
An intrusion pro reveals his arsenal
AI Summary
In this detailed discussion, professional intrusion tester Alexandre reveals the hidden vulnerabilities of physical security systems. While most people feel secure behind armored doors and complex locks, Alexandre’s job is to prove that almost any barrier can be bypassed. He is hired by banks, data centers, and large corporations to test their defenses by infiltrating server rooms and executive offices. His work demonstrates that security is rarely absolute; rather, it is a matter of how much time and effort an intruder is willing to expend.
**The Mechanics of Lockpicking**
Alexandre explains that lockpicking relies on the inherent manufacturing imperfections of locks. In theory, all pins in a lock should align perfectly to allow it to turn, but in reality, there are tiny discrepancies. By applying slight rotational tension with a "tension tool" and using a "pick" to lift individual pins, an intruder can feel which pin is binding and set it into place. Alexandre notes that basic picking techniques can open approximately 30% to 40% of the locks currently used in France. However, he clarifies that while many things can be opened, it is not always easy or fast. High-quality armored doors and multi-point locks are still valuable because they force an intruder to spend more time and use more sophisticated methods, increasing the chance of detection.
**Vulnerabilities in Padlocks and Key Boxes**
The conversation moves to common security hardware like padlocks and key boxes, which Alexandre describes as often having significant flaws. Many padlocks have a design defect where there is excess space in the lower part of the mechanism. This allows for a technique called "combing," where a specialized tool pushes all the pins simultaneously into the upper chamber, bypassing the need for a specific key combination. Even high-tech electronic padlocks, such as those using fingerprints, are susceptible to "shimming"—a method where a thin piece of metal is slid into the latch to retract it directly, completely ignoring the electronic security layer.
Key boxes, frequently used for property rentals, are also criticized. Alexandre argues they increase the "attack surface" by placing the key right next to the door it protects. He demonstrates how a thin metal blade can be used to feel the internal rotation of the code wheels. By identifying "flat spots" on the internal axle, an intruder can decode the combination in seconds. He advises clients to remove these boxes or switch to high-end, recessed models that use vault-like mechanisms which are much harder to manipulate.
**The Danger of Digital Footprints**
One of the most modern and overlooked security risks is the habit of posting photos of keys on social media. Alexandre warns that a key is essentially a physical password. Using a proof-of-concept app called "Key Decoder," he demonstrates how a simple photograph can be used to replicate a key with extreme precision. By using a standard item like a credit card in the photo as a scale reference, the app can measure the depth of the key's cuts to within a tenth of a millimeter. This is well within the tolerance levels of most locks. He recounts a real mission where he decoded a hotel’s master key from a distance, then fashioned a functional replica out of a plastic sheet using a simple hole punch.
**Advanced Intrusion and Social Engineering**
Physical security is as much about psychology as it is about hardware. Alexandre explains that having a physical key provides an intruder with immediate "hierarchical authority." In an office environment, employees rarely question someone who has a key, assuming they must be a high-level manager or authorized personnel. He describes the "noise" strategy used in his missions, where he intentionally triggers alarms or acts out "rocambolesque" scenarios—like delivering a Christmas tree—to test how staff react under pressure. The goal is to create a learning experience for the company, showing them that "security through obscurity" is a failed concept.
He also showcases the "under-the-door" tool, a simple wire used to grab the internal door handle from the outside. This tool bypassed a €10,000 high-security door because the system was designed to monitor entries via badges but ignored exits. By pulling the internal handle, the intruder makes the system believe someone is simply leaving, which does not trigger alarms or cameras.
**Electronic Tools and Impressioning**
The discussion concludes with high-tech tools like the Flipper Zero and the "impressioning" technique. The Flipper Zero can be used to analyze and replay unencrypted radio signals from security guard walkie-talkies. In a real scenario, an intruder could record a guard saying "all clear" and replay it later to mask an actual intrusion.
Finally, Alexandre demonstrates "impressioning," which he considers the pinnacle of lock manipulation. This involves using a specialized tool with movable "elevators" that adjust themselves as the tool is wiggled inside the lock. Within minutes, the tool takes the shape of the actual key, allowing the intruder to not only open the door but also walk away with a functional template for a permanent key. This method is highly reliable and eliminates the uncertainty associated with traditional picking. Ultimately, Alexandre emphasizes that true security requires constant vigilance, investment in high-quality hardware, and a move away from predictable, easily bypassed systems.