Introduction

What Is “No-Tech Hacking?”

When I got into this field, I knew I would have to stay ahead of the tech curve. I spent many sleepless nights worming through my home network trying to learn the ropes. My practice paid off. After years of hard work and dedicated study, I founded a small but elite pen testing team. I was good, my foo strong. Networks fell prostrate before me. My co-workers looked up to me, and I thought I was The Man. Then I met Vince.

In his mid-40s, hawk-eyed, and vaguely European looking, Vince blended in with the corporate crowd; he was most often seen in a black leather trench coat, a nice dress shirt, dark slacks, black wing tips and the occasional black fedora. He had a definite aura. Tales of his exploits were legendary. Some said he had been a fed, working deep-black projects for the government. Other insisted he was some kind of mercenary genius, selling his dark secrets to the highest bidder.

He was brilliant. He could do interesting and seemingly impossible things. He could pick locks, short-circuit electronic systems, and pluck information out of the air with fancy electronic gear. He once showed me a system he built called a “van Eck” something-or-other.¹ It could sniff the electromagnetic radiation coming from a CRT and reassemble it, allowing him to eavesdrop on someone’s computer monitor from a quarter mile away. He taught me that a black-and-white TV could be used to monitor 900MHz cellular phone conversations. I still remember hunching over a table in my basement going at the UHF tuner post of an old black-and-white TV with a pair of needle-nosed pliers. When I heard a cellular phone conversation coming through that old TV’s speaker, I decided then and there I would learn everything I could from Vince.

I was incredibly intimidated before our first gig. Fortunately, we had different roles. I was to perform an internal assessment, which emulated an insider threat. If an employee went rogue, he could do unspeakable damage to a network. In order to properly emulate this, our clients provided us a workspace, a network jack, and the username and password of a legitimate, non-administrative user. I was tasked with leveraging those credentials to gain administrative control of critical network systems. If I gained access to confidential records stored within a corporate database, for example, my efforts were considered successful. I had a near-perfect record with internal assessments and was confident in my abilities.

Vince was to perform a physical assessment that emulated an external physical threat. The facility had top-notch physical security. They had poured a ton of money into expensive locks, sensors, and surveillance gear. I knew Vince would obliterate them all with his high-tech superpowers. The gig looked to be a real slam-dunk with him working the physical and me working the internal. We were the “dream team” of security geeks.

When Vince insisted I help him with the physical part of the assessment, I just about fell over. I imagined a James Bond movie, with Vince as “Q” and myself (of course) as James Bond in ninja assault gear. Vince would supply the gadgets, like the van Eck thingamabob and I would infiltrate the perimeter and spy on their surveillance monitors or something. I giggled to myself about the unnatural things we would do to the electronic keypad systems or the proximity locks. I imagined the looks on the guard’s faces when we duct-taped them to their chairs after silently rappelling down from the ceiling of the surveillance room.

I couldn’t wait to get started. I told Vince to hand over the alien gadgets we would use to pop the security. When he told me he hadn’t brought any gadgets, I laughed and poked him. I never knew Vince was a kidder. When he told me he really didn’t bring any gear, I briefly considered pushing him over, but I had heard he was a black belt in like six different martial arts, so I just politely asked him what the heck he was thinking. He said we were going to be creative. The mercenary genius, the storm center of all the swirling rumors, hadn’t brought any gear. I asked him how creative a person could be when attacking a highly secured building without any gear. He just looked at me and gave me this goofy grin. I’ll never forget that grin.

We spent the morning checking out the site. It consisted of several multistory buildings and a few employee parking lots, all enclosed by protective fencing. Everyone came and went through a front gate. Fortunately, the gate was open and unguarded. With Vince driving, we rounded one building and parked behind it, in view of the loading docks.

“There,” he said.

“Where?” I asked.

“There,” he repeated.

Vince’s sense of humor sucked sometimes. I could never quite tell when he was giving me crap. I followed the finger and saw a loading dock. Just past the bay doors, several workers carried packages around. “The loading dock?” I asked.

“That’s your way in.”

I made a “Pffft” sound.

“Exactly. Easy.” he said.

“I didn’t mean ‘Pffft’ as in easy. I meant ‘Pffft’ as in there’s people there and you said I was going in.”

“There are, and you are,” he said. Vince was helpful that way. “Just look like you belong. Say hello to the employees. Be friendly. Comment on the weather.”

I did, and I did. Then I did, and I did and I found myself inside. I walked around, picked up some blueprints of tanks and military-looking stuff, photocopied them and left. Just like that. I’m skipping the description of my heart pounding at 400 beats per minute and the thoughts of what military prison would be like and whether or not the rumors about Bubba were true, but I did it. And it was an incredible rush. It was social engineering at its simplest, and it worked wonders. No one questioned me. I suppose it was just too awkward for them. I couldn’t hide my grin as I walked to the car. Vince was nowhere to be found. He emerged from the building a few minutes later, carrying a small stack of letter-sized paper.

“How did you get in?” I asked.

“Same way you did.”

“So why didn’t you just do it yourself?” I asked. “I had to make sure it would work first.”

I was Vince’s guinea pig but it didn’t really matter. I was thrilled and ready for more. The next building we targeted looked like an absolute fortress. There were no loading docks and the only visible entrance was the front door. It was wood and steel—too much like a castle door for my taste—and approximately six inches thick, sporting a proximity card-reader device. We watched as employees swiped a badge, pulled open the doors and walked in. I suggested we tailgate. I was on a roll. Vince shook his head. He obviously had other plans. He walked towards the building and slowed as we approached the front door. Six feet from the door, he stopped. I walked a step past him and turned around, my back to the door.

“Nice weather,” he said, looking past me at the door.

“Ehrmm, yeah,” I managed.

“Good day for rock climbing.”

I began to turn around to look at the building. I hadn’t considered climbing it.

“No,” he said. “Don’t turn around. Let’s chat.”

“Chat?” I asked. “About what?”

“You see that Bears game last night?” he asked. I had no clue what he was talking about or even who the Bears were but he continued. “Man, that was something else. The way that team works together, it’s almost as if …” Vince stopped in mid-sentence as the front door opened. An employee pushed the door open, and headed towards the parking lot. “They move as a single unit,” he continued. I couldn’t help myself. I turned around. The door had already closed.

“Crap,” I said. “We could have made it inside.”

“Yes, a coat hanger.”

Vince said strange stuff sometimes. That was just part of the package. It wasn’t crazy-person stuff, it was just stuff that most people were too dense to understand. I had a pretty good idea I had just witnessed his first crazy-person moment. “Let’s go,” he said. “I need a washcloth. I need to go back to the hotel.” I had no idea why he needed a washcloth, but I was relieved to hear he was still a safe crazy person. I had heard of axe murderers, but never washcloth murderers.

We passed the ride back to the hotel in silence; Vince seemed lost in his thoughts. He pulled up in front of the hotel, parked, and told me to wait for him. He emerged a few minutes later with a wire coat hanger and a damp washcloth. He tossed them into the back seat. “This should work,” he said, sliding into his seat and closing the doors. I was afraid to ask. Pulling away from the hotel, he continued. “I should be able to get in with these.”

I gave him a look. I can’t exactly say what the look was, but I imagine it was somewhere between “I’ve had an unpleasant olfactory encounter” and “There’s a tarantula on your head.” Either way, I was pretty convinced he’d lost his mind or had it stolen by aliens. I pretended not to hear him. He continued anyhow.

“Every building has to have exits,” he said. “Federal law dictates that in the case of an emergency, exit doors must operate from the inside out without the user having any prior knowledge of its operation.” I blinked and looked up at the sky through the windshield. I wondered if the aliens were coming for me next. “Furthermore, the exit must not require the use of any key or special token. Exit doors are therefore very easy to get out of.”

“This has something to do with that door we were looking at, doesn’t it?” I asked. The words surprised me. Vince and I were close to the same operating frequency.

He looked at me, and then I knew what my look looked like. I instinctively swatted at the tarantula that I could practically feel on my head. “This has everything to do with that door,” he said, looking out the front window and hanging a left. We were headed back to the site. “The front door of that facility,” he continued, “is formidable. It uses a very heavy-duty magnetic bolting system. My guess is that it would resist the impact of a 40-mile-an-hour vehicle. The doors are very thick, probably shielded, and the prox system is expensive.”

“But you have a washcloth,” I said. I couldn’t resist.

“Exactly. Did you notice the exit mechanism on the door?”

I hadn’t, and bluffing was out of the question. “No,” I admitted.

“You need to notice everything,” he said, pausing to glare at me. I nodded and he continued. “The exit mechanism is a silver-colored metal bar about waist-high.”

I took my shot. “Oh, right. A push bar.” The term sounded technical enough.

“No, not a push bar.” Access denied. “The bar on that door is touch-sensitive. It doesn’t operate by pressure; it operates when it senses it has been touched. Very handy in a fire.” We pulled through the site’s gate and parked. Vince unbuckled and grabbed the hanger and the washcloth from the back seat. He had untwisted the hanger, creating one long straight piece of strong, thin wire. He folded it in half, laid the washcloth on one end and folded the end of the hanger around it, then bent the whole thing to form a funny 90-degree-angled white washcloth flag. I smartly avoided any comment about using it to surrender to the guards. “Let’s go,” he said.

We walked to the front door. It was nearly 6:00 P.M. and very few employees were around. He walked up to the door, jammed the washcloth end of the hangar between the doors at waist height and started twisting the hanger around. I could hear the washcloth flopping around on the other side of the door. Within seconds, I heard a muffled cla-chunk and Vince pulled the door open and walked inside. I stood there gawking at the door as it closed behind him. The door reopened, and Vince stuck his head out. “You coming?”

The customer brief was a thing to behold. After the millions of dollars they had spent to secure that building, they learned that the entire system had been defeated with a washcloth and a wire coat hanger, all for want of a $50 gap plate for the door. The executives were incredulous and demanded proof, which Vince provided in the form of a field trip. I never learned what happened as a result of that demonstration, but I will never forget the lesson I learned: the simplest solutions are often the most practical.

Sure we could have messed with the prox system, figured out the magnetic tolerances on the lock or scaled the walls and used our welding torches—just like in the movies—to cut a hole in the ceiling, but we didn’t have to. This is the essence of no-tech hacking. It requires technical knowledge to reap the full benefit of a no-tech attack, but technical knowledge is not required to repeat it. Worst of all, despite the simplicity, a no-tech attack is perhaps the most deadly and misunderstood.

Through the years, I’ve learned to follow Vince’s advice. I now notice everything and I try to keep complicated thinking reigned in. Now, I’m hardly ever off duty. I constantly see new attack vectors, the most dangerous of which can be executed by anyone possessing the will to do so.