Access Control: Combo Reader / Controllers Tutorial

By: Brian Rhodes, Published on Jul 22, 2013

Economical or foolhardy? Industry professionals are torn on combination door readers. These units typically integrate credential readers and door controllers into a single unit hung outside the door. Does the tampering risk also mean they are a security risk? We look at the units in this note, weigh the pros and cons, and address whether and where the risk is worth the benefit.

The Risk

Installing the controller on the outside of the locked door means it can be tampered with, vandalized, or forcibly removed. When the reader and controller are separate devices, this risk is minimized. The vandalism risk is isolated to the reader or locked door, and if the credential interface is destroyed during such attach, it simply becomes impossible to enter the door.

However, when the reader and the controller are the same device, an attack introduces new possibilities. If someone rips a combo unit off the wall, will the hardware remain locked, or will it unlock and let security threats into a wide open door? While some designers dismiss the potential risk as too great to use these units, a closer look reveals the risk is not the same for all doors and without safeguards.

Hybrid Unit

Most access controlled doors feature a 'controller', which coordinates door function, and a 'reader', which is the primary credential interface. Traditionally, these components have been separate, distinct boxes that each need to be specified and installed.

However, several access manufacturers offer 'combination' units that merge controllers and readers into a single unit. These products offer 'preconfigured' compatible function between the two components, and are a single box to install with no additional cables to run.

One of the better known examples of a combo unit is the HID Edge EVO Combo series, although the same approach is found in many 'biometric readers' that feature 'stand alone' operation. Indeed, any reader that includes a series of output contacts for controlling door hardware is vulnerable to the same risk: door controller tampering.

 

Hardware Matters

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

The type of locking hardware used determines the type of risk tampering presents. For locks that require continual power, like maglocks, removing the controller can interrupt power to the locks and cause them to be unsecured. However, electric strikes are generally not vulenrable to controller removal, but outside power tampering.

Maglocks: Even when maglocks are independently powered and not 'passthru powered' from the controller, the controller acts as a relay in the power circuit, and removing the controller breaks the circuit. The image below schematically depicts this weakness:

Electric Strikes: Strikes do not lock or unlock the door locks, they simply allow door hardware to remain secure while permitting the door to open. In most cases, the strike is unpowered until the access system permits a door to open. Then, the controller routes power to the strike, enabling the door lock to swing freely through the strike.

While subtle, this changes the risk of knocking the controller free significantly; if the controller is gone, the strike remains unpowered and the door stays locks. In fact, it would require an additional DC power source and knowledge of which wires power the strike in order to 'unlock' the door. While still a vulnerability, this level of knowledge requires lock familiarity that most do not possess.

Tamper Vulnerability

Designers of combo controllers typically include a 'tamper switch' that detects illicit removal of the controller from the wall, and locks out the door from further credential reads if tripped. This tamper switch can also trigger alarm messages that alert authorities/operators that the controller is being attacked:

There are different forms of tamper switch, some are the mechanical type shown above, others are an 'optical tamper' that uses an IR emitter to detect movement. In any case, using this input serves a valuable role in protecting the controller and door, from risk.

Cost

The central consideration in using combo units comes from saving cost over traditional methods. For example:

Separate: An HID Edge costs ~$300, and adding a R10 reader at ~$80 costs nearly $400.  However, adding the addition labor cost of hanging two device can add ~$50 - ~$100 to the cost, for a total between in the $400s.

Combo: A single unit HID EHR40 costs ~$350. Eliminating the installation cost of another component results in $50 - $100 savings per unit.

External Protection

If concerns about the vulnerabilities of a combo unit are high, installing the unit inside an additional durable enclosure commonly reduces the risk. These security enclosures are commonly used with biometric readers and also serve as environmental protection against moisture and dirt - common enemies of optical readers.

These enclosures may be metal or plastic, but a generally designed with withstand direct blows or prybar attacks, and generally mount over a larger surface area with additional wall mount fasteners.

However, adding enclosures are expensive, increasing both parts and labor cost to access job. Enclosures cost between ~$50 - $200 each, typically mitigating the savings of using a 'combo' unit to begin with. 

Recommendations

Considering these risks, combo units should only be used on low to medium security interior doors that do not use maglocks:

  • Interior Doors: Usually doors within a building are behind several layers of security and are within close proximity to 'other' protections like video surveillance and nearby staff who can react to tamper attempts.
  • Never with Maglocks: the risk of tamper defeating maglocks is too great to recommend using them to control doors relying on them for security.
  • No High Security: Because there are several known risks with combo readers, they should be avoided in 'high security' designs common to government or institutional access designs. While the risk is minor, avoid it entirely is the best answer for these situations.

Brute Force: The Real Risk

While using combo units raise vulnerability risk not seen with standard controllers, the biggest threat to controlled doors remains unsophisticated brute force attacks. While combo unit are vulnerable to tamper, most threats will not take the time nor have the knowledge to exploit them, rather choosing instead to attack the opening itself. 

The potential risks using combo units should be raised as part of a larger effort in evaluating general 'security hardness' of the entire opening. If an attacker cannot gain entry through knocking a controller off the wall, but otherwise can use brute force to knock down the door, then the issue is academic.

5 reports cite this report:

Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems...
Secured Combo Controller - Hartmann Access Profile on Dec 12, 2016
Typically, combo controllers are risky, because they combine sensitive door...
Isonas Opens Up Access on Apr 06, 2016
Move over, HID, Mercury Security, and Axis? Isonas has declared itself...
"Future-Proofing" Access Control Guide on Jul 30, 2015
Its one of the most misused phrases around: "Future-proof". However, even...
The Coolest New Access Control Product In Years is from Tyco on Oct 22, 2014
Cool. Access control. Tyco. 3 things that you or I may have never...
Comments (10) : Members only. Login. or Join.

Related Reports

Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
Forced Door Alarms For Access Control Tutorial on Aug 17, 2020
One of the most important access control alarms is also often ignored....
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry,...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Exit Devices For Access Control Tutorial on Aug 25, 2020
Exit Devices, also called 'Panic Bars' or 'Crash Bars' are required by safety...
Propped Doors Access Control Tutorial on Jan 07, 2020
Doors should keep 'bad guys' out, but a common access control problem is...
Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems...
Delayed Egress Access Control Tutorial on Feb 04, 2020
Delayed Egress marks one of the few times locking people into a building is...
Glass Doors and Access Control Tutorial on Nov 21, 2019
One of the biggest access challenges are locking and securing glass...
Vehicle Gate Access Control Guide on Mar 19, 2020
Vehicle gate access control demands integrating various systems to keep...
Securing Access Control Installations Tutorial on Oct 17, 2019
The physical security of access control components is critical to ensuring...
Door Fundamentals For Access Control Guide on Aug 24, 2020
Doors vary greatly in how difficult and costly it is to add electronic access...
Tailgating: Access Control Tutorial on Oct 31, 2019
Nearly all access control systems are vulnerable to an easy exploit called...
Lock Status Monitoring Tutorial on Oct 28, 2019
Just because access doors are closed does not mean they are locked. Unless...

Recent Reports

OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
This is a unique installation course in a market where little practical...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...
China Bems Temperature Measurement Terminal Tested on Sep 22, 2020
Guangzhou Bems (brand Benshi) is the manufacturer behind temperature...
Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
Milestone XProtect on AWS Tested on Sep 21, 2020
Milestone finally launched multiple cloud solutions in 2020, taking a...