All You Need Is... Air

by lg0p89

To the tune of The Beverly Hillbillies theme:

	Let me tell you about a can of air.
	We used this to break into there.
	The can of air was in the supply closet,
	It just took four seconds to open the door.

	Air, that is.  Human necessity.  Smells real good.
	With this simple can, it just took a few seconds
	To enter any secured room, it was sure the ticket.
	From now on, I don't need a damn key.
	To get into any office, you won't see me.

Recently, I came across a rather interesting physical attack to gain access to most facilities.

The attack parameter is pretty basic.  This works on the doors in facilities that do not require a key or badge to be scanned in and out of the area.  So this works on doors which only require access one way (usually in).  These doors generally require the user, as they approach the door, to take out their badge and swipe it near the sensor.

The door may then be opened by the user, presuming the user has access.  The general layout consists of two glass doors, side-by-side.  The badge reader is engaged and the doors may be opened after the lock is disengaged, allowing the user to be able to enter.

For this attack, the user doesn't need to be on the authorized list, or any list for that matter.  They don't need to attempt to piggyback in.  All the unauthorized user needs is a can of air.  They can get this from the office supply closet or from the local super store for $5.  That is it.  The user has to walk into the building, confident they are supposed to be there, and walk past the receptionist or security station.  The confidence in the attacker's swagger is key.  They don't have to overly sell it, but just act like the others who are supposed to be there.  As they approach the door to the restricted area, they need approximately five seconds to complete the attack, start to finish.  They should perhaps stand back while others pass through the door, or stay away from the area until the attacker has time to compromise the "lock" unnoticed by anyone on either side of the door.

Once the coast is clear, the attacker pulls the can of air (generally used to clean off electronics) from their coat or pocket, pushes the red tube into the spray nozzle, and holds the can upside down.  The red tube is placed between the doors or, if there is only one, above the door between the door and the door entry frame, and sprayed while the can is upside down.  The spray period may be a second, maybe two at the most.  The door is immediately pulled and opened.

Yeah for the red team!

How This Works

Generally, the glass doors are a valid locking mechanism.  You have to have a valid badge in your possession.  This is passed in front of the badge reader, using the RF chip in your ID, which unlocks the door.  The user opens the door and starts or continues their day.  Pretty boring, I know.  When someone inside the building attempts to leave, they simply walk up to the double doors, push, and the doors open.  What allows this to happen is relatively simple.  For ease of use, there is not a system in place to badge out.  As the doors are locked, there has to be some form of a mechanism to unlock these.

It turns out there is a sensor above the door.  To test this in any building is easy.  Start walking up to the door.  From four meters out, start looking above the door.  There should be an opaque piece of plastic above the door.  Keep watching this as you walk up.  At approximately two or three meters, you will hear a clicking noise or a red or green light will become lit.

With either mechanism, the sensor is indicating to you that it recognizes an object is close to the door and the sensor needs to send a command to the door lock to disengage for a limited amount of time, so the user is able to exit.  This sensor, generally IR, is scanning for persons approaching the door, so the sensor may send a command to unlock the door.  The attacker holds the can upside down (this is important) and sprays it toward the sensor.

The important parts of the attack are social engineering (fitting in with the others), and mechanical (spraying the canned air toward the sensor).  As the attacker slides the red tube through or above the door towards the sensor and sprays, the action creates a small cloud.  The sensor, sending out the IR, reads this as an object (or human) proximate to the door.  As it is supposed to work, the person leaving should pull the door and leave.  As the attacker is seeking to get in, all they have to do is pull the door.  It opens with ease.

The entire attack should take all of five seconds.  This works on most doors.  If there is a badge reader on both sides of the door (ingress and egress), this won't work.  This is surprisingly cheap and easily done in a wonderful showcase.
