Access Control Exploits: Risky PIRs?

By: Brian Rhodes, Published on Dec 09, 2012

A panicked end user called us this week about a surprisingly simple way their access control system was compromised. After they shared the details, it became clear that almost any electronic access control system can be impacted. Even though the fix is simple, your systems may be at risk. In the note below, we share the details and the recommended solution.

The Target

The end user, who runs a series of food/coffee shops in urban locations, shared a recent event where a maglock secured door was inadvertently made to open after hours without any physical force, fake credentials, or tampering. Mechanical locks that should have kept the door secure after hours were not locked, and the door was open to anyone who pulled it.

With the door unsecured, unrestricted and unsupervised access into the building was possible. In this event, entry was only detected by a separate intrusion alarm system picking up on motion. Alarm sirens sounded, police were quickly dispatched to the scene, and the event was quickly controlled.

The customer immediately investigated the security failure, seeking to understand how the event was possible. Their findings were shocking in how simple the exploit was to carry out, and how a huge number of doors could be at risk regardless of which system controls it.

The Exploit

The event occurred in a large city where transients and homeless often take refuge in door stoops at night. In this event, a homeless individual was sleeping on a piece of cardboard just outside the controlled opening. This person was able to slide this cardboard under the door sweep, into the coffee shop. Because this door was being secured with a maglock, local AHJs required it have a 'request to exit' PIR mounted above the inside door frame, so the maglock releases in an emergency egress situation.

This PIR, which does not detect anything outside the door, was tripped by the body-temperature warmed piece of cardboard slid under the door. Due to the cardboard's contrast of heat and motion on the cold floor, the PIR sensor was tripped and released the maglock. This in turn left the door unsecured, and the homeless individual was able to enter the store unabated. The image below is a standard configuration of a maglock/RTE PIR:

rte pir

The root cause of the problem was not a malfunctioning RTE PIR - in fact, the device functioned exactly as it should have. The root cause was established to be two otherwise minor elements of the situation:

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

1. The door was not mechanically secured by a lock after hours, as closing procedures required. If the shop staff had simply locked the door as required, it would not have been unsecured during non-operating hours.

2. The bottom door sweep/threshold was not properly adjusted and permitted the cardboard to be inserted into a the gap. While it seems like a minor piece of weather-stripping, the bottom door sweep closes any gap and will prevent items like paper, cardboard, or other items from entering the secured area.

The Solution

The customer was advised, and quickly implemented a series of changes that prevent future issues. First, the bottom door sweeps were replaced and adjusted to prevent any gaps, and the access control system was reconfigured to turn-off the PIR RTE during unoccupied hours.

Because the door in question is not an employee entrance, an emergency exit, nor is the room it is associated with occupied during 'closed hours', simply turning off the RTE during overnight hours is not a problem and has been signed off by the local fire marshal. If required, the customer was prepared to install additional 'push button' emergency door releases to facilitate emergency exit.

The Lesson Learned

While the end user experienced no loss as a result of this event, it was operationally disruptive and could have been very costly. The cost to fix the issue turned out to be less than $50 in door accessories and less than 5 minutes of configuration changes to the access control system.

Despite the close call, the event serves as a reminder that big problems can be avoided with proper programming and hardware adjustment. Because this particular exploit could be used on any access control system, it is especially worth addressing before becoming an issue.

Comments : PRO Members only. Login. or Join.

Related Reports on Access Control

Farpointe Data Conekt Mobile Access Reader Tested on Jun 13, 2019
California based Farpointe Data has been a significant OEM supplier of conventional access readers for years to companies including DMP, RS2, DSX,...
Dumber Techs, Bad Box Movers, Says Australian Distributor on Jun 10, 2019
Techs today are "dumber" than they used to be, despite better education and training and that makes a typical day "frustrating" for one...
OSDP Access Control Guide on Jun 04, 2019
Access control readers and controllers need to communicate. While Wiegand has been the de facto standard for decades, OSDP aims to solve major...
Vidsys New President Interviewed on May 31, 2019
A decade ago, PSIM was hot with projections then of a billion dollar market by now. This has not come close to happening. However, Vidsys, one of...
Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
Facial Recognition Systems Fail Simple Liveness Detection Test on May 17, 2019
Facial recognition is being widely promoted as a solution to physical access control but we were able to simply spoof 3 systems because they had no...
Maglock Selection Guide on May 16, 2019
One of the most misunderstood yet valuable pieces of electrified hardware is the maglock. Few locks are stronger, but myths and confusion surround...
Milestone XProtect 2019 R1 Tested on May 15, 2019
For the past few years, Milestone has released quarterly software updates XProtect VMS platform. What is new and how much impact do the updates...
Access Control Request to Exit (RTE) Tutorial on May 13, 2019
For access controlled doors, especially those with maglocks, 'Request to Exit', or 'RTE' devices are required to override electrified locks to...
Mining Company Security Manager Interview on May 10, 2019
First Quantum Minerals Limited (FQML) is a global enterprise with offices on 4 continents and operations in 7 countries with exploratory operations...

Most Recent Industry Reports

Sighthound Transforms Into Enterprise AI Provider on Jun 14, 2019
Sighthound is now rapidly expanding its R&D team, building an enterprise AI service. This may come as a surprise given their origins 6 years...
ADT Eliminating Acquired Brands, Unifying Under 'Commercial' Brand on Jun 14, 2019
ADT is eliminating the brands of the many integrators it has acquired over the past few years, including Red Hawk, Aronson Security Group (ASG),...
NSA Director Keynoting Dahua and Hikvision Sponsored Cybersecurity Conference on Jun 13, 2019
The technical director for the NSA’s Cybersecurity Threat Operations Center will be keynoting a physical security cybersecurity conference that is...
Farpointe Data Conekt Mobile Access Reader Tested on Jun 13, 2019
California based Farpointe Data has been a significant OEM supplier of conventional access readers for years to companies including DMP, RS2, DSX,...
Embattled $400 Million China Funded Philippines Surveillance System Proceeds on Jun 13, 2019
An embattled 12,000 camera surveillance system project that will cost ~$400 million will proceed.  The project contract was awarded, had its...
False Verkada 'Unrivaled' Low Light Performance Claim Removed on Jun 12, 2019
Verkada falsely claimed that it delivered 'UNRIVALED LOW LIGHT PERFORMANCE' until IPVM questioned. In fact, Verkada's low light performance is...
Manufacturer Favorability Guide 2019 on Jun 12, 2019
The 259 page PDF guide may be downloaded inside by all IPVM members. It includes our manufacturer favorability rankings and individual...
Camera Course Summer 2019 - Register Now on Jun 12, 2019
Register for the Summer 2019 Camera Course.  This is the only independent surveillance camera course, based on in-depth product and technology...
Favorite Wireless Manufacturers 2019 on Jun 12, 2019
Many wireless options exist for video surveillance but how are integrator's overall favorites? 170 integrators answered the question: What is...
Carnegie Mellon AI Startup Zensors Profile on Jun 11, 2019
Zensors is a startup formed by Carnegie Mellon graduates from a Carnegie Mellon research project, offering customized models per camera that they...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact