Physical
Definitions
Clandestine: Forensically undetectable (e.g. using a keyed alike key)
Covert: Stealthy but forensically detectable (e.g. traditional lockpicking)
Overt: Signs of entry are immediately obvious, frequently destructive (e.g. cutting a padlock)
Strong Side: Opposite of the hinge side of a door, it opens away from this side
Weak Side: Hinge side of a door, it opens towards this side
Bypasses
I LOVE BYPASSES I LOVE BYPASSES
Door Handles
Under the Door Tool (UDT)
Tool to fish a line under a door and operate a lever handle (as required by ADA, some analysis with questionable advice) from the other side. Upgrade with an expandable key clip! You can also defeat crash bars with this upgrade. This attack is clandestine, perhaps unless a wedge or crowbar is used to lift the door up to aid access and the door or threshold is damaged as a result.
There are a few remediation options; the first is handle selection. Handles without hooks or bends at the end prevent the UDT from turning them all the way. A great option is switching to a rabbeted threshold to prevent anyone from being able to insert anything under the door!
As a mitigation option, you can install a handle shroud like this. It doesn't work in all cases; see the upgrade video above for a way to defeat it.
Double Door Tool (DDT)
Very simple tool, just insert in the gap between the door, rotate, and pull on the crash bar (required by code) to open. I don't know if anyone other than Sparrow sells them.
Remediation is to remove the gap between doors, which is easier said than done. There may be a way to retrofit a mullion. Another option is to check whether the crash bar is in fact required by code and remove it if possible.
Hinges
Weak side attack, knock out the door pins and remove the door. Hammerless tools like these are extremely useful, as is a wheel bar like this for moving the door.
This can be mitigated by installing security door pins, but an attacker can always just remove them.
The remediation is to install security screws like these so that even if the door pins are removed, the door can't be trivially removed from the frame.
Latches
Latches are very frequently vulnerable. The biggest security feature is an auxiliary latch, which when depressed prevents the locking latch from opening until the handle is turned.
Remediation is pretty much always to make sure the latching system is functional and the strikeplate is properly installed such that the auxiliary latch is depressed when the door is closed. To this end, an auxiliary latch that is separate from the locking latch is preferred.
There are a few mitigations: tightening up the tolerances of the door helps make attacks harder, and a plate can be installed on either side of the door to make access to the latch harder (attached to the frame for the strong side and the door for the weak side).
Loiding (Carding)
Covert or clandestine attack (latch or frame may be scratched with some tools) from the strong side of the door, just stick an object in there and actuate the latch. From the strong side this is traditionally done with thin plastic sheets like these. There are tons of other tools like shove knives/jims, and field expedient tools like piano (or perhaps better yet, guitar) wire. @redteamwynns has an awesome tactic here of using cutting mats with a notch cut into them.
Traveler Hook
Covert attack, I think. Technically not loiding and I love these things.
Locks
J-tool
Another very simple tool, this one is inserted into the gap between two doors and rotates a thumb lock.
Remediation is similar to the DDT, if possible retrofit a mullion to prevent access to the lock.
Entry Systems
Request to Exit Sensors (REX or RtE)
REX sensors are devices typically placed above an exit door that unlock it when someone from the inside approaches, which is usually done by detecting large temperature differences. They are required by code in most cases. Defeating them is straightforward, by spraying a cryogenic liquid (classically canned air, but other options exist and have their advantages such as med spray or r134) through a gap in the door and its frame. This attack is clandestine, as the liquid will evaporate rapidly thereby removing any trace of the attack.
One mitigation is to implement a sequential authorization system, placing a second sensor farther away from the door and requiring a previous activation of that device before allowing the sensor by the door to activate. Sites may or may not be conducive to this installation, as there needs to be a reasonable distance between the sensors to prevent them both from being activated by an attacker at the door.
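The sequential authorization logic described above, sketched as controller code. This is an added example, not taken from any vendor's product: the sensor names `far` and `door`, the 8-second arming window, and the event format are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed tuning value: how long a far-sensor activation arms the door sensor.
ARM_WINDOW_S = 8.0

@dataclass
class SequentialRex:
    """Unlock only if the far (interior) sensor fired shortly before the door sensor."""
    arm_window_s: float = ARM_WINDOW_S
    far_seen_at: Optional[float] = None
    alerts: List[Tuple[float, str]] = field(default_factory=list)

    def on_event(self, ts: float, sensor: str) -> bool:
        """Process one sensor activation; return True if the door should unlock."""
        if sensor == "far":
            self.far_seen_at = ts      # arm the door sensor, never unlock directly
            return False
        if sensor != "door":
            raise ValueError(f"unknown sensor: {sensor!r}")
        armed = (self.far_seen_at is not None
                 and 0 <= ts - self.far_seen_at <= self.arm_window_s)
        if not armed:
            # Door sensor fired with no recent interior approach: refuse and log it.
            self.alerts.append((ts, "door sensor without prior far-sensor activation"))
        return armed

def replay(events, arm_window_s: float = ARM_WINDOW_S):
    """Feed (timestamp, sensor) events through a fresh controller."""
    ctl = SequentialRex(arm_window_s=arm_window_s)
    decisions = [ctl.on_event(ts, sensor) for ts, sensor in events]
    return decisions, ctl.alerts

# Constructed sample events: (timestamp in seconds, sensor name).
SAMPLE = [
    (0.0, "far"), (3.0, "door"),    # normal exit: far, then door inside the window
    (20.0, "door"),                 # door sensor alone: refused, alert recorded
    (30.0, "far"), (45.0, "door"),  # far activation too old: refused, alert recorded
    (50.0, "far"), (52.0, "door"),  # normal exit again
]

if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE)
    for (ts, sensor), unlock in zip(SAMPLE, decisions):
        print(f"{ts:6.1f}s  {sensor:5s} unlock={unlock}")
    for alert in alerts:
        print("ALERT", alert)
```

Refused door-sensor activations are worth forwarding to the alarm system, since a legitimate occupant should always trip the far sensor first.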
Another option available for some sensors is to tune the detection area and sensitivity to both prevent nuisance unlocks and make exploitation harder.
Alarms
Magnetically disabling Reed sensors
Covert attack, as long as you don't leave the magnet, residue, or scratch the frame with your super magnet. Most sensors seem to be Reed sensors, which are normally open and are closed with a magnet. Taping a magnet onto the sensor disables it. Using a search pole like this or magnetic viewing film, you can identify the sensor location from the other side of a door and disable it with a strong magnet such as this.
The only remediation is to switch to a bipolar sensor, which isn't realistic in many cases. Mitigations are defense in depth (make sure people can't just tape a magnet onto the sensor when they're authorized to be there), and moving the magnet part of the sensor system as far away as possible to keep attackers from being able to open the door (or window) a little before the sensor triggers. I also have a very mean idea to place decoy magnets on the sensor side of the door to force attackers to guess a location to try to disable with a magnet before opening the door (and setting off the alarm if they're wrong). It would require moving the sensor for a retrofit though.
Motion detectors
Most motion detectors are powered by the same technology as the Request to Exit sensors described above, detecting large changes in temperature in the observed region. To defeat them, one can use a space blanket (also called a survival blanket) to hide their thermal signature, then cover the sensor with the blanket to neutralize it.
Keyed Alike Systems
This 7-pin tubular lock is required by ASME standards (reference 2.27.8) for use by firefighters and emergency personnel; its bitting code is 6143521 per the Fort Lock standard. Because of confusion around that standard, sometimes it will be coded in the opposite direction; these keys will be sold as reverse FEO-K1 or as FEO-K2. If purchased from a low quality supplier, bitting depths may be incorrect, again due to confusion around the Chicago Ace and Fort Lock standards. Some localities (such as Phoenix, AZ) have caught on to how widespread knowledge of this key is and have mandated a different key that is hopefully better secured.
Garage Doors
Covert or clandestine attack (weather stripping may be damaged). Using a ripcord or field expedient tool, fish the pull cord through the weather stripping on the top of the door, pull to unlock and lift the door up.
Remediation: Put a pool noodle around the pull cord (TODO find source for this), although this might not be 100% effective.
Mitigation: Install a deadbolt like this one as a lockout when the door isn't in use. (Probably best to turn the door off when the deadbolt is locked).
References
"Physical Security Bypasses" - redteamwynns THOTCON 0xc
Vulnerability Assessment of Physical Protection Systems - Garcia
The Design and Evaluation of Physical Protection Systems - Garcia