2.2: Physical Vulnerabilities and Attacks

Essential Questions

  • How can an attacker with no credentials walk right into a secure building by simply carrying a box?
  • Why is a discarded sticky note with a password on it considered a significant security risk?
  • How does leaving a computer unlocked for just a few minutes create an opportunity for data theft or malware installation?
  • What is the difference between "piggybacking" and "tailgating," and why are both effective social engineering tactics?
  • How do security professionals determine if an unlocked server room is a "high" risk versus a "moderate" one?
  • Beyond malicious actors, what other kinds of physical threats can disrupt or destroy critical digital assets?

Overview

As a member of the physical security team at Xtensr Research Labs, you've been tasked with your first major project: conducting a vulnerability assessment of a newly acquired building. Armed with a clipboard and a critical eye, you begin your walkthrough. The first thing you notice is the main entrance, where an employee, arms full with a laptop and coffee, holds the door for a person behind them without checking their badge. A few minutes later, you see a visitor in the lobby craning their neck to watch an employee type a password at the reception desk.

Your tour continues. You find a printed document in a recycling bin containing what looks like old network diagrams. Down a quiet hallway, you discover the door to a server room is propped open with a wedge to improve air circulation. Inside, critical systems hum away, their USB ports openly accessible. Each of these observations represents a physical vulnerability, a crack in the armor that protects the company's most valuable digital assets. An unlocked door or an exposed USB port can be just as devastating as a software flaw.

This lesson moves cybersecurity from the purely digital realm into the physical world we inhabit. You will learn to identify the common, and often subtle, ways adversaries exploit physical spaces. We'll dissect social engineering attacks like piggybacking and shoulder surfing, and understand the value of information that can be found through dumpster diving. You will learn to think about threats not just as malicious hackers, but also as environmental factors like fires or floods. Finally, you will learn the professional practice of assessing and documenting these physical risks, determining their potential impact and likelihood, so that you can prioritize what to fix first.

An illustration of a person in a suit tailgating an authorized employee through a secure badge-access door. The authorized employee is distracted and does not notice.

Identifying Common Physical Attacks (2.2.A)

Physical attacks often rely on clever manipulation of human nature rather than technical prowess. An adversary's goal is to bypass physical barriers by exploiting our natural tendencies to be helpful, polite, or simply unobservant. These social engineering tactics are remarkably effective.

One of the most common attacks is piggybacking. This occurs when an adversary, often with a convincing pretext, manipulates an authorized person into granting them access. Imagine an attacker dressed as a courier, carrying a large, awkward package. They wait by a secure door until an employee approaches. The employee, wanting to be helpful, holds the door open for them. The attacker has successfully bypassed the badge reader without ever needing a card. A similar attack, tailgating, is more opportunistic and relies on stealth. The attacker simply waits for an authorized person to open a door and slips in behind them before the door closes, hoping the person is too distracted to notice.

Shoulder surfing is an attack focused on information gathering. An adversary simply looks over a person's shoulder to observe them entering sensitive information, such as a password, a PIN at an ATM, or a code to unlock a phone. More sophisticated versions of this attack might use a camera with a zoom lens from a distance or a hidden camera planted near a keyboard to record the keystrokes for later analysis. This is a low-tech way to steal high-value credentials.

The information we discard can be just as valuable. In a dumpster diving attack, an adversary goes through a target's physical trash searching for sensitive documents. They might find old bills, internal memos, network diagrams, or sticky notes with passwords—anything that could help them build a profile of the organization or an individual for a future attack. Finally, for access control systems that use swipe cards, card cloning is a significant threat. An adversary with a portable card skimmer can covertly copy the data from an authorized user's access card with just a brief moment of proximity, creating a perfect duplicate they can use to freely access restricted areas.

An interactive "Security Awareness Challenge" named "2.2-spot-the-attack". The UI presents a series of short, animated scenes of an office environment. For example, one scene shows a person following another through a door. Another shows someone looking at their phone screen near another person. The learner must click on the scene and correctly identify the attack being depicted ("Tailgating," "Shoulder Surfing," etc.) from a multiple-choice list. Feedback explains the tell-tale signs of the attack.

A22_SpotTheAttackACTIVITY
Complete the activity below.
Scenario 1 of 6Score: 0 points
📦

Delivery Person at Reception

A person in a delivery uniform approaches the front door carrying a large package. An employee is about to enter with their badge.

What type of physical attack is being attempted? (Select all that apply)

How Threats Exploit Physical Vulnerabilities (2.2.B)

A vulnerability is a passive weakness; it only becomes a risk when a threat actively exploits it. In the physical domain, threats can be human adversaries, but they can also be non-malicious events like natural disasters. Both can lead to the loss, damage, or disruption of critical assets.

When an adversary gains unauthorized physical access, they can bypass many of the technical controls that protect a system. For example, if they can walk into an unlocked server room, they have direct physical access to the devices. With this access, they can plug in a malicious USB drive containing malware, such as a keylogger to capture data or a RAT to gain remote control. They could also simply unplug or cut wiring, disrupting power and causing a denial of service. In a worst-case scenario, they could physically destroy a server, making all the data and services it provides permanently unavailable.

Consider the vulnerability of an exposed, unattended workstation. An attacker with just a few minutes alone with the machine can install malware, steal data by copying it to an external drive, or reconfigure the system to be less secure. The threat isn't just a malicious outsider. A disgruntled insider, who already has authorized access to the building, poses a significant threat if they can get physical access to systems beyond their normal permissions.

It's also crucial to consider non-human threats. A fire, flood, or earthquake can destroy an entire data center, leading to a catastrophic loss of availability and data, unless proper environmental controls and disaster recovery plans are in place. A simple power outage, whether caused by a storm or a deliberate act of sabotage on the power grid, can bring a business to a standstill if there are no backup power sources like an uninterruptible power supply (UPS) or a generator. A successful security plan must account for both malicious actions and environmental hazards.

A diagram showing a threat (a burglar icon) exploiting a vulnerability (an unlocked server room door) to compromise an asset (a server rack), resulting in data theft

Assessing and Documenting Physical Risks (2.2.C)

Once you've identified a list of physical vulnerabilities, you can't fix everything at once. You need a structured way to prioritize. This is done through risk assessment, where you evaluate the likelihood and impact of each vulnerability being exploited. This process allows you to focus your resources on the most significant dangers first.

The risk level is determined by how sensitive the exposed asset is and how easily an attacker could get to it. For example, a server containing confidential customer data located in a room with no lock, in a hallway with no cameras, represents a high risk. The impact of a compromise would be severe (data breach, regulatory fines, reputational damage), and the likelihood of an attacker succeeding is high due to the lack of controls.

A moderate risk might be a situation where a non-critical system could be used as a stepping stone for a larger attack. Consider the receptionist's computer from our overview. The computer itself may not contain sensitive data, but it's connected to the internal network. An attacker who gains access to it via an exposed USB port could use it as an initial foothold to launch attacks against more valuable targets on the network. The immediate impact is lower, but it opens the door to a more severe compromise.

A low risk involves a low-value asset and a low likelihood of exploitation. Imagine employees leaving their laptops on their desks in a secure, badge-access-only office when they go to lunch. If the laptops themselves are encrypted and don't contain sensitive local data, the risk of theft is present but might be considered low. While stealing the laptop would be an inconvenience, the actual data is protected, and the attacker would have had to bypass the building's primary access controls already.

Documenting these assessments is critical. A formal risk register should be created, listing each vulnerability, the assets it affects, the potential threats, and your assessment of the likelihood and impact. This document provides a clear, justifiable basis for your security improvement plan.

A "Physical Risk Calculator" tool named "2.2-risk-assessor". The UI presents a scenario (e.g., "An unlocked cabinet contains employee records"). The learner uses two sliders, "Likelihood of Discovery & Exploitation" (1-5) and "Impact of Compromise" (1-5). Based on the combined score, the tool displays a qualitative risk rating (e.g., Low, Medium, High, Critical) and a short, generated text explaining the reasoning, such as: "This is a HIGH risk because the asset is sensitive and the vulnerability is easily exploited."

A22_RiskAssessorACTIVITY
Complete the activity below.
Scenario 1/5

Unlocked Cabinet with Employee Records

A filing cabinet in the HR office contains employee personal information including social security numbers, addresses, and salary information. The cabinet is frequently left unlocked during business hours.

Asset Value:

High - Contains sensitive personal and financial data

Vulnerability:

No physical access controls during business hours

Threat:

Unauthorized access by employees, visitors, or intruders

1/5
1/5
MinimalMinorModerateMajorSevere
Risk Score:1
Low Risk

Further Reading & Resources

References

AP Cybersecurity Curriculum

Made with ❤️ for students by students

This is an independent educational resource and is not affiliated with, endorsed by, or sponsored by the College Board. APÂŽ is a trademark registered by the College Board, which is not affiliated with, and does not endorse, this website.

Quick Links

HomeLessonsAboutContact

Get in Touch

Contact form will load when visible.

Š 2025 AP Cybersecurity Curriculum. All rights reserved.
Privacy PolicyTerms of Service