The Attack that Started in the Home Office
Summer 2023. Somewhere in Las Vegas. A security researcher sits in front of his laptop—no tools in hand, no badge, no clipboard. Just a browser, a few specialized search operators, and a LinkedIn account. Target: A Fortune 500 company. Time limit: 72 hours until the scheduled on-site engagement.
What he finds is staggering. Complete org charts through LinkedIn connections. The names of the security guards, mentioned by name in a Glassdoor review. Photos of the reception desk—posted by the marketing team on Instagram. Two exposed Building Management Systems on Shodan, reachable without any authentication. And a job posting for a security engineer that names the access control system used, including its version number.
Before he even sets foot out the door, he has created a complete Attack Surface Map. The subsequent on-site engagement takes less than four hours.
This sequence is not an isolated incident. It is the standard operating procedure in modern Red Team engagements—and it always begins where you least expect it: on the public internet.
A comparable approach has become known to wider circles since the Cloudflare security incident of 2022: attackers targeted employee structures and location data via OSINT to initiate SIM swapping attacks—as a precursor to deeper compromises.
Why Traditional Access Control Fails Here
The paradigm of physical security is based on a simple axiom: Control the access points. Revolving doors, card readers, security personnel. Those who overcome these barriers are in. Those who don't—aren't.
This model has a blind spot: it only begins at the door. An attacker begins weeks earlier.
Digital reconnaissance is not a new technique—but it has changed dramatically in the last five years. Social media, professional networks, review platforms, and IoT search engines have created a public data landscape that was previously only available to state actors. Today, anyone who is serious uses it.
The problem isn't that attackers have become cleverer. The problem is that companies publish their own attack surface online—through job ads, social media, employee profiles, and forgotten IoT devices.
The Anatomy of a Remote Recon Attack
Professional Red Teams follow a structured Kill Chain. Each phase provides data that refines the next phase—until the picture is complete.
Phase 1 – LinkedIn as an Org Chart Substitute
LinkedIn is one of the most valuable OSINT tools for attackers. Not because it contains vulnerabilities—but because employees voluntarily share information that would be considered confidential in any other context.
- Complete Departmental Structure: Who is the CISO? Who is the facility manager? Who is new to the company—and therefore easier to manipulate?
- Technology Stack: Skills fields often name specific systems: "Lenel S2", "Genetec", "Honeywell Pro-Watch".
- Commuter Patterns: Check-ins, comments on delays, and location data in posts reveal when which employees are where.
- Direct Contact Points: Who works at the reception? Who is responsible for visitor registration?
# From company name to full personnel tree
Target: ACME Corp London
Transforms: LinkedIn → Employees → Roles → Departments
Output: 18 employees, 4 security-relevant roles,
2 shift leads identified (posts with timestamps)
Phase 2 – Shodan and the Forgotten Devices
Shodan is a search engine for the Internet of Things—and for physical security teams, it’s one of the most dangerous tools in existence.
Building Management Systems (BMS/BAS) control access controls, HVAC, elevators, and alarm systems. In many companies, they are directly or indirectly connected to the internet—often as forgotten legacies following network restructuring.
# Typical queries for exposed BMS
Query: "BACnet" city:"London" port:47808
Query: "Niagara" http.title:"Tridium" org:"[TARGET]"
Query: product:"Honeywell" "Access Control" country:UK
→ Results: IP addresses, firmware versions, known CVEs
What an attacker gains in this phase is not necessarily direct access—but precise knowledge: What technology is installed? What firmware version is running? Are there known CVEs? This knowledge defines the attack strategy for the on-site engagement.
Phase 3 – Google Dorks and Visitor Registration
Many companies use cloud-based visitor registration systems. Some are indexed via Google due to incorrect configuration. What this means: An attacker can view visitor lists, extract employee names from greeting emails, or find valid appointments to use for signing in on a clipboard.
site:envoy.com OR site:greetly.com "[Company Name]"
intitle:"Visitor Sign-In" "London"
filetype:pdf "visitor log" "[Target Company]"
→ Potential results: Names, departments, appointment purposes
Phase 4 – Google Street View as a Reconnaissance Tool
Street View allows for a complete external survey of the target without a physical presence. Combined with satellite data (Google Earth, Bing Maps), an attacker maps the entire perimeter:
- Camera Angles and Blind Spots: Where are external cameras mounted? Which areas are not covered?
- Entrances and Emergency Exits: Main entrance, delivery entrance, smoking area—a classic social engineering entry point.
- Perimeter Vulnerabilities: Where do fences run? Are there gaps? Where do employees park?
- Signage: Hints at installed systems, such as "Secured by [Manufacturer]".
The smoking area is not a security problem—it is a physical social engineering vector. Employees open the door for someone who is "just going out for a quick smoke." No badge check, no verification. This exact area is visible on Street View—and is planned into every serious engagement.
Phase 5 – Data Brokers, Geofencing, and Commuter Patterns
Advanced attackers use commercially available geofencing data to reconstruct movement patterns. Which mobile devices appear regularly at the location at 07:45 AM? This data is legally available for purchase—and allows for the mapping of shift schedules.
Furthermore, Glassdoor and Kununu reviews provide an often underestimated intelligence channel: employees describe the security culture, frustration points with internal processes, and the leadership style of security personnel. Information that flows directly into the pretext design.
OSINT Vectors: Risk Matrix for Security Professionals
| Source | Information Gained | Risk | Mitigatable? |
|---|---|---|---|
| LinkedIn | Org charts, technologies, shift plans | HIGH | Partially |
| Shodan / Censys | Exposed BMS, CVEs, firmware versions | HIGH | Yes |
| Job Ads | Systems used, version numbers | HIGH | Yes |
| Google Street View | Camera angles, entrances, perimeter | MEDIUM | No |
| Glassdoor / Kununu | Security culture, process weaknesses | MEDIUM | Partially |
| Social Media | Interior shots, badge photos, layouts | MEDIUM | Yes |
| Data Brokers | Movement patterns, shift schedules | MEDIUM | Limited |
| Visitor Management (public) | Employee names, appointment structures | LOW | Yes |
How to Reduce Your Digital Attack Surface
The good news: Most OSINT exposure is avoidable. It doesn't arise from attacks—but from internal processes that didn't have security as a criterion. This means it can be addressed through policy changes without major investment.
Immediate Actions (Quick Wins)
- Shodan Self-Scan: Scan your own IP range on Shodan and Censys. Any exposed BMS or OT device must be immediately placed behind a firewall or disconnected.
- Clean up Job Ads: Remove all references to specific product names, version numbers, or manufacturers. "Experience with access control systems" is sufficient.
- Social Media Policy: Interior shots of the office, close-ups of badges, and photos of tech racks have no place on Instagram. Written policy + awareness training.
- Audit Visitor Registration: Ensure that no cloud-based visitor management data is publicly indexed. Google Dork test: site:[provider.com] "[your company name]"
- LinkedIn Visibility Settings: Define which company information may be visible in employee profiles—especially critical for roles with physical security access.
Medium-term Actions (30–90 Days)
- Conduct OSINT Self-Audit: Commission a Red Team or conduct structured internal reconnaissance. What can an attacker find about you in 48 hours?
- BMS Segmentation: Building Management Systems belong in an isolated OT network without a direct internet connection. Internet-exposed BACnet/IP and Niagara installations are among the most common findings.
- Awareness Training with OSINT Focus: Training should explicitly show what information employees unconsciously disclose—using real screenshots from your own company.
- Physical Security Review: Combine OSINT findings with a physical walkthrough. Do the identified vulnerabilities align with what an auditor confirms on-site?
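As an added defender-side example (not part of the original article), the following Python check supports the Shodan self-scan and BMS segmentation points above: it reads firewall log lines and flags any building-automation port that was accepted from a non-RFC1918 source, which is direct evidence that a BMS is reachable from the internet. The log format, the sample lines and the Niagara Fox port numbers are assumptions made for this example; BACnet/IP on 47808/udp is the port named in the article.

```python
import ipaddress
import re
from collections import defaultdict

# Building-automation ports that should never be reachable from the internet.
# 47808/udp is BACnet/IP (as in the article); 1911 and 4911 are assumed here to be
# the Tridium Niagara Fox and Fox-over-TLS ports (verify against your installation).
OT_PORTS = {
    ("udp", 47808): "BACnet/IP",
    ("tcp", 1911): "Niagara Fox",
    ("tcp", 4911): "Niagara Fox (TLS)",
}

# Anything outside RFC1918 space is treated as an internet source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical firewall log format (constructed for this example):
# <timestamp> action=<ACCEPT|DROP> proto=<tcp|udp> src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

def is_external(ip: str) -> bool:
    """True if the address is not in any RFC1918 range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_bms(log_lines):
    """Return {(dst_ip, protocol_name): [external src_ips]} for OT ports accepted from outside."""
    findings = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        key = (m["proto"].lower(), int(m["dport"]))
        if key not in OT_PORTS or m["action"].upper() != "ACCEPT":
            continue  # not an OT port, or the firewall already blocked it
        if is_external(m["src"]):
            findings[(m["dst"], OT_PORTS[key])].append(m["src"])
    return dict(findings)

# Constructed sample log: two exposures (lines 1 and 4), one internal BACnet flow,
# one blocked Fox attempt and one ordinary HTTPS connection that must not be flagged.
SAMPLE_LOG = [
    "2024-03-01T07:45:10Z action=ACCEPT proto=udp src=203.0.113.5 dst=10.20.0.15 dport=47808",
    "2024-03-01T07:45:12Z action=ACCEPT proto=udp src=10.20.0.40 dst=10.20.0.15 dport=47808",
    "2024-03-01T07:46:01Z action=DROP proto=tcp src=198.51.100.77 dst=10.20.0.16 dport=1911",
    "2024-03-01T07:47:30Z action=ACCEPT proto=tcp src=198.51.100.77 dst=10.20.0.16 dport=4911",
    "2024-03-01T07:48:00Z action=ACCEPT proto=tcp src=203.0.113.9 dst=10.20.0.50 dport=443",
]

if __name__ == "__main__":
    for (dst, proto), sources in find_exposed_bms(SAMPLE_LOG).items():
        print(f"EXPOSED: {proto} on {dst} accepted from {', '.join(sources)}")
```

Each hit names a BMS host that must be moved behind the firewall or into the isolated OT segment; an empty result for your own ranges is the state the Shodan self-scan should confirm.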
Physical security doesn't start at the entrance door—it starts with the question: What does an attacker already know about us before they arrive? OSINT hygiene is not an IT task. It is a company-wide security discipline.
Conclusion: The Attack Begins Online, Not at Your Door
The classic distinction between "digital" and "physical" attack is obsolete. Modern Red Teams think in Kill Chains that run seamlessly from a Google search to a badge cloner. The OSINT step is not preparation—it is the attack.
Companies that invest exclusively in locks, cameras, and access systems without knowing their digital reconnaissance exposure are creating a false sense of security. They are building a fortress—and posting the floor plan on the internet.
A professional physical pentesting engagement therefore always begins with a structured OSINT phase. Not because that's just how it's done—but because that's how attackers do it.
Do you know what an attacker can find out about your company in 48 hours?
We conduct structured OSINT audits and physical pentesting engagements—from remote recon to documented on-site testing.