It has been a long time saying among the hacker and security community that, “If you allow someone physical access to your computer, you do not own it anymore.” The sheer amount of opportunities physical access allows is monstrous, everything from plugging in malicious USB devices like Rubber Ducks to key loggers to just taking the hard drives outright and walking away.
Most businesses are used to this fact, they more commonly keep their servers in a closet, even if a few of them cannot be swayed into locking the door, or making the room serve double duty as a print room. Baby steps. But aside from the usual fuss I make about physically securing things, Today I want to talk about building construction.
No I don’t mean freshening up the office with a new coat of paint, I mean drywall. Most who have never had the opportunity to do work on their own buildings have no idea how flimsy modern walls actually are. Typical American construction for a commercial buildings consist of the outer structure being some form of block construction, steel, or combination of the two but beyond that a lot of walls are just dividers. There is a stud made of aluminum, this is just thin sheet metal channel every 16 inches, and a big sheet of drywall, which is easy to drill through, cut with a pocket knife, or saw at with hand tools. These offices, dividing walls, and rooms can be assembled at a rapid pace, which is convenient, but not terribly secure.
Back in my IT days, we had one or two instances where offices were broken into by someone just ripping the wall apart. Why go through a solid wood door and a dead bolt, when the wall can be ripped open with a claw hammer? Other creative approaches involved going through the drop ceiling. Drop ceiling, those square tiles that may be above your desk right now, is just a lightweight fiber board on an aluminum grid, easily lifted by anyone standing on a ladder. Given most walls in office buildings are little more than privacy dividers, often they only extend about 6 inches above this drop ceiling. If you pop the tile and peek up above, you find a massive chasm where all manner of building infrastructure can be observed, from one end to another, most of the time completely unimpeded.
So, aside from the burglary risk that you may be uncomfortably considering now, why do I bring this up? Well, if you open up a wall, or a ceiling, you are going to find network cable. Lots of it. Every desk with a computer gets one, or more likely, several, of these cables back to the network switch. Odds are you have a few spares here and there, just in case needs change, someone changes desks, or if there is a spare desk.
If we are to consider an enterprising individual who is intent on gaining access, this presents an amazing opportunity. There is no need to go through Internet firewalls, know passwords, or take unnecessary risk if you can skip those steps and get attached to the internal network. Drill the wall, clean up the cut some, and snag one of the cables, and you are in. All that is required after that is punching a jack onto the new cable end, and installing a wall plate if you want to maintain access without arousing suspicion. Given how frequently some of these cables go unused, there is a great chance no one would notice, if the attacker is careful enough to grab one that isn’t being used.
It sounds like a ton of work, and maybe some are willing to believe no-one would go to these lengths, but it isn’t new, nor even rare.
This isn’t the only method, or attack vector someone could use to get into your cables, network, or attain physical access. There isn’t a fix-all for this, except for getting evaluated by an experienced security engineer, and knowing all the risks. Some helpful things to include could be a mac-filtering strategy such as cisco’s port-security method, or making sure all your cables are run in metal conduit within the walls. Your internal network shouldn’t be considered completely and totally safe, either. If you have a file share, for example, it is prudent to limit permissions to users only. Simple enough for every day users, who have everything cached in their machines, but frustrating to a would-be cyber-criminal.
Fully and completely guarding yourself against physical-access attacks like this requires some creative thinking, and experienced advice from your technical staff/IT company.