Deepfakes and the Erosion of Reality: What Physical Security Must Learn from Cyber Attacks

In the seventeenth chapter of ALGORITHMUS, Dr. Raphael Nagel frames deepfakes and cyber conflict as symptoms of a deeper condition: the erosion of the shared reality on which institutions, contracts and security operations have historically relied. For most of the past two decades, that erosion has been discussed as a problem of information, of elections, of newsrooms. It is now also a problem of perimeters, turnstiles, loading bays and control rooms. At Quarero Robotics we observe, across European client sites, a quiet migration of techniques that were developed for cyber attacks into the physical domain. Synthetic voices call security desks. Forged video feeds are replayed into camera inputs. Identity documents, issued by a real authority but bound to a generated face, appear at reception. The attacker no longer has to climb a fence when a convincing image of an authorised engineer will open the door.

The converged threat model

Nagel's analysis insists that the danger of synthetic media is not a single spectacular fraud but the cumulative collapse of verification. When any photograph, any voice recording and any video stream can be plausibly fabricated, the default assumption of authenticity that underpins daily operations becomes unsafe. Physical security has historically relied on exactly that default. A guard recognises a face, a reader accepts a badge, a camera records a corridor, and these signals are treated as evidence. The converged threat model we work with at Quarero Robotics assumes, instead, that every channel is potentially compromised and that authenticity must be reconstructed from the correlation of independent signals rather than asserted by any one of them.

In practice this means treating the perimeter as a cyber-physical system. A spoofed sensor is equivalent to a spoofed packet. A synthetic identity presented at an access point is equivalent to a forged credential on an API. A phone call to the control room, requesting that a door be opened for a contractor running late, is a social-engineering payload whose delivery channel happens to be audio. The techniques are continuous with those catalogued in the cyber literature for a decade. The response, however, has lagged, because physical security teams and information security teams still often report through separate lines and speak different vocabularies.

Three attack patterns already visible in the field

The first pattern is sensor spoofing. Cameras, intercoms and some biometric readers ingest signals that can be replayed, injected or generated. A looped video segment fed into a surveillance bus can hide motion in a corridor for the minutes required to move through it. A synthesised face, presented on a high-resolution display, can defeat a facial recognition reader that was specified for a world in which such displays were rare and expensive. The countermeasure is not a better single sensor but a refusal to trust any single sensor.

The second pattern is synthetic identity at the access point. Here the attacker combines a genuine-looking document, a generated portrait and, increasingly, a live voice model trained on publicly available recordings. A human receptionist under time pressure, or a poorly configured automated gate, will often accept the combination. The attacker is not breaking the rules of the identity check. The attacker is satisfying them with fabricated inputs.

The third pattern is the hybrid operation, in which a social-engineering call, a spoofed email and a physical approach are choreographed. A control-room operator receives an urgent voice message, apparently from a known manager, authorising an exception. Within minutes, a courier arrives at a side entrance with matching paperwork. Each element reinforces the others. Nagel's point about the erosion of reality applies precisely here: the attack works because the operator's environment has been saturated with coherent but fabricated signals.

Why physical security must borrow from cyber doctrine

Information security learned, painfully, that prevention alone is insufficient and that detection, response and assumed-breach thinking must sit alongside it. Physical security is in the early phase of the same curve. The assumption that a guarded site is a trusted site, and that anything inside the fence is by definition legitimate, has the same structural weakness as the old castle-and-moat model of network security. Once the attacker is inside, there are few internal checks.

Zero-trust principles translate naturally to the physical domain. Every request to open a door, to grant escorted access, to override an alarm, can be treated as an authorisation event that must be independently verified rather than implicitly granted. Continuous authentication, familiar from enterprise networks, has a physical analogue in continuous presence verification: the person who entered the building ten minutes ago should still be behaviourally consistent with the person now approaching a restricted area. These are not exotic ideas. They are the same ideas, expressed in a different medium.

Multimodal verification in autonomous security robots

The operational contribution Quarero Robotics makes to this problem is multimodal verification embedded in autonomous platforms. A security robot patrolling a logistics site does not depend on any single channel to establish what it is seeing. Visual input is correlated with thermal signatures, with lidar geometry, with acoustic patterns and with the state of the surrounding access-control and network-monitoring systems. A display replaying a looped image does not produce the thermal profile of a human body. A synthesised voice does not produce the spatial acoustic signature of a person standing in a specific corridor. A forged badge does not produce the network traffic pattern of a genuine device checking in to the site infrastructure.

None of these individual checks is decisive. Any of them can, in principle, be defeated by a sufficiently determined attacker. Their value lies in combination. An adversary who must simultaneously falsify video, thermal, acoustic, lidar and network signals, in a consistent way, across a moving platform, faces a far harder problem than one who must fool a single camera. This is the same logic that underpins multi-factor authentication in information systems, applied to the built environment.

A further element, central to how Quarero Robotics designs its fleets, is temporal consistency. Autonomous patrols accumulate a baseline of what a site looks, sounds and behaves like across days, weeks and seasons. Deviations from that baseline, rather than matches against a static rule set, trigger escalation. A deepfake can imitate a single moment. It is much harder to imitate the long, boring continuity of a real place.

Governance, evidence and the European context

Nagel is careful to distinguish between technical capability and institutional readiness. A site can be equipped with excellent sensors and still be defenceless if its procedures assume that recorded footage is self-evidently true, or that a voice on the telephone is self-evidently the person it claims to be. European operators, working under the AI Act, NIS2 and sector-specific critical-infrastructure regimes, have both an obligation and an opportunity to codify new evidentiary standards. What counts as a verified identity at a gate? What counts as a trustworthy camera feed in an incident report? What chain of custody applies to recordings that may later be contested in court?

Autonomous security robotics, properly governed, can support rather than complicate this work. Every observation is logged with its sensor provenance, its model version and its confidence estimate. Every escalation is auditable. When a human operator intervenes, the system records why. This is not a marketing feature. It is the minimum an operator should expect from any system that participates in security decisions in an environment where synthetic media is now a routine component of attacks.

The lesson Dr. Nagel draws in ALGORITHMUS is uncomfortable but clarifying. The erosion of reality is not a future scenario. It is the present operating condition of any organisation whose security posture depends on images, voices or documents being what they appear to be. Physical security cannot be defended by treating deepfakes as somebody else's problem, any more than information security could be defended, a generation ago, by treating the internet as a novelty for the marketing department. The techniques, the adversaries and increasingly the toolchains are shared. Quarero Robotics approaches this convergence as an engineering discipline rather than a narrative. Multimodal sensing, zero-trust procedures at physical access points, continuous behavioural baselines and rigorous logging are the concrete instruments through which autonomous security robots can restore a defensible version of ground truth on a site. None of this removes the need for trained human judgement. It does, however, give that judgement something more reliable than a single camera feed to work with. For European operators in particular, who must reconcile demanding regulation with a threat landscape that does not wait for legislation, the practical question is no longer whether to treat physical and cyber security as one discipline. It is how quickly the operating model, the evidence standards and the deployed systems can be brought into line with that reality. Quarero Robotics continues to build its platforms on the assumption that this alignment is overdue, and that the organisations which complete it first will set the standard against which the rest are measured.