Access Control Exploits: Risky PIRs?

Avatar
Brian Rhodes
Published Dec 10, 2012 00:00 AM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

A panicked end user called us this week about a surprisingly simple way their access control system was compromised. After they shared the details, it became clear that almost any electronic access control system can be impacted. Even though the fix is simple, your systems may be at risk. In the note below, we share the details and the recommended solution.

The Target

The end user, who runs a series of food/coffee shops in urban locations, shared a recent event where a maglock secured door was inadvertently made to open after hours without any physical force, fake credentials, or tampering. Mechanical locks that should have kept the door secure after hours were not locked, and the door was open to anyone who pulled it.

With the door unsecured, unrestricted and unsupervised access into the building was possible. In this event, entry was only detected by a separate intrusion alarm system picking up on motion. Alarm sirens sounded, police were quickly dispatched to the scene, and the event was quickly controlled.

The customer immediately investigated the security failure, seeking to understand how the event was possible. Their findings were shocking in how simple the exploit was to carry out, and how a huge number of doors could be at risk regardless of which system controls it.

The Exploit

The event occurred in a large city where transients and homeless often take refuge in door stoops at night. In this event, a homeless individual was sleeping on a piece of cardboard just outside the controlled opening. This person was able to slide this cardboard under the door sweep, into the coffee shop. Because this door was being secured with a maglock, local AHJs required it have a 'request to exit' PIR mounted above the inside door frame, so the maglock releases in an emergency egress situation.

This PIR, which does not detect anything outside the door, was tripped by the body-temperature warmed piece of cardboard slid under the door. Due to the cardboard's contrast of heat and motion on the cold floor, the PIR sensor was tripped and released the maglock. This in turn left the door unsecured, and the homeless individual was able to enter the store unabated. The image below is a standard configuration of a maglock/RTE PIR:

rte pir

The root cause of the problem was not a malfunctioning RTE PIR - in fact, the device functioned exactly as it should have. The root cause was established to be two otherwise minor elements of the situation:

Industry insights delivered to your inbox weekly.

Sign up to get notified of new reports, investigations, research and more.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

1. The door was not mechanically secured by a lock after hours, as closing procedures required. If the shop staff had simply locked the door as required, it would not have been unsecured during non-operating hours.

2. The bottom door sweep/threshold was not properly adjusted and permitted the cardboard to be inserted into a the gap. While it seems like a minor piece of weather-stripping, the bottom door sweep closes any gap and will prevent items like paper, cardboard, or other items from entering the secured area.

The Solution

The customer was advised, and quickly implemented a series of changes that prevent future issues. First, the bottom door sweeps were replaced and adjusted to prevent any gaps, and the access control system was reconfigured to turn-off the PIR RTE during unoccupied hours.

Because the door in question is not an employee entrance, an emergency exit, nor is the room it is associated with occupied during 'closed hours', simply turning off the RTE during overnight hours is not a problem and has been signed off by the local fire marshal. If required, the customer was prepared to install additional 'push button' emergency door releases to facilitate emergency exit.

The Lesson Learned

While the end user experienced no loss as a result of this event, it was operationally disruptive and could have been very costly. The cost to fix the issue turned out to be less than $50 in door accessories and less than 5 minutes of configuration changes to the access control system.

Despite the close call, the event serves as a reminder that big problems can be avoided with proper programming and hardware adjustment. Because this particular exploit could be used on any access control system, it is especially worth addressing before becoming an issue.