Physical Security

Blog post by Robert Marsh (University of Salford)

An often-overlooked part of security in the digital world is the physical security of our offices and storage units. Several videos from the recent DEF CON event have been published online that delve deeper into the physical security realm.

There are a host of potential pitfalls when it comes to physical security, such as: locks, doors, documents, cameras, keys, notes and more. Many of us come in to contact with these things every day and take for granted the security implications that they have or the protection that they should be providing.

A good example of this is how easy it is to gain access through a locked door by using something as simple as a hook or string. In a recent video titled ‘Bypass 101’ at DEF CON 2020 [1], Karen Ng shows how to bypass many types of locked doors in under a minute using extremely simple methods.

She also provides information on how to get bypass multicombination access panels by using UV ink or powder. As people input the correct keycode over and over again, the UV material will rub away without the person noticing. When Karen revisits the access panel at a later date the keys that light up under UV light are the ones not in the combination.

These extremely simple but effective methods highlight how easy it can be for an attacker to bypass what most would consider tough protection. An even more ingenious method that Karen showed in her video related to how emergency exit-only door sensors could be triggered by spraying canned air through the gap.

Preston Thomas and Bill Graydon focused on the area of lockpicking and lock security in their DEF CON videos [2,3]. Preston showed how cheaper locks are often very easy to lockpick due to flaws during manufacturing, he also pointed out that older locks that have worn also suffer from similar issues that make them simpler to lockpick.

Bill Graydon’s approach is far more scientific, by understanding locks in a more technical manner he shows how it is possible to use information theory to produce different types of keys that can work on locks, such as master keys or change keys. Bill also took part in a further DEF CON session answering the audience’s questions.

In this Q & A session he said that the industry appears to be taking lockpicking too seriously as a bypass method to gain entry to a business’s premises, he noted that it is often far easier and much more likely that a criminal would use brute force. Stating further that the police will often recommend window bars, or shutters whereas a more technical security audit team will recommend technology that doesn’t defend against the most realistic threat model.

Using Bill’s logic, we can surmise that small to medium-sized enterprises are unlikely to be facing sophisticated hackers or skilled lockpickers, it is much more likely that an attacker would be an opportunist or a career criminal who lives in the area.

Understanding this means we should pay more attention to the physical strength of our security, ensuring that all windows and doors are strongly secured and barred. That nothing is left visible through windows that would appeal to an opportunist.

Another area that is often overlooked by a business is shredding documents and storing waste securely. It is much more likely that sensitive material or documentation will be found in a waste bin at the rear of a building than it being stolen from a desk in an office. Another common mistake made is security cameras that are not placed correctly or are not present at all, security cameras can be a great deterrent to all types of criminals [6].

The Metropolitan Police have provided several guides online about crime prevention [5]. They state that large moveable objects near the business, such as wheelie bins, should be stored/locked away as criminals often use them to gain entry to less secure areas of the building. The MP also encourage the use of smoke-generating devices that trigger when a burglary is occurring, the smoke does not damage equipment or stock but can foil a crime by hindering the perpetrator’s vision.

Conclusion: Ensuring that your business is secure from burglary and opportunist criminals is just as important as improving the internal digital security. In many circumstances, a physical attack on the business can be avoided much more simply than we assume.


[1] DEF CON Safe Mode Lock Bypass Village – Karen Ng – Bypass 101:

[2] DEF CON Safe Mode Lockpick Village – Preston Thomas -Intro To Lockpicking

[3] DEF CON Safe Mode – Bill Graydon – Exploiting Key Space Vulnerabilities in the Physical World

[4] DEF CON Safe Mode – Bill Graydon – Exploiting Key Space Vulnerabilities in the Physical World Q&A

[5]  How to keep burglars out of your business

[6] How surveillance cameras can help prevent and solve crime