Lock Picking could be a pen tester’s best friend

Jul 30, 2013

By Alan Phillips

Black Hat USA. Monday, July 30th 2013 and it's lunch time. Beyond my burger I notice Benjamin Vallens sitting down alongside an impressive array of keys and interesting-looking metal tools. After enquiring about these objects, I soon learn that he is attending a two-day training workshop put on by The CORE Group which teaches the finer points of picking locks.

[Image: Benjamin Vallens preparing to pick a lock]

Benjamin has crossed the border from California to attend the training course and he tells me that this full set of tools and sample locks had been provided as part of the deal.  In a short space of time he shows me how he has learned to break the kind of lock used on most filing cabinets. That took about five seconds of wiggling a piece of metal around inside the lock. Not bad for a rookie and it actually looks pretty simple with the right tools.

He goes on to demonstrate some of the other kinds of locks that he was about to learn how to break, and said this included the digital kind. Now, of course, the physical side is an important part of security and particularly for jobs that involve on-site social engineering.

Picture an on-site job where the undercover consultant manages to physically get within inches of the server holding the most sensitive of company information, but is confronted by a lock. With these skills in the bag, the consultant does not have to try another attack vector (or give up), but can attempt to go ahead and pick that lock there and then. 

[Image: Tools of the trade]

Also, this lock picking lark seems to leave the lock intact with no obvious tampering evidence to be seen.

With penetration tests becoming more realistic and detailed, these skills are certainly complementary to the digital side of a penetration tester's skill set.

To find out how 7Safe can help your organisation by using the latest penetration testing techniques to improve information security and resilience, contact us now.



