
Physical Security Basics - From Shoulder Surfing to USB Attacks


Cybersecurity discussions tend to focus on software vulnerabilities and network attacks, but physical security breaches remain one of the most effective and underestimated attack vectors. The 2023 Verizon Data Breach Investigations Report found that physical actions were involved in 9% of all breaches, and the US Department of Homeland Security's red team tests show a 90% success rate for social engineering-based physical intrusions. From shoulder surfing in coffee shops to weaponized USB drives scattered in parking lots, attackers exploit the gap between digital defenses and physical reality. This article examines the mechanics of physical security threats and provides actionable countermeasures for both individuals and organizations.

The Reality of Shoulder Surfing

Visual Eavesdropping Techniques and Statistics

Shoulder surfing is the technique of stealing credentials by watching someone's screen or keyboard from behind or beside them. It looks low-tech, but its effectiveness is significant. A 2022 University of Munich study reported that 73% of subjects did not check their surroundings when entering smartphone PINs in public, and trained observers could accurately read 64% of 6-digit PINs from a single observation. While ATM PIN theft is a classic technique, modern targets include password entry at cafes and coworking spaces, and smartphone use on trains.

Evolving Visual Attacks

Modern shoulder surfing goes beyond the naked eye. Techniques include photographing screens from tens of meters away with telephoto lenses, and indirectly viewing through reflective surfaces like windows, sunglasses, and smartphone screens. In 2023, an Israeli research team published a technique for estimating keystrokes from Wi-Fi signal reflection patterns. While accuracy is limited, it represents a new threat that doesn't require physical line of sight. As a countermeasure, privacy filters are the most immediately effective. 3M research reports that privacy filters can reduce visual eavesdropping risk by 96%.

USB Drop Attacks and Malicious Devices

Why People Plug In Found USB Drives

A USB drop attack involves deliberately leaving malware-loaded USB drives in parking lots or office lobbies, hoping someone will plug them into a computer. A 2016 University of Illinois experiment scattered 297 USB drives across campus, and 48% were actually connected to computers. The first drive was connected just 6 minutes after being dropped. Human curiosity and the goodwill of wanting to return the drive to its owner are the psychological factors that make this attack succeed.

BadUSB and Rubber Ducky

More dangerous than simple malware-loaded USBs are firmware-level attacks called BadUSB. By rewriting a USB device's firmware so that it is recognized as a keyboard or network adapter, the device bypasses OS security mechanisms that only inspect storage. Hak5's USB Rubber Ducky is a penetration testing tool built on this principle, capable of auto-executing scripts within seconds of insertion. As of 2024 it costs about $80, so the cost to an attacker is extremely low. As a countermeasure, restricting which USB device classes may connect, through Windows Group Policy or macOS configuration profiles, is effective at blocking unauthorized devices.
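A defensive complement to device-class restrictions is detecting the signature of keystroke injection itself: a freshly attached keyboard that types faster than any human can. The following is an added example (not code from the article or from Hak5) of that heuristic run over constructed keystroke events; the timing thresholds and the device names `kbd0`-`kbd2` are assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class KeyEvent:
    t_ms: int       # timestamp in milliseconds since boot
    device: str     # HID device name (constructed names such as "kbd0")
    key: str        # key identifier


# Thresholds are assumptions for this example, not values from the article:
# sustained human typing rarely drops below ~30 ms between different keys,
# whereas scripted injection runs at a few milliseconds per keystroke.
HUMAN_MIN_INTERVAL_MS = 30
MIN_KEYS = 8


def inter_key_gaps(events: List[KeyEvent]) -> List[int]:
    """Gaps between consecutive *different* keys. Identical keys in a row are
    treated as keyboard auto-repeat, which is fast but not an attack."""
    ordered = sorted(events, key=lambda e: e.t_ms)
    return [b.t_ms - a.t_ms for a, b in zip(ordered, ordered[1:]) if a.key != b.key]


def looks_injected(events: List[KeyEvent]) -> bool:
    """True when a burst is long enough and its median gap is superhuman."""
    gaps = inter_key_gaps(events)
    return len(gaps) + 1 >= MIN_KEYS and median(gaps) < HUMAN_MIN_INTERVAL_MS


def triage(events: Iterable[KeyEvent]) -> Dict[str, str]:
    """Group events per device and return a verdict for each device."""
    by_device: Dict[str, List[KeyEvent]] = {}
    for e in events:
        by_device.setdefault(e.device, []).append(e)
    return {d: "suspected-injection" if looks_injected(evs) else "human"
            for d, evs in by_device.items()}


# Constructed sample: kbd0 is a person typing with jittery gaps, kbd1 is an
# auto-repeat burst of a single held key, kbd2 is a scripted burst at 4 ms/key.
HUMAN = [KeyEvent(t, "kbd0", k) for t, k in
         zip([0, 140, 290, 420, 610, 750, 880, 1040, 1200], "hello wor")]
AUTOREPEAT = [KeyEvent(2000 + 33 * i, "kbd1", "a") for i in range(40)]
INJECTED = [KeyEvent(5000 + 4 * i, "kbd2", k)
            for i, k in enumerate("the quick brown fox jumps over the lazy dog")]

if __name__ == "__main__":
    print(triage(HUMAN + AUTOREPEAT + INJECTED))
```

In practice the same check would be wired to the OS's device-attach event so that only keyboards enumerated in the last few seconds are scored, which is what separates a Rubber Ducky from a user's long-connected keyboard.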

Tailgating and Physical Intrusion

The Psychology of Piggybacking

Tailgating (piggybacking) is the technique of passing through a door right behind an authorized person to illegally enter a building. The everyday courtesy of holding the door becomes a security hole. A Ponemon Institute survey found that 71% of employees reported holding the door for strangers. Attackers create situations where doors are naturally opened for them by carrying items in both hands or pretending to be on a phone call. The reality is that carrying a large cardboard box and saying "delivery" will get most people to open the door without suspicion.

Damage Scenarios After Physical Intrusion

An attacker who has entered a building can perform a wide range of actions: stealing information from unattended computers, installing eavesdropping devices on network ports, physically accessing server rooms, and photographing documents and whiteboards. The 2019 Equifax data breach investigation identified inadequate physical access controls as one factor in the breach's expansion. Particularly dangerous is the installation of small devices (about Raspberry Pi size) that connect directly to the network. This allows attackers to maintain persistent remote access to the internal network, potentially exfiltrating data for months before discovery.

Screen Lock and Clean Desk Policy

The 5-Second Rule When Leaving Your Desk

Screen locking is the most basic and effective physical security measure. Win+L on Windows and Ctrl+Command+Q on macOS lock the screen instantly. SANS Institute recommends setting the auto-lock timeout to 5 minutes or less, but ideally you should develop the habit of locking manually whenever you leave your desk. The complacency of "just going to the bathroom" or "just getting coffee" becomes the entry point for data leaks. Cases of confidential information being taken from unlocked computers appear repeatedly in insider threat investigation reports.

Information Leaks Prevented by Clean Desk

A clean desk policy is a rule to clear confidential documents and storage media from desks when leaving or at end of day. It is a basic security control recommended by ISO 27001, but compliance rates remain low. A PwC survey found that 58% of employees reported leaving confidential documents on their desks. Physical information sources exist everywhere: passwords on sticky notes, printed emails, meeting materials, and whiteboards with guest Wi-Fi passwords. Always be aware of the risk of third parties such as cleaning staff and visitors seeing these.

Mobile Device Physical Security

Theft and loss of smartphones and laptops are the most frequent incidents in physical security. According to Kensington's 2023 report, approximately 700,000 laptops are lost or stolen at airports in the US alone each year. Enabling device encryption (BitLocker, FileVault) makes data access difficult even if stolen. Always configure remote wipe capabilities (Find My iPhone, Find My Device). Use Kensington locks for laptops and develop the habit of physically securing them even during temporary absences at cafes and meeting rooms.

For travel-specific advice, see also the travel cybersecurity article. To learn physical security measures systematically, published physical security guides (Amazon) are helpful.

Organizational Physical Security Strategy

Designing Defense in Depth

Physical security should also follow the defense in depth principle. Security levels increase progressively: building perimeter (fences, surveillance cameras), entrance (reception, ID badges), floor (IC card authentication), and server room (biometric authentication, two-person rule). The design should ensure that even if one layer is breached, the next layer stops the intrusion. Google's data centers implement 6 layers of physical security, requiring multiple authentications including iris scans to reach the server room.

Take Action Now

  1. Set auto-lock to within 5 minutes and develop the habit of manually locking (Win+L / Ctrl+Cmd+Q) when leaving your desk
  2. Enable device encryption and remote wipe on your smartphone and laptop
  3. Never plug unknown USB drives into your computer. If found, deliver them to the IT department
  4. Set unique strong passwords for each service with Passtsuku.com to prevent damage escalation from password reuse even if a device is stolen

Frequently Asked Questions

What is the most effective way to prevent shoulder surfing?
Privacy filters are the most immediately effective. 3M research reports a 96% reduction in visual eavesdropping risk. Additionally, check your surroundings when entering passwords in public, and prioritize authentication methods like biometrics or passkeys that are safe even if observed.
What should I do with a found USB drive?
Never plug it into your computer. It could be a USB drop attack. If found at work, deliver it to IT or security. If found in public, turn it in to facility management or leave it.
Which is more important, physical security or cybersecurity?
Both are essential. No matter how strong your firewalls or passwords are, they are meaningless if an attacker can physically access your servers. Conversely, a physically secure environment is powerless against network attacks. It is important to build security from both physical and cyber perspectives using a defense-in-depth approach.
