While connection vulnerabilities provide armchair hackers an easy inroad, physically infiltrating a facility to facilitate data theft or destruction is still “crazy easy” for a skilled adversary, according to Chris Nickerson, founder of information security firm Lares Consulting.
Access control, badge systems, and other intrusion prevention and detection systems rarely stop his team from getting where they want in a facility and doing what they would need to do to compromise its network.
Roger Johnston, PhD, founder and CEO of Right Brain Sekurity, holds a similar view of device vulnerability. As the former head of the vulnerability assessment team at Argonne National Laboratory, he has conducted vulnerability assessments on more than a thousand physical security and nuclear safeguard devices, systems, and programs. It’s his opinion that all security technologies and devices can be defeated—usually “fairly easily.”
In addition to not undergoing a rigorous vulnerability assessment by the manufacturer, there is a problem with chain of custody, which fails to get much attention, according to Johnston. “The typical security manufacturer isn’t likely to have good insider threat security,” so product tampering at the source is a risk. In November 2017, for example, it was discovered that preinstalled software in some Android phones was sending data to China, including information on where users went, whom they talked to, and text message content.
“Then [the security device] will sit on loading docks, and then sit again, sometimes for months, somewhere at the end user, and only then is it installed,” said Johnston. “But no one knows what the interior is supposed to look like, and manufacturers don’t supply pictures, so it’s impossible to tell signs of tampering.” A skilled adversary needs only a few minutes of access to plant a man-in-the-middle (MiM) device or compromise the unit in some other way, he noted.
Additionally, security product design often facilitates tampering by using housing that is thicker than necessary in order to make servicing devices easier. “So there is all kinds of physical room inside it for someone to put in a device to capture data and conduct MiM attacks. And end users don’t usually go around and check for alien material inside their security devices, so you have successful attacks,” said Johnston.
When physical devices fail, other security investments are often rendered moot. For example, organizations are putting a lot of faith in encryption and authentication technologies. But companies often remain vulnerable because encryption can’t correct the underlying physical vulnerabilities.
“Data encryption and authentication provides reliable security if and only if the sender and the receiver are physically secure, the insider threat has been mitigated, and there’s a secure cradle-to-grave chain of custody on the hardware and software; usually none of these is true,” Johnston explained.
True security requires a secure chain of custody right from the factory, effective tamper detection built into devices, and manufacturers conducting independent and imaginative vulnerability assessments. But all three are almost universally lacking for most security devices, Johnston warns.
Vulnerabilities of some kind extend to all popular security technologies—prox cards, biometrics, even emerging retail favorites like RFID, says Johnston. RFID attacks can be performed at each stage: during communication, at the tag level, and on the tag reader. “It’s easy to shield from an RFID device. You can block, jam, or counterfeit an RFID signature. People are sometimes regarding RFID as a higher-security approach, but it’s just a bar code and maybe worse because it’s not hard to spoof RFID from across the room or from the parking lot,” he said.
The vulnerability of RFID relates to what Johnston thinks is the most common mistake in retail—confusing inventory systems with retail security equipment. “It’s thinking that, because they know where parts and pallets are and can keep track of things, that it can act as a security system,” said Johnston. “You can have both security and inventory with the same system, but you need to analyze it as an inventory system and then separately analyze it as a security system. Too often, retailers will just look at it as an inventory system but also use it for security. Or else retailers buy it for inventory, and there is a case of mission creep, and they start to use it for security.”
Compounding the problem is that inventory folks often have the money to buy all the hardware, with security being an afterthought. “But you need to build the security piece in from scratch,” said Johnston. “You can’t Band-Aid security onto an inventory system.”
More broadly, he says that loss prevention executives need to be careful not to assign security technology powers it doesn’t possess and must recognize that security devices themselves are often not secure, which makes them vulnerable to spoofing.
Accept Defeat—And Win—Against Physical Security Threats and Vulnerabilities
Although device security is a technology problem, both Johnston and Nickerson suggested the need to address it culturally. Their domains are different—Johnston’s is vulnerability assessments, and Nickerson’s is penetration exercises—but both strategies require a retailer to be OK with learning about their weaknesses. That can be a struggle.
“Even if you can’t redesign a product, if you understand its vulnerabilities, you can at least enact some simple countermeasures, and you don’t have to spend a ton of money,” said Johnston, who recommends that organizations perform their own frequent, imaginative, independent vulnerability assessments to find security weaknesses.
He suggested picking individuals from outside the LP department who seem psychologically predisposed to finding problems and suggesting solutions. “Pick people from the mailroom or the graphic arts department, the smart, creative types who are always finding loopholes.” These are just the kind of people who in a vulnerability assessment (VA) can provide fresh insight into how creative adversaries might defeat your security systems, said Johnston.
“The problem at a lot of organizations is that they’re afraid to encourage employees to think about these kinds of things, and they’re also afraid of what they’ll find,” Johnston added. It doesn’t help that in physical security, unlike cyber security, making changes is sometimes viewed as admitting to past negligence. “Some organizations will even halt a VA once they find vulnerabilities because really what they wanted was to rubber stamp their program and to say they looked at it,” he said.
Johnston said retailers should strive to develop a culture where uncovering vulnerabilities is seen as positive—and to be willing to accept that a legitimate vulnerability assessment will always find attack possibilities. “And you don’t have to find every vulnerability for it to be worthwhile,” he added. “At least you can go after the low-hanging fruit, and say that this attack and this attack are the most likely, so you can make some valuable, practical changes.”
Nickerson sees a similar mindset holding organizations back from undertaking much-needed physical penetration testing; many don’t want to see the expensive technology they bought easily compromised. But it’s a shortsighted attitude that practitioners and their organizations need to rid themselves of, Nickerson suggested. Don’t think of a red team’s success as security’s failure. Instead, see it as new information to help adjust and improve security. “The more we think from an adversarial perspective, the more we can know if we’re getting what we want out of our systems,” he advised in his conference presentation “Breaking Physical Access.”
Looking at your security devices from the perspective of attackers will always point out flaws, but knowing whether it’s worth addressing them requires a detailed risk assessment, something else Johnston thinks that LP practitioners could do better. “There aren’t good or bad security devices. It depends on what you need. However, ‘we don’t want stuff stolen’ is sometimes the extent of the risk assessment,” said Johnston. “But when you’re looking for the best car, it depends on what you want the car to do. Is it to win the Indianapolis 500? Is it to impress the neighbors?” So even though a security system will have its vulnerabilities, “it may be the right system given the adversaries you have, the budget you’ve got, and what you’re protecting,” said Johnston.
Johnston and Nickerson suggest that successfully hardening a system or device against physical security threats and vulnerabilities requires LP to first acknowledge that they are a possibility—and then to be willing to gain a deeper, more honest understanding of their technology. Learn how it can be attacked. Understand the intricacies of what systems can—and can’t—do. And appreciate which threats devices can and can’t protect against.
“But it’s often way less thought out than that,” said Johnston. “It’s people in charge of security buying something because the salesperson says it’s good. I actually see the whole thing more as a security culture deficit rather than a device security issue.”
Read more about the risks and vulnerabilities of network security devices in an in-depth post, “Security’s Security,” which was originally published in 2017. This excerpt was updated March 21, 2019.