This chapter covers physical security attacks, a critical topic for the SY0-701 exam under Domain 2.0 (Threats, Vulnerabilities, and Mitigations), Objective 2.2. Physical security attacks exploit weaknesses in tangible barriers, locks, environmental controls, and human procedures to gain unauthorized access to facilities, equipment, or data. Understanding these attacks is essential because they often bypass sophisticated digital defenses; if an attacker can physically touch a system, they can compromise it. This chapter maps to exam sub-objectives on social engineering, dumpster diving, tailgating, and hardware attacks.
Imagine a medieval castle with towering walls, a moat full of crocodiles, and archers on every battlement. The castle's digital security is equally impressive: firewalls, intrusion detection systems, and encryption. But the castle also has a small postern gate used by servants to bring in supplies. The gate is guarded by a single sleepy guard who checks a list of authorized suppliers. An attacker, dressed as a baker, approaches the gate with a cart full of bread. The guard, seeing the familiar face of the baker (who was bribed earlier), waves him through. Inside, the 'bread' is actually a crate of swords. The attacker then opens the main gate from the inside, letting in an army. This is exactly how physical security attacks work. The castle's perimeter (electronic security) is strong, but the postern gate (physical access) is weak. The guard (access control) was bypassed using social engineering (the disguise and bribe). Once inside, the attacker can bypass all digital defenses because they have physical access to the network. The moral: no amount of cybersecurity matters if an attacker can walk in and plug a device into an internal port. Physical security attacks target the human and environmental layers that digital defenses cannot protect.
What Are Physical Security Attacks?
Physical security attacks are attempts to breach the physical perimeter of an organization to steal assets, install malicious hardware, or gain access to networks and data. Unlike cyberattacks that exploit software vulnerabilities, physical attacks exploit weaknesses in locks, doors, cameras, guards, and environmental controls. The SY0-701 exam emphasizes that physical security is the foundation of defense-in-depth; if an attacker gains physical access, all other security controls can be bypassed.
Types of Physical Security Attacks
#### Tailgating (Piggybacking)
Tailgating occurs when an unauthorized person follows an authorized person through a secured entry point without using their own credentials. The attacker exploits social engineering and the human tendency to hold doors for others. For example, an attacker carrying heavy boxes might ask an employee to hold the door, gaining entry without a badge. On the exam, tailgating is often confused with piggybacking; the difference is that piggybacking involves the authorized person knowingly allowing entry (e.g., under duress), while in tailgating the authorized person is unaware of the follower or too polite to refuse.
#### Dumpster Diving
Dumpster diving involves searching through trash for sensitive information such as passwords, account numbers, or proprietary documents. Attackers look for discarded hard drives, printed reports, sticky notes, or even shredded documents that can be reassembled. The exam emphasizes that shredding alone is not sufficient if documents are not cross-cut shredded or incinerated.
#### Shoulder Surfing
Shoulder surfing is the direct observation of a user's screen or keyboard to capture passwords, PINs, or confidential data. This can be done with the naked eye or using binoculars, cameras, or telescopes from a distance. In exam scenarios, shoulder surfing is often combined with other attacks like keylogging (physical or software-based).
#### Social Engineering in Physical Context
Physical social engineering attacks include impersonation (posing as a repair technician, delivery person, or security auditor), baiting (leaving infected USB drives in parking lots), and pretexting (creating a fabricated scenario to obtain information). For example, an attacker might call a help desk pretending to be a new employee who forgot their badge, requesting a temporary PIN to enter the building.
#### Hardware Attacks
- Malicious USB devices: USB Rubber Ducky (keystroke injection), USB Killer (destroys hardware via power surge), or BadUSB (firmware reprogramming to act as a keyboard).
- Keyloggers: Hardware keyloggers inserted between the keyboard and computer, capturing keystrokes.
- Evil Maid Attack: An attacker with temporary physical access installs a bootkit or hardware keylogger on a device (e.g., a laptop left in a hotel room).
- JTAG/SWD debugging: Using physical debug ports to extract firmware or inject code.
#### Environmental Attacks
- Power attacks: Surges, spikes, or brownouts can damage equipment or cause data loss. Attackers may intentionally cut power to disable security systems.
- HVAC attacks: Overheating or flooding a server room can cause denial of service.
- Fire suppression system tampering: Disabling or triggering fire suppression to cause damage (e.g., Halon or FM-200 discharge).
How Attackers Execute Physical Attacks
Reconnaissance: Attackers observe the target's physical security posture—camera placement, guard schedules, entry points, employee behavior. They may use Google Maps, LinkedIn (to identify employees), or simply drive by.
Weaponization: Attackers prepare tools: lock picks, cloned badges, USB devices, uniforms for impersonation.
Delivery: The attacker approaches the target using a pretext (e.g., 'I'm here to fix the printer').
Exploitation: The attacker bypasses a physical control (e.g., tailgates through a door, picks a lock, or uses a cloned badge).
Actions on Objective: Once inside, the attacker may connect a malicious device, steal documents, install a keylogger, or exfiltrate data.
Defensive Countermeasures
Access control: Badge readers, biometrics, mantraps (two interlocking doors to prevent tailgating).
Environmental design: Crime Prevention Through Environmental Design (CPTED)—natural surveillance, access control, territorial reinforcement.
Security guards: Trained to challenge tailgaters and verify identities.
CCTV: Coverage of entry/exit points, with analytics for loitering or object detection.
Lock types: Deadbolts, electronic locks, combination locks, cable locks for laptops.
Secure disposal: Cross-cut shredders, degaussers, incinerators for sensitive media.
Policies: Clean desk policy, no tailgating policy, visitor logs, escorted access.
Real-World Example: Stuxnet
Stuxnet, a sophisticated worm that destroyed Iranian centrifuges, was likely introduced via a USB drive dropped in a parking lot (baiting). This physical attack vector bypassed all network defenses because the air-gapped network had no internet connection. The USB drive contained a zero-day exploit that infected the internal systems.
Exam-Relevant Tools and Commands
While the SY0-701 exam does not test specific tool commands for physical attacks, understanding tools like lock picks (e.g., Peterson picks), RFID cloners (Proxmark3), and USB Rubber Ducky is important. For example, a Proxmark3 can read and clone low-frequency RFID badges (125 kHz) used in many access control systems.
Key Standards and Frameworks
ISO 27001 Annex A.11: Physical and environmental security controls.
NIST SP 800-53: Physical and environmental protection (PE) family.
FIPS 201: Personal Identity Verification (PIV) for federal employees.
Summary of Mechanisms
Physical security attacks leverage the weakest link: humans and physical barriers. The defense must be layered: deterrence (visible cameras), detection (alarms), delay (locks), and response (guards). The SY0-701 exam will test your ability to identify the attack type from a scenario and select the appropriate countermeasure.
Reconnaissance of Physical Perimeter
The attacker begins by gathering information about the target's physical security. They observe the building layout, entry points, guard patrol patterns, camera blind spots, and employee behavior. Tools used might include Google Maps (for overhead views), social media (to identify employees and their roles), and physical surveillance (e.g., sitting in a nearby café). The attacker notes badge reader types (e.g., HID iClass vs. proximity), lock brands, and whether doors are propped open. Logs would show no suspicious activity at this stage, but security guards might notice someone loitering or taking photos.
Weaponization and Pretext Development
Based on reconnaissance, the attacker prepares the necessary tools and a believable pretext. For a tailgating attack, they might wear a uniform similar to a delivery service and carry a large box. For a dumpster diving attack, they bring gloves and bags. For an RFID cloning attack, they use a Proxmark3 device. The pretext is a fabricated story to justify their presence, such as 'I'm here to service the vending machines.' The attacker may also create fake IDs or badges using a printer and blank cards. No security logs are generated yet, but the attacker's actions become more risky.
Bypassing Perimeter Controls
The attacker executes the chosen method to gain entry. For tailgating, they wait for an employee to badge in and then slip through behind them before the door closes. For lock bypass, they use lock picks, bump keys, or electronic lock bypass tools. For RFID cloning, they capture the badge signal with a Proxmark3 and replay it. Security logs would show a single valid badge swipe; only a system with tailgating detection (door-held-open sensors or people counting) would flag a second entry without a second swipe. Cameras might capture the tailgating, but if the footage is not monitored in real time, it goes unnoticed.
Achieving Physical Access to Target
Once inside the building, the attacker navigates to the target area (server room, executive office, cubicle). They may need to bypass additional locks, use social engineering (e.g., asking an employee to let them into a secured area), or follow another employee. If the target is a laptop, the attacker might look for an unattended device. The attacker avoids security guards and cameras. Logs from access control systems show the path taken by the cloned badge or the tailgated employee. At this point, the attacker has physical proximity to assets.
Executing the Objective and Covering Tracks
The attacker performs the intended action: plugging in a USB Rubber Ducky to steal credentials, installing a hardware keylogger, photographing documents, or copying data to a portable drive. After completing the objective, the attacker leaves the building, often by simply walking out (exit doors usually don't require badging). They may discard tools or disguises. To cover tracks, they might delete logs from the keylogger or remove the USB device. Post-incident, the organization may not discover the breach until later, when anomalous network activity or credential misuse is detected.
Scenario 1: Data Center Breach via Tailgating
A SOC analyst at a financial firm notices an alert from the access control system: two entries with the same badge within 1 second at the data center door. The analyst reviews CCTV footage and sees an employee badging in, followed closely by an individual in a maintenance uniform carrying a toolbox. The maintenance worker did not badge in. The analyst immediately contacts security to detain the individual. The correct response is to treat this as a potential breach: lock down the data center, escort the unauthorized person out, and inspect the area for planted devices. A common mistake is to dismiss the alert as a system glitch or assume the maintenance worker was authorized. The analyst should also check for missing equipment and review other logs for unusual activity.
Scenario 2: Dumpster Diving at a Healthcare Provider
A security engineer discovers that a patient's medical records were posted online. Investigation reveals that a contractor discarded paper records in an unlocked dumpster behind the building. An attacker retrieved the records and sold them. The engineer implements a secure disposal policy: all sensitive documents must be cross-cut shredded and placed in locked bins. Additionally, the dumpster area is fenced and monitored by CCTV. The common mistake is assuming that shredding alone is enough; strip-cut shreds can be reassembled. The correct approach is cross-cut or micro-cut shredding, and for electronic media, degaussing or physical destruction.
Scenario 3: Evil Maid Attack on Executive Laptops
A company's CEO reports that their laptop, left in a hotel room, was behaving strangely. The IT team finds a hardware keylogger between the keyboard cable and the USB port. The keylogger captured passwords, including the CEO's VPN credentials. The attacker later used those credentials to access the corporate network. The correct response is to immediately change all passwords, scan the network for lateral movement, and implement a policy requiring employees to use laptop locks and store devices in hotel safes. A common mistake is to focus only on the laptop and ignore the compromised VPN credentials, allowing the attacker continued access.
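One way to turn the Scenario 1 alert into detection logic, as an added example (not code from this chapter or from any access-control vendor): it parses constructed badge-reader log lines in an assumed format and flags two patterns, one badge granted twice at the same door within a short window (the double-swipe alert above), and one badge granted at two readers faster than a person could walk between them, which is how a cloned and replayed badge shows up. The reader IDs, badge numbers and walking times are all assumptions for the sample site.

```python
from datetime import datetime, timedelta

# Constructed sample badge-reader log (format assumed, not a real product's):
# "<ISO timestamp> door=<reader id> badge=<badge id> result=GRANTED|DENIED"
SAMPLE_LOG = """\
2024-03-04T08:59:58 door=DC-01 badge=1042 result=GRANTED
2024-03-04T08:59:59 door=DC-01 badge=1042 result=GRANTED
2024-03-04T09:05:10 door=DC-01 badge=1042 result=DENIED
2024-03-04T09:15:00 door=LOBBY-02 badge=2210 result=GRANTED
2024-03-04T09:18:30 door=DC-01 badge=2210 result=GRANTED
2024-03-04T09:18:50 door=LOBBY-02 badge=2210 result=GRANTED
"""

# Assumed minimum walking time between reader pairs (hypothetical site layout).
# One badge seen at both readers faster than this cannot be a single person.
MIN_TRANSIT_SECONDS = {frozenset({"LOBBY-02", "DC-01"}): 120}

def parse_events(text):
    """Parse log lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])

def detect_double_swipe(events, window_seconds=2):
    """Same badge granted twice at the same reader inside the window: the
    Scenario 1 alert (a held door re-badged for a follower, or a cloned copy
    of the badge presented by a second person)."""
    alerts, last_seen = [], {}
    for e in events:
        if e["result"] != "GRANTED":
            continue
        key = (e["badge"], e["door"])
        prev = last_seen.get(key)
        if prev is not None and e["ts"] - prev <= timedelta(seconds=window_seconds):
            alerts.append(("double_swipe", e["badge"], e["door"], e["ts"].isoformat()))
        last_seen[key] = e["ts"]
    return alerts

def detect_impossible_transit(events, min_transit=MIN_TRANSIT_SECONDS):
    """Same badge granted at two different readers faster than a person could
    walk between them: the signature of a cloned badge being replayed."""
    alerts, last_grant = [], {}
    for e in events:
        if e["result"] != "GRANTED":
            continue
        prev = last_grant.get(e["badge"])
        if prev is not None and prev["door"] != e["door"]:
            limit = min_transit.get(frozenset({prev["door"], e["door"]}))
            if limit is not None and (e["ts"] - prev["ts"]).total_seconds() < limit:
                alerts.append(("impossible_transit", e["badge"], prev["door"],
                               e["door"], e["ts"].isoformat()))
        last_grant[e["badge"]] = e
    return alerts

def analyze(text):
    """Run both detectors over a log text; returns a list of alert tuples."""
    events = parse_events(text)
    return detect_double_swipe(events) + detect_impossible_transit(events)
```

Running `analyze(SAMPLE_LOG)` on the constructed log yields one double-swipe alert for badge 1042 at DC-01 and one impossible-transit alert for badge 2210; DENIED events are ignored because they never opened a door.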
The SY0-701 exam tests physical security attacks under Objective 2.2: 'Explain common threat actors and motivations.' Specifically, you must be able to identify physical attack types from scenarios and choose appropriate mitigations. The exam emphasizes social engineering variants like tailgating, piggybacking, shoulder surfing, and dumpster diving.
Most Common Wrong Answers:
1. Confusing tailgating with piggybacking: Candidates often choose 'piggybacking' when the scenario describes an unauthorized person following an authorized person without consent. Remember: tailgating is without permission; piggybacking is with permission (e.g., under duress).
2. Choosing 'shoulder surfing' for any observation attack: Shoulder surfing specifically involves looking at a screen or keyboard. If the attack involves overhearing a conversation, it's 'eavesdropping,' not shoulder surfing.
3. Selecting 'dumpster diving' whenever the scenario mentions trash: Read carefully. A document retrieved from a trash or recycling bin inside the office is still dumpster diving because it came from discarded material; a document taken from an unlocked desk drawer is 'theft.'
4. Picking 'baiting' for any USB attack: Baiting specifically involves leaving a malicious device (e.g., a USB drive) in a location where the victim will find it. If the attacker directly hands the USB drive to the victim, it's 'social engineering' or 'pretexting.'
Specific Terms and Acronyms:
- Tailgating vs. Piggybacking (know the difference)
- Shoulder surfing
- Dumpster diving
- Evil Maid attack
- USB Rubber Ducky
- Proxmark3 (RFID cloning tool)
- Mantrap (prevents tailgating)
- CPTED (Crime Prevention Through Environmental Design)
Trick Questions:
- A scenario where an attacker uses a cloned badge to enter a building is NOT tailgating; it's 'access control bypass via cloning.'
- A scenario where an attacker watches someone type a PIN from across the room using binoculars is shoulder surfing, not eavesdropping.
- A scenario where an attacker finds a password written on a sticky note in a trash can is dumpster diving, but if the sticky note was on a desk, it's 'improper disposal' or 'negligence.'
Decision Rule: When given a scenario, first identify the attack vector: Is it physical? Is it social? Then determine if the attacker used deception (social engineering), technical tools (cloning, keyloggers), or simply took advantage of human behavior (tailgating). Match the specific verb to the attack name: 'followed' → tailgating; 'watched' → shoulder surfing; 'searched trash' → dumpster diving; 'left a USB' → baiting.
Tailgating involves unauthorized following; piggybacking involves consent under duress.
Shoulder surfing can be done with optical devices from a distance.
Dumpster diving requires secure disposal: cross-cut shredding or incineration.
Evil Maid attacks exploit temporary physical access to install bootkits or keyloggers.
Mantraps with two interlocking doors prevent tailgating.
USB Rubber Ducky is a keystroke injection tool that mimics a keyboard.
Proxmark3 can clone low-frequency RFID badges (125 kHz).
CPTED uses environmental design to deter crime through natural surveillance and access control.
These come up on the exam all the time. Here's how to tell them apart.
| | Tailgating | Piggybacking |
|---|---|---|
| What happens | Unauthorized person follows authorized person without consent | Authorized person knowingly allows entry |
| Authorized person's role | Unaware or too polite to stop the follower | Often under duress (e.g., threat of violence) or due to perceived authority |
| What it exploits | Social norms of holding doors | Trust or fear |
| Mitigation | Mantrap, security awareness training | Duress alarms, two-person rule |
| Example | Attacker carrying boxes slips through a door held by an employee | Attacker impersonates IT support and an employee lets them in |
Mistake: Tailgating and piggybacking are the same thing.
Correct: They are distinct: tailgating is unauthorized following without the authorized person's knowledge or consent; piggybacking involves the authorized person knowingly allowing entry, often under duress or due to social obligation. The SY0-701 exam tests this distinction.
Mistake: Shoulder surfing only happens in person, up close.
Correct: Shoulder surfing can be done from a distance using binoculars, telescopes, or hidden cameras. It can also be performed by reviewing CCTV footage of someone typing a password. The key is observation of input or output.
Mistake: Dumpster diving is only about physical trash.
Correct: Dumpster diving can also refer to digital trash, such as searching through unsecured cloud storage or discarded hard drives. However, on the exam, it typically refers to physical trash.
Mistake: An Evil Maid attack requires a hotel room.
Correct: The term 'Evil Maid' originates from a hotel scenario, but the attack can happen anywhere an attacker has temporary physical access to a device, such as a laptop left in a conference room or at a coffee shop.
Mistake: Physical security attacks are low-tech and easy to prevent.
Correct: While some attacks are simple (e.g., tailgating), others involve sophisticated tools like RFID cloners, lock bypass tools, and custom USB devices. Prevention requires layered controls including technology, policies, and training.
Tailgating is when an unauthorized person follows an authorized person through a secured door without the authorized person's knowledge or consent. Piggybacking is when the authorized person knowingly allows the unauthorized person to enter, often due to social pressure or fear. On the exam, if the scenario says the attacker 'followed' or 'slipped through,' it's tailgating. If the employee 'held the door' or 'allowed entry,' it's piggybacking. The mitigation for tailgating is a mantrap; for piggybacking, it's duress alarms and training.
Yes, shoulder surfing does not require close proximity. Attackers can use binoculars, telescopes, or hidden cameras to observe screens or keyboards from a distance. For example, an attacker in a parking lot could use a zoom lens to watch a user typing a password in a ground-floor office. The exam may present scenarios where the attacker is 'across the street' or 'using binoculars'—that is still shoulder surfing.
The best defense is a combination of policies and procedures: (1) Shred all sensitive documents using cross-cut or micro-cut shredders (strip-cut shreds can be reassembled). (2) Use locked bins for discarded media. (3) Incinerate or pulverize highly sensitive materials. (4) Implement a clean desk policy to ensure documents are not left out. (5) Secure dumpsters in locked enclosures with CCTV monitoring.
An Evil Maid attack occurs when an attacker gains temporary physical access to a device (e.g., a laptop in a hotel room) and installs a bootkit, hardware keylogger, or other malware. The attacker then leaves the device as if nothing happened. The victim returns and continues using the device, unaware that their credentials or data are being captured. Defense includes using full disk encryption with a pre-boot authentication PIN, tamper-evident seals, and never leaving devices unattended.
The exam expects familiarity with tools like the USB Rubber Ducky (keystroke injection), Proxmark3 (RFID cloning), lock picks, and hardware keyloggers. You do not need to know specific commands, but you should recognize these tools by name and know their purpose. For example, a Proxmark3 can read and clone 125 kHz proximity cards used in many access control systems.
A mantrap is a small room with two interlocking doors. The first door must close and lock before the second door opens. This prevents tailgating because only one person can enter at a time. If two people enter the mantrap, both doors lock and an alarm sounds. Mantraps are often used at high-security entrances like data centers. The exam may ask you to identify mantrap as a control against tailgating.
Baiting involves offering something enticing (e.g., a free USB drive, a gift card) to lure the victim into performing an action that compromises security. The key is that the attacker leaves the bait for the victim to find. In contrast, pretexting involves fabricating a scenario (e.g., pretending to be IT support) to obtain information directly. On the exam, if the attacker 'leaves' a USB drive in the parking lot, it's baiting. If they call and pretend to be from the help desk, it's pretexting.