here's how to bypass the lock, here's where the camera blind spot is, here's how the alarm can be silenced without detection.

How It Actually Works

What is Physical Security Testing?

Physical security testing involves evaluating the effectiveness of physical controls that protect an organization's facilities, equipment, and personnel. These controls include locks, fences, guards, alarms, cameras, biometric readers, mantraps, and security policies. Unlike logical testing, which attacks networks and applications, physical testing requires the tester to be on-site, often posing as an employee, contractor, or visitor. The goal is to identify weaknesses that could allow an attacker to gain unauthorized access to sensitive areas, steal equipment, plant surveillance devices, or install rogue hardware.

Key Components of Physical Security

Locks: Mechanical (pin tumbler, wafer, tubular) and electronic (magnetic, electric strike, RFID). Each type has specific bypass techniques.

Access Control Systems (ACS): Card readers, keypads, biometric scanners, and their communication protocols (Wiegand, OSDP).

Surveillance Systems: CCTV cameras, DVRs/NVRs, analytics software. Testing includes identifying blind spots, tampering with recording, and bypassing motion detection.

Perimeter Security: Fences, bollards, gates, and barriers. Testing includes climbing, cutting, or bypassing via nearby structures.

Asset-Level Controls: Locks on server racks, cable locks, laptop locks, and secure disposal containers (these protect individual assets once an attacker is already inside the room).

Personnel and Procedures: Guard patrols, visitor logs, tailgating policies, and clean desk policies.

Testing Methodologies

Physical security testing follows a structured process:

1. Reconnaissance: Gather information about the target facility through open-source intelligence (OSINT), dumpster diving, or site surveys. Identify entry points, guard schedules, and camera placements.

2. Threat Modeling: Determine the most likely attack vectors based on the organization's assets and threat profile. For example, a data center may prioritize server room access, while a retail store may focus on cash handling areas.

3. Exploitation: Attempt to bypass controls using techniques like lock picking, tailgating, badge cloning, or social engineering. Document each attempt and its success or failure.

4. Reporting: Provide a detailed report of vulnerabilities, including evidence (photos, logs) and remediation recommendations.

Lock Picking and Bypass Techniques

Pin Tumbler Locks: Use a tension wrench and pick to lift pins to the shear line. Common attacks: raking (using a rake pick to rapidly set pins), single-pin picking (SPP), and bumping (using a bump key).

Wafer Locks: Use a jiggler key or wafer pick to rotate wafers into alignment.

Tubular Locks: Use a tubular lock pick that applies tension and lifts all pins simultaneously.

Electronic Locks: Magnetic locks (maglocks) are fail-safe, so they release when power is cut, and most are paired with a request-to-exit (REX) sensor on the secure side; the usual non-destructive bypass is triggering that sensor from the outside with a thin tool or a burst of air through the door gap. Electric strikes hold a mechanical latch and are typically fail-secure, so they stay locked without power; they are attacked by shimming or manipulating the latch through the gap between door and frame.

RFID Locks: Read, clone, or emulate the card with a Proxmark3 or Flipper Zero. Low-frequency (125 kHz) formats such as HID Prox and EM4100 transmit a fixed, unencrypted ID, so a single read is enough to clone them, and many 13.56 MHz deployments are no better because the reader only checks the card's UID. Readers and controllers still using default management credentials are also a common finding.

Biometric Locks: Spoof fingerprints with gelatin or silicone molds lifted from a latent print, or exploit missing liveness detection. Some systems are weaker at the controller than at the sensor: if the stored templates or the reader-to-controller "match" signal carry no integrity protection, that signal can be replayed.
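The Access Control Systems entry above names Wiegand as the reader-to-controller protocol, and the RFID Locks entry says a single read of a 125 kHz card is enough to clone it. Both facts come down to the same 26-bit frame. The following is an added example, not code from the page, from HID, or from the Proxmark3 project: it encodes and decodes the standard H10301 layout (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit), models a controller that only checks parity and an allowlist, and enumerates the neighbouring card numbers a tester would try after one read. The facility code, card number and allowlist are constructed values.

```python
"""26-bit Wiegand / HID H10301 frames: what a reader sends to the controller.

Added example, not code from the page, HID or Proxmark3. Assumes the standard
H10301 layout: [even parity][8-bit facility code][16-bit card number][odd parity].
The badge (FC 86, CN 12345) and the allowlist are constructed values.
"""
from __future__ import annotations


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame for a facility code / card number pair."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"   # 24 data bits
    even = str(data[:12].count("1") % 2)              # even parity over first 12 bits
    odd = str((data[12:].count("1") + 1) % 2)         # odd parity over last 12 bits
    return even + data + odd


def decode_wiegand26(frame: str) -> tuple[int, int]:
    """Check both parity bits and return (facility_code, card_number)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    data = frame[1:25]
    if (frame[0] + data[:12]).count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if (data[12:] + frame[25]).count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    return int(data[:8], 2), int(data[8:], 2)


def controller_accepts(frame: str, allowlist: set[tuple[int, int]]) -> bool:
    """Model the controller side: parity check, then allowlist lookup.

    Nothing in the frame is tied to the moment of presentation (no nonce,
    no signature), so a frame sniffed off the reader-to-controller wire or
    written to a blank writable 125 kHz tag is accepted like the original.
    """
    try:
        return decode_wiegand26(frame) in allowlist
    except ValueError:
        return False


def neighbor_frames(facility_code: int, card_number: int, span: int) -> list[str]:
    """Frames for the card numbers on either side of a known card.

    Badges are usually issued sequentially within one facility code, so a
    single read narrows a guess to a handful of nearby numbers.
    """
    frames = []
    for cn in range(card_number - span, card_number + span + 1):
        if cn != card_number and 0 <= cn <= 0xFFFF:
            frames.append(encode_wiegand26(facility_code, cn))
    return frames


if __name__ == "__main__":
    fc, cn = 86, 12345                      # constructed badge
    allowlist = {(fc, cn)}
    frame = encode_wiegand26(fc, cn)
    print(f"frame for FC={fc} CN={cn}: {frame} (0x{int(frame, 2):07X})")
    print("controller accepts replayed frame:", controller_accepts(frame, allowlist))
    print("controller accepts corrupted frame:", controller_accepts("1" + frame[1:], allowlist))
    print("neighbouring card frames to try:", len(neighbor_frames(fc, cn, 2)))
```

The point for the report is the `controller_accepts` function: the controller has no way to distinguish a clone, a replay, or a guessed neighbouring number from the issued badge. The remediations that actually change this are credentials with a cryptographic challenge (not a fixed ID) and a reader-to-controller link with OSDP Secure Channel instead of plain Wiegand.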

Tailgating and Piggybacking

Tailgating occurs when an unauthorized person follows an authorized person through a controlled entry point without their consent. Piggybacking is when the authorized person knowingly allows entry. Testing involves:

- Social Engineering: Approach an employee with a plausible excuse (e.g., "I forgot my badge") and see if they hold the door.

- Impersonation: Dress as a maintenance worker, delivery driver, or IT staff to blend in.

- Exploiting Layout: Use the momentum of a group entering, or slip through a door before it closes.

Bypassing Security Cameras

Blind Spots: Identify areas not covered by cameras by observing angles and obstructions.

Tampering: Covering the lens, cutting cables, or jamming wireless links takes a camera offline, but these actions are destructive or disruptive and belong in a test only when the rules of engagement explicitly permit them.

Replay Attacks: On analog or unauthenticated IP feeds, substitute a recorded loop of an empty room for the live image (a laptop with a capture card spliced into an analog line, or a man-in-the-middle on an unencrypted RTSP stream) so that the monitors show nothing unusual.

Exploiting Recording Systems: Access DVRs/NVRs via default passwords or network vulnerabilities to delete or alter footage.

Bypassing Mantraps

A mantrap is a small room with two interlocking doors; the controller releases one door only while the other reports closed. Testing techniques:

- Mechanical Bypass: Wedge or hold one door open so a second person can slip in behind the first. Forcing both doors or defeating the maglocks is destructive and appropriate only with explicit authorization.

- Electronic Bypass: Short-circuit the door-position sensor or relay so the controller believes the other door is closed and releases the second door.

- Social Engineering: Convince a guard to override the system, or claim a maintenance emergency.
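The electronic bypass above and the fail secure versus fail safe distinction in the exam section later on this page both come down to how the interlock controller reads its inputs. This added example (not code from the page or from any access-control vendor) models a two-door mantrap whose controller releases a door only while the other door's position switch reports closed. It shows a normal passage, the shorted-sensor bypass with and without a supervised (end-of-line resistor) input, and what each lock mode does when power is cut. The controller rule and the "supervised" tamper detection are simplifications of real panels.

```python
"""Mantrap interlock model: normal passage, shorted door sensor, power loss.

Added example, not code from the page or any access-control vendor. The
release rule (open one door only while the other reports closed) and the
supervised input that reads a dead short as tamper are simplified models.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class LockMode(Enum):
    FAIL_SAFE = "fail_safe"      # releases on power loss (maglocks; required on egress)
    FAIL_SECURE = "fail_secure"  # stays locked on power loss (typical electric strike)


@dataclass
class Door:
    name: str
    supervised: bool = False      # end-of-line resistor on the sensor circuit
    locked: bool = True
    physically_open: bool = False
    sensor_shorted: bool = False  # attacker bridges the door-position switch

    def reported_state(self) -> str:
        """What the controller sees on this door's sensor input."""
        if self.sensor_shorted:
            # A supervised input expects a resistor value, so a dead short
            # reads as tamper; an unsupervised input simply reads "closed".
            return "tamper" if self.supervised else "closed"
        return "open" if self.physically_open else "closed"


@dataclass
class Mantrap:
    outer: Door
    inner: Door
    mode: LockMode = LockMode.FAIL_SAFE
    powered: bool = True
    log: list[str] = field(default_factory=list)

    def request_release(self, door: Door) -> bool:
        other = self.inner if door is self.outer else self.outer
        if not self.powered:
            self.log.append(f"{door.name}: no power, request ignored")
            return False
        state = other.reported_state()
        if state != "closed":
            self.log.append(f"{door.name}: denied, {other.name} reports {state}")
            return False
        door.locked = False
        self.log.append(f"{door.name}: released")
        return True

    def open_door(self, door: Door) -> bool:
        if door.locked:
            return False
        door.physically_open = True
        return True

    def close_door(self, door: Door) -> None:
        door.physically_open = False
        door.locked = True           # relock on close

    def lose_power(self) -> None:
        self.powered = False
        if self.mode is LockMode.FAIL_SAFE:
            self.outer.locked = self.inner.locked = False

    def both_open(self) -> bool:
        return self.outer.physically_open and self.inner.physically_open


def normal_passage() -> bool:
    """Interlock holds: the inner door is denied while the outer is open."""
    m = Mantrap(Door("outer"), Door("inner"))
    m.request_release(m.outer)
    m.open_door(m.outer)
    denied = not m.request_release(m.inner)
    m.close_door(m.outer)
    granted = m.request_release(m.inner) and m.open_door(m.inner)
    return denied and granted and not m.both_open()


def shorted_sensor_bypass(supervised: bool) -> bool:
    """Wedge the outer door, short its sensor, request the inner door.
    Returns True when both doors end up open (interlock defeated)."""
    m = Mantrap(Door("outer", supervised=supervised), Door("inner", supervised=supervised))
    m.request_release(m.outer)
    m.open_door(m.outer)
    m.outer.sensor_shorted = True
    m.request_release(m.inner)
    m.open_door(m.inner)
    return m.both_open()


def power_loss(mode: LockMode) -> tuple[bool, bool]:
    """(outer_locked, inner_locked) after power is cut."""
    m = Mantrap(Door("outer"), Door("inner"), mode=mode)
    m.lose_power()
    return m.outer.locked, m.inner.locked


if __name__ == "__main__":
    print("normal passage ok:", normal_passage())
    print("bypass with unsupervised inputs:", shorted_sensor_bypass(False))
    print("bypass with supervised inputs:", shorted_sensor_bypass(True))
    print("fail-safe locked after power loss:", power_loss(LockMode.FAIL_SAFE))
    print("fail-secure locked after power loss:", power_loss(LockMode.FAIL_SECURE))
```

Two findings fall out of running it. First, an unsupervised door contact is a single point of failure: one shorted pair of wires and the "only one door open" guarantee is gone, while a supervised circuit turns the same short into a tamper alarm. Second, fail-safe maglocks on a mantrap release both doors on power loss, which is what life-safety codes require on an egress path, so cutting power is itself a bypass and the compensating control has to be a guard or a camera, not the lock.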

Dumpster Diving and Trash Reconnaissance

Searching through trash for sensitive information: paper documents, hard drives, badges, etc. This is often a precursor to other attacks. Testers collect and catalog items, then report on the types of information found.

Tools of the Trade

Lock Picks: Standard sets (e.g., SouthOrd, Sparrows) for pin tumbler, wafer, and tubular locks.

Bump Keys: Pre-cut keys that fit many locks; used with a bump hammer.

RFID Tools: Proxmark3, Flipper Zero, and NFC readers for cloning and replay.

Biometric Spoofing Kits: Gelatin, silicone, and conductive inks for fingerprint spoofing.

Camera Bypass Tools: IR illuminators that wash out low-light cameras without touching them, and video capture cards for feed substitution. Lasers can permanently damage an image sensor and count as destructive; keep them out of the test unless explicitly authorized.

Social Engineering Props: Fake badges, uniforms, and delivery packages.

Legal and Ethical Considerations

Authorization: Always have written permission specifying the scope of physical testing. Unauthorized testing can lead to criminal charges.

Safety: Avoid damaging property or endangering personnel. Use non-destructive techniques where possible.

Confidentiality: Do not disclose discovered vulnerabilities except to authorized parties.

Interplay with Logical Attacks

Physical access often enables logical attacks: plugging a USB Rubber Ducky into an unlocked workstation, connecting a Raspberry Pi to an internal network port, or installing a keylogger on a server. Conversely, logical access can aid physical attacks: disabling alarm systems via network access, or viewing camera feeds remotely.

Common Vulnerabilities Found

Unsecured Server Rooms: Doors propped open, missing locks, or lack of access logging.

Visible Access Codes: Keypad codes written on sticky notes near the door.

Outdated Locks: Old pin tumbler locks that can be easily bumped.

Poor Visitor Control: No visitor badges, no escort policy, or unmonitored entry points.

Inadequate Camera Coverage: Blind spots near critical assets, or cameras pointing at walls.

Unsecured Dumpsters: Trash containing sensitive documents or hardware.
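Several of the findings above (propped doors, tailgating, lack of access logging) leave traces in the access control system's event log, and a physical test should end with the client checking whether their logs would have caught it. The following added example (not code from the page or from any access-control product) scans a constructed badge log for three indicators: a door forced or held open, a badge granted entry to a restricted door with no recent grant at a perimeter door (the signature of someone who tailgated through the lobby), and restricted-door access outside business hours. The log format, door names, badge numbers and thresholds are all constructed for the example.

```python
"""Scan access-control (badge) logs for physical-bypass indicators.

Added example, not code from the page or any access-control product. The
log format, door names, badge numbers and thresholds are constructed for
the example; real panels export their own formats and field names.
"""
from __future__ import annotations
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DOOR=(?P<door>\S+)\s+(?:BADGE=(?P<badge>\S+)\s+)?EVENT=(?P<event>\S+)$"
)

PERIMETER_DOORS = {"Lobby-North", "Lobby-South"}   # where everyone should badge first
RESTRICTED_DOORS = {"ServerRoom"}
PASSBACK_WINDOW = timedelta(minutes=30)            # max gap from perimeter to restricted door
BUSINESS_HOURS = range(7, 20)                      # 07:00 to 19:59

# Constructed sample log: badge 2210 reaches the server room without ever
# badging at a lobby door, a lobby door is propped, badge 3301 visits after
# hours, and the server room door is forced.
SAMPLE_LOG = """\
2024-03-04T08:02:11 DOOR=Lobby-North BADGE=1042 EVENT=ACCESS_GRANTED
2024-03-04T08:15:40 DOOR=ServerRoom BADGE=1042 EVENT=ACCESS_GRANTED
2024-03-04T08:16:05 DOOR=ServerRoom BADGE=2210 EVENT=ACCESS_GRANTED
2024-03-04T12:30:00 DOOR=Lobby-South EVENT=DOOR_HELD_OPEN
2024-03-04T22:47:19 DOOR=Lobby-North BADGE=3301 EVENT=ACCESS_GRANTED
2024-03-04T22:49:02 DOOR=ServerRoom BADGE=3301 EVENT=ACCESS_GRANTED
2024-03-04T23:05:44 DOOR=ServerRoom EVENT=DOOR_FORCED_OPEN
this line is malformed and is skipped by the parser
"""


def parse_events(text: str) -> list[dict]:
    """Parse well-formed lines, drop the rest, return events in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()                 # badge is None for door alarms
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_bypass_indicators(text: str) -> list[dict]:
    findings = []
    last_perimeter = {}                   # badge -> time of last perimeter grant

    def flag(e: dict, rule: str, why: str) -> None:
        findings.append({"ts": e["ts"].isoformat(), "door": e["door"],
                         "badge": e["badge"], "rule": rule, "why": why})

    for e in parse_events(text):
        if e["event"] in ("DOOR_FORCED_OPEN", "DOOR_HELD_OPEN"):
            flag(e, "door_alarm", "forced or propped door; review camera footage for this window")
            continue
        if e["event"] != "ACCESS_GRANTED":
            continue
        if e["door"] in PERIMETER_DOORS:
            last_perimeter[e["badge"]] = e["ts"]
            continue
        if e["door"] in RESTRICTED_DOORS:
            seen = last_perimeter.get(e["badge"])
            if seen is None or e["ts"] - seen > PASSBACK_WINDOW:
                flag(e, "no_perimeter_grant",
                     "restricted door reached without a recent perimeter badge; tailgating or propped door")
            if e["ts"].hour not in BUSINESS_HOURS:
                flag(e, "after_hours", "restricted access outside business hours")
    return findings


if __name__ == "__main__":
    for f in detect_bypass_indicators(SAMPLE_LOG):
        badge = f["badge"] or "-"
        print(f"{f['ts']} {f['door']:<12} badge={badge:<5} {f['rule']}: {f['why']}")
```

The "no perimeter grant" rule is the one worth pushing clients toward: it is effectively software anti-passback, and it only works if every perimeter door logs grants and interior doors require a badge rather than a propped door. Where the client's panel supports hardware anti-passback, recommend that instead.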

Walk-Through

1. Reconnaissance of Target Facility

Begin by gathering information about the target from public sources: Google Maps for satellite imagery, social media for employee photos and badge styles, and company websites for visitor policies. Conduct a physical drive-by or walk-around to observe entry points, guard presence, camera locations, and access control systems. Note the make and model of locks, card readers, and cameras. Collect discarded badges or documents from dumpsters if they are accessible and within the agreed scope. This phase sets the foundation for all subsequent testing.

2. Threat Modeling and Attack Planning

Based on reconnaissance, identify the most critical assets (e.g., server room, CEO office, data center) and likely attack paths. For each entry point, list potential bypass methods: lock picking for mechanical locks, tailgating for manned doors, RFID cloning for electronic readers. Prioritize attacks that are stealthy and low-risk. Plan contingencies for alarms, guards, and cameras. Document the plan to ensure systematic testing.

3. Attempt Tailgating or Piggybacking

Approach a secured entrance during busy hours, carrying a prop like a coffee cup or a large box to appear burdened. Wait for an authorized employee to badge in, then follow closely behind before the door closes. If challenged, use a pretext like 'I forgot my badge' or 'I'm with IT.' If successful, note the time, employee behavior, and any bypass of mantraps. Repeat at different times to assess consistency.

4. Test Mechanical Locks

Select a lock that is accessible and within scope. Use a tension wrench and a rake pick to attempt a quick bypass; if that fails, proceed to single-pin picking. For tubular locks, use a tubular pick. Document the time taken to pick and the difficulty level. If the lock is easily bypassed (e.g., bump key works), photograph the lock and keyway. Always use non-destructive techniques; never force the lock.

5. Bypass Electronic Access Controls

For RFID readers, use a Proxmark3 to read the card's ID and write it to a writable tag or emulate it directly; the reader cannot tell the clone from the original. If the reader uses a keypad, observe entries (shoulder surfing) or try common codes such as 1234 and 0000. For biometric readers, attempt to spoof a fingerprint using a gelatin mold. If the access control panel or reader exposes a management interface, check it for default credentials. Document any successful bypass and the method used.

6. Bypass Security Cameras

Identify camera blind spots by observing each camera's orientation and lens from multiple angles and walking the likely approach paths. Do not paint, spray, or laser a lens: paint is permanent damage and a laser can destroy the sensor, which violates the non-destructive principle of the engagement. If the rules of engagement permit disrupting a camera, use reversible methods only, such as a temporary cover you remove afterwards or an IR illuminator. For IP cameras within scope, attempt to reach the camera or NVR network and test for default credentials and a missing VLAN boundary; ARP spoofing or denial of service against the feed is disruptive and needs explicit sign-off. Document all actions and confirm nothing was left damaged or altered.

7. Document Findings and Report

After all tests, compile a report detailing each vulnerability found, the method used, the time and date, and the level of risk. Include photographic evidence (with appropriate blurring of sensitive info). For each finding, provide a remediation recommendation (e.g., upgrade to high-security locks, enforce tailgating policies, install additional cameras). Present the report to the client in a debrief meeting.

What This Looks Like on the Job

Scenario 1: Data Center Physical Penetration Test

A Fortune 500 company hires a penetration testing firm to assess the physical security of its primary data center. The facility has a perimeter fence with a guarded gate, a mantrap entrance with biometric and card readers, and 24/7 CCTV. The testing team begins with reconnaissance: they observe that delivery personnel are often let in without proper ID checks. They dress as a delivery driver and tailgate through the gate. Inside the mantrap, they pretend to have a fob malfunction and an employee escorts them through. Once inside, they find that server racks are locked with simple key locks that can be picked with a basic set. They gain access to a rack containing backup tapes. The report highlights the need for stricter delivery procedures, mantrap training, and high-security locks for racks.

Scenario 2: Corporate Office Social Engineering and Lock Bypass

A financial services firm wants to test its physical security across multiple branch offices. The testers use OSINT to find employee names and job titles. They call the branch and pretend to be an IT support technician needing to perform a 'security update' on the server. The receptionist lets them in without verifying. Once inside, they find that the server room door is protected by a keypad with the code taped underneath the keypad. They access the server room and plug a network tap into an unused port. The test reveals that visitor policy enforcement is lax and that keypad codes are poorly managed. Remediation includes mandatory visitor badges, escort policies, and periodic code changes.

Scenario 3: Retail Store Theft Prevention Audit

A retail chain wants to prevent internal theft and external break-ins. The testers simulate a thief by entering through a fire exit that is propped open for smokers. They find that the alarm on that door is disabled. Inside, they access the cash office by tailgating behind an employee. The office has a simple wafer lock that they pick in under 30 seconds. They photograph the safe combination written on a whiteboard. The report emphasizes the need for stricter door alarms, employee training on tailgating, and removal of written combinations.

How PT0-002 Actually Tests This

The PT0-002 exam tests physical security testing under Objective 3.3: 'Given a scenario, perform physical security testing.' Key areas include:

- Tailgating and Piggybacking: Recognize that tailgating is unauthorized following, while piggybacking involves the authorized person's consent. Common wrong answer: confusing the two terms.

- Lock Bypass Techniques: Know that bump keys work on pin tumbler locks, not wafer or tubular locks. A trap: 'Bump keys are effective on all mechanical locks' is false.

- RFID Cloning: The exam may ask about tools like Proxmark3 or Flipper Zero for cloning low-frequency (125 kHz) and high-frequency (13.56 MHz) cards. Wrong answer: 'RFID cloning requires physical access to the card'; low-frequency cards can be read covertly from a short distance with a long-range reader.

- Biometric Spoofing: Gelatin or silicone molds can fool optical fingerprint scanners; capacitive scanners are harder to spoof. The exam may ask which type is more secure.

- Social Engineering: Pretexting (creating a fabricated scenario) is a common technique. Wrong answer: 'Shoulder surfing is the same as tailgating'; shoulder surfing is observing someone enter a PIN, not following them through a door.

- Dumpster Diving: The exam may test that it is a physical security threat, not a logical one.

- Mantraps: Know that a mantrap's purpose is to prevent tailgating by allowing only one person through at a time. Bypasses the exam expects you to recognize are forcing both doors open or defeating the door sensor the interlock relies on.

- Legal Considerations: Always obtain written authorization before testing. A common wrong answer: 'Verbal permission is sufficient' is false.

- Common Numbers: Default keypad codes (1234, 0000), common bump key profiles (e.g., KW1 for Kwikset).

- Edge Cases: The exam may present a scenario where an electronic lock is in 'fail secure' or 'fail safe' mode. Fail secure remains locked on power loss; fail safe unlocks. Know which is appropriate for different environments (e.g., fail safe for fire exits, because egress must remain possible during an outage).

Eliminate wrong answers by focusing on the mechanism: if a question mentions 'bump key', think 'pin tumbler lock.' If it mentions 'tailgating', think 'unauthorized following.' If it mentions 'pretexting', think 'false scenario.'

Key Takeaways

Physical security testing requires written authorization before any activity.

Tailgating is unauthorized following; piggybacking is with consent.

Bump keys work only on pin tumbler locks, not wafer or tubular.

RFID cloning of low-security cards can be done covertly at short range with a Proxmark3 or Flipper Zero.

Biometric spoofing often uses gelatin molds for optical scanners.

Dumpster diving is a physical reconnaissance technique for sensitive documents.

Mantraps prevent tailgating by allowing only one person at a time.

Fail secure locks remain locked on power loss; fail safe locks unlock.

Common default keypad codes include 1234 and 0000.

Pretexting involves creating a fabricated scenario to gain access.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Tailgating

Unauthorized follower enters without consent.

Often happens during busy times when doors are held open.

Exploits social norms of politeness or inattention.

Can be prevented by mantraps and strict door policies.

The follower is aware they are unauthorized.

Piggybacking

Authorized person knowingly allows entry.

Often due to social engineering or coercion.

The authorized person may hold the door for someone they believe is legitimate.

Prevention requires security awareness training.

The authorized person may be held accountable.

Watch Out for These

Mistake

Bump keys work on all types of locks.

Correct

Bump keys are only effective on pin tumbler locks. They do not work on wafer, tubular, or electronic locks because the mechanism is different. A bump key is cut to the deepest depth at every position; striking it transfers energy from the key pins to the driver pins, knocking the driver pins momentarily above the shear line while the key pins stay below it, so the plug can be turned in that instant. That split pin stack exists only in pin tumbler designs.

Mistake

Tailgating and piggybacking are the same thing.

Correct

Tailgating is when an unauthorized person follows an authorized person without their knowledge or consent. Piggybacking is when the authorized person knowingly allows the unauthorized person to enter, often out of politeness or social pressure. The exam distinguishes between the two.

Mistake

RFID cards can only be cloned if you have physical access to the card.

Correct

Many low-frequency (125 kHz) proximity cards can be read covertly at short range, on the order of a foot or more, with a long-range reader or high-gain antenna carried in a bag, so a card can be cloned from a brush-past in an elevator without the cardholder's knowledge. High-frequency (13.56 MHz) cards have shorter read ranges but are still vulnerable to close-proximity cloning when the deployment relies only on the card's UID.

Mistake

Biometric scanners are foolproof and cannot be bypassed.

Correct

Many biometric scanners, especially older optical fingerprint readers, can be spoofed using gelatin molds or printed fingerprints. Liveness detection (e.g., pulse, temperature) can mitigate this, but not all scanners have it. Capacitive scanners are more resistant but not immune.

Mistake

Physical security testing is low-risk and doesn't require authorization.

Correct

Unauthorized physical security testing can be considered trespassing, breaking and entering, or even espionage. Penetration testers must have explicit written permission defining scope, boundaries, and methods. Even with authorization, testers must avoid causing damage or alarm.


Frequently Asked Questions

What is the difference between tailgating and piggybacking?

Tailgating is when an unauthorized person follows an authorized person through a secured door without the authorized person's knowledge or consent. Piggybacking is when the authorized person knowingly allows the unauthorized person to enter, often because they believe the person is legitimate or due to social pressure. In terms of security, both are breaches, but piggybacking involves a conscious decision by the authorized person, making training and awareness critical for prevention.

What tools are commonly used for RFID cloning?

The most common tools are the Proxmark3 and the Flipper Zero. The Proxmark3 is a powerful RFID research tool that can read, clone, and emulate a wide range of low-frequency (125 kHz) and high-frequency (13.56 MHz) cards. The Flipper Zero is a multi-tool that includes RFID functionality and is popular for hobbyists and pentesters. Both can capture card signals and replay them to access systems.

Can biometric fingerprint scanners be bypassed?

Yes, many fingerprint scanners can be bypassed using spoofed fingerprints made from gelatin, silicone, or even printed paper. Optical scanners are more vulnerable because they capture an image of the ridge pattern, so anything that looks like a fingerprint will do. Capacitive scanners, which image the ridge pattern by measuring the capacitance difference between skin ridges and the air in the valleys, are more resistant but can still be fooled with conductive or moist materials such as gelatin. Liveness detection (e.g., checking for pulse or temperature) adds a layer of security but is not foolproof.

What is a mantrap and how does it prevent tailgating?

A mantrap is a physical security access control system consisting of two interlocking doors with a small room in between. Only one door can be open at a time. When a person enters, the first door closes before the second opens, ensuring only one person passes at a time. This prevents tailgating because if someone tries to follow, they would be trapped between the doors. Some mantraps include weight sensors or biometric verification to further enforce single occupancy.

What is dumpster diving in physical security?

Dumpster diving is the practice of searching through an organization's trash to find sensitive information that has not been properly disposed of. This can include paper documents with passwords, account numbers, or proprietary data, as well as discarded hardware like hard drives or badges. It is a form of reconnaissance that can provide valuable intelligence for further attacks. Proper shredding and secure disposal policies mitigate this risk.

What is the best way to test physical security without causing damage?

Non-destructive testing methods include lock picking (which does not damage the lock if done correctly), social engineering (no physical damage), and using tools like RFID cloners that only read signals. Always have permission and a clear scope. Avoid forced entry, cutting cables, or damaging cameras. Document everything with photos and notes. If a lock is difficult to pick, report it as a strong control rather than forcing it.

How can I identify camera blind spots?

To identify blind spots, observe the camera's field of view from different angles. Note the camera's lens type (wide-angle, fixed, PTZ) and its mounting height; a narrow lens mounted high covers less floor than it appears to. Look for obstructions like pillars, furniture, or signage. If the client can give you a view of the monitors during the test, have a colleague walk the floor while you mark where they leave the frame. During reconnaissance, walk around the facility and note areas where you are unseen. Combining multiple observations will reveal gaps.

