AP Cybersecurity Unit 2 Review

2.2 Physical Vulnerabilities and Attacks

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

Think about every cool heist movie you've seen. The thieves rarely hack their way past lasers from a van across the street. They walk in. They smile at the receptionist. They wear a fake badge. Physical attacks work the same way in real life, and they're often way easier than breaking encryption or guessing passwords. This topic is all about how adversaries use the physical world to compromise systems, what vulnerabilities they exploit, and how to size up the risk.

Common Physical Attacks

Most physical attacks start with social engineering, which means manipulating people instead of machines. Humans are polite, trusting, and helpful by default, and adversaries take advantage of that. Even the best locks and cameras can't help if someone holds the door open for a stranger carrying a pizza box.

Here are the main physical attacks you need to know.

Piggybacking

Piggybacking is when an adversary uses social engineering to trick an authorized person into letting them into a restricted area. The key word is trick. The authorized person actively grants access because they think the adversary belongs there.

Common piggybacking moves:

  • Carrying something bulky (boxes, coffee trays, a ladder) so an employee feels obligated to hold the door open
  • Pretending to be an employee who forgot their badge ("Ugh, I left it on my desk, can you let me in real quick?")
  • Posing as a maintenance worker, electrician, or HVAC tech who needs to "check something"

Tailgating

Tailgating is similar but sneakier. Here, the adversary slips into a restricted area by following closely behind an authorized person without that person knowing. No conversation, no social engineering. You badge in, the door starts closing, and someone catches it behind you before it locks.

The difference to remember: piggybacking involves consent (you were tricked into helping). Tailgating involves no consent (they snuck in behind you).

Shoulder Surfing

Shoulder surfing is exactly what it sounds like. An adversary watches you while you type a password, enter a PIN at an ATM, or pull up sensitive info on your screen. They might be standing behind you in line, sitting at the next table in a coffee shop, or even using a small camera to record you so they can replay it later and grab the details.

This one is easy to underestimate because it feels low-tech, but a single observed password can unlock an entire account.

Dumpster Diving

Dumpster diving means literally going through someone's trash to find useful information. Adversaries look for:

  • Printed emails or memos
  • Old invoices with account numbers
  • Sticky notes with passwords
  • Org charts that reveal who works where
  • Discarded hard drives or USB drives

Anything that ends up in the trash without being shredded or wiped is fair game.

Card Cloning

Card cloning is when an adversary copies an authorized user's access card (the kind you tap or swipe to open a door). Once cloned, the adversary has the same access as the real user. Modern RFID badges can be scanned from a short distance with a hidden reader, so an attacker could clone your badge just by standing close to you in an elevator.

How Threats Exploit Physical Vulnerabilities

Before you can defend a space, you need to understand the terms.

Threats are anything that could cause harm. That includes human adversaries (thieves, spies, disgruntled employees) but also natural disasters like floods, fires, earthquakes, and hurricanes. A server room doesn't care whether it's destroyed by a burglar with a hammer or a burst water pipe. Either way, the data is gone.

Vulnerabilities are the weaknesses or flaws that a threat can take advantage of. An unlocked door is a vulnerability. An exposed USB port is a vulnerability. A server room with no fire suppression is a vulnerability.

When a threat successfully exploits a vulnerability, you get a compromise. Common compromises include:

  • Unauthorized access to sensitive data or restricted physical spaces
  • Disruption of services
  • Theft or destruction of digital or physical resources
  • Unauthorized modification of data

Disrupting Power

If a device has no power, it can't do its job. Adversaries who want to take a system offline don't always need to hack it. They can just kill the electricity. Ways to disrupt power include:

  • Flipping or damaging fuses and breakers in an electrical box
  • Unplugging or cutting electrical wiring
  • Damaging larger infrastructure like substations and transformers

A hospital that loses power to its servers can't access patient records. An online store whose data center goes dark can't process orders. Power is a single point of failure that's surprisingly easy to attack physically.

Stealing or Copying Sensitive Information

Once an adversary is inside a space with sensitive info, the damage can be huge. They might photograph documents, grab a laptop off a desk, snap pictures of a whiteboard, or copy files onto a thumb drive. The actual time they need to be inside might only be a few minutes.

Direct Access to Devices and Ports

This is where physical access gets really dangerous. If an adversary can touch a computer's ports, they can:

  • Plug in a keylogger, a small device that records every keystroke (including passwords)
  • Insert a USB drive loaded with malware that runs automatically
  • Connect external storage to copy huge amounts of data quickly
  • Destroy the device with physical force, taking the data and any services it provided down with it

A laptop with exposed USB ports sitting at an unattended desk is a serious risk, even if the building has a locked front door.

Why Physical Access Beats Technical Controls

Here's the big idea behind this whole topic: physical access to a device often lets an adversary bypass technical controls entirely. You can have the strongest firewall, the longest password, and the best encryption, but if someone walks up to your server with a screwdriver, none of that matters as much as you'd hope.

That's why assessing physical risk matters. You're looking at how exposed your important stuff is and how likely it is that something bad happens.

Assessing and Documenting Risk

Not every vulnerability is equally scary. When you assess risk, you're weighing two things: how sensitive or valuable the asset is, and how easily an adversary could reach it. Risks generally fall into three buckets.

High Risk

High risk means sensitive information or critical systems are sitting in a physical space without proper access controls. The asset is valuable and the path to reach it is wide open.

Illustrative example: A server that stores customer data is in a room with no lock, and that room is reached through an unmonitored hallway. Anybody who wanders down the hall can walk right in. Customer data is highly sensitive, so the impact would be severe if it were stolen, modified, or destroyed.

When you document this, you'd flag it as a top priority. Recommended fixes might include a locked door, badge access, cameras in the hallway, and logging who enters and exits.

Moderate Risk

Moderate risk shows up when a part of the organization that isn't itself critical is left exposed in a way that could give an adversary a foothold to reach more important systems. The asset itself isn't the prize. It's the stepping stone.

Illustrative example: An office has a reception area that anyone can walk into. Beyond reception, access is controlled with badges. The receptionist's computer connects to the internal wireless network and has exposed USB ports. An adversary could walk in, pretend to be a visitor, and quickly plug a malicious USB into the receptionist's computer. From there, they're on the internal network and might be able to reach the systems that actually matter.

The receptionist's computer isn't the target. It's the doorway. That's what makes this a moderate risk worth documenting.

Low Risk

Low risk means the asset isn't very valuable and the vulnerability probably won't be exploited. You still note it, but it's not where you spend your defense budget.

Illustrative example: Employees in a badge-access office leave their laptops on their desks when they all go to lunch together. The laptops aren't physically locked to the desks with security cables. However, the laptops don't contain sensitive data, and the office requires badge access to enter. The chance of someone slipping in and grabbing a laptop during the lunch hour is small, and even if they did, the loss would be limited to the hardware itself.

You'd probably recommend laptop cables as a cheap improvement, but it's not an urgent fix.

How to Document Risk

When you write up a physical risk assessment, you typically include:

  • The asset at risk (server, workstation, file cabinet, etc.)
  • The vulnerability (no lock, exposed USB ports, unmonitored access)
  • The threats that could exploit it (intruders, insiders, natural disasters)
  • The potential impact (data theft, service disruption, destruction)
  • The risk level (high, moderate, low)
  • Recommended mitigations

Good documentation helps an organization decide where to spend time and money, since you can't fix everything at once. The pattern is always the same: figure out what's valuable, figure out how exposed it is, and rank the problems so the worst ones get handled first.
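
The write-up and ranking described above, as an added example that is not part of the original guide. The `Finding` fields, the boolean encoding of the three buckets, and the fallback rule for a sensitive asset that is already behind access controls are assumptions made for illustration; the three entries are constructed from the illustrative examples in this guide.

```python
from dataclasses import dataclass

ORDER = {"high": 0, "moderate": 1, "low": 2}  # worst first

@dataclass
class Finding:
    asset: str
    vulnerability: str
    threats: str
    impact: str
    mitigations: str
    sensitive: bool   # asset holds sensitive data or is a critical system
    exposed: bool     # the space lacks proper access controls
    foothold: bool    # asset could be a stepping stone to more important systems

def risk_level(f: Finding) -> str:
    """Three-bucket rubric from the text, encoded as booleans (an assumption)."""
    if f.sensitive and f.exposed:
        return "high"        # valuable asset, path wide open
    if f.exposed and f.foothold:
        return "moderate"    # not the prize, but the doorway
    if f.sensitive:
        return "moderate"    # case not covered by the text; kept visible (assumption)
    return "low"

def write_up(f: Finding) -> str:
    """Render the six items a physical risk write-up typically includes."""
    rows = [("Asset", f.asset), ("Vulnerability", f.vulnerability),
            ("Threats", f.threats), ("Impact", f.impact),
            ("Risk level", risk_level(f)), ("Mitigations", f.mitigations)]
    return "\n".join(f"{label}: {value}" for label, value in rows)

def rank(findings):
    """Worst risks first; ties keep their original order (sorted is stable)."""
    return sorted(findings, key=lambda f: ORDER[risk_level(f)])

# Constructed entries based on the three illustrative examples in the text.
FINDINGS = [
    Finding("Employee laptops", "not cabled to desks", "intruders",
            "loss limited to hardware", "laptop security cables",
            sensitive=False, exposed=False, foothold=False),
    Finding("Receptionist's computer", "exposed USB ports in open reception",
            "intruders posing as visitors", "foothold on the internal network",
            "(not stated in the text)", sensitive=False, exposed=True, foothold=True),
    Finding("Customer data server", "room has no lock, hallway unmonitored",
            "intruders", "data stolen, modified, or destroyed",
            "locked door, badge access, hallway cameras, entry/exit logging",
            sensitive=True, exposed=True, foothold=False),
]

if __name__ == "__main__":
    for finding in rank(FINDINGS):
        print(write_up(finding), end="\n\n")
```
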

Vocabulary

The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

  • access token: A credential or device used by an authorized individual to gain entry to a restricted area.
  • card cloning: A physical attack where an adversary makes an unauthorized copy of an authorized user's access card to gain access to restricted resources.
  • controlled access: Security mechanisms that monitor and regulate entry to physical spaces or resources.
  • data theft: The unauthorized taking or copying of sensitive information from a system or location.
  • disruption of services: Interruption or unavailability of digital services provided by computers or network systems.
  • dumpster diving: A physical attack where an adversary searches through a target's physical trash to find information that could be used to achieve their goals.
  • foothold: An initial point of access or compromise that an adversary uses to gain entry to a system or network for further exploitation.
  • keylogger: Software or hardware that logs user keystrokes and sends the information to an adversary, often used to extract usernames and passwords.
  • malware: Malicious software designed to harm, exploit, or compromise computer systems and networks.
  • natural disasters: Uncontrolled natural events such as floods, earthquakes, or storms that can cause physical damage or destruction to computing infrastructure.
  • physical access: Direct contact with or proximity to devices and systems that can allow adversaries to bypass technical controls and security layers.
  • physical vulnerabilities: Weaknesses in physical security that allow unauthorized access to devices, systems, or sensitive information in physical spaces.
  • piggybacking: A physical attack where an adversary uses social engineering to manipulate an authorized individual into granting access to a restricted area.
  • power disruption: The interruption of electrical power to a device, rendering it and its services unavailable.
  • restricted access: Security measures that limit who can enter or use specific physical spaces or resources.
  • sensitive data: Information that requires protection from unauthorized access, such as personal credentials, financial information, or private communications.
  • shoulder surfing: A physical attack where an adversary watches a user access sensitive information, sometimes using a camera to record it for later use.
  • social engineering attacks: Attacks that employ psychological tactics to manipulate users into revealing sensitive information, downloading malicious files, or clicking on malicious links.
  • tailgating: A physical attack where an adversary gains unauthorized access to a restricted area by following closely behind an authorized individual without their awareness.
  • technical controls: Security measures implemented through technology to protect systems and data from unauthorized access.
  • threat: A potential attack or harmful action that could exploit a vulnerability.
  • unauthorized access: Gaining entry to sensitive data or restricted physical spaces without proper permission or authorization.
  • vulnerability: Weaknesses or flaws in systems, applications, or configurations that can be exploited by attackers to compromise security.
  • vulnerable asset: A resource, device, or system that has weaknesses that could be exploited by an adversary.
