Access Control Exploits: Risky PIRs?

Author: Brian Rhodes, Published on Dec 09, 2012

A panicked end user called us this week about a surprisingly simple way their access control system was compromised. After they shared the details, it became clear that almost any electronic access control system can be impacted. Even though the fix is simple, your systems may be at risk. In the note below, we share the details and the recommended solution.

The Target

The end user, who runs a series of food/coffee shops in urban locations, shared a recent event where a maglock-secured door was inadvertently made to open after hours without any physical force, fake credentials, or tampering. Mechanical locks that should have kept the door secure after hours were not locked, and the door was open to anyone who pulled it.

With the door unsecured, unrestricted and unsupervised access into the building was possible. In this event, entry was only detected by a separate intrusion alarm system picking up on motion. Alarm sirens sounded, police were quickly dispatched to the scene, and the event was quickly controlled.

The customer immediately investigated the security failure, seeking to understand how the event was possible. Their findings were shocking in how simple the exploit was to carry out, and how a huge number of doors could be at risk regardless of which system controls them.

The Exploit

The event occurred in a large city where transients and homeless often take refuge in door stoops at night. In this event, a homeless individual was sleeping on a piece of cardboard just outside the controlled opening. This person was able to slide this cardboard under the door sweep, into the coffee shop. Because this door was being secured with a maglock, local AHJs required that it have a 'request to exit' PIR mounted above the inside door frame, so the maglock releases in an emergency egress situation.

This PIR, which does not detect anything outside the door, was tripped by the body-warmed piece of cardboard slid under the door. Because the cardboard presented both heat contrast and motion against the cold floor, the PIR sensor tripped and released the maglock. This in turn left the door unsecured, and the homeless individual was able to enter the store unimpeded. The image below is a standard configuration of a maglock/RTE PIR:

[Image: standard maglock / RTE PIR configuration]

The root cause of the problem was not a malfunctioning RTE PIR - in fact, the device functioned exactly as it should have. The root cause was established to be two otherwise minor elements of the situation:

1. The door was not mechanically secured by a lock after hours, as closing procedures required. If the shop staff had simply locked the door as required, it would not have been unsecured during non-operating hours.

2. The bottom door sweep/threshold was not properly adjusted and permitted the cardboard to be inserted into the gap. While it seems like a minor piece of weather-stripping, the bottom door sweep closes any gap and will prevent paper, cardboard, or other items from entering the secured area.

The Solution

The customer was advised, and quickly implemented a series of changes that prevent future issues. First, the bottom door sweeps were replaced and adjusted to prevent any gaps, and the access control system was reconfigured to turn off the PIR RTE during unoccupied hours.

Because the door in question is neither an employee entrance nor an emergency exit, and the room it is associated with is not occupied during 'closed hours', simply turning off the RTE during overnight hours is not a problem and has been signed off by the local fire marshal. If required, the customer was prepared to install additional 'push button' emergency door releases to facilitate emergency exit.
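The schedule-gated release logic described above, sketched as an added example (not from the original report and not any vendor's controller code). The occupied hours, input names, event labels and sample events are all assumptions made for illustration.

```python
from datetime import datetime, time

# Assumed occupied hours per weekday (0 = Monday); same-day windows only.
OCCUPIED = {day: (time(6, 0), time(21, 0)) for day in range(7)}

def is_occupied(ts, schedule=OCCUPIED):
    """True if ts falls inside that weekday's occupied window."""
    window = schedule.get(ts.weekday())
    if window is None:          # no window configured: treat as closed
        return False
    start, end = window
    return start <= ts.time() < end

def handle_release_request(source, ts, schedule=OCCUPIED):
    """Decide one release input. Returns (release_lock, event_label)."""
    if source == "push_button":
        # Manual emergency release is modelled as always honoured.
        return True, "EMERGENCY_RELEASE"
    if source == "pir_rte":
        if is_occupied(ts, schedule):
            return True, "RTE_RELEASE"
        # After hours the PIR no longer drops the lock; record the trip
        # so it surfaces as an alert.
        return False, "RTE_MASKED_ALERT"
    return False, "UNKNOWN_INPUT"

# Constructed sample events: (timestamp, door, input source).
EVENTS = [
    ("2012-12-03T14:05:00", "front", "pir_rte"),
    ("2012-12-04T02:17:00", "front", "pir_rte"),
    ("2012-12-04T02:30:00", "front", "push_button"),
]

def after_hours_pir_trips(events, schedule=OCCUPIED):
    """List PIR trips that would have released the lock while closed."""
    findings = []
    for stamp, door, source in events:
        ts = datetime.fromisoformat(stamp)
        _, label = handle_release_request(source, ts, schedule)
        if label == "RTE_MASKED_ALERT":
            findings.append((stamp, door))
    return findings

if __name__ == "__main__":
    for stamp, door in after_hours_pir_trips(EVENTS):
        print(f"{stamp} {door}: PIR RTE tripped outside occupied hours")
```

Run against exported door events, the same check shows which doors have PIR releases occurring during closed hours and are therefore candidates for the schedule change.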

The Lesson Learned

While the end user experienced no loss as a result of this event, it was operationally disruptive and could have been very costly. The cost to fix the issue turned out to be less than $50 in door accessories and less than 5 minutes of configuration changes to the access control system.

Despite the close call, the event serves as a reminder that big problems can be avoided with proper programming and hardware adjustment. Because this particular exploit could be used on any access control system, it is especially worth addressing before it becomes an issue.

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.
