Pen testers arrested after breaking into courthouse that hired them

A thief cutting a lock to break into a building

Two security specialists have been arrested after physically breaking into a US courthouse, something they claim was part of the cyber security penetration assessment they were hired to complete.

Dallas' State Court Administration (SCA) hired the two specialists through a third-party to conduct a penetration test of the electronic records held by the Dallas County Courthouse. However, authorities were alerted when the two men were found attempting to breaking into the site using an assortment of burglary tools.

The two men later claimed they were hired to test the courthouse alarm system, and how responsive the police were, according to the Des Moines Register.

The SCA, which governs courthouses in the state, confirmed they had hired the pen-testers from security firm Coalfire to "attempt unauthorised access to court records through various means" and ascertain vulnerabilities.

"SCA did not intent, or anticipate, those efforts to include forced entry into a building," the organisation added in a statement.

"SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff's Office and the Dallas County Attorney as they pursue this investigation."

It's currently unclear what the agreement stipulated, however, the two specialists remain adamant that by physically breaking into the site they were operating under the boundaries of the contract.

The testing of physical defences forms an integral part of many cyber security strategies, particularly in locations housing highly sensitive data, as there are often security vulnerabilities that can only be exploited by being in close proximity to target devices.

Nvidia, for example, last month disclosed five dangerous vulnerabilities in its GeForce, Quadro and Tesla graphics processing units (GPUs), with the most severe flaw allowing an attacker to install malware on a victim's machine.

These flaws, however, required hackers to be physically close to target devices, meaning an organisation hoping to protect themselves from attacks would need to invest in physical defences just as much as cyber defences.

"Coalfire is a global cybersecurity firm that has conducted over 10,000 security assessments since 2001," a spokesperson told IT Pro.

"We have performed hundreds of assessments for similar government agencies, and our employees work diligently to ensure our engagements are conducted with the utmost integrity and in alignment with the objectives of our client.

"However, we cannot comment on this situation or any specific client engagements due to the confidential nature of our work and various security and privacy laws. Additionally, we cannot comment on this specific case as it is an active legal matter."

The two pen-testers, Justin Wynn and Gary Demercurio, have been charged with third-degree burglary and possession of burglary tools. They are set to return to the Dallas County Courthouse for a preliminary hearing on 23 September.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.