Physical Security and Pentesting

49 readers
1 users here now

[email protected] is a community dedicated to physical security and penetration testing.

Rules:

  1. Be kind to each other.
  2. Don't break into systems that aren't yours without permission.

Sites of Interest:

Here are various stores that sell lock picking and physec testing tools:

founded 5 months ago
MODERATORS
1
4
Welcome and FAQ (lemmy.blahaj.zone)
submitted 5 months ago* (last edited 5 months ago) by [email protected] to c/[email protected]
 
 

Welcome!

Welcome to [email protected]! This community was created to replace r/physec, which has permanently gone dark since 12 June 2023 in protest of Reddit's API pricing change.

As our title indicates, we're here to talk about physical security (keeping physical objects and spaces secure from people not authorized to be in them) and physical penetration testing (learning how malicious parties exploit weaknesses in physical security, and having trustworthy people use those methods against physical security systems to improve those systems). This includes the development of individual skills; security equipment, systems, and practices; and the wider industry as a whole.

Please ask meta questions about this community in the comments of this post.

Frequently Asked Questions

Aren't you just teaching people how to do crime?

Rogues are very keen in their profession, and know already much more than we can teach them. — Alfred Charles Hobbs

Criminals already know to do crime. They don't need our help. We need to understand how criminals break in so that we can develop effective countermeasures. Security research is necessary to uncover vulnerabilities that manufactures have missed or willingly ignore. Too often is "security through obscurity" used as an excuse for hiding problems instead of fixing them.

How do I get a job in physical pentesting?

Great question. We'll let you know if we figure it out. The industry is small, new, and does not have a well-developed entry pipeline. Career discussion is encouraged here.

2
 
 

The wide plastic tube that Peterson ships many of its tools in (and that you can also purchase separately, albeit with a large minimum order quantity) is also ideal for storing the standard six-die set of dice used in many tabletop role playing games. I suspect the overlap between physical security nerds and TTRPG players is significant enough for this to be rather useful.

3
 
 

The Open Organization Of Lockpickers (TOOOL) is a fantastic organization dedicated to advancing the public's knowledge of locks and lock picking. They have a limited edition pride shirt that you can order until September 5.

4
 
 

Recently a friend asked me how important it was to keep her hotel room key (a high coercivity magstripe card) away from magnets. Realizing that I don't have data on this but do have a magstripe encoder, a LoCo (low coercivity) card, and a HiCo card, I figured I would test each of the cards against a variety of things that could be encountered in daily use and storage.

Background

The magnetic stripe on a magstripe card or ticket is made using one of two magnetic mixtures: one with high coercivity and one with low coercivity. Coercivity is a property of magnetic materials: it is the field strength required to demagnetize a magnetic material that has been previously magnetized.

Cards with high coercivity (resp. low coercivity) stripes are often referred to as "HiCo" (resp. "LoCo") cards. Often, the magstripe on HiCo cards is black and that of LoCo cards is brown. Conventional wisdom is that HiCo magstripes are used on cards intended for permanent use (like payment cards and identity/access control credentials) while LoCo magstripes are used on paper tickets and disposable plastic cards (like those that would be found in a hotel's access control system). That said, I have found hotel room keys and even paper tickets (used in a French parking garage) with HiCo magstripes. To my knowledge, HiCo cards are more widely available than LoCo cards and the price differential per card is probably not incredibly significant.

Results

for LoCo cards

  • Storing atop an inactive (i.e. powered on but screen off, not playing audio) non-MagSafe iPhone for about 8 hours: no effect
  • Storing in a large stack of cards including HiCo cards, LoCo cards, and RFID cards for 6 days: no effect
  • Wiping against a refrigerator magnet: data corrupted
  • Wiping against the cap over the speaker of a Western Electric G3 telephone handset while playing milliwatt tone (a very loud 1000 Hz tone): data corrupted
  • Wiping against the cap over the speaker of a Western Electric G3 handset while playing nothing: no effect
  • Wiping against the cap over the speaker of a Western Electric G3 handset while playing reorder tone: no effect

for HiCo cards

Everything discussed above does not affect data on a HiCo card.