On This Page

Physical Penetration & Electronic Access Control Hacking

The CORE Group | August 4-7


Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network, but that doesn't make the slightest difference if someone can gain direct access to a keyboard or, worse yet, march your hardware right out the door.

Both mechanical lock systems as well as electronic access controls will be covered in depth... and students will be provided all the tools as well as the knowledge needed to bypass them! Those who attend this course will leave with a full awareness of how to best protect buildings and grounds from unauthorized access, as well as how to compromise most existing physical security in order to gain access themselves.

This training is ideal for any individual who is tasked with making physical security decisions for existing or new facilities.

During days One and Two of this course, attendees will not only learn how to distinguish good locks and access control from poor ones, but will also become well-versed in picking and bypassing many of the most common locks in order to assess their own company's security posture or to augment their career as a penetration tester.

The training concludes on days Three and Four with an intense specialization focus: physical access control systems and electronic credentials. Students will be immersed in the world of 125KHz (low frequency) credentials, vehicle transponders, 13.56MHz (high frequency) credentials, and smart cards. Whether an enterprise is using HID Prox cards, NXP Hitag chips, Mifare credentials, or even iCLASS technology, students who take this course will be well-versed in the functionality, weaknesses, and attack vectors of such systems. From how to perform practical card cloning attacks in the field to advanced format downgrade attacks, students are prepared for real-world red team scenarios and learn how to exploit access control technology with the latest attack hardware. There are also modules detailing the backend of such systems, which opens the door to Man in the Middle and Denial of Service attacks.

Who Should Take this Course

Penetration testers, security auditors, IT professionals responsible for infrastructure oversight.

We have three promotional video clips that we've put online to help prospective students decide of this course is right for them...

Physical Penetration video (3:30)

Credential Cloning video (1:00)

Protocol Sniffing video (2:00)

Student Requirements

No prior knowledge of lockpicking or RFID is necessary.

Comfortable shoes and apparel are recommended, should the students wish to walk with the instructor during break sessions in order to observe real-world examples of phenomena documented in class.

What Students Should Bring

If students have any lockpicking or physical entry tools, that's fine... but a full suite of tools, practice locks, and other equipment will be provided.

A laptop running Windows 10 on native hardware (not in a VM) with full local admin rights is required for the electronic access control attack modules. Students will each be working with an electronic attack hardware kit, including a Proxmark3 RDV2.0 and an ESPkey. Having local admin rights on one's laptop is critical for the build environment to function properly.

What Students Will Be Provided With

Every student in our classroom makes use of a full kit of electronic attack tools, picks, bypassing tools, impressioning gear, and instructional practice locks. The student materials include:

  • Proxmark3 RDV 2.0 unit
  • ESPkey protocol interception unit *
  • A twelve-piece lockpicking toolkit with a varied blend of hooks, rakes, diamonds, and turning tools *
  • A set of training and practice locks of varying difficulty level *
  • Wafer lock tools and a sample wafer lock *
  • A door latch bypassing/loiding tool *
  • A locksmith's impressioning file
  • A pocket microscope & impressioning key gripper
  • A bypass tool for American Lock padlocks
  • A bypass tool for Adams Rite retail locks
  • A combination lock decoding and bypassing tool *
  • A set of bump keys *
  • A bump hammer
  • A lock mounting stand (for picking and impressioning)
  • A tactical pouch to contain it all when you leave the classroom and put your knowledge into action in the field *

* students retain all of these marked items after class. Students may also arrange to retain additional hardware from the classroom materials while on-site at Black Hat.


While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing's best-selling pen testing titles. In addition to being a lockpicker, Deviant is also a GSA certified safe and vault technician and inspector. At multiple annual security conferences Deviant runs the Lockpick Village workshop area, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Babak Javadi is a noted member of the physical security community, well-recognized among both professional circles (due to the work The CORE Group) as well as in the hacker world (as the President of TOOOL, The Open Organisation Of Lockpickers.) His first foray into the world of physical security was in the third grade, where he was sent to detention for showing another student how to disassemble the doorknob on the classroom supply closet. Babak is an integral part of the numerous lockpicking workshops, training sessions, and games that are seen at annual events like DEFCON, ShmooCon, DeepSec, NotACon, QuahogCon, HOPE, and Maker Faires across the country. He likes spicy food and lead-free small arms ammunition.

Robert Pingor is Chief of The CORE Group's Law Enforcement Division. Prior to that he founded Nomad Tactical Solutions. His policing and operations background was honed during his years at the National Security Agency where he served with distinction in four different specialty units as a Corporal. Robert has extensive training in both the government and private sectors. He has instructed for the Department of Defense, the State Department, the National Security Agency, the United States Air Force, the United States Military Academy at West Point, the United States Naval Academy at Annapolis, the National Defense University, the Sig Sauer Academy and countless local law enforcement agencies. Additionally, he regularly conducts trainings for Black Hat, the SANS Institute, Google, and other technical conferences. Outside of work Robert volunteers for a variety of charities and non-profits. He runs the Future Blue Program, an organization dedicated to developing young people into competent law enforcement professionals, and he trains volunteers to fight childhood sex trafficking. His work has been featured in Recoil Magazine, Counterterrorist Magazine, Tribecca Film Festival, and the TV series The Sentinel.