Physical security in a corporate environment is serious business. I spent most of my life working for small companies which didn’t really require top-notch physical access constraints or security features. Last one to leave bolts the front door and turns off the light – that’s pretty much the extent of security I have witnessed at most small firms I had the pleasure to work with. But whenever I venture out into the big corporate world I am always impressed and intimidated by what they do to keep their company secrets and employees safe. Of course, sometimes these impressive measures are just a facade.
Not so long ago I was visiting a certain large company and I really, really wanted to snap a picture of the number pads on their doors. Not because they were cool though. They were fairly standard actually. In fact, I was initially very impressed by how locked down the whole facility was. To get where I was going I had to pass through a security desk, a metal detector gate, and two key-code locked doors. Hell, even the restrooms in the building required you to punch in a code to get inside.
Then I got a closer look at the actual key pads next to each of the doors and noticed that some buttons were worn down more than others. In fact, it was the exact same 5 buttons on each door. I really wanted to take some pictures but I didn’t think it was appropriate, plus I thought that the security folks probably wouldn’t like some dude walking around taking pictures of their door locks. So here is a slightly exaggerated mock-up of what I have been seeing all over the building:
The buttons 5-9, 0 and * were all shiny and new. All the other keys were faded out, scratched up and darkened from use. If the key-codes were rotated regularly, then the wear and tear ought to be evenly distributed across all the keys. A pattern like the one shown above could only be produced if the same code was used for a very long time without change.
Of course, a wear pattern on a keypad does not necessarily give away a password. It simply helps us to narrow down our key space. The only thing we know for sure is that the pass code is made up of only 5 distinct characters, which are 1-4 and #. We can also assume that it is likely to be 5 characters long, but that does not need to be the case. Any number of the worn out keys can repeat any number of times without significantly altering the wear pattern, potentially extending our password length. In either case, we do have a significant number of combinations that we would need to try to open this door.
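To put numbers on that narrowing, here is an added example (not part of the original post) that counts how many codes remain once wear reveals which keys are in use, which is what a never-rotated code costs the defender. It assumes a 12-key pad (0-9, * and #) and a code that presses every worn key at least once and no other key; the function names are made up for illustration.

```python
from math import comb, log2

KEYPAD_KEYS = 12   # 0-9, * and # (the keys named in the post)
WORN_KEYS = 5      # 1-4 and #, the worn keys described in the post


def full_keyspace(length: int, keys: int = KEYPAD_KEYS) -> int:
    """Codes of a given length when nothing is known about the keys."""
    return keys ** length


def codes_using_all_worn(length: int, worn: int = WORN_KEYS) -> int:
    """Codes of a given length that press every worn key at least once
    and no unworn key. Counted by inclusion-exclusion: start from all
    sequences over the worn keys, then correct for the ones that leave
    out j of those keys."""
    return sum((-1) ** j * comb(worn, j) * (worn - j) ** length
               for j in range(worn + 1))


def summary(max_length: int = 7):
    """One row per code length: (length, codes before wear is known,
    codes after, bits of search space lost)."""
    rows = []
    for n in range(WORN_KEYS, max_length + 1):
        before = full_keyspace(n)
        after = codes_using_all_worn(n)
        rows.append((n, before, after, round(log2(before) - log2(after), 1)))
    return rows


if __name__ == "__main__":
    for n, before, after, lost in summary():
        print(f"length {n}: {before:>10,} codes -> {after:>6,} "
              f"({lost} bits lost to wear)")
```

Repeated keys do lengthen the code, but the count stays tiny next to the full key space: a 5-press code drops from 248,832 possibilities to 120, and a 6-press code from 2,985,984 to 1,800.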
But… What combination would you try first?
Personally, I’d start with the infamous Spaceballs combination:
Why? Well, why not. If you never change the combination on your key locks, then chances are that you are also using the simplest and easiest combo you can think of. In this case it would be 1, 2, 3, 4, #. That, ladies and gentlemen, was exactly the code used in the building I was visiting.
This would be a major security problem if any of these doors were facing the street or publicly accessible parts of the building. Fortunately they were not. To get to any of them you still had to go past the security desk in the main lobby and walk through a metal detector gate. Only employees and authorized guests would actually get this far – so these security systems were mostly a nuisance for the people that worked there every day. That’s likely why no one ever bothered changing the combination, or at the very least replacing the key pads.
What is the lesson here? I guess it’s that applying too many access controls to a system may actually decrease its overall security. If you make your employees change their password every week, then they will end up writing it down on a sticky note and putting it on their monitor. If you force people to get through 3 pairs of security doors just so that they can reach the hallway and use a restroom, the key combos for these doors will likely use the Spaceballs numbers. And if you make people carry the RSA authenticator fobs with them, they will likely attach them to their laptops. Oh, and they will also tape their user names and passwords to the back so that whoever steals their laptop has all the authentication information in a neat little package. People can be quite ingenious when it comes to circumventing security measures.
But this sort of thing only happens when you let people get away with it. What you need is someone in your organization whose job it is to look for security issues like the one I described above, and fix them. Such a person must be able to inspire fear, and be able to deliver massive amounts of pain, fire and brimstone onto anyone stupid enough to tape their passwords to the monitor or attach their RSA fob to their laptop. And your local NOC-dwelling BOFH is probably not the best candidate for this position because, while he probably enjoys whipping lusers into shape, things like wear and tear on key locks might be out of his scope of influence. But I guess that’s just my opinion.
In the comments let’s talk about other examples of secure systems that are secure in name only. Have you ever encountered worn down key locks? How about swipe card doors that are permanently wedged open using a door stop?
How about biometrics? Have you ever worked at or visited a facility that foolishly decided to use biometric identification? If yes, tell me about the massive amounts of failure that had to come out of that experiment. Do they still use it, or did they revert to something more sane?