Pentester Rob Shapland has been breaking into buildings for the last 17 years. He warns that, while sometimes the only thing you need is a cup of coffee or a hard hat and clipboard, AI is providing new opportunities for social engineers.
Clients typically pay Shapland to trick his way into their company headquarters using social engineering techniques.
As a trained computer hacker, he adds that, like the criminals he’s fighting against, he often mixes digital techniques with physical ones.
The physical pentester uses an example from a recent job he was working on for a company, where the aim was to break into the CEO’s email account.
“I managed to get in successfully by cloning his voice, calling the service desk, and asking for a password reset.”
“His voice was on a YouTube video. Just a promotional video about the company. There was, like, a five-minute video of him. I took a sample of that voice and used a cloning tool to create a replica.
He adds that in these situations, the hacker can either type out what they want to say, or hook it into ChatGPT, and it will respond.
“You just give it a prompt, ‘I am trying to get my password reset,’ and it will respond for you. And then it speaks in his voice to their service desk. I got the reset.”
Shapland said that he used ElevenLabs voice AI – a legitimate voiceover tool that can be exploited for ill gain.
“You need around 10 seconds of audio to create a decent clone, but the more footage you have, the better it sounds,” he says.
Layering physical hacking with AI
The major trend for Shapland is the combination of AI cloning with physical break-in techniques. He adds that he even uses consumer chatbots now to stress-test break-in ideas.
“There are certain things it won't do. I was planning a physical intrusion the other day, and I put together a rough plan of what I wanted to do and asked for any further suggestions. And the chatbot replied: ‘I can't help you break into a building, but, you know, if you were doing something very similar, this is what I would do.’ The AI sort of finds its own way around things sometimes – you don’t even need to make it help you.”
Shapland is aware of chatbots on the dark web that have guardrails turned off, “ones that will design malware.”
However, in general, he believes that the cybersecurity industry tends to overstate the extent to which criminals are using AI.
“They're experimenting. But there’s going to be a major change over the next few years. It will get to the point where a fake video conference could be completely indistinguishable from real.
“So, you know, I could be talking to you right now, and you wouldn't have a clue whether it was me or not.
The pentester points to the release of Sora 2 last autumn and the amount of realistic “made-up videos” that are now flooding his social media feeds.
“And people really believe them.”
Employee cyber training needs to be memorable
In revealing some of the tricks of his trade, Shapland – an adept computer hacker who was trained by his then-boss to work on the physical side – hopes to raise cyber awareness in organizations.
He films most of his break-ins covertly, using HD cameras hidden in ties or spectacles and then plays them back later to employees. Watching the mistakes they make is far more memorable than a ten-minute cyber quiz, he claims.
“In the training I'll go, okay, sit everyone in a room for an hour and scare them. They can see “That's me letting the person in. That's my desk!” That sticks with them for years.
“I think training has become boring and a compliance tick box, and it needs to actually be effective,” he says.
Midnight in the war room
Shapland shares further techniques in Semperis' upcoming cyber warfare documentary Midnight in the War Room, set to premiere on August 5th at Black Hat USA in Las Vegas.
The film features leading voices in cybersecurity and national security, including Chris Inglis, the first US National Cyber Director; Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency; former CIA Director David Petraeus, and Marcus Hutchins, an independent security researcher who helped stop the infamous malware WannaCry.
“The documentary shows all the different areas of cyber. I think that's unusual. Most documentaries will focus on a single attack or a single part of cybersecurity, whether that be the ethical hacker or the defender, so that’s really exciting to be involved in,” he says.
In a couple of clips, Shapland explains how social engineering works. In one sequence, he goes online and looks at an employee’s social media page. In a holiday shot, she’s posing outside the hotel she stayed at.
He clocks the location and the hotel, studies its branding, and then carefully crafts an email to the women, pretending to be the manager and informing her of some items that she may have left behind. One click on the image and the payload is downloaded.
“It’s trying to get that perspective of how simple it can be for criminals to target certain people and understand how the process works from start to finish,” he explains.
How to break into buildings
The documentary gives some insight into how he successfully infiltrates workplaces.
Surprisingly, there’s little need for Shapland to utilize his technical ability once he enters a building, as biometric and facial recognition technology are used too infrequently to warrant bypass.
“I've probably done 200 building intrusions overall, and I’ve only had facial recognition in one of them. It's really unusual because it's slow, and people need to get in and out of the building. And so for the vast majority of buildings, you just have your normal scanners, keyobs, etc.. So AI makes no difference with that at all,” he says.
So, what are the most effective ways of breaking into a building?
Tried and trusted methods, he says, exploit people’s helpfulness and good nature. For instance, an imposter can pose as an employee by creating a fake company badge or pass, using LinkedIn to search for the right branding.
The pass won't release the door, but you can tailgate a legitimate employee by carrying two coffees and asking if they will hold the door open.
“Really, people want to be nice, they want to be helpful, so they let you in.”
A less risky technique, he adds, is to book an appointment as a visitor of some sort – a landlord, a surveyor, or a cleaner (he has a number of outfits which seem to come as part of the job).
“You could be doing an inspection of the windows or whatever it is you've researched about the company. Even better, if you can pre-book the visit, arrive at the building, walk in, and then you do the bad thing on the side while you're doing the thing you're supposed to be there for and this is less risky than tailgating.
Shapland adds that the nature of his work means that he’s always thinking like a hacker.
“I was chatting with someone yesterday whose dad was a fire extinguisher inspector, and I thought, ‘Oh that's quite a good pretext, a fire inspector!’”
Taking on different roles, wearing different guises, and filming the outcomes, his work is comparable to the life of an actor. He agrees and adds that one of his contractors is actually a working actress.
“You are playing a role. Absolutely. And I find that before I get there, I feel really nervous, and I worry that everything's going to go wrong. They're going to spot that I'm not a cleaner or I'm not an IT person or whatever.
“But then I step through the door, and it's like stepping into a role. You're just suddenly like, ‘Right, I'm playing this role. As long as I'm confident in the outfit that I've prepared and how I'm going to act when I get in there and what I'm going to do, then it will generally go well.”
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked