Physical penetration testing is the most overlooked discipline in enterprise security — and one of the most revealing. While organizations invest heavily in firewalls, endpoint detection, and SIEM platforms, a successful physical intrusion can bypass every technical control in minutes. An attacker with physical access to a workstation, network port, or server room has effectively won. Physical penetration testing, conducted by authorized security professionals, exposes these vulnerabilities before a real adversary does.
What Physical Penetration Testing Covers
A comprehensive physical penetration test evaluates the full spectrum of physical security controls:
- Access control systems: Badge readers, keypads, biometric systems, and their resistance to cloning, bypass, and relay attacks
- Tailgating and piggybacking: Testing whether employees hold secure doors open for unauthorized individuals — the most consistently successful physical attack vector
- Lock picking and bypass: Evaluating physical lock quality and resistance to picking, shimming, and bypass techniques on server rooms, wiring closets, and office perimeters
- Badge cloning: Testing whether proximity card credentials can be captured and cloned to create unauthorized access credentials
- Dumpster diving: Reviewing discarded materials for sensitive information — documents, decommissioned hardware, pre-shredded materials
- USB attack surface: Testing whether employees connect unknown USB devices to workstations (rubber ducky / USB HID attacks)
- Clean desk policy: Assessing whether workstations are locked when unattended and whether sensitive materials are left accessible
- Social engineering integration: Combining physical access attempts with pretexting (impersonation of vendors, IT staff, building services)
Legal Requirements: Authorization is Non-Negotiable
Physical penetration testing has the highest potential for legal complications of any security testing discipline. The authorization letter must be comprehensive and unambiguous:
- Explicit written authorization signed by an executive with authority to authorize the engagement (typically CISO, CEO, or General Counsel)
- A "get out of jail" letter — a document the tester can present to law enforcement or security personnel if confronted, containing emergency contact information for the authorizing executive
- Precise scope definition: which buildings, floors, and areas are in scope; whether the building owner/property management has been notified; whether common areas (lobbies, parking structures) are in scope
- Clear boundaries: whether testers may pick locks, clone badges, or only attempt social engineering; whether photography is permitted; whether accessing active workstations is authorized
- A 24/7 emergency stop contact at the client organization
In New York City, physical penetration testers operate in a complex legal environment. Building owners and property management companies are separate legal entities from the tenant being tested — they have not consented to security testing of their shared building infrastructure. Carefully scoping what is tested (tenant space only vs. shared building systems) and notifying appropriate parties prevents scenarios where a legitimate security professional is arrested for trespassing.
Badge Cloning: Proxmark and Proximity Card Vulnerabilities
The majority of corporate access control deployments in NYC use proximity card (RFID) badge systems. Many legacy deployments use 125 kHz EM4100 or HID Prox cards that broadcast their card number in cleartext with no authentication — any device that can read the RF signal captures the credential.
The Proxmark3 RDV4 is the standard tool for proximity card research. In "sniff" mode, it captures card numbers when held near a badge being presented to a reader. In "simulate" mode, it replays the captured credential to unlock a reader. The attack requires only brief proximity to a target's badge — a moment in a crowded elevator, a coffee line, or a lobby is sufficient.
Modern 13.56 MHz smart card systems (HID iCLASS SE, MIFARE DESFire EV3) provide significantly stronger security through mutual authentication and cryptographic challenge-response. However, many organizations have not upgraded from legacy 125 kHz systems, and even upgraded systems sometimes retain backward compatibility with the older cards as a migration convenience — effectively providing no security benefit from the upgrade.
Common Findings in NYC Office Buildings
Fortress MSSP conducts physical penetration tests across Manhattan, Brooklyn, and the greater NYC metropolitan area. The weaknesses these assessments most commonly target include:
- Tailgating and door-holding: Employees frequently hold secure doors open for individuals who appear to belong — someone in business attire carrying a laptop bag, a person delivering boxes, or a "new employee" who seems lost. It is consistently one of the highest-yield physical attack vectors.
- Server room / network closet access via social engineering: "I'm here for the scheduled network maintenance" succeeds with alarming frequency, particularly when timed to actual vendor activity windows identified through OSINT
- Unlocked workstations: Clean desk and workstation lock policies exist on paper but are not enforced — physical walk-throughs identify active sessions left unattended
- Reception bypass in shared lobbies: Building lobbies with turnstile gates often have adjacent doors used by delivery personnel that are held by a physical lock with no badge reader backup
- Network port access in common areas: Conference rooms, phone rooms, and reception areas often have live Ethernet ports on accessible wall plates — connecting a device provides network access without any authentication
Report Structure and Integration with Logical Security
A physical penetration test report follows the same structure as a technical penetration test report:
- Executive Summary: High-level narrative of what was accessed, the potential business impact, and prioritized recommendations
- Findings: Each finding documented with: description, evidence (photographs taken with authorization, video if approved), risk rating (Critical/High/Medium/Low), and specific remediation guidance
- Attack Narrative: A chronological account of the tester's actions from initial approach to final objective — particularly valuable for demonstrating the realistic attack chain to executives
- Remediation Roadmap: Prioritized recommendations addressing both quick wins (lock policy enforcement, visitor escort procedures) and longer-term controls (badge system upgrades, CCTV expansion, mantraps)
Physical security findings directly inform technical security priorities. An attacker with physical access can plant rogue network devices, extract credentials from unlocked workstations, install hardware keyloggers, and access network infrastructure directly. The integration of physical findings with the technical security program ensures that logical controls account for the physical threat model. Fortress MSSP's penetration testing practice offers physical security assessments as standalone engagements and integrated with broader red team exercises. Contact us to discuss your physical security assessment requirements in the NYC area.