AP Cybersecurity 2.2: Physical Vulnerabilities and Attacks
Topic 2.2: Physical Vulnerabilities and Attacks
Piggybacking, tailgating, shoulder surfing, dumpster diving, card cloning, and physical exploitation mechanisms — the attack vectors that bypass every digital control. Learn to classify, map to CIA violations, assess risk level, and select the correct defense.
Topic 2.2 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 2.2.A.2 | Piggybacking: social engineering to get authorized person to grant access (boxes, maintenance pretext, forgotten token) | Section 3 |
| 2.2.A.3 | Tailgating: following authorized individual without their awareness | Section 3 |
| 2.2.A.4 | Shoulder surfing: watching user access sensitive info; may use camera | Section 3 |
| 2.2.A.5 | Dumpster diving: searching target’s trash for useful information | Section 3 |
| 2.2.A.6 | Card cloning: copying authorized user’s access card | Section 3 |
| 2.2.B.1 | Threats = human adversaries AND natural disasters; natural disasters cause physical damage and service disruption | Section 5 |
| 2.2.B.2 | Four compromises: unauthorized access • disruption of services • theft/destruction • unauthorized modification of data | Section 5 |
| 2.2.B.3 | Power disruption via electrical box, wiring, substations, transformers → Availability violation | Section 5 |
| 2.2.B.4–B.5 | Sensitive area access; keylogger/malware drive; physical destruction → CIA violations | Section 5 |
| 2.2.C.2 | High: sensitive info exposed without restricted access (server, no lock, unmonitored hallway) | Section 6 |
| 2.2.C.3 | Moderate: foothold access (reception computer + USB + internal network) | Section 6 |
| 2.2.C.4 | Low: low-value + unlikely exploitation (unsecured laptops in badge-access office, no sensitive data) | Section 6 |
Source: AP Cybersecurity CED, Effective Fall 2026. AP Skills: 1.C Evaluate likelihood/impact • 1.D Document risks
- 2.2.1 — Learning Objectives (3 min)
- 2.2.2 — Why Physical Security Is Foundational (5 min)
- 2.2.3 — The Six Physical Attack Types (15 min)
- 2.2.4 — Piggybacking vs. Tailgating: The Critical Distinction (5 min)
- 2.2.5 — How Threats Exploit Vulnerabilities (8 min)
- 2.2.6 — Physical Risk Assessment: High/Moderate/Low (8 min)
- 2.2.7 — Worked Scenarios (10 min)
- 2.2.8 — Quick Reference & FAQ (6 min)
Students answer independently before the lesson. No notes.
- An employee holds a secure door open for a person carrying a large box who says “Thanks, maintenance sent me.” Is this piggybacking or tailgating? What is the single fact that determines your answer?
- An attacker cuts power to a building’s server room. Which CIA property is most directly violated? Defend your answer in one sentence.
- A security assessment finds a printer in the reception area with USB ports and a network connection. The printer stores no sensitive data. Rate it: High, Moderate, or Low risk? Why?
Answers: (1) Piggybacking — employee knowingly held door. (2) Availability — systems become inaccessible. (3) Moderate — network connection = foothold.
12.2.1 — Learning Objectives
- Identify and precisely distinguish piggybacking, tailgating, shoulder surfing, dumpster diving, and card cloning (2.2.A)
- Explain how threats exploit physical vulnerabilities through power disruption, port access, and keylogger installation (2.2.B)
- Assess and document physical risks using the high/moderate/low classification framework with CED criteria (2.2.C)
- Map each physical attack type to the CIA property or properties it violates
- Select the most effective physical control for each attack vector and explain why it directly addresses the mechanism
22.2.2 — Why Physical Security Is Foundational
Full-disk encryption bypassed: Attacker boots from USB drive, mounts the encrypted drive using a live OS, extracts encryption key from RAM via cold boot attack. 30 seconds of physical access defeats industry-standard encryption.
MFA bypassed: Attacker with physical server access resets the OS administrator password directly. MFA never activates — the authentication system is bypassed at a lower level.
Network segmentation bypassed: A rogue network device plugged into an interior switch creates an unmonitored wireless access point inside the segmented network. All firewall rules become irrelevant.
When a scenario describes an attacker with physical access to a device, the correct answer about their capabilities is always: they can bypass most or all digital controls.
32.2.3 — The Six Physical Attack Types (LO 2.2.A)
The AP CED defines specific physical attack techniques. Know each one: precise definition, distinguishing feature, CIA property violated, and the direct defense. Classification accuracy on exam scenarios depends on knowing these exactly.
✎ Before matching — which attack requires authorized-person cooperation? Which requires absolutely no cooperation? Which targets discarded materials?
Match each physical attack type to its most precise defining characteristic.
42.2.4 — Piggybacking vs. Tailgating: The Critical Distinction
The single question to ask: Does the authorized person know someone is following them? YES = Piggybacking. NO = Tailgating. Everything else is secondary to this distinction.
| Factor | Piggybacking | Tailgating |
|---|---|---|
| Authorized person awareness | ✓ YES — they know | ✗ NO — they don't know |
| Authorized person cooperation | ✓ YES — they cooperate (even if tricked) | ✗ NO — no cooperation needed |
| Social engineering required | ✓ YES — victim must be manipulated | ✗ NO — timing-based entry |
| Primary defense | Security awareness training (human behavior change) | Access control vestibule/mantrap (mechanical prevention) |
| Why mantraps help/don't fully solve it | Mantrap helps but attacker can still be authenticated by the cooperative authorized person inside the vestibule | Mantrap completely prevents it — mechanical door sequence requires individual authentication |
A contractor at Xtensr Labs stands near the entrance with a large equipment case. When an employee badges in, the contractor says: "Thanks — maintenance sent me to check the server cooling." The employee holds the door open. The contractor enters. What attack type is this, and what is the primary defense?
52.2.5 — How Threats Exploit Physical Vulnerabilities (LO 2.2.B)
The CED (2.2.B) defines the threats and resulting compromises from physical vulnerabilities. These are distinct testable concepts beyond the six attack types.
Physical vulnerabilities can result in four distinct types of compromise — all four are testable:
(1) Unauthorized access to sensitive data or restricted physical spaces
(2) Disruption of services — systems become unavailable
(3) Theft or destruction of digital or physical resources
(4) Unauthorized modification of data — integrity violation
| Exploitation Method | What It Enables | CIA Impact | Defense |
|---|---|---|---|
| Power Disruption (2.2.B.3) | Adversary damages fuses or breakers in an electrical box, unplugs or cuts electrical wiring, or damages power distribution systems like substations and transformers | Availability — devices and services become inaccessible | UPS, generators, redundant power, physical security of electrical infrastructure |
| Port Access — Keylogger (2.2.B.5) | Attacker inserts a hardware keylogger between keyboard and computer, capturing all keystrokes including credentials | Confidentiality — credentials captured covertly over extended periods | Disable USB ports; physical USB port blockers; device tamper inspection policy |
| Port Access — Malware Drive (2.2.B.5) | Attacker inserts USB drive preloaded with malware, establishing backdoor access or exfiltrating data | All three — malware enables data theft, tampering, and disruption | Disable USB auto-run and external storage; endpoint detection; USB drop awareness training |
| Physical Destruction (2.2.B.5) | Attacker destroys hardware, cutting cables, smashing servers, disabling systems | Availability — services become permanently unavailable until hardware replaced | Physical access controls, redundant systems, geographic distribution of critical infrastructure |
Power disruption attacks violate Availability, not Confidentiality. When power is cut, devices become inaccessible — that is an availability violation. The attack does not inherently expose data to unauthorized access. Always map the CIA violation to the consequence (what the attack achieves), not the method used.
A security textbook states: "Power disruption attacks are primarily a threat to data Confidentiality because when power is cut, an attacker can more easily access unprotected systems before backup power activates." Which response correctly identifies the error?
62.2.6 — Physical Risk Assessment: High / Moderate / Low (LO 2.2.C)
The AP CED requires students to assess physical vulnerabilities using a specific three-level framework. These are not informal labels — the CED defines criteria for each level.
The "foothold" concept is explicitly tested. A vulnerability that doesn't directly expose sensitive data can still be Moderate risk if it enables an attacker to reach sensitive data. A printer with network access and document memory is not itself sensitive — but it's a foothold to the internal network and stored scanned documents. That combination = Moderate, not Low.
✎ Predict first: A printer in an open area stores scanned documents and connects to the internal network. Is the printer itself sensitive, or is it a foothold? Which risk level applies?
During the Xtensr Labs physical security assessment, you discover the lobby printer is accessible to all visitors, retains scanned document images in internal memory, and has an active network connection. How do you classify this risk, and why?
72.2.7 — Worked Scenarios
Attacker watches a researcher enter their PIN at the server room keypad from a position 4 feet away
Attack: Shoulder Surfing. CIA: Confidentiality — the attacker learned credentials they should not know. This is the reconnaissance phase of a larger attack chain.
Attacker uses the observed PIN with a previously cloned badge copy to enter the server room at 2 AM
Attack: Card Cloning (for the card) + shoulder surfing result (for the PIN). CIA: All three. The attacker now has full physical access — enabling any CIA violation they choose.
Attacker inserts a hardware keylogger between a workstation keyboard and the computer
Attack: Port Access Exploitation (keylogger). CIA: Confidentiality — all future keystrokes including passwords are captured. The keylogger will operate silently for weeks.
Attacker disconnects the server room UPS backup battery
Attack: Power Disruption. CIA: Availability — the server room loses battery protection; any future power outage causes unplanned server downtime and potential data corruption.
This scenario shows how physical attacks chain: Shoulder surfing enables card cloning completion → card + PIN enables physical access → access enables port exploitation + power disruption. Each prior attack enables the next. Defending at any point breaks the chain — which is why defense-in-depth at the physical layer is critical.
Which of the following statements about dumpster diving and card cloning are TRUE?
I. Dumpster diving primarily violates Confidentiality because the attacker gains unauthorized access to information they should not have.
II. Adding a PIN requirement entirely defeats card cloning as an attack vector.
III. A cross-cut shredder is more effective than a strip shredder for defending against dumpster diving because strip-shredded documents can be reconstructed.
You are completing the Xtensr Labs assessment. You identify two vulnerabilities:
A: Server room with research data — single keycard, no camera, no motion sensor.
B: Employee laptops in a badge-access office — not cable-locked to desks, contain no sensitive data.
Which risk classification correctly applies to each?
An employee at a bank enters their PIN at an ATM. A person standing in line 3 feet behind watches the keypad. The bank wants to implement a control that most directly prevents this attack. Which control should they choose?
Which scenario most directly illustrates the port access exploitation mechanism described in CED 2.2.B.5?
✎ Predict first: A security researcher searches the organization's trash. What does the attack type tell you about the organization's current document disposal practices?
Before a security assessment, a researcher reviews Xtensr Labs' trash bins and recovers: an org chart showing all security personnel and their access levels, a sticky note with a network administrator password, three hard drives labeled "Decommissioned — Wipe Pending," and a USB drive. What attack type, CIA violation, and most effective set of organizational controls apply?
Which sequence of attack types and corresponding defenses most accurately maps this incident?
82.2.8 — Quick Reference & FAQ
5 attacks (2.2.A): Piggybacking, Tailgating, Shoulder Surfing, Dumpster Diving, Card Cloning
4 compromise types (2.2.B.2): Unauthorized access • Disruption of services • Theft/destruction • Unauthorized modification
Physical threats include (2.2.B.1): Human adversaries and natural disasters
Power disruption (2.2.B.3): electrical box, substations, transformers → Availability violation
Risk levels (2.2.C): High = sensitive exposed • Moderate = foothold • Low = low value + unlikely
| Attack | Authorized Cooperation? | CIA Violated | Primary Defense |
|---|---|---|---|
| Piggybacking | YES — knowingly | All three | Security awareness training; visitor escort policy |
| Tailgating | NO — unaware | All three | Access control vestibule (mantrap); turnstiles; guards |
| Shoulder Surfing | N/A — target unaware | Confidentiality | Privacy screens; keypad hoods; physical barriers |
| Dumpster Diving | N/A — unknowingly discards | Confidentiality | Cross-cut shredding; secure media destruction; clean desk policy |
| Card Cloning | N/A — covert capture | All three | Card + PIN two-factor; RFID-blocking; access log monitoring |
| Power Disruption | N/A — infrastructure attack | Availability | UPS; generators; physical security of electrical systems |
| Port Access (Keylogger) | N/A — brief physical access | Confidentiality | Disable/block USB ports; device tamper inspection |
-
What is the single most important distinguishing factor between piggybacking and tailgating?
Whether the authorized person is aware and cooperates. Piggybacking: they know someone is following and allow it. Tailgating: they have no idea. This determines the primary defense: training changes human behavior (piggybacking); mantraps change physical mechanics (tailgating).
-
Is card cloning the same as badge theft?
No — they are fundamentally different. Badge theft physically takes the card. Card cloning copies the card's data without ever taking it — the legitimate user continues using their original card while the attacker uses a duplicate. Access logs can detect cloning by flagging the same badge ID appearing at two locations simultaneously — an impossible travel indicator for physical access.
-
Why is dumpster diving classified as a physical attack if the attacker never enters the building?
Dumpster diving exploits a physical vulnerability — the failure to control the disposal of physical materials. The attack does not require building entry because the sensitive material has already left the building through the disposal process. This is why shredding policies and secure media destruction are classified as physical security controls: they prevent sensitive material from entering the physical disposal stream where it becomes publicly accessible.
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.
+Continue Learning
Students submit before leaving.
- Explain (a) the key distinguishing feature between piggybacking and tailgating, and (b) why this distinction matters for choosing a defense. (AP Skill: Analyze Risk)
- A flood destroys three servers and disrupts access to the customer database for two weeks. Is this a physical security threat? Which of the four CED compromise types occurred? (AP Skill: Analyze Risk)
- An adversary damages the electrical box, cutting power to all servers. (a) What CED mechanism? (b) Which CIA property? (c) What control prevents the availability impact? (AP Skill: Analyze Risk)
- Rate each: (a) Database server with 50,000 records in an unlocked room off an unmonitored hallway. (b) Photocopier in a badge-access office with network connection and document memory. (AP Skill: Analyze Risk)
- An attacker shoulder-surfs a badge PIN, then uses a cloned card with that PIN to enter the server room after hours. Map each action to the six cyberattack phases. (AP Skill: Analyze Risk)
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]