How a well-meaning manager gave me all their building door codes and Wi-Fi passwords
Every so often you hear about how attackers aren’t necessarily abusing exploits in software to gain access anymore, but instead are targeting what they describe as the weakest link: well-meaning people. According to an article by Spacelift, “Human error (including social engineering) caused 68% of data breaches in 2024”. That’s a crazy stat right there, and in a well-intentioned interaction, I witnessed it for myself.
While at a conference my friend was serving at, I found myself in the media room. This room was where they ran all the production workflows for any event that was taking place in the auditorium. It had all the building’s servers, vision mixers, audio mixers, you name it. My friend, whom I was there with, serves on the media team of his church, and part of the crew hosting the event was the same team that does production for his church. Basically, the church was hosting a conference and they needed a bigger building, so again, I found myself in the media room because our wives were attending the conference and my friend was serving.
When we walked in, he introduced me to the guys there and told them why I was there. They all said what’s up and turned back to work as the main event was about to begin. I took a seat and watched them work. Some of the lads disappeared into the auditorium with their cameras, others remained on the video and audio switchers to direct the show, and there was one guy on his laptop in the back.
After a few minutes, I got bored. I had my laptop with me, so I decided to pull it out and hack away as I had unfinished work on my server at home. I use Tailscale and RustDesk to connect to my server remotely, in case you were wondering. To my surprise, the building did not have any guest Wi-Fi. Everyone seemed busy, so I sat there a little longer until things slowed down a little bit. It was at this point that I remembered the guy at the desk in the back who was working on his laptop. I walked up to him and asked him for the Wi-Fi password which, with a smile, he said he would be willing to share with me. He asked me for a moment as he “looked” for it.
Now, I’m a tech-savvy guy. I know that on a MacBook you can access the password of a network in the Keychain Access utility. I don’t expect most people to know this off the top of their heads. Instead, I expected him to write it down on the piece of paper that was next to him. However, he turned his laptop to show me the password, and again, with a smile, said, “Here it is! This one right there”. Looking at the screen, in horror, I saw the list of all the Wi-Fi networks in the building with their corresponding passwords saved as an entry in the Notes application. But not only that, right underneath was a list of all the doors in the building with their corresponding codes! This list included the back gate, staff office doors, and the maintenance code for all doors.
I looked at him and said thanks as I seemingly ignored everything else that was on his laptop screen. I tried memorizing the password as I did not have my laptop in hand to just note it down (see what I did there?), but my mind couldn’t focus as my eyes kept on bouncing around the screen reading everything else. In a moment of hesitation, I politely asked if I could take a picture of the password, to which he agreed. All he asked of me was not to share the password with anyone as he chuckled. I took the picture, assured him that I wouldn’t share anything with anyone, and walked away thanking him for his help.
This was a well-meaning guy. All he wanted to do was help a brother out. In helping out, he also exposed information that could lead to the entire building being “compromised”. This post isn’t to bash the guy. My intention is to raise awareness.
Train your people on the basics. Teach them to be suspicious of strangers. The heart of the average person is one that wants to help, but that is unfortunately what is exploited by malicious actors time and time again.
Moral of the story: basic cybersecurity training is essential for people at all levels. Your security team can only do so much to protect your assets. Humans are the weakest link; strengthen them.