Breaking Down Office Security: What We Discovered During Our "Break-In"

Richard Tan -

When you think of office security, you probably picture high-tech firewalls and complex passwords, right? But what about the simpler tools we rely on daily, like lanyards and RFID cards? Sometimes, the real weak spots aren’t in the IT infrastructure at all - they’re in the everyday interactions and routines we take for granted.

Our team recently conducted a physical security assessment for a client, testing just how easy it might be for an outsider to slip in undetected. From cloned badges to unnoticed USB drops, here’s a behind-the-scenes look at what we found and some thoughts on easy ways to boost office security.

Setting the Stage

Before starting, we coordinated closely with our client to establish what was in-scope and what was off-limits. We came armed with our “get-out-of-jail” letter - a signed agreement giving us permission to do a little mischief (all in the name of security, of course). With everything set, we began our assessment by blending into the lobby, coffees in hand, watching employee routines, badge usage, and access points.

Right away, we noticed that everyone wore their RFID badges on company-branded lanyards - with details we could find online thanks to the company’s public photos and videos. We also noted the building used low-frequency RFID access cards, which are notoriously vulnerable to cloning.

Low frequency RFID card reader identified

Cloning Badges on the Fly

Knowing the facility used low-frequency RFID badges (which are less secure than high-frequency alternatives), I was able to borrow a HID MaxiProx 5375 RFID reader from a mate at short notice. This device is no small fry - it’s a long-range, low-frequency RFID reader known for being able to capture credentials up to 1.5m away, perfect for what we wanted to achieve.

HID MaxiProx 5375 with Tusk

To make it portable and stealthy, we stashed the reader in a laptop sling bag and paired it with Tusk, a mobile credential-capturing tool, which helped us monitor real-time captures on our phone.

The next morning, we arrived just as the lobby was buzzing with employees heading to work. Our long-range RFID reader, discreetly tucked into a laptop bag, was set to capture access card information. In one elevator ride, we managed to clone several badges simply by standing close to other employees. Using a Proxmark device, we transferred these credentials onto blank cards and gained access to multiple floors in the building. Yes, it was that simple!

Captured card credentials
Cloning access cards with a Proxmark

We were then able to access most areas without issue, including a restricted room housing sensitive documents. It was a reminder of how an unauthorised person can slip in under the radar - and how easy it can be to bypass access controls when people are polite or simply don’t notice.

Testing Tailgating

Once inside, we couldn’t resist testing a classic office security weak spot: tailgating. By following employees through secured doors or just looking like we belonged, we moved between floors with ease. Occasionally, we’d get a curious look, but no one actually stopped us. In fact, a few friendly faces held doors open for us, unaware we were unapproved visitors.

This experience highlighted a simple reality: even the best access controls can be easily bypassed if people aren’t aware of the risks of tailgating. Fostering a culture where employees feel comfortable politely verifying others' access could make a significant difference in a company's security posture.

USB Drops and Network Ports

To see if employees would take the bait, we left a few USB drives around meeting rooms and common areas, each prepped with files embedded with canary tokens -a little alarm that would let us know if someone tried to open them. In a real scenario, these files could contain malware, creating an entry point into the network.

Document embedded with canary tokens

Although we didn’t receive any alerts from our USBs (either due to user caution or possibly a corporate firewall blocking our outbound canary callbacks), the risk is real. It only takes one person’s curiosity to create a potential vulnerability.

While roaming around, we also noticed unsecured Ethernet ports in multiple meeting and training rooms. A quick test showed these ports provided instant access to the corporate network, allowing us to access various resources like domain controllers and user machines. For an attacker, a single, concealed device plugged into these ports could provide remote access to the network - a serious concern with a relatively simple fix.

Open Meetings, Open Risks

Each meeting room was equipped with a video conferencing system, and, to our surprise, we could join multiple active meetings without a password.  A specific meeting we joined was an induction meeting for new employees, allowing us to overhear sensitive company information, including introductions to key team members and an overview of internal policies.

It’s easy to forget how common virtual meetings have become, and without basic security, these devices can become entry points for eavesdropping on sensitive discussions. A simple password requirement would close this gap, helping keep private conversations private.

Gauging Employee Vigilance

For the final part of our assessment, we decided to blend in while moving around the office, sitting at employee tables, and even striking up casual conversations at one instance. Though we did catch a few suspicious glances, no one questioned our presence.

This experience was a reminder of how valuable employee vigilance can be. Empowering employees to trust their instincts and feel comfortable asking about unfamiliar faces could go a long way in keeping an office secure.

Wrapping It Up: Key Lessons from the Field

Overall, these kind of assessments showed just how easy it can be for security to fall through the cracks in everyday office life. Here are some straightforward takeaways:

  • Tailgating Awareness Matters: Encourage employees to politely verify unfamiliar people and remind them of the importance of wearing visible badges.
  • Be Careful with USBs: Educate employees on the risks of unknown USB drives to prevent a potential malware disaster.
  • Secure Ethernet Ports Everywhere: Lock down Ethernet ports with 802.1x port security and require passwords for video conferencing devices.
  • Encourage Friendly Vigilance: A quick question like “Can I help you?” could be all it takes to deter unauthorised access.
  • Upgrade Low-Frequency RFID Cards: Low-frequency RFID systems, like the one we tested, are highly vulnerable to cloning attacks. Upgrading to encrypted, high-frequency RFID systems can make unauthorised cloning far more difficult, adding a valuable layer of protection.

In the end, security is everyone’s responsibility, and the smallest actions can often make the biggest difference. From access cards to USB drives, it’s clear that some of the most effective security measures don’t require advanced tech - they just need a bit of awareness, a dose of curiosity, and a culture where it’s okay to ask questions.