
From Pwn to Plan: Turning Physical Exploits into Upgrades

DEFCONConference · 3,496 views · 55:43 · 6 months ago

This talk demonstrates various physical security exploitation techniques, including under-door tools, canned air for PIR sensor bypass, and ESPKey for PACS interception. It emphasizes the importance of red teams not only identifying vulnerabilities but also providing actionable, cost-effective remediation strategies to improve organizational security posture. The presentation highlights the need for physical security teams to conduct regular door audits and implement hardware-based mitigations like door shrouds and tamper switches. The speaker advocates for a collaborative 'purple team' approach to ensure findings lead to tangible security improvements.

Beyond the Badge: Why Physical Red Teaming Needs a Reality Check

TLDR: Physical red teaming often devolves into a theater of "pwnage" that fails to drive actual security improvements. By shifting focus from simple bypasses to actionable, risk-based findings, researchers can bridge the gap between finding a vulnerability and getting it fixed. This post breaks down common physical attack vectors like under-door tools and badge cloning, and explains how to turn these findings into meaningful organizational upgrades.

Physical security assessments are frequently treated as a checkbox exercise. A consultant walks in, uses an under-door tool to bypass a latch, and leaves a report that gets buried in a folder. This approach is a failure of the red team mission. If the goal is to improve security, finding the hole is only the first step. The real work is convincing stakeholders that the hole matters and providing a path to remediation that doesn't break the bank or the business process.

The Mechanics of Physical Bypass

Most physical security failures stem from a fundamental misunderstanding of how door hardware interacts with access control systems. When we look at common bypass tools like the latch-jim or the shove-it, we are exploiting the mechanical limitations of poorly installed or misaligned door hardware.

The under-door tool is a classic for a reason. It slides through the gap between the door and the floor, and a cord or hook is worked up to the interior lever and pulled down, exactly as someone leaving the room would. Any door with a lever-style handle on the inside is a candidate unless the gap is closed (a sweep or raised threshold), the lever is covered by a shroud, or the interior release needs a motion the tool cannot reproduce, such as a round knob or a push-button release. A deadlatch on the strike does not help here: the tool operates the lever, not the latch bolt.

Another frequent target is the passive infrared (PIR) sensor used for request-to-exit (REX), mounted above the inside of the door. It watches for a change in infrared energy across its field of view, the signature of a warm body approaching, and tells the controller to release the lock and shunt the door-forced alarm. A can of compressed air held upside down sprays liquid propellant that flashes into a cold cloud; directed through a gap in the door or frame into the sensor's view, that sudden temperature change against the room background looks like motion, and the door unlocks. It is a trivial bypass, yet it remains common in office buildings and data centers worldwide.

Technical Depth: PACS Interception

Physical Access Control Systems (PACS) often rely on legacy communication protocols that are inherently insecure. ESPKey and similar hardware implants target the Wiegand interface between the reader and the controller. Wiegand carries the credential as plain bits on two wires (DATA0 and DATA1), with no encryption, no authentication of the reader and no replay protection: when a badge is presented, the reader simply pulses the card's bits out to the controller.

If you can reach the wiring between the reader and the controller, typically by taking the reader off the wall, you can splice into those lines. An implant like an ESPKey sits inline, records every Wiegand transmission, and serves the captured credentials over Wi-Fi; implants of this kind can also replay a stored credential onto the lines on command. The technical flow is straightforward:

1. Remove the reader and splice the implant onto the reader's data lines.
2. Reinstall the reader; it keeps working normally, so users notice nothing.
3. Every credential presented to the reader is logged by the implant and exfiltrated to its web interface or a mobile app.
4. Replay a logged credential to the controller, or encode it onto a blank card.

No software exploit is required; the only precondition is a few minutes of hands-on access to the wiring.

With the captured bits in hand you have two options. Replay them onto the reader-to-controller lines through the implant itself, which works regardless of the card technology because the controller only ever sees Wiegand bits. Or write them to a blank card with a Proxmark3; that is straightforward for 125 kHz prox formats, where the card carries little more than the Wiegand payload, but not for key-diversified high-frequency credentials, whose on-card secrets never appear on the wire (unless the reader also accepts a cheaper format you can write the same payload to). Either way, access control is broken at the physical layer: the reader-to-controller link offers no confidentiality, authentication or replay protection, so whoever holds the wire holds the door.
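To make concrete what a tap on that wire actually yields, here is an added example (not code from the talk or from the ESPKey project) that decodes and re-encodes the common 26-bit Wiegand format (H10301: even parity bit, 8-bit facility code, 16-bit card number, odd parity bit). It also models the wire itself, where a pulse on DATA0 is a 0 bit and a pulse on DATA1 is a 1 bit, and parses a small tap log whose line format is constructed for this example; real implants use their own formats.

```python
"""Decode and re-encode 26-bit Wiegand (H10301) frames.

Added example, not code from the talk or from any implant project. It shows
what an inline tap on the reader-to-controller wiring actually sees: the
reader pulses one line (DATA0) for a 0 bit and the other (DATA1) for a 1 bit,
and the resulting bit string decodes with no key into a facility code and
card number, then encodes straight back into a frame the controller accepts.
The tap log below is constructed for this example.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Credential:
    facility_code: int   # 8 bits
    card_number: int     # 16 bits


def _even_parity(bits: str) -> str:
    return "1" if bits.count("1") % 2 else "0"


def _odd_parity(bits: str) -> str:
    return "0" if bits.count("1") % 2 else "1"


def pulses_to_frame(pulses: list[str]) -> str:
    """Rebuild the bit string from the order in which DATA0/DATA1 pulsed."""
    return "".join("0" if p == "D0" else "1" for p in pulses)


def frame_to_pulses(frame: str) -> list[str]:
    """The line pulses a replay would have to drive, in order."""
    return ["D0" if b == "0" else "D1" for b in frame]


def decode_26bit(frame: str) -> Credential:
    """Parse a 26-bit frame: even parity, 8-bit FC, 16-bit CN, odd parity."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    lead, body, trail = frame[0], frame[1:25], frame[25]
    if lead != _even_parity(body[:12]):
        raise ValueError("leading even-parity check failed")
    if trail != _odd_parity(body[12:]):
        raise ValueError("trailing odd-parity check failed")
    return Credential(int(body[:8], 2), int(body[8:], 2))


def encode_26bit(cred: Credential) -> str:
    """Build the frame for a credential, recomputing both parity bits."""
    if not (0 <= cred.facility_code < 256 and 0 <= cred.card_number < 65536):
        raise ValueError("facility code is 8 bits, card number 16 bits")
    body = f"{cred.facility_code:08b}{cred.card_number:016b}"
    return _even_parity(body[:12]) + body + _odd_parity(body[12:])


# Constructed tap log (hypothetical format): timestamp, bit count, raw bits.
# The second line is the first frame with its last bit flipped, i.e. noise.
TAP_LOG = """\
2025-08-09T08:41:12 bits=26 data=10000000100000100110100100
2025-08-09T08:41:40 bits=26 data=10000000100000100110100101
2025-08-09T08:43:03 bits=26 data=00000010110011100010000000
"""
_LINE = re.compile(r"^(\S+) bits=(\d+) data=([01]+)$")


def parse_tap_log(text: str) -> list[tuple[str, object]]:
    """Return (timestamp, Credential) per line, or (timestamp, error message)
    for frames that fail parity, which on a real tap usually means line noise
    or a card format other than 26-bit."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts, _, frame = m.groups()
        try:
            out.append((ts, decode_26bit(frame)))
        except ValueError as e:
            out.append((ts, str(e)))
    return out


if __name__ == "__main__":
    for ts, result in parse_tap_log(TAP_LOG):
        print(ts, result)
    replay = encode_26bit(Credential(facility_code=1, card_number=1234))
    print(replay, frame_to_pulses(replay)[:4])
```

The point the code makes is that there is nothing to break: the decode step has no key, the encode step is the decode step run backwards, and the only thing a replay needs is the sequence of DATA0/DATA1 pulses. A parity failure is worth reporting rather than discarding, since on a real tap it usually means a longer card format (35-bit Corporate 1000, 37-bit, and so on) that needs a different decoder, not a defence.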

Real-World Applicability and Risk

During an engagement, the goal should be to demonstrate impact, not just access, within whatever the rules of engagement allow. If you can clone a badge, don't stop at the first door. Map out the facility. Identify where the high-value assets are. Use the access for in-person social engineering. If you can walk into a server room unescorted, you are one network implant, console cable or USB device away from the network, and that is the finding.

The impact of these vulnerabilities is often underestimated by management. They see a door as a door. You need to show them that the door is a network entry point. When you report these findings, use the language of the business. Don't just say "I bypassed the door." Say "I gained unauthorized access to the server room, which allows for the physical installation of network implants, bypassing all logical perimeter defenses."

The Defensive Angle

Defenders need to move away from legacy reader wiring. If your readers still talk Wiegand, you are already behind. OSDP (Open Supervised Device Protocol) runs over RS-485 and, with Secure Channel enabled, encrypts and authenticates the reader-to-controller traffic with AES-128, so an inline tap sees only ciphertext and cannot replay it. Two caveats: OSDP without Secure Channel is as readable as Wiegand, and Secure Channel is only as good as its key, so take readers out of installation mode and off the published default key (SCBK-D) once they are paired. OSDP is also supervised, so a reader that drops offline while someone is splicing into it raises an alert, and a reader tamper switch catches the moment it leaves the wall.

For door hardware, the fix is usually mechanical and cheap. Fit door shrouds or sweeps to close the gap an under-door tool needs, correct misaligned doors so the latch fully engages, and install latch guards over the strike so a shim cannot reach the latch. For REX sensors, where the egress hardware allows it, stop letting the sensor release the lock at all: a crash bar or interior lever already lets people out, so the REX only needs to shunt the door-forced alarm. Where the sensor must unlock the door (a maglock, for example), aim it so its field of view cannot be reached from outside through any gap, reduce its sensitivity to environmental changes, or, better yet, use a dual-technology sensor that requires a second confirmation such as microwave motion alongside the PIR.

Moving Forward

Red teaming is not about being the smartest person in the room. It is about being the most effective. If your findings don't lead to a change in the organization's security posture, you haven't done your job. The next time you are in the field, look for the low-hanging fruit that actually matters. Find the doors that are consistently left propped open, the badge readers that are easily accessible, and the hardware that is end-of-life.

Don't just report the vulnerability. Report the solution. If you can show a facility manager how a $25 door shroud prevents a $10,000 theft, you have won. That is how you turn a simple exploit into a lasting upgrade. Keep testing, keep finding, and most importantly, keep helping the organization get better.

Talk Type: talk
Difficulty: intermediate
Category: red team
Tags: Has Demo, Has Code, Tool Released


DC33 Physical Security Village

8 talks · 2025