04 November 2010

A simple social engineering test

I was reading something this morning that made me recall an incident that occurred last summer while I was attending The Next HOPE at the Hotel Pennsylvania in New York City.

I was away from my room for a while and as I returned, the maid was cleaning my room.  She told me that she was finishing up and it would just be a minute or two, so I figured I would just wait outside the door.  This got me thinking about the possibility of doing this outside any room.  Simply walking through the door while it was open would be an easy way to gain entry without having to worry about door locks or keycards or other forms of physical security.  Very basic social engineering, but might it actually work?  Unfortunately, as a part of my job I just don't get any opportunities to practice social engineering, so I'm more or less a novice.  So I made it a point to see if it would work on my own room; I figured what the heck, it's not as if I can get "caught" since it is my room.

In a couple of minutes, she indicated to me that she was finished, so I started to go through the door when she pulled it shut and told me that she needed me to verify my key was working before I could enter!  From the perspective of a potential attacker, this is a plan foiled.  Time to move on to another maid or another hotel.  But from my perspective, as the actual occupant of the room, I was thrilled.  I tested the key, showed her that it was indeed my room, and then personally thanked her for validating my status.

I hope that this maid checked my key because it's the hotel's policy to do so; or perhaps this woman was simply more vigilant than most.  Still, you most often read about failures to prevent social engineering.  These experiences are useful for teaching lessons, and make great stories to tell.  But it's not often that we get to read about the successes that stop social engineering attempts.  A duller story, perhaps, but a lesson learned nonetheless.
