Chapter 44 Β· Advisories

Physical Attacks

Three formal security advisories from the Physical Security Assessment Unit β€” covering brute force physical entry, RFID badge cloning, and environmental attacks against data center infrastructure.

CONTROLLED β€” FACILITIES & SECURITY DISTRIBUTION
ADVISORY ID:PHYSEC-2024-001 CATEGORY:Physical Entry β€” Brute Force Barrier Defeat SEVERITY:HIGH AFFECTED ASSETS:Server rooms, data centers, communications closets, and any restricted facility relying solely on locks without perimeter hardening

Advisory: Brute Force Physical Entry β€” Perimeter Weaknesses Beyond the Lock

Executive Summary

Physical brute force attacks overcome barriers through applied force rather than credential theft or technical bypass. Assessments consistently demonstrate that organizations invest in high-grade lock hardware while neglecting the structural components the lock is mounted in β€” door frames, adjacent walls, windows, and ceiling panels. An attacker does not need to defeat the lock if they can defeat the structure around it. This advisory addresses the scope of physical brute force risk and the perimeter evaluation methodology required to identify real exposure.

Technical Analysis

A locked door provides security only if the frame holding it, the wall surrounding it, and any adjacent entry points are equally resistant to forced entry. In practice, organizations focus security investment on visible lock hardware β€” electronic access control readers, reinforced deadbolts, security hinges β€” while leaving supporting structures at standard commercial construction specifications.

Common findings in physical penetration assessments include: server room doors mounted in standard drywall frames anchored with construction screws (defeatable with shoulder impact in two attempts); adjacent corridor windows that open from outside with no alarm integration; ceiling tiles adjacent to card-reader-controlled doors that can be lifted to bypass the doorway entirely; and loading dock doors sharing a wall with the secure server room.

The fundamental attacker methodology is to identify the path of least resistance. The front door of the server room may be impenetrable. The adjacent supply closet sharing a wall may have a standard hollow-core door with a latch lock. Physical security must be evaluated as a perimeter system β€” not as a collection of individual hardened points.

All digital security investments β€” firewalls, OS hardening, encryption, endpoint detection β€” provide no protection once an attacker is physically present at the hardware. With physical access, an attacker can boot from external media to bypass OS authentication, remove and directly read storage drives, install hardware keyloggers, and reset BIOS/UEFI configurations. The assumption underlying all digital security controls is that the attacker is remote. Physical access eliminates that assumption.

Attack Surface Assessment Matrix

ComponentCommon WeaknessAttacker Technique
Door frameStandard construction screws; drywall mountingShoulder impact; pry bar on frame gap
Adjacent windowsNo alarm integration; standard latchesUtility knife on frame seal; latch manipulation
Wall constructionDrywall or lightweight partition between spacesRemoval of wall section in adjacent unmonitored room
Ceiling accessDrop ceiling tiles throughout facilityLift tiles adjacent to door; bypass badge reader entirely
Hinges (exterior-facing)Pin hinges exposed on the accessible sideRemove hinge pins to detach door without defeating lock

Recommended Mitigations

  • Structural reinforcement: Reinforce door frames with steel plate inserts and through-bolts into structural elements. Replace standard construction screws with security-grade hardware anchored to concrete or steel framing.
  • Perimeter window hardening: Replace any openable windows adjacent to secure areas with fixed panes. Integrate fixed windows into the intrusion detection system (vibration sensors, glass break sensors).
  • Vibration and motion detection: Install vibration sensors on server room walls and motion-triggered cameras covering all approach corridors. Intrusion detection should alert before forced entry succeeds, not after.
  • Perimeter assessment methodology: Physical security assessments must evaluate the full perimeter including adjacent spaces, shared walls, ceiling access, and exterior approaches β€” not only the primary entry point. Engage a physical penetration testing firm to conduct adversarial testing.
CONTROLLED β€” SECURITY DISTRIBUTION
ADVISORY ID:PHYSEC-2024-002 CATEGORY:Credential Compromise β€” RFID Badge Cloning SEVERITY:HIGH AFFECTED SYSTEMS:Physical access control systems using RFID proximity cards as the sole authentication factor

Advisory: RFID Badge Cloning β€” Silent Credential Theft in Proximity Environments

Executive Summary

RFID proximity access cards can be cloned using commercially available equipment costing under $50, without physical contact with the target badge, without the badge holder's awareness, and without leaving any trace on the original credential. A cloned badge is indistinguishable from the original by every reader in the access control system. Access logs will show the original employee's badge identity at times and locations inconsistent with their actual presence. This advisory describes the cloning mechanism, the detection challenge, and the required control: multi-factor authentication for physical access.

Technical Analysis

RFID (Radio Frequency Identification) proximity badges broadcast their credential data wirelessly when they detect a compatible reader field. Standard office access badges operate at 125 kHz (older HID EM4100 technology) or 13.56 MHz (MIFARE, ISO 14443). The badge does not authenticate the reader β€” it responds to any compatible field signal, whether from an authorized door lock or an unauthorized capture device.

RFID reader/writer devices capable of capturing and rewriting these credentials are available on consumer electronics marketplaces for $30–$50. The devices are compact (fitting in a jacket pocket or a bag) and operate passively β€” no physical contact with the target badge is required. Capture range depends on badge technology and antenna configuration: standard reads occur at 2–5 cm, but modified antennas can extend range to 30+ cm.

The cloning sequence: the attacker captures the badge identifier during proximity (commuter trains, elevator lobbies, cafeteria queues, and office corridors provide natural opportunity). The captured credential is written to a blank card in seconds. The cloned card presents the same identifier to all readers. The access control system has no mechanism to distinguish two badges transmitting the same identifier β€” it grants access to whichever one arrives at the reader. The original cardholder's access log shows simultaneous activity at geographically separated locations, which is the primary anomaly detection signal.

Attack Characteristics

FactorDetail
Equipment costUnder $50; commercially available without restrictions
Required proximity2–5 cm standard; 30+ cm with modified antenna
Contact with victim requiredNone
Trace on original badgeNone β€” capture is read-only; badge functions normally
Victim awarenessNone β€” no notification or physical indication
Time to cloneUnder 30 seconds (capture + write)
Detection in access logsSimultaneous swipes at geographically separated locations (impossible travel)

Recommended Mitigations

  • Multi-factor authentication for physical access: The single most effective control. A system requiring only a badge (something you have) is defeated the moment the badge is cloned. Augmenting with a PIN entered at the reader (something you know) or a biometric (fingerprint, hand geometry, iris) means the attacker has the cloned card but lacks the second factor β€” they cannot gain entry. Implement MFA on all high-security access points immediately.
  • Upgrade to cryptographically protected badge technology: Modern MIFARE DESFire and similar smart card technologies use mutual authentication and cryptographic challenge-response protocols that cannot be trivially cloned by read/write devices. Migration from legacy 125 kHz proximity cards closes the cloning window entirely.
  • Impossible travel monitoring: Configure access control system alerts for badge activity showing the same credential used at two geographically separated locations within a time window that physical travel cannot explain. This is the primary automated detection signal for active cloned badge use.
  • RFID shielding sleeves: Provide all employees with RFID-blocking sleeves or cardholders for their access badges. These physically prevent unauthorized readers from exciting the badge. A low-cost mitigation that eliminates remote capture in proximity environments.
CONTROLLED β€” INFRASTRUCTURE SECURITY DISTRIBUTION
ADVISORY ID:PHYSEC-2024-003 CATEGORY:Infrastructure Attack β€” Environmental Systems Exploitation SEVERITY:CRITICAL AFFECTED SYSTEMS:Data center power distribution, HVAC and cooling systems, humidity control, and fire suppression infrastructure

Advisory: Environmental Attacks on Data Center Infrastructure β€” Taking Down Servers Without Touching Them

Executive Summary

Environmental attacks target the physical infrastructure that computing equipment depends on β€” power, cooling, humidity control, and fire suppression β€” rather than the computing equipment itself. An attacker who cannot breach a hardened server room can frequently achieve an equivalent denial of service by attacking the supporting infrastructure, which is often secured to a significantly lower standard than the server room it supports. This advisory documents the attack surface exposed by common infrastructure configurations and the controls required to achieve a consistent security posture across the full facility footprint.

Environmental Attack Surface Analysis

TargetAttack MethodEffectCommon Security Gap
Electrical distribution panelPhysical access; circuit interruptionImmediate total power loss to all served equipmentStandard padlock; utility room with no managed access control, no logging, no alarming
HVAC / cooling plant roomPhysical breaker; network-accessible control systemTemperature rise triggers thermal shutdown cascade in 15–30 minutes; sustained outage if cooling not restoredLess segmented than server networks; physical plant room often accessible to facilities staff without security logging
Humidity control systemDisable or misconfigure humidity regulationExcess humidity: condensation, short circuits, corrosion. Low humidity: electrostatic discharge (ESD) capable of destroying sensitive componentsOften managed through same building management system as HVAC; infrequently monitored
Fire suppression systemPull manual activation handle; trigger false smoke detection; compromise suppression control systemGaseous suppression agent deployment; automatic safety shutdown of all equipment; extended outage during ventilation and investigationManual activation handles in corridors and server room approaches; accessible without access to server room itself

Technical Analysis β€” HVAC Failure Sequence

Data center servers generate heat at densities of 5–30 kW per rack depending on equipment density. Cooling systems maintain ambient temperatures within the operational band specified by hardware manufacturers (typically 18–27Β°C / 64–80Β°F). When cooling fails, the thermal sequence is as follows: ambient temperature rises at a rate determined by the thermal mass of the room and the heat output of active equipment. Hardware firmware monitors internal temperatures continuously. At threshold temperatures (typically 40–45Β°C for most server platforms), CPUs throttle clock frequency to reduce heat generation. At higher thresholds, non-critical processes are halted. Above the maximum rated temperature, servers execute emergency shutdown to protect hardware. From cooling failure to first shutdowns: approximately 15–30 minutes at typical data center densities.

HVAC control systems at many facilities are managed through web-accessible building management interfaces. Where these management interfaces are accessible from the corporate network without proper segmentation, a network-layer attacker may be able to disable cooling without physical access to the facility. This represents a cross-domain risk: a network attack achieves a physical infrastructure outcome.

Fire Suppression as a Denial-of-Service Vector

Data center fire suppression systems use gaseous agents (inert gas blends, clean agent chemicals) rather than water to avoid equipment destruction. These systems are life-safety equipment and are required to activate promptly when commanded. This property is exploitable: an attacker who can reach a manual activation pull station β€” which is typically located in corridors approaching the server room, not inside it β€” can trigger a suppression discharge without breaching the server room itself. The suppression event triggers automatic safety shutdowns, initiates an alarm response, and creates an extended outage while the space is ventilated and investigated before equipment can be restarted.

Recommended Mitigations

  • Equivalent security posture for supporting infrastructure: The electrical distribution panel, HVAC plant room, and fire suppression control access points must be secured with managed access control at the same level as the server room β€” logged entry, access restricted to authorized personnel, alarming on unauthorized access attempts.
  • Network segmentation for building management systems: HVAC control systems, building management interfaces, and facilities monitoring networks must be segmented from server networks and corporate networks. Access to HVAC management should require explicit authentication from a dedicated management network, not be reachable from general corporate infrastructure.
  • Environmental monitoring with alerting: Deploy continuous monitoring for temperature, humidity, and suppression system status with automated alerting on anomalies. A temperature deviation alert provides response time before thermal shutdowns occur. Suppression system activity alerts can flag a triggered discharge immediately.
  • Fire suppression handle access control: Manual suppression activation pull stations in corridors should be in locked enclosures or in monitored areas with camera coverage and access control to prevent casual or malicious triggering.
  • Redundant power paths: Uninterruptible power supplies (UPS) and generator backup ensure that a single panel interruption does not cause immediate equipment loss. Dual-path power distribution from separate panels further reduces the impact of any single supply interruption.