Physical Security Risks Exposed: Real-World Penetration Testing Lessons to Protect Your Business

October 8, 2025
Cybersecurity

By: Matt Millen

Conversations about information security often focus on digital threats like ransomware, phishing campaigns, and zero-day exploits. While these risks are significant, they can overshadow a more fundamental vulnerability: physical access. If an unauthorized individual can get inside your facility, they don’t need to rely on remote attacks or sophisticated malware to compromise your systems. A cloned badge, an unattended workstation, or even a well-meaning employee holding a door open can be enough to bypass millions of dollars in cybersecurity investment. The risk is even greater when you factor in malicious insiders who already have legitimate access and the ability to move freely without raising suspicion.

At Pellera, we empower you to see security from every angle. Our physical penetration tests reveal where technology, physical barriers, and human behavior intersect, and where those intersections create vulnerabilities, often creating direct paths for attackers to reach critical systems. This post will walk you through a real-world engagement, highlight common physical security risks, and provide actionable steps to fortify your defenses.

Putting Security to the Test: A Real-World Scenario

We were recently tasked with assessing a facility marketed as “highly secure,” equipped with modern access controls and on-site security personnel. Our goal was to show how a determined attacker could bypass these defenses and gain access to critical systems, demonstrating the tangible impact of physical security attacks.

The Power of Reconnaissance

Before arriving on site, our team conducted thorough reconnaissance using publicly available information. As is often the case, we uncovered a significant amount of sensitive information the organization had unintentionally exposed online.

Key exposures identified during this phase included:

  • High-resolution photos of employee badges on LinkedIn and Facebook.
  • Publicly available building maps showing layouts and entry points.
  • Interior photos and videos posted by employees, clients, and business partners.
  • Employee uniforms available for purchase from public sources.

This intelligence allowed us to plan with precision. We knew the badge technology in use, identified physical security measures like anti-tailgate turnstiles at entrances, and even produced a convincing replica of an employee badge before arriving at the client’s facility.

Example LinkedIn post exposing company badge

From the Sidewalk to the Server Room

On the day of the test, we arrived with a long-range RFID reader concealed in a standard backpack. Our tooling allowed us to covertly capture authentication data from active employee badges and write it on our cloned badge. This simple action allowed us to bypass the facility’s main entrance controls and walk in completely undetected.

Once inside, we blended in naturally. Employees assumed anyone with a functioning badge belonged there. Using the building maps we found online, we navigated directly to a networking closet. Using a traveler’s hook (a small tool with a sharp tip used to manipulate exposed and vulnerable door latches), we were able to bypass the lock and place a rogue device on a network switch. With no Network Access Control (NAC) in place, the device immediately obtained an internal IP address and established a remote connection to our cloud VPN endpoint, giving us full access to the internal network.

From there, we quickly escalated our privileges by exploiting weaknesses in the Active Directory environment, moving from unauthenticated access to full domain administrator control. With this level of compromise, deploying ransomware or exfiltrating sensitive data was entirely within reach.

Rogue device deployment

Exposing Deeper Vulnerabilities

To demonstrate the further impact of the risk, we moved deeper into the facility. Our goal was to show how an attacker could layer multiple techniques to reach sensitive information and systems. We found unlocked workstations, unsecured keys, passwords on sticky notes, and open filing cabinets containing employee and client data in HR and finance offices. We also strategically placed malicious USB devices throughout the building to create additional methods of network access.

Our final objective was the on-site data center, considered the corporate crown jewels. Although protected with a strike plate guard, a poor door seal allowed us to quickly deploy an under-the-door tool (UDT) to bypass the lock entirely. Within the data center, we had unrestricted access to the core IT infrastructure. This outcome underscores the real risk: when physical security fails, every layer of digital security is put at risk.

Uncovering the Cracks in the Armor

Physical penetration tests consistently show that security failures are rarely caused by a single issue. Instead, they arise from the overlap of human behavior, procedural gaps, and technical weaknesses. These seemingly small vulnerabilities can compound into organization-wide risks. These weaknesses generally fall into two areas: gaps in employee security awareness and gaps in physical security controls.

Gaps in Employee Security Awareness:

Human Nature

The most common initial access mechanism in physical penetration tests is exploitation of human behavior. People hold doors open, avoid awkward moments, and assume the person behind them belongs there. A smile, a busy hallway, someone carrying boxes or coffee, or a badge on a lanyard that looks “about right” lowers defenses. This is exactly what makes tailgating (following an employee through a secured door without badging in) and piggybacking (slipping in while someone holds the door open) so effective.

Exploiting the human element becomes far more effective when compounded with physical control gaps like slow-closing doors or a lack of propped-open door alarms. Simple tools like a magnetic door-catch (a modified cabinet latch attached to a magnet and fitted with rubber) can help an attacker keep a door propped open enough to reduce the likelihood of raising suspicion when tailgating.

Magnetic door-catch

Authority and Conflict Avoidance

A confident demeanor, a uniform, or even a clipboard can create instant credibility. Most people are hesitant to challenge someone who looks like they belong. Add a quick purpose statement like “facilities sent me to check on the badge reader by HR, something about it having a mind of its own” and most people will not challenge it. Employees do not want to create a scene or be wrong in front of peers. That hesitation can be all an attacker needs to bypass barriers.

Online Exposure Risks

In the age of social media, organizations often share far more than they realize. High-resolution photos of badges, interior spaces, and equipment appear on company websites, LinkedIn profiles, and partner marketing. These images can reveal badge designs, security controls, floor layouts, and even details about vendors with access to the facility. Attackers use this information to craft credible pretexts, clone credentials, and plan routes long before they ever set foot onsite.

Normalizing Risky Habits

Over time, small deviations in security become normalized. A door that doesn’t fully latch, a contractor who looks familiar, or a workstation left unlocked stops drawing attention once it happens often enough. In busy environments, an unfamiliar face blends into the background, and in hybrid workplaces, people assume someone else has already verified visitors. These habits are compounded by everyday oversights: badges left on desks, keys left in cabinet locks, or sensitive papers sitting out in the open. None of these behaviors are malicious, but together they create an environment where an attacker can move freely and gather valuable information without challenge.

Gaps in Physical Security Control:

Door Hardware Weaknesses

Large facilities often struggle with consistent quality control on door hardware. Small issues like improperly seated doors, exposed or unprotected latches, and poor seals may go unnoticed during daily operations but create easy opportunities for bypass. Accessibility requirements, such as ADA-mandated lever handles, can also introduce weaknesses if they aren’t paired with proper protective measures. Together, these gaps allow attackers to slip past what appear to be secure barriers using simple tools.

There are many tools that assist us in exploiting door-hardware weaknesses, none more valuable than the under-door tool (UDT). The UDT is composed of a long piece of wire with a pull string, specifically designed to fit under a door and allow the operator to pull the door handle on the opposite side. Easily concealed in a backpack, this tool has consistently gotten us to our objectives in major office buildings, secure warehouses, bank branches, and even casinos.

Exit Functionality Weakness

Fire and life-safety codes require doors to release quickly in an emergency, usually via request-to-exit (REX) sensors or crash bars. Those systems serve an essential purpose, but when they’re poorly configured or improperly installed they can create exploitable openings. Gaps in seals or strike plates, improperly seated hardware, and incorrectly mounted REX sensors all increase the risk that an attacker can manipulate the door’s functionality without force. Compliance features designed to keep people safe can unintentionally weaken perimeter security if they aren’t paired with appropriate protective measures and monitoring.

REX sensor bypass via can of air

Access Control Badge Weaknesses

Long-range badge capture tools can read and replicate many common employee badges from a distance, meaning an attacker doesn’t always need direct contact to bypass electronic access controls. More often than not, we find client badge systems utilize legacy designs that use static identifiers or weak protocols with little-to-no cryptographic protection, making it trivial to capture and reproduce badge credentials. At Pellera, we maintain purpose-built long-range readers used in our engagements, built by adapting legitimate long-range reader hardware and integrating commercially available capture boards such as Doppelgänger, hardware that’s openly sold to the public via the Practical Physical Exploitation store. In our testing, these readers have captured common badge formats at distances up to roughly two feet while concealed in an ordinary laptop bag or backpack, which is precisely what makes the threat practical and easy for motivated attackers or penetration testers alike. This is not the only method of capturing badges for replay or cloning. Mainstream tools like the Flipper Zero make copying a variety of badge technologies easy, effectively lowering the bar for entry.

Long range badge reader hidden in backpack
Example Doppelgänger badge data capture

Ineffective Security Barriers

Anti-tailgating turnstiles or similar devices are often installed but rarely monitored in practice, offering little resistance to a motivated attacker. Even when these systems are designed to trigger alerts on unintended use, we frequently find they don’t, either due to misconfiguration or weaknesses in the product itself. This reinforces the importance of regularly testing barriers to confirm they actually perform as intended and provide more than a false sense of security.

Weak Access Control Oversight

Unrevoked guest badges, recycled cards, or lingering ex-employee credentials are frequently left accessible, granting intruders easy entry. Additionally, badge activity logs rarely trigger real-time action. We often uncover “impossible” reads such as off-shift access or credentials used in role-mismatched locations that suggest credential duplication, yet these go uninvestigated.
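
One way to turn the “impossible” reads described above into alerts, shown as an added example rather than Pellera’s tooling or anything from the original engagement. The log format, badge IDs, door names, shifts, and the 20-minute travel threshold are constructed assumptions, and the impossible-travel and unknown-credential checks go beyond the two cases named in the text.

```python
from datetime import datetime, timedelta

# Constructed sample data: badge IDs, roles, shifts and door names are hypothetical.
HOLDERS = {
    "10231": {"role": "finance", "shift": (8, 18)},
    "10488": {"role": "it-ops", "shift": (7, 19)},
    "10502": {"role": "warehouse", "shift": (22, 6)},  # overnight shift
}
DOOR_ROLES = {"DATA-CENTER": {"it-ops"}, "HR-RECORDS": {"hr"}}  # restricted doors only
DOOR_SITE = {"LOBBY-A": "HQ", "DATA-CENTER": "HQ", "HR-RECORDS": "HQ", "DOCK-2": "WAREHOUSE"}
MIN_TRAVEL = timedelta(minutes=20)  # assumed minimum travel time between sites
LOG = """\
2025-10-06T08:02:11 10231 LOBBY-A
2025-10-06T08:05:40 10488 DATA-CENTER
2025-10-06T08:09:30 10231 DOCK-2
2025-10-06T13:15:02 10231 DATA-CENTER
2025-10-06T23:10:00 10502 DOCK-2
2025-10-07T02:41:19 10488 LOBBY-A
2025-10-07T03:00:00 99999 LOBBY-A
"""

def in_shift(hour, shift):
    start, end = shift
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end  # shift wraps past midnight

def find_anomalies(log_text):
    findings, last_seen = [], {}
    for line in log_text.strip().splitlines():
        ts_raw, badge, door = line.split()
        ts = datetime.fromisoformat(ts_raw)
        holder = HOLDERS.get(badge)
        if holder is None:  # credential not in the active directory of badges
            findings.append((ts_raw, badge, "unknown-or-revoked-credential"))
            continue
        if not in_shift(ts.hour, holder["shift"]):
            findings.append((ts_raw, badge, "off-shift"))
        allowed = DOOR_ROLES.get(door)
        if allowed is not None and holder["role"] not in allowed:
            findings.append((ts_raw, badge, "role-mismatch"))
        prev = last_seen.get(badge)  # same credential at two sites too quickly: likely clone
        if prev and DOOR_SITE.get(prev[1]) != DOOR_SITE.get(door) and ts - prev[0] < MIN_TRAVEL:
            findings.append((ts_raw, badge, "impossible-travel"))
        last_seen[badge] = (ts, door)
    return findings
```

Feeding findings like these into a queue that someone reviews in near real time is what closes the gap; the rules themselves matter less than the fact that a hit triggers an investigation.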

The vulnerabilities described here are not an all-inclusive list. They represent just a few of the recurring weaknesses we encounter most often across various industries and environments when performing physical security assessments. Each organization is unique, and new gaps appear based on facility design, business operations, and how employees interact with controls day to day. The value of these examples isn’t in checking off boxes, but in recognizing patterns, whether it’s a door that doesn’t close properly, a badge system running on outdated technology, or employees normalizing risky behavior. These patterns are exactly what make physical testing so critical.

Recommendations: Build a Multi-Layered Defense

Closing gaps in physical security requires a proactive partnership between your people, process, and technology. The goal isn’t to eliminate every risk. Rather, it is to build a culture of security so robust that attackers move on to easier targets. The good news is that most common weaknesses can be addressed with straightforward improvements and a culture of continuous improvement.

  • Strengthen Security Awareness: Train your team to recognize and challenge suspicious behaviors like tailgating. Foster a culture where employees feel comfortable questioning unfamiliar faces or contractors without worrying about being rude. Awareness also extends to daily habits, like locking cabinets and securing workstations, and avoiding posting photos of badges and sensitive office areas online. Creating a culture where employees see themselves as part of the security perimeter is one of the most effective defenses any organization can build.
  • Upgrade Your Badge Technology: Replace low-frequency proximity cards or legacy iCLASS credentials with modern, encrypted platforms such as HID SEOS with Elite Keys or iCLASS SE that implement AES-based cryptography. These platforms provide mutual authentication between card and reader, making them resistant to cloning and adversary-in-the-middle (AITM) attacks that plague older systems. Additionally, clean up credential management to include proper logging, revoke unused badges, and ensure guest or contractor cards are properly secured.
  • Audit Your Physical Security Mechanisms: Don’t assume your physical barriers are working as designed. Regularly review and test door seals, latch plates, closing mechanisms, REX sensors, crash bars, and turnstiles. The only way to know if they’ll hold against an attacker is to test them under real-world conditions, including during a physical penetration test.
  • Harden Your IT Security Defenses: Since physical access often leads to network access, it’s vital to have strong internal defenses. Controls like Network Access Control (NAC), endpoint hardening, and proper workstation lock policies help limit the damage when an attacker does get inside. Pair those with continuous security assessments, including penetration testing of Active Directory and internal systems, to ensure weaknesses are caught before they’re exploited.

Test, Learn, Strengthen, Repeat

Physical security should not be an afterthought. It is the foundation upon which your entire security posture is built. A cloned badge, a bypassed door, or an employee’s moment of trust can be all it takes to undermine every control you have in place.

Physical penetration testing provides the clarity you need to see your vulnerabilities before a real adversary does. Security isn’t a one-time exercise; it is a continuous journey of improvement. Regular testing helps identify new weaknesses, confirm whether remediation of identified issues is sufficient, and reinforce awareness over time. The cycle is simple: Test, Learn, Strengthen, Repeat.

By partnering with Pellera, you can build momentum toward a stronger, more resilient organization. If you’re ready to elevate your approach to physical security, let’s have a conversation.
