Pentester Rob Shapland has been breaking into buildings for 17 years using social engineering techniques. AI is now making his job significantly easier. For example, he recently cloned a CEO’s voice from a YouTube promotional video using ElevenLabs, hooked it into ChatGPT, and successfully called the service desk to reset the executive’s password. He needed only 10 seconds of audio to create a decent clone. This update from CyberNews explains how to get employees on board to prevent attacks.
Shapland uses consumer chatbots to stress-test break-in ideas, with AI sometimes finding its own workarounds when it claims it can’t help. He films break-ins covertly using HD cameras hidden in ties or spectacles for employee training.
Why it matters
AI is enabling criminals to combine digital and physical techniques with unprecedented ease. Voice cloning requires minimal footage, and chatbots actively help plan intrusions by suggesting methods while claiming they can’t assist. As Sora 2 floods social feeds with realistic fake videos, Shapland warns that within years, fake video conferences could become completely indistinguishable from real ones.
Layering physical hacking with AI
The major trend for Shapland is the combination of AI cloning with physical break-in techniques. He adds that he even uses consumer chatbots now to stress-test break-in ideas.
“There are certain things it won’t do. I was planning a physical intrusion the other day, and I put together a rough plan of what I wanted to do and asked for any further suggestions. And the chatbot replied: ‘I can’t help you break into a building, but, you know, if you were doing something very similar, this is what I would do.’ The AI sort of finds its own way around things sometimes – you don’t even need to make it help you.”
Shapland is aware of chatbots on the dark web that have guardrails turned off, “ones that will design malware.”
However, in general, he believes that the cybersecurity industry tends to overstate the extent to which criminals are using AI.
“They’re experimenting. But there’s going to be a major change over the next few years. It will get to the point where a fake video conference could be completely indistinguishable from real.
“So, you know, I could be talking to you right now, and you wouldn’t have a clue whether it was me or not.
The pentester points to the release of Sora 2 last autumn and the amount of realistic “made-up videos” that are now flooding his social media feeds.
“And people really believe them.”
Employee cyber training needs to be memorable
In revealing some of the tricks of his trade, Shapland – an adept computer hacker who was trained by his then-boss to work on the physical side – hopes to raise cyber awareness in organizations.
He films most of his break-ins covertly, using HD cameras hidden in ties or spectacles and then plays them back later to employees. Watching the mistakes they make is far more memorable than a ten-minute cyber quiz, he claims.
“In the training I’ll go, okay, sit everyone in a room for an hour and scare them. They can see, “That’s me letting the person in. That’s my desk!” That sticks with them for years.
“I think training has become boring and a compliance tick box, and it needs to actually be effective,” he says.
Midnight in the war room
Shapland shares further techniques in Semperis’ upcoming cyber warfare documentary Midnight in the War Room, set to premiere on August 5th at Black Hat USA in Las Vegas.
The film features leading voices in cybersecurity and national security, including Chris Inglis, the first US National Cyber Director; Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency; former CIA Director David Petraeus, and Marcus Hutchins, an independent security researcher who helped stop the infamous malware WannaCry.
“The documentary shows all the different areas of cyber. I think that’s unusual. Most documentaries will focus on a single attack or a single part of cybersecurity, whether that be the ethical hacker or the defender, so that’s really exciting to be involved in,” he says.
In a couple of clips, Shapland explains how social engineering works. In one sequence, he goes online and looks at an employee’s social media page. In a holiday shot, she’s posing outside the hotel she stayed at.
He clocks the location and the hotel, studies its branding, and then carefully crafts an email to the women, pretending to be the manager and informing her of some items that she may have left behind. One click on the image and the payload is downloaded.
“It’s trying to get that perspective of how simple it can be for criminals to target certain people and understand how the process works from start to finish,” he explains.
How to break into buildings
The documentary gives some insight into how he successfully infiltrates workplaces.
Surprisingly, there’s little need for Shapland to utilize his technical ability once he enters a building, as biometric and facial recognition technology are used too infrequently to warrant bypass.
“I’ve probably done 200 building intrusions overall, and I’ve only had facial recognition in one of them. It’s really unusual because it’s slow, and people need to get in and out of the building. And so for the vast majority of buildings, you just have your normal scanners, keyfobs, etc.. So AI makes no difference with that at all,” he says.
So, what are the most effective ways of breaking into a building?
Tried and trusted methods, he says, exploit people’s helpfulness and good nature. For instance, an imposter can pose as an employee by creating a fake company badge or pass, using LinkedIn to search for the right branding.
The pass won’t release the door, but you can tailgate a legitimate employee by carrying two coffees and asking if they will hold the door open.
“Really, people want to be nice, they want to be helpful, so they let you in.”
A less risky technique, he adds, is to book an appointment as a visitor of some sort – a landlord, a surveyor, or a cleaner (he has a number of outfits which seem to come as part of the job).
“You could be doing an inspection of the windows or whatever it is you’ve researched about the company. Even better, if you can pre-book the visit, arrive at the building, walk in, and then you do the bad thing on the side while you’re doing the thing you’re supposed to be there for and this is less risky than tailgating.
Shapland adds that the nature of his work means that he’s always thinking like a hacker.
“I was chatting with someone yesterday whose dad was a fire extinguisher inspector, and I thought, ‘Oh that’s quite a good pretext, a fire inspector!’”
Taking on different roles, wearing different guises, and filming the outcomes, his work is comparable to the life of an actor. He agrees and adds that one of his contractors is actually a working actress.
“You are playing a role. Absolutely. And I find that before I get there, I feel really nervous, and I worry that everything’s going to go wrong. They’re going to spot that I’m not a cleaner or I’m not an IT person or whatever.
“But then I step through the door, and it’s like stepping into a role. You’re just suddenly like, ‘Right, I’m playing this role. As long as I’m confident in the outfit that I’ve prepared and how I’m going to act when I get in there and what I’m going to do, then it will generally go well.”
