The previous lesson explored digital exposures — the logical attack surface reachable over networks. But physical access remains the ultimate privilege escalation vector. An attacker with unsupervised physical access to a device can bypass operating system authentication, extract encryption keys from memory, install hardware keyloggers, or simply steal the device outright. Data centers protected by badge readers and CCTV can be defeated by tailgating, and unattended conference room IP phones can become network pivots.
An unencrypted laptop left in a taxi is not a lost device — it is a data breach. Full-disk encryption (BitLocker, LUKS, FileVault) is the minimum defense against device theft. But physical attacks go beyond theft: a server with an exposed USB port can be booted from a malicious USB drive; RAM can be frozen and extracted to recover encryption keys (cold boot attack); and hardware implants can intercept keystrokes at the firmware level. For high-security environments, tamper-evident seals and a Trusted Platform Module (TPM) combined with Secure Boot are essential.
Physical security for facilities involves layers: perimeter (fencing, bollards, lighting), building entry (badge readers, mantraps, reception), interior (locked server rooms, surveillance, motion sensors), and asset-level (cable locks, rack-level access control). A mantrap — a two-door vestibule where the second door only opens after the first closes — defeats tailgating. However, even the best mantrap fails if the emergency exit is propped open for a smoke break.
Physical penetration testing consistently reveals that social engineering defeats physical controls. An attacker carrying a box of donuts and saying 'I'm from the fire extinguisher inspection company — can someone let me into the server room?' succeeds more often than sophisticated lock-picking tools. Train all employees, not just security guards, to challenge unauthorized individuals.
| Physical Attack Type | Target | Required Access | Mitigation Control | Detection Method |
|---|---|---|---|---|
| Device theft | Unencrypted laptop/phone | Momentary unsupervised access | Full-disk encryption, remote wipe capability | Mobile device management (MDM) alerts on missing check-in |
| Cold boot attack | RAM contents (encryption keys) | Physical access + compressed air can | TPM with measured boot, memory soldering | Chassis intrusion detection switch |
| USB Rubber Ducky | Unlocked workstation | Seconds of keyboard access | USB port lockdown, auto-lock after 2 min idle | EDR alert on rapid keystroke injection patterns |
| Tailgating | Secured facility | Following authorized person | Mantrap, turnstile, security guard verification | Video analytics detecting two people on one badge swipe |
| ATM/PoS skimming | Payment terminals | Installation of overlay device | Tamper-evident casing, active terminal monitoring | Customer fraud reports, terminal voltage anomaly detection |
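The "EDR alert on rapid keystroke injection patterns" detection from the USB Rubber Ducky row, as an added example that is not part of the lesson or any vendor's product: it parses constructed endpoint telemetry in an assumed `timestamp kind device` line format and flags a HID device whose keystroke rate shortly after attach exceeds a human typing threshold. The thresholds, the attach window and the sample log are all assumptions.

```python
"""Detect keystroke-injection bursts in constructed endpoint telemetry.
Added example (not from the lesson or any vendor EDR): flags keystrokes arriving
faster than a human can type shortly after a new HID device attaches.
Event format and thresholds are assumptions."""
from datetime import datetime, timedelta

MAX_HUMAN_KEYS_PER_SEC = 15.0          # assumed: sustained human typing stays well below this
MIN_BURST_KEYS = 20                    # assumed: ignore short bursts such as a pasted password
ATTACH_WINDOW = timedelta(seconds=10)  # only keystrokes soon after attach are considered

def parse_events(lines):
    """Parse constructed 'ISO-timestamp kind device' lines into sorted (ts, kind, device) tuples."""
    events = []
    for line in lines:
        ts, kind, device = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), kind, device))
    return sorted(events)

def detect_injection(events):
    """Return (device, keys_per_sec) for devices whose post-attach burst exceeds the human rate."""
    attach_time, stamps = {}, {}
    for ts, kind, device in events:
        if kind == "hid_attach":
            attach_time[device], stamps[device] = ts, []
        elif kind == "key" and device in attach_time and ts - attach_time[device] <= ATTACH_WINDOW:
            stamps[device].append(ts)
    alerts = []
    for device, ts_list in stamps.items():
        if len(ts_list) < MIN_BURST_KEYS:
            continue  # too few keys to judge a rate; a human could plausibly have typed them
        span = (ts_list[-1] - ts_list[0]).total_seconds()
        rate = len(ts_list) / span if span > 0 else float("inf")
        if rate > MAX_HUMAN_KEYS_PER_SEC:
            alerts.append((device, round(rate, 1)))
    return alerts

def sample_log():
    """Constructed telemetry: a human typist on kbd0, a scripted injector on hid7."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    def at(s):
        return (base + timedelta(seconds=s)).isoformat()
    lines = [f"{at(-2)} hid_attach kbd0"]
    lines += [f"{at(i * 0.25)} key kbd0" for i in range(25)]          # ~4 keys/s, human
    lines.append(f"{at(30)} hid_attach hid7")
    lines += [f"{at(30.5 + i * 0.005)} key hid7" for i in range(40)]  # ~200 keys/s, scripted
    return lines

if __name__ == "__main__":
    print(detect_injection(parse_events(sample_log())))  # [('hid7', 205.1)]
```

The same rate check works over any event source that records HID attach and keystroke timestamps; tune MIN_BURST_KEYS so that a short paste does not alert.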
⚠️ The convergence of physical and logical security is accelerating with IoT. A compromised smart thermostat can provide an attacker with temperature data confirming server room occupancy patterns — enabling a precisely timed physical intrusion. Secure and segment all building management systems on the network.