Australian telecommunications provider Vocus has launched an audit of physical security at one of its data centers in New Zealand, after a disgruntled customer highlighted that a door to the facility was left wide open for months.
A video tweeted by Liam Farr, an experienced data center engineer and CEO of Maxum Data, shows that the outer door to the facility – supposedly protected by a digital lock – opened with a single push. The same was true for the entrance to the building itself.
According to Farr, the doors remained broken for around six months, something that was reported multiple times.
After the tweet went viral, Vocus told ITnews Australia it would conduct an investigation. At the same time, the company downplayed the issue on Twitter: “Rest assured the DC was NOT insecure. The facility has 2FA card and biometric security, secure mantrap areas, 24/7 surveillance and has NOT been accessed by any unauthorized persons.”
“How to break into a datacenter”
Data center operators often go to great lengths to highlight the physical security features of their facilities – like CCTV cameras, fences, biometric locks and man-traps. Some go further, housing servers in nuclear bunkers, hiring armed guards and installing Faraday cages for the IT equipment to make it resistant to Electromagnetic Pulse (EMP) effects.
DCD has previously suggested that operators adopt these measures not because they are important, but because they are easy to demonstrate, unlike cyber security features.
The data center security blunder at Vocus seems to confirm this viewpoint: physical security is not a serious concern for colocation providers. For around six months, visitors could gain access to the 7A facility near Auckland without having any keys, or facing any security personnel.
While potential attackers couldn’t have accessed the server floor itself, the oversight would make common penetration tactics like tailgating – the practice of following a legitimate employee into a restricted area through the door they just opened – much easier.
The video has been seen nearly 40,000 times at the time of writing.
ITnews Australia noted that the complaint from Farr caused Vocus to use its New Zealand-focused Twitter account for the first time in 18 months.