Four Physical Attack Categories
| Attack Type | What Is Attacked | Method | Primary Defense |
|---|---|---|---|
| Physical Brute Force | Doors, windows, frames, walls β the physical barriers protecting secure areas | Force β pushing, kicking, levering, cutting; no technical knowledge required | Reinforce the full perimeter (frames, walls, windows); vibration sensors; motion detection; physical security testing |
| RFID Cloning | Access badges and key fobs used for physical entry | Read badge wirelessly with a cheap device; copy data to a blank card; use cloned card for access | MFA for physical access (card + PIN or biometric); access log monitoring for impossible simultaneous-location events |
| Environmental Attack β Power | Electrical distribution infrastructure feeding the data center | Interrupt or manipulate power supply β cuts power to all systems without entering the server room | Secure power infrastructure with managed access controls; UPS and redundant feeds; log and alarm electrical room access |
| Environmental Attack β HVAC / Humidity / Fire Suppression | Cooling, humidity, and fire suppression systems supporting the data center | Disable cooling β overheating shutdown; manipulate humidity β ESD or condensation; trigger suppression β denial of service | Secure HVAC plant rooms; network-segment HVAC management systems; environmental monitoring with alerts; physical locks on manual suppression controls |
RFID Cloning β How It Works
Attacker Obtains RFID Reader/Writer
A commercially available RFID cloning device β purchasable online for under $50. Reads compatible RFID badge frequencies (common standards: 125 kHz low-frequency or 13.56 MHz high-frequency HID/MIFARE formats).
β
Read Target Badge Wirelessly
Attacker positions the reader within range of the target badge β in a crowded elevator, on a commuter train, in a queue. The badge is still in the victim's pocket or on their lanyard. The victim is unaware. The capture takes seconds.
β
Write Data to Blank Card
The same device writes the captured identifier to a blank writable RFID card. The cloned card is now a functional duplicate of the original β it broadcasts the same identifier to every reader. Process takes under 30 seconds total.
β
Use Cloned Badge for Access
Attacker presents the cloned card to any reader. The reader sees the correct identifier and grants access β identical to the original badge. The access log records the entry as the legitimate employee. No alarm. No detection.
β
MFA Stops It Here
If the reader also requires a PIN or biometric, the cloned card alone is insufficient. The attacker has the "something you have" factor but not "something you know" or "something you are." Access denied.
Why "Physical Access = Full Control"
| Physical Action | What It Bypasses | How It Works |
|---|---|---|
| Boot from external USB/DVD | OS authentication (login passwords, BitLocker without pre-boot PIN, Windows Hello) | External OS loads directly; installed OS never runs; access to files on the drive depends on encryption implementation |
| Remove the storage drive | OS-level access controls; file permissions; network restrictions | Drive connected to another machine; files read directly from hardware; OS controls exist only in software on the original machine |
| BIOS/UEFI access | Boot order controls; Secure Boot (if no BIOS password set) | Allows changing boot device, disabling Secure Boot, resetting hardware settings; most BIOSes have no password by default |
| Install hardware keylogger | All encryption; OS-level monitoring | Hardware device between keyboard and USB port captures keystrokes before any OS security layer; invisible to software scans |
| Physically take the hardware | Everything β network access controls, remote monitoring, remote wipe | Hardware in attacker's possession; they can attempt to decrypt offline at leisure; all remote defenses are irrelevant |
Environmental Attack β Data Center Dependency Chain
Power Infrastructure
Everything requires stable electrical power. The electrical distribution panel feeding the data center floor is the single most impactful attack target. Often located in utility rooms with lower physical security than the server room.
β
HVAC and Cooling
Servers generate intense heat. Without continuous cooling, hardware reaches thermal limits within minutes. Servers begin throttling CPU, then shutting down to protect themselves. No attacker commands required β thermal protection triggers the shutdown automatically.
β
Humidity Control
Too much humidity β condensation β short circuits and corrosion. Too little humidity β electrostatic discharge risk. ESD can instantly destroy sensitive components. Humidity control is a hardware-protection requirement, not a comfort feature.
β
Fire Suppression
Triggering fire suppression causes an emergency shutdown and floods the space with suppression agent. Can be triggered manually (pull handle), by false alarm (smoke near a detector), or by compromising the suppression control system. Denial of service without touching servers.
Physical Security Defense Stack
| Threat | Defense | Key Detail |
|---|---|---|
| Brute force entry | Perimeter hardening: reinforced frames, walls, and windows; vibration/motion sensors; physical penetration testing | Test the full perimeter β locks, frames, adjacent windows, walls. The weakest point is rarely the main lock. |
| RFID cloning | MFA for all physical access points; access log monitoring for simultaneous-location anomalies | MFA is the definitive defense. A cloned card + no second factor = full access. A cloned card + required PIN/biometric = blocked. |
| Power attack | Managed access to electrical rooms; UPS and redundant power feeds; monitoring electrical room entry | Utility rooms feeding the data center must have the same access control standards as the server room itself. |
| HVAC attack | Physical locks on HVAC plant rooms; network segmentation of building management systems; temperature alerts | HVAC management interfaces should be isolated from server networks and require authentication to access. |
| Humidity attack | Continuous environmental monitoring with humidity thresholds and alerts; ESD protection (anti-static flooring, wrist straps) | Humidity deviations cause gradual or instant damage. Monitoring with alerts provides time to respond before hardware is harmed. |
| Fire suppression abuse | Physical locks on manual suppression handles; restricted access to suppression control systems; monitored smoke detectors | Manual pull handles should not be accessible to unauthorized individuals. Suppression control systems should be on secured, isolated networks. |
| Tailgating / piggybacking | Man-trap entry vestibules; security awareness training; turnstiles; security guards | Man-traps enforce individual authentication for each person entering. No tailgating is possible if the first door must close before the second opens. |