🔒AP Cybersecurity Unit 2 Review

2.2 Physical Vulnerabilities and Attacks

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

TLDR

Physical attacks let adversaries reach devices and data in person, often by manipulating people instead of breaking through technical defenses. In AP Cybersecurity you need to identify common physical attacks like piggybacking, tailgating, shoulder surfing, dumpster diving, and card cloning, explain how threats exploit physical vulnerabilities, and rank those vulnerabilities as high, moderate, or low risk.

Why This Matters for the AP Cybersecurity Exam

This topic builds the adversarial thinking that runs through all of Unit 2. Securing a physical space is the first layer of defense because someone with physical access to a device can often skip past firewalls, passwords, and encryption.

When you can name a physical attack, connect a threat to the vulnerability it exploits, and judge how serious the risk is, you are practicing the exact reasoning the AP Cybersecurity course wants: spot the weakness, predict how an adversary would use it, and decide what to protect first. These skills carry directly into the next topics on protecting and detecting physical attacks.

Key Takeaways

  • Most physical attacks start with social engineering, which targets trusting, helpful people rather than machines.
  • Piggybacking, tailgating, shoulder surfing, dumpster diving, and card cloning are the named physical attacks to recognize and tell apart.
  • Threats include human adversaries and natural disasters; vulnerabilities are the weaknesses those threats exploit to cause a compromise.
  • Physical access to a device can bypass many technical controls, so an unlocked door can undo strong digital security.
  • Risk is judged by combining how valuable an asset is with how easily an adversary could reach it, then ranking it high, moderate, or low.

Common Physical Attacks

Most physical attacks start with social engineering, which means manipulating people instead of machines. People tend to be polite, trusting, and helpful by default, and adversaries take advantage of that. Even strong locks and cameras cannot help if someone holds the door open for a stranger carrying a pizza box.

Here are the main physical attacks to know.

Piggybacking

Piggybacking is when an adversary uses social engineering to trick an authorized person into letting them into a restricted area. The key word is trick. The authorized person actively grants access because they think the adversary belongs there.

Common piggybacking moves:

  • Carrying something bulky (boxes, coffee trays, a ladder) so an employee feels obligated to hold the door open
  • Pretending to be an employee who forgot their badge ("I left it on my desk, can you let me in real quick?")
  • Posing as a maintenance worker, electrician, or HVAC tech who needs to check something

Tailgating

Tailgating is similar but sneakier. Here, the adversary slips into a restricted area by following closely behind an authorized person without that person knowing. No conversation, no manipulation. You badge in, the door starts closing, and someone catches it behind you before it locks.

The difference to remember: piggybacking involves consent, since you were tricked into helping. Tailgating involves no consent, since they snuck in behind you.

Shoulder Surfing

Shoulder surfing is exactly what it sounds like. An adversary watches you while you type a password, enter a PIN at an ATM, or pull up sensitive info on your screen. They might be standing behind you in line, sitting at the next table in a coffee shop, or even using a small camera to record you so they can replay it later and grab the details.

This one is easy to underestimate because it feels low-tech, but a single observed password can unlock an entire account.

Dumpster Diving

Dumpster diving means going through someone's trash to find useful information. Adversaries look for:

  • Printed emails or memos
  • Old invoices with account numbers
  • Sticky notes with passwords
  • Org charts that reveal who works where
  • Discarded hard drives or USB drives

Anything that ends up in the trash without being shredded or wiped is fair game.

Card Cloning

Card cloning is when an adversary copies an authorized user's access card, the kind you tap or swipe to open a door. Once cloned, the adversary has the same access as the real user. Some RFID badges can be scanned from a short distance with a hidden reader, so an attacker could copy a badge just by standing close to someone.

How Threats Exploit Physical Vulnerabilities

Before you can defend a space, you need to be clear on the terms.

Threats are anything that could cause harm. That includes human adversaries (thieves, spies, disgruntled employees) but also natural disasters like floods, fires, earthquakes, and hurricanes. A server room does not care whether it is harmed by a burglar with a hammer or a burst water pipe. Either way, the data is gone.

Vulnerabilities are the weaknesses or flaws that a threat can take advantage of. An unlocked door is a vulnerability. An exposed USB port is a vulnerability. A server room with no fire suppression is a vulnerability.

When a threat successfully exploits a vulnerability, you get a compromise. Common compromises include:

  • Unauthorized access to sensitive data or restricted physical spaces
  • Disruption of services
  • Theft or destruction of digital or physical resources
  • Unauthorized modification of data

Disrupting Power

If a device has no power, it cannot do its job. Adversaries who want to take a system offline do not always need to hack it. They can just cut the electricity. Ways to disrupt power include:

  • Flipping or damaging fuses and breakers in an electrical box
  • Unplugging or cutting electrical wiring
  • Damaging larger infrastructure like substations and transformers

A hospital that loses power to its servers cannot access patient records. An online store whose data center goes dark cannot process orders. Power is a single point of failure that is surprisingly easy to attack physically.

Stealing or Copying Sensitive Information

Once an adversary is inside a space with sensitive info, the damage can be huge. They might photograph documents, grab a laptop off a desk, snap pictures of a whiteboard, or copy files onto a thumb drive. The time they need to be inside might only be a few minutes.

Direct Access to Devices and Ports

This is where physical access gets really dangerous. If an adversary can touch a computer's ports, they can:

  • Plug in a keylogger, a small device that records every keystroke (including passwords)
  • Insert a USB drive loaded with malware
  • Connect external storage to copy large amounts of data quickly
  • Harm the device with physical force, taking the data and any services it provided down with it

A laptop with exposed USB ports sitting at an unattended desk is a serious risk, even if the building has a locked front door.

Why Physical Access Beats Technical Controls

The big idea behind this whole topic: physical access to a device often lets an adversary bypass technical controls entirely. You can have a strong firewall, a long password, and solid encryption, but if someone walks up to your server with a screwdriver, none of that protects you the way you would hope.

That is why assessing physical risk matters. You are looking at how exposed your important assets are and how likely it is that something bad happens.

Assessing and Documenting Risk

Not every vulnerability is equally serious. When you assess risk, you weigh two things: how sensitive or valuable the asset is, and how easily an adversary could reach it. Risks generally fall into three levels.

High Risk

High risk means sensitive information or critical systems are sitting in a physical space without proper access controls. The asset is valuable and the path to reach it is wide open.

Example: A server that stores customer data is in a room with no lock, and that room is reached through an unmonitored hallway. Anyone who wanders down the hall can walk right in. Customer data is highly sensitive, so the impact would be severe if it were stolen, modified, or harmed.

When you document this, you would flag it as a top priority. Possible fixes include a locked door, badge access, cameras in the hallway, and logging who enters and exits.

Moderate Risk

Moderate risk shows up when a part of the organization that is not itself critical is left exposed in a way that could give an adversary a foothold to reach more important systems. The asset itself is not the prize. It is the stepping stone.

Example: An office has a reception area that anyone can walk into. Beyond reception, access is controlled with badges. The receptionist's computer connects to the internal wireless network and has exposed USB ports. An adversary could walk in, pretend to be a visitor, and quickly plug a malicious USB into the receptionist's computer. From there, they are on the internal network and might be able to reach the systems that actually matter.

The receptionist's computer is not the target. It is the doorway. That is what makes this a moderate risk worth documenting.

Low Risk

Low risk means the asset is not very valuable and the vulnerability probably will not be exploited. You still note it, but it is not where you spend your defense budget.

Example: Employees in a badge-access office leave their laptops on their desks when they all go to lunch together. The laptops are not physically locked to the desks with security cables. However, the laptops do not contain sensitive data, and the office requires badge access to enter. The chance of someone slipping in and grabbing a laptop during the lunch hour is small, and even if they did, the loss would be limited to the hardware itself.

You might recommend laptop cables as a cheap improvement, but it is not an urgent fix.

How to Document Risk

When you write up a physical risk assessment, you typically include:

  • The asset at risk (server, workstation, file cabinet, and so on)
  • The vulnerability (no lock, exposed USB ports, unmonitored access)
  • The threats that could exploit it (intruders, insiders, natural disasters)
  • The potential impact (data theft, service disruption, destruction)
  • The risk level (high, moderate, low)
  • Recommended mitigations

Good documentation helps an organization decide where to spend time and money, since you cannot fix everything at once. The pattern is always the same: figure out what is valuable, figure out how exposed it is, and rank the problems so the worst ones get handled first.
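
A worked version of this write-up, added here as an example and not part of the original guide: a small risk register in Python that records the six fields listed above for the guide's three scenarios, derives each level from asset value and ease of reach, and sorts the worst first. The field names, the yes/no inputs, and the rating given to a sensitive asset that sits behind working controls are assumptions of this example.

```python
from dataclasses import dataclass, field

ORDER = {"high": 0, "moderate": 1, "low": 2}  # worst first

def rate(sensitive: bool, easy_to_reach: bool, foothold: bool) -> str:
    """Combine asset value with ease of reach, as the guide's three levels do."""
    if sensitive and easy_to_reach:
        return "high"          # valuable asset, open path to it
    if foothold and easy_to_reach:
        return "moderate"      # not the prize, but a stepping stone
    if sensitive or foothold:
        # Assumption (not from the guide): an asset that matters but sits
        # behind working access controls stays on the list as moderate.
        return "moderate"
    return "low"               # limited value, unlikely to be exploited

@dataclass
class RiskEntry:
    asset: str
    vulnerability: str
    threats: list
    impact: str
    mitigations: list
    sensitive: bool            # holds sensitive data or runs a critical system
    easy_to_reach: bool        # reachable without passing an access control
    foothold: bool = False     # compromise opens a path to more important systems
    level: str = field(init=False)

    def __post_init__(self):
        self.level = rate(self.sensitive, self.easy_to_reach, self.foothold)

def prioritize(entries):
    """Return entries worst-first; ties keep their original order."""
    return sorted(entries, key=lambda e: ORDER[e.level])

# The guide's three scenarios, entered in an arbitrary order.
REGISTER = [
    RiskEntry("Employee laptops", "not cabled to desks", ["intruder"],
              "loss of hardware", ["laptop security cables"],
              sensitive=False, easy_to_reach=False),
    RiskEntry("Receptionist's computer", "exposed USB ports in a public area",
              ["visitor with a malicious USB"], "access to the internal network",
              [],  # the guide names no mitigation for this scenario
              sensitive=False, easy_to_reach=True, foothold=True),
    RiskEntry("Customer data server", "no lock, unmonitored hallway",
              ["intruder"], "data stolen, modified, or harmed",
              ["locked door", "badge access", "hallway cameras", "entry/exit logging"],
              sensitive=True, easy_to_reach=True),
]

def report(entries):
    """One line per entry: level, asset, vulnerability, first mitigation."""
    return [f"{e.level.upper():8} {e.asset}: {e.vulnerability} -> "
            f"{e.mitigations[0] if e.mitigations else 'mitigation to be decided'}"
            for e in prioritize(entries)]

if __name__ == "__main__":
    print("\n".join(report(REGISTER)))
```

Changing one input, such as setting easy_to_reach to False for the server once the door is locked, shows how a mitigation moves an entry down the list.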

How to Use This on the AP Cybersecurity Exam

Identifying Attacks

Be ready to match a short scenario to the correct attack name. The cleanest way to tell them apart:

  • Piggybacking: the authorized person is tricked into granting access (involves social engineering and consent).
  • Tailgating: the adversary slips in behind someone without that person noticing (no consent).
  • Shoulder surfing: the adversary watches or records someone entering sensitive info.
  • Dumpster diving: the adversary searches discarded materials for useful information.
  • Card cloning: the adversary copies an access card to gain the same access as the real user.

Connecting Threats to Vulnerabilities

When a prompt describes a setup, practice naming the vulnerability, the threat that could exploit it, and the compromise that would result. For example, an exposed USB port (vulnerability) lets an intruder (threat) plug in a keylogger or malware (compromise). Keep threats and vulnerabilities separate in your wording, since they are different ideas.

Assessing Risk

If you are asked to assess a physical vulnerability, justify your rating using both factors: the value or sensitivity of the asset and how easy it is to reach. Saying "high risk because sensitive customer data is stored behind an unlocked door in an unmonitored hallway" is stronger than just naming the level. Pair your rating with a mitigation that actually matches the vulnerability.

Common Trap

Do not assume strong digital security cancels out a physical weakness. A long password and a firewall do not help if an adversary has hands-on access to the device, so always check the physical layer first.

Common Misconceptions

  • Piggybacking and tailgating are not the same. Piggybacking uses social engineering so the authorized person knowingly grants access; tailgating means slipping in unnoticed with no consent.
  • Threats and vulnerabilities are different. A threat is what could cause harm (an intruder or a flood), while a vulnerability is the weakness that lets it happen (an unlocked door).
  • Threats are not only human. Natural disasters like fires, floods, and earthquakes count as threats because they can damage devices and disrupt services.
  • Strong technical controls do not cover physical gaps. Encryption and firewalls do not stop someone who can physically touch the device.
  • Risk level is not based on asset value alone. You combine how valuable the asset is with how likely the vulnerability is to be exploited, which is why an exposed but low-value laptop can still be low risk.

Vocabulary

The following words are mentioned explicitly in the AP® course framework for this topic.

  • access token: A credential or device used by an authorized individual to gain entry to a restricted area.
  • card cloning: A physical attack where an adversary makes an unauthorized copy of an authorized user's access card to gain access to restricted resources.
  • controlled access: Security mechanisms that monitor and regulate entry to physical spaces or resources.
  • data theft: The unauthorized taking or copying of sensitive information from a system or location.
  • disruption of services: Interruption or unavailability of digital services provided by computers or network systems.
  • dumpster diving: A physical attack where an adversary searches through a target's physical trash to find information that could be used to achieve their goals.
  • foothold: An initial point of access or compromise that an adversary uses to gain entry to a system or network for further exploitation.
  • keylogger: Software or hardware that logs user keystrokes and sends the information to an adversary, often used to extract usernames and passwords.
  • malware: Malicious software designed to harm, exploit, or compromise computer systems and networks.
  • natural disasters: Uncontrolled natural events such as floods, earthquakes, or storms that can cause physical damage or destruction to computing infrastructure.
  • physical access: Direct contact with or proximity to devices and systems that can allow adversaries to bypass technical controls and security layers.
  • physical vulnerabilities: Weaknesses in physical security that allow unauthorized access to devices, systems, or sensitive information in physical spaces.
  • piggybacking: A physical attack where an adversary uses social engineering to manipulate an authorized individual into granting access to a restricted area.
  • power disruption: The interruption of electrical power to a device, rendering it and its services unavailable.
  • restricted access: Security measures that limit who can enter or use specific physical spaces or resources.
  • sensitive data: Information that requires protection from unauthorized access, such as personal credentials, financial information, or private communications.
  • shoulder surfing: A physical attack where an adversary watches a user access sensitive information, sometimes using a camera to record it for later use.
  • social engineering attacks: Attacks that employ psychological tactics to manipulate users into revealing sensitive information, downloading malicious files, or clicking on malicious links.
  • tailgating: A physical attack where an adversary gains unauthorized access to a restricted area by following closely behind an authorized individual without their awareness.
  • technical controls: Security measures implemented through technology to protect systems and data from unauthorized access.
  • threat: A potential attack or harmful action that could exploit a vulnerability.
  • unauthorized access: Gaining entry to sensitive data or restricted physical spaces without proper permission or authorization.
  • vulnerability: Weaknesses or flaws in systems, applications, or configurations that can be exploited by attackers to compromise security.
  • vulnerable asset: A resource, device, or system that has weaknesses that could be exploited by an adversary.

Frequently Asked Questions

What is the difference between piggybacking and tailgating in AP Cybersecurity?

Piggybacking involves social engineering, where an adversary tricks an authorized person into knowingly granting them access to a restricted area. Tailgating is when an adversary slips into a restricted area by following closely behind an authorized person without that person's awareness or consent.

What are the physical attacks students need to know for AP Cybersecurity 2.2?

The five named physical attacks in topic 2.2 are piggybacking, tailgating, shoulder surfing, dumpster diving, and card cloning. Most of these attacks rely on social engineering, which targets people's trust and helpfulness rather than technical systems.

How do you assess high, moderate, and low physical risk in AP Cybersecurity?

Risk level is determined by combining how sensitive or valuable an asset is with how easily an adversary could reach it. High risk means sensitive systems are exposed without proper access controls, moderate risk means a less critical asset could serve as a foothold to reach more important systems, and low risk means the asset has limited value and the vulnerability is unlikely to be exploited.

Why is physical access to a device considered so dangerous in cybersecurity?

Physical access to a device can allow an adversary to bypass many technical controls like firewalls, passwords, and encryption. With direct access to a device's ports, an adversary can plug in a keylogger, insert malware via an external drive, copy data, or physically destroy the device entirely.

What counts as a threat versus a vulnerability in AP Cybersecurity 2.2?

Threats are anything that could cause harm, including human adversaries and natural disasters like floods or fires. Vulnerabilities are the weaknesses or flaws that a threat can exploit, such as an unlocked door or an exposed USB port, and when a threat successfully exploits a vulnerability the result is a compromise.
