TLP: Tactical Lock Picking. A case study of a few security issues from the field. It’s not rocket surgery but I gotta tell ya, sometimes completely smashing open the illusion of security really makes me feel like a James Bond or a Jason Bourne for a few minutes, a break from being a regular guy 😉
I really like this case study because it covers a few different principles that I teach in my Urban Survival Course *** [finish course page and link to it]. So… no shit there I am…(that’s how you know it’s good) and the first obstacle I encounter, also the first principle in action, is a Traffic Control Device, aka a four-digit code keypad outside a secure hospital. While staying LEGAL, I am completely authorized to enter the facility at my leisure but I have not been given the code for the keypad outside the secure entrence, I bring bad guys there quite a bit in handcuffs. SOOOOooooo I take a look at the key pad: pictured below.
Some guidelines for four digit codes (aka Traffic control devices). I like to break down into 3 different groups or types of codes.
- “CAC” Common Access Codes: 1234, 2468, 2580 (picture it), 9876, etc.
- “SE” Socially Engineer-able Codes: Last four of address, phone number, social, birthday etc.
- “TFR” Totally Fucking Random.
So if you are attempting to GUESS a code, you might use one of the first two options to start your attack, because if they chose a Totally Fucking Random – Code (which just about NOBODY does) than it ain’t gonna help.
BUUUUUUUUUUUT there was no need to guess a code at this particular facility because we used our sweet ass detective skills, and we detected stuff. Sometimes you’re not able to guess the number of digits a code is, although yes usually it’s four. This one had three number pads that were worn out…plus a star, worn. Using a rule of thum (that most codes are 4) I felt a little not at ease, thinking maybe it is three numbers with one of them repeating. But on a hunch, knowing that there was also a Star* key worn out, I thought maybe before I start guessing a four digit code with a repeating number in it somewhere, let’s just try three of the numbers first, then the star. But where to start.
On a whim, let’s start from the top down. 367*
No need to try any further. The electric click and hum of the secure double doors went into action. Niiiiiiiice…
2-Step Rule / Same Building Same Key Rule
So no shit, I’m inside and all is well. And I find myself sitting in a chair outside someone’s ER room fucking babysitting them, and bored as hell. So I look to my left, I’m sitting at the end of a hallway outside the last room in the hall, and to my left is a door at the end of the hallway that the staff occasionally keeps walking past me, taking special key cards out and touching them to a special high tech keypad which beeps allowing them entrance. I think “Shit… How can I legally get my hands on one of those key cards…” But…. in line with the usual illusion of security… I notice that attached to the card reader is another key pad. Below:
I realize that there are no worn numbers on the key pad, probably because nobody punches the keys, they use their touch-cards to enter. And then another principle that I have kept in my back pocket for Tactical Lock Picking creeps up and slaps me in the head. “The key pad must be used for SOMETHING, you idiot” I say to myself. Principle: Same building Same Code. I lean over and punch in 367* … beep…click. Jackpot. *Many places, whether the medium is a key pad or a key or a push button code or a padlock, use the same “key” on the outside of the building as they do on certain doors further inside the building.
But I like a challenge. What if that code didn’t work. Now I’m back to acquiring a key card or another option. And yet ANOTHER principle creeps up and whispers in my ear. “Hey dummy, 2-Step Rule “. So I stand up and I look around. I’m within arms reach of the keypad still. And what do I see? Take a look with me:
You got a good look? Yeah, I got an OK-ish look also. So I leaned in. You may find this hard to believe (not) but low and behold…
Motherfuckers. HAhahahahaha. Not only is the code written down within arms reach of the door, but they marked it with a pin, as in “Oh if you forget, new guy, it’s on the cork board, up by the pin”. LMFAO. But listen (serious voice now) At least they put it up high on the top of the cork board where people (less serious voice) people can’t….cant reach?????? Bawhahahahaha! #security.
Factory Info Rule / Over Time Rule
I don’t know the best thing to name this rule, or principle, or guideline but we’re gonna run with what we brung with. Alas, because people are lazy, and because some types of locks are a pain in the ass to install and a pain in the ass to manage and change codes, people lazily leave the factory reset code the same, which is often available online with a simple google search. Look up the manufacturer, usually printed on the lock. On their website look up the model you want, by the print on the lock or if unavaliable do so by browsing the site for images that look similar. Open up the instruction and install manual and scan through it until you see the “Setting an initial code” section in the manual.
This may not surprise you but locks are mass produced. Soooo similar locks are used in many different places. This is a HUGE reason to take notes and photos of your entries and become familiar with the types of locks that you see on a regular basis.
So no shit there I am (Don’t get offended, this site is called “Uncensored”. We use big boy language here frequently) Standing by the nurses station. Behind them is a room with one of these little guys guarding the door:
I decide to chat with the nurses. It went something like this “Oh my gosh, aren’t those locks the worst? Such a hassle to punch those codes in every time… We use those at my department all the time and I hate them! ::smile, giggle::” and we go back and forth a bit “Oh yeah, and between ::soft voice:: you and me… we haven’t changed the code in at least 3 years. We just use 5-4-3-2. Crazy right??”
Here’s the kicker. After smiling, and building a quick rapport, and giving her the first half of a tit-for-tat approach taught in Social Engineering*[review book add link] I smile sweetly and genuinely and I stand quietly and make strong eye contact.
People will do almost anything to turn an awkward moment into a normal moment again, ON TOP OF already having been told one of MY “secrets” about my door lock combo.
A very standard physiological response occurs with the nurse.
- She want’s to break eye contact and doesn’t know what to say.
- She looks away, it’s quite, she looks back at me. I’m smiling. She Blushes.
- She looks down quickly thinking “I know I’m not supposed to”
- She doesn’t want to look silly, and doesn’t want to offend me.
- She breathes in, then lets it out, he shoulders drop, she quickly puts on a look of everything returning to normal, smiles, leans in towards me and says…
“Yeah! ::quietly:: We’ve been using 1-3-2-4 for YEARS now?” and we both smile and laugh.
“Security… am I right??? Hahahahaha”
One building, one visit.
Three obstacles: Outside Keypad, Inside Lounge Code, Push button nurse station lock.
Three Entries earned.
I like to live my life and operate and teach and train based on principles (for lack of a better word). Knowing what those principles are helps immensely with cataloguing situations and learning from them. And it’s easier for an idea as a “known-principle” to stand on your shoulder and whisper in your ear a short reminder as opposed to “just some thing that you learned once”
Have fun, be safe, be smart, be LEGAL, and kick ass.