Not Your Average Bug Bounty: Compromise High Security Datacenter

Discovery & Impact

During an on-site social engineering test, NetSPI successfully gained unauthorized access to a high-security datacenter. We identified and reported weaknesses in the on-site security policies and controls. We demonstrated how social engineering can be used to bypass even the most sophisticated physical and technical security controls.

Remediation Outcome

We provided the client with recommendations on how to address the security gaps we observed while on-site. The main weakness we exploited was that the procedures for scheduling and confirming vendor visits were poorly defined.

1. Pretext: identify a believable reason for being on-site. After reviewing the client's approved vendor list, we chose a national pest control company.

2. We mocked up confirmation and scheduling emails imitating that company, confirming an appointment for the next day. We then crafted an email chain using a lookalike domain so the communications appeared to come from someone internal.

3. They replied to the email about the fake appointment, and we were in. We purchased screen-printed shirts, rented a vehicle similar to the company's, and bought a static-cling logo decal, all within two days and for less than $150.

4. Given our prework, they were expecting us. Without question, they swiped their badge, scanned their retinas, and opened the doors for us. Within minutes we were on the datacenter floor and had even gained access to the ceiling space where the network cabling runs.

5. After the engagement, we wanted to push a little further given the access we had achieved. We went back in and attempted to print a document.

6. They gave us temporary network credentials, and we convinced our contact to let us email him the attachment, which he opened and printed for us.

7. We then left the site undetected.
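The procedure above worked for two reasons the case study calls out: a confirmation email sent from a lookalike domain was accepted as proof of an appointment (step 2), and the procedure for scheduling and confirming vendor visits was poorly defined (Remediation Outcome). The following is an added example in Python, not NetSPI's code or the client's, showing the two checks a reception or facilities workflow could apply before admitting a vendor: the sender's domain must exactly match an approved vendor domain (near-matches and homoglyph variants are flagged as lookalikes rather than silently rejected), and the visit must already exist in a schedule entered by internal staff rather than be created by the inbound email itself. The vendor names, domains and schedule entries are constructed sample data.

```python
"""Vendor-visit confirmation check (added example; not from the original page).

Control 1: the confirming email must come from the vendor's approved domain.
Control 2: the visit must be pre-registered internally, independent of email.
All domains, vendor names and schedule entries are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple
import unicodedata

# Constructed: approved vendors keyed by the domain they are allowed to send from.
APPROVED_VENDOR_DOMAINS = {
    "example-pest.com": "Example Pest Control",
    "example-hvac.com": "Example HVAC Services",
}

# Constructed: visits entered by internal staff before any confirmation email arrives.
SCHEDULED_VISITS = {
    ("example-hvac.com", date(2024, 5, 14)),
}

# Single-character substitutions commonly used to build lookalike domains.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold a domain into a canonical form so visually similar spellings collide."""
    d = unicodedata.normalize("NFKD", domain.lower().strip())
    d = d.encode("ascii", "ignore").decode()          # drop accents / non-ASCII homoglyphs
    d = d.translate(_CONFUSABLES)                     # digit-for-letter swaps
    return d.replace("rn", "m").replace("vv", "w")    # multi-letter imitations


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    status: str                    # "trusted", "lookalike" or "unknown"
    matched_domain: Optional[str]  # approved domain the sender matched or resembled
    reason: str


def classify_sender(sender: str) -> Verdict:
    """Classify the domain of an email address (accepts 'Name <user@domain>' too)."""
    domain = sender.rsplit("@", 1)[-1].strip(" >").lower()
    if domain in APPROVED_VENDOR_DOMAINS:
        return Verdict("trusted", domain, "exact match to approved vendor domain")
    norm = normalize_domain(domain)
    for approved in APPROVED_VENDOR_DOMAINS:
        approved_norm = normalize_domain(approved)
        if norm == approved_norm or levenshtein(norm, approved_norm) <= 2:
            return Verdict("lookalike", approved,
                           f"{domain!r} resembles approved domain {approved!r}")
    return Verdict("unknown", None, "domain is not on the approved vendor list")


def verify_visit(sender: str, visit_date: date) -> Tuple[bool, str]:
    """Admit only if the sender is trusted AND the visit was scheduled internally."""
    verdict = classify_sender(sender)
    if verdict.status != "trusted":
        return False, f"reject: {verdict.reason}"
    if (verdict.matched_domain, visit_date) not in SCHEDULED_VISITS:
        return False, "reject: no internally scheduled visit for this vendor on this date"
    return True, "accept: sender domain approved and visit pre-scheduled"


if __name__ == "__main__":
    for sender, when in [
        ("ops@example-hvac.com", date(2024, 5, 14)),     # legitimate, scheduled
        ("ops@example-pest.com", date(2024, 5, 15)),     # legitimate domain, never scheduled
        ("Dispatch <ops@exarnple-pest.com>", date(2024, 5, 14)),  # 'rn' imitating 'm'
        ("ops@examp1e-pest.com", date(2024, 5, 14)),     # digit 1 imitating letter l
    ]:
        print(sender, when, "->", verify_visit(sender, when)[1])
```

The lookalike verdict is kept distinct from "unknown" on purpose: an unknown domain may just be a vendor that was never onboarded, while a lookalike of an approved domain is a signal worth escalating to the security team rather than quietly dropping.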