Access Control: Combo Reader / Controllers Tutorial

By: Brian Rhodes, Published on Jul 22, 2013

Economical or foolhardy? Industry professionals are torn on combination door readers. These units typically integrate credential readers and door controllers into a single unit hung outside the door. Does the tampering risk also mean they are a security risk? We look at the units in this note, weigh the pros and cons, and address whether and where the risk is worth the benefit.

The Risk

Installing the controller on the outside of the locked door means it can be tampered with, vandalized, or forcibly removed. When the reader and controller are separate devices, this risk is minimized. The vandalism risk is isolated to the reader or locked door, and if the credential interface is destroyed during such attach, it simply becomes impossible to enter the door.

However, when the reader and the controller are the same device, an attack introduces new possibilities. If someone rips a combo unit off the wall, will the hardware remain locked, or will it unlock and let security threats into a wide open door? While some designers dismiss the potential risk as too great to use these units, a closer look reveals the risk is not the same for all doors and without safeguards.

Hybrid Unit

Most access controlled doors feature a 'controller', which coordinates door function, and a 'reader', which is the primary credential interface. Traditionally, these components have been separate, distinct boxes that each need to be specified and installed.

However, several access manufacturers offer 'combination' units that merge controllers and readers into a single unit. These products offer 'preconfigured' compatible function between the two components, and are a single box to install with no additional cables to run.

One of the better known examples of a combo unit is the HID Edge EVO Combo series, although the same approach is found in many 'biometric readers' that feature 'stand alone' operation. Indeed, any reader that includes a series of output contacts for controlling door hardware is vulnerable to the same risk: door controller tampering.

 

Hardware Matters

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

The type of locking hardware used determines the type of risk tampering presents. For locks that require continual power, like maglocks, removing the controller can interrupt power to the locks and cause them to be unsecured. However, electric strikes are generally not vulenrable to controller removal, but outside power tampering.

Maglocks: Even when maglocks are independently powered and not 'passthru powered' from the controller, the controller acts as a relay in the power circuit, and removing the controller breaks the circuit. The image below schematically depicts this weakness:

Electric Strikes: Strikes do not lock or unlock the door locks, they simply allow door hardware to remain secure while permitting the door to open. In most cases, the strike is unpowered until the access system permits a door to open. Then, the controller routes power to the strike, enabling the door lock to swing freely through the strike.

While subtle, this changes the risk of knocking the controller free significantly; if the controller is gone, the strike remains unpowered and the door stays locks. In fact, it would require an additional DC power source and knowledge of which wires power the strike in order to 'unlock' the door. While still a vulnerability, this level of knowledge requires lock familiarity that most do not possess.

Tamper Vulnerability

Designers of combo controllers typically include a 'tamper switch' that detects illicit removal of the controller from the wall, and locks out the door from further credential reads if tripped. This tamper switch can also trigger alarm messages that alert authorities/operators that the controller is being attacked:

There are different forms of tamper switch, some are the mechanical type shown above, others are an 'optical tamper' that uses an IR emitter to detect movement. In any case, using this input serves a valuable role in protecting the controller and door, from risk.

Cost

The central consideration in using combo units comes from saving cost over traditional methods. For example:

Separate: An HID Edge costs ~$300, and adding a R10 reader at ~$80 costs nearly $400.  However, adding the addition labor cost of hanging two device can add ~$50 - ~$100 to the cost, for a total between in the $400s.

Combo: A single unit HID EHR40 costs ~$350. Eliminating the installation cost of another component results in $50 - $100 savings per unit.

External Protection

If concerns about the vulnerabilities of a combo unit are high, installing the unit inside an additional durable enclosure commonly reduces the risk. These security enclosures are commonly used with biometric readers and also serve as environmental protection against moisture and dirt - common enemies of optical readers.

These enclosures may be metal or plastic, but a generally designed with withstand direct blows or prybar attacks, and generally mount over a larger surface area with additional wall mount fasteners.

However, adding enclosures are expensive, increasing both parts and labor cost to access job. Enclosures cost between ~$50 - $200 each, typically mitigating the savings of using a 'combo' unit to begin with. 

Recommendations

Considering these risks, combo units should only be used on low to medium security interior doors that do not use maglocks:

  • Interior Doors: Usually doors within a building are behind several layers of security and are within close proximity to 'other' protections like video surveillance and nearby staff who can react to tamper attempts.
  • Never with Maglocks: the risk of tamper defeating maglocks is too great to recommend using them to control doors relying on them for security.
  • No High Security: Because there are several known risks with combo readers, they should be avoided in 'high security' designs common to government or institutional access designs. While the risk is minor, avoid it entirely is the best answer for these situations.

Brute Force: The Real Risk

While using combo units raise vulnerability risk not seen with standard controllers, the biggest threat to controlled doors remains unsophisticated brute force attacks. While combo unit are vulnerable to tamper, most threats will not take the time nor have the knowledge to exploit them, rather choosing instead to attack the opening itself. 

The potential risks using combo units should be raised as part of a larger effort in evaluating general 'security hardness' of the entire opening. If an attacker cannot gain entry through knocking a controller off the wall, but otherwise can use brute force to knock down the door, then the issue is academic.

5 reports cite this report:

Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems...
Secured Combo Controller - Hartmann Access Profile on Dec 12, 2016
Typically, combo controllers are risky, because they combine sensitive door...
Isonas Opens Up Access on Apr 06, 2016
Move over, HID, Mercury Security, and Axis? Isonas has declared itself...
"Future-Proofing" Access Control Guide on Jul 30, 2015
Its one of the most misused phrases around: "Future-proof". However, even...
The Coolest New Access Control Product In Years is from Tyco on Oct 22, 2014
Cool. Access control. Tyco. 3 things that you or I may have never...
Comments (10) : Members only. Login. or Join.

Related Reports

Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Vehicle Gate Access Control Guide on Mar 19, 2020
Vehicle gate access control demands integrating various systems to keep...
Add Door Operators To Fight Coronavirus on Mar 31, 2020
IPVM recommends that integrators advocate and end-users consider adding door...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
Delayed Egress Access Control Tutorial on Feb 04, 2020
Delayed Egress marks one of the few times locking people into a building is...
How Mobile Access Control Can and Cannot Help With Coronavirus on Mar 23, 2020
With coronavirus concerns continuing to rise, many access control companies...
Access Credential Form Factor Tutorial on Feb 10, 2020
Deciding which access control credential to use and distribute, including...
Coronavirus Shuts Down ADT Door Knockers on Mar 26, 2020
Coronavirus has another victim - this time, alarm giant ADT has stopped all...
Hands-Free Bathroom Doors For Coronavirus Mitigation on Apr 10, 2020
Coronavirus has increased concerns about picking up germs, especially from...
Hazardous & Explosion Proof Access Control Tutorial on Feb 27, 2020
Controlling access to hazardous environments requires equipment meeting...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Axis License Plate Verifier Tested on Jul 21, 2020
Axis has historically left license plate verification to their partners, but...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry,...
Faked Convergint Fever Camera 'Expert' Marketing on Jun 16, 2020
Convergint touts they are "THERMAL CAMERA SOLUTION EXPERTS" while faking...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...

Recent Reports

VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...
US Startup Fever Inspect Examined on Aug 03, 2020
Undoubtedly late to fever cameras, this US company, Fever Inspect, led by a...
Motorola Solutions Acquires Pelco on Aug 03, 2020
Motorola Solutions has acquired Pelco, pledging to bring blue back and make...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...