Access Control: Combo Reader / Controllers Tutorial

Author: Brian Rhodes, Published on Jul 22, 2013

Economical or foolhardy? Industry professionals are torn on combination door readers. These units typically integrate credential readers and door controllers into a single unit hung outside the door. Does the tampering risk also mean they are a security risk? We look at the units in this note, weigh the pros and cons, and address whether and where the risk is worth the benefit.

The Risk

********** *** ********** ** *** ******* ** *** ****** **** means ** *** ** ******** ****, **********, ** ******** *******. When *** ****** *** ********** *** ******** *******, **** **** is *********. *** ********* **** ** ******** ** *** ****** or ****** ****, *** ** *** ********** ********* ** ********* ****** such ******, ** ****** ******* ********** ** ***** *** ****.

*******, **** *** ****** *** *** ********** *** *** **** device, ** ****** ********** *** *************. ** ******* **** * combo **** *** *** ****, **** *** ******** ****** ******, or **** ** ****** *** *** ******** ******* **** * wide **** ****? ***** **** ********* ******* *** ********* **** as *** ***** ** *** ***** *****, * ****** **** ******* the **** ** *** *** **** *** *** ***** *** without **********.

****** ****

**** ****** ********** ***** ******* * '**********', ***** *********** **** ********, *** * '******', ***** ** *** ******* ********** *********. *************, ***** ********** have **** ********, ******** ***** **** **** **** ** ** ********* and *********.

*******, ******* ****** ************* ***** '***********' ***** **** ***** *********** and ******* **** * ****** ****. ***** ******** ***** '*************' compatible ******** ******* *** *** **********, *** *** * ****** box ** ******* **** ** ********** ****** ** ***.

*** ** *** ****** ***** ******** ** * ***** **** is ****** **** *** ***********, ******** *** **** ******** ** ***** ** **** '********* readers' **** ******* '***** *****' *********. ******, *** ****** **** includes * ****** ** ****** ******** *** *********** **** ******** is ********** ** *** **** ****: **** ********** *********.

 

Hardware *******

*** **** ** ******* ******** **** ********** *** **** ** risk ********* ********. *** ***** **** ******* ********* *****, **** maglocks, ******** *** ********** *** ********* ***** ** *** ***** and ***** **** ** ** *********. *******, ******** ******* *** generally *** ********** ** ********** *******, *** ******* ***** *********.

********:**** **** ******** *** ************* ******* *** *** '******** *******' from *** **********, *** ********** **** ** * ***** ** the ***** *******, *** ******** *** ********** ****** *** *******. The ***** ***** ************* ******* **** ********:

******** *******:******* ** *** **** ** ****** *** **** *****, **** simply ***** **** ******** ** ****** ****** ***** ********** *** door ** ****. ** **** *****, *** ****** ** ********* until *** ****** ****** ******* * **** ** ****. ****, the ********** ****** ***** ** *** ******, ******** *** **** lock ** ***** ****** ******* *** ******.

***** ******, **** ******* *** **** ** ******** *** ********** free *************; ** *** ********** ** ****, *** ****** ******* unpowered *** *** **** ***** *****. ** ****, ** ***** require ** ********** ** ***** ****** *** ********* ** ***** wires ***** *** ****** ** ***** ** '******' *** ****. While ***** * *************, **** ***** ** ********* ******** **** familiarity **** **** ** *** *******.

Tamper *************

********* ** ***** *********** ********* ******* * '****** ******' **** detects ******* ******* ** *** ********** **** *** ****, *** locks *** *** **** **** ******* ********** ***** ** *******. This ****** ****** *** **** ******* ***** ******** **** ***** authorities/operators **** *** ********** ** ***** ********:

***** *** ********* ***** ** ****** ******, **** *** *** mechanical **** ***** *****, ****** *** ** '******* ******' **** uses ** ** ******* ** ****** ********. ** *** ****, using **** ***** ****** * ******** **** ** ********** *** ********** and ****, **** ****.

****

*** ******* ************* ** ***** ***** ***** ***** **** ****** cost **** *********** *******. *** *******:

********: ** *** **** ***** ~$***, *** ****** * *** ****** at ~$** ***** ****** $***.  *******, ****** *** ******** ***** cost ** ******* *** ****** *** *** ~$** - ~$*** to *** ****, *** * ***** ******* ** *** $****.

*****: * ****** **** *** ***** ***** ~$***. *********** *** installation **** ** ******* ********* ******* ** $** - $*** savings *** ****.

External **********

** ******** ***** *** *************** ** * ***** **** *** high, ********** *** **** ****** ************ ******* ***************** ******* *** ****. ************* ************* ******** **** **** ********* ******* *** **** ***** ** environmental ********** ******* ******** *** **** - ****** ******* ** optical *******.

***** ********** *** ** ***** ** *******, *** * ********* designed **** ********* ****** ***** ** ****** *******, *** ********* mount **** * ****** ******* **** **** ********** **** ***** fasteners.

*******, ****** ********** *** *********, ********** **** ***** *** ***** cost ** ****** ***. ********** **** ******* ~$** - $*** each, ********* ********** *** ******* ** ***** * '*****' **** to ***** ****. 

***************

*********** ***** *****, ***** ***** ****** **** ** **** ** *** to ****** ******** ******** ***** **** ** *** *** ********:

  • ******** *****:******* ***** ****** * ******** *** ****** ******* ****** ** security *** *** ****** ***** ********* ** '*****' *********** **** video ************ *** ****** ***** *** *** ***** ** ****** attempts.
  • ***** **** ********: *** **** ** ****** ********* ******** ** *** ***** ** recommend ***** **** ** ******* ***** ******* ** **** *** security.
  • ** **** ********:******* ***** *** ******* ***** ***** **** ***** *******, **** should ** ******* ** '**** ********' ******* ****** ** ********** or ************* ****** *******. ***** *** **** ** *****, ***** it ******** ** *** **** ****** *** ***** **********.

Brute *****: *** **** ****

***** ***** ***** ***** ***** ************* **** *** **** **** standard ***********, *** ******* ****** ** ********** ***** ******* *************** brute ***** *******. ***** ***** **** *** ********** ** ******, most ******* **** *** **** *** **** *** **** *** knowledge ** ******* ****, ****** ******** ******* ** ****** *** opening ******. 

*** ********* ***** ***** ***** ***** ****** ** ****** ** part ** * ****** ****** ** ********** ******* '******** ********' of *** ****** *******. ** ** ******** ****** **** ***** through ******** * ********** *** *** ****, *** ********* *** use ***** ***** ** ***** **** *** ****, **** *** issue ** ********.

Comments (8)

The technical advantages of having a single, integrated, intelligent IP device at the door are manifold. But what will drive adoption is simply cost savings (which is potentially more attractive than modeled in this very good article). Security is a matter of degree, not absolute. I expect the inevitable additional functionality and lower cost will prevail over perceived security vulnerabilities which can be effectively mitigated.

We currently have our multi-door microcontrollers in close proximity to the BA/FA alarm control panel and recieve an input signal in the micro's when there is a fire alarm. The exterior doors then unlock to assist firefighters with access. How would this work with the controllers at the door?

Hi

There are ways to do this:

The Maglock can be controlled by an independent power supply. The Alarm/Fire system can activate that relay in case of fire to open the door...

The Fire Alarm dry contact signal can be translated into a digital signal to the server signaling it to open the door.. We don't like this idea but it is doable

If the door/controller powers the Maglock through PoE, then have the Fire Alarm relay cut power to the PoE switch thereby removing power fomr the controller, hence the Maglock...

As for tampering with the Reader/comtroller to removepower fromthe Maglock, we use ISONAS and they have adevice that effectively address the tampering isue...

I was looking at some all-in-one units for home use, from Samsung and Dahua. They typically look like this:

I believe in these that the reader, controller and strike are all in one unit. After reading the article, I am thinking that having the strike integrated may actually be a good thing, since it makes it harder to attack the leads which control the strike.

Is that right or are there new vulnerabilities that are introduced?

Units like you list above do not use an electric strike. The lock latch is retracted or the handle retracts the latch when the lever handle is turned.

Think of a 'hotel style' lock. That is essentially what your standalone unit examples are.

Ok, let me have the bad news, what sucks about them? :)

No need to reply, found this excellent article:

Hotel Access Control Explained

Nice article. Thank you for exploring the risk issues.

A point you didn't address is the case where there's now IP outside the door. If the thing is PoE powered or has a LAN connection, there's the added issue that the net could be the target. Yes, we still bring Bubba to use the prybar but now after that even the low end thieves have a kid on the team with a Rasperry Pi and a a 12 volt battery in their backpack, ready to do rude things over the network drop. There are reports of people accessing devices outside the building for net access, I don't think that's too far-fetched.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Outdoor Camera Mounting Hardware Guide on Feb 21, 2019
Mounting cameras outdoors can be challenging, requiring understanding different types of equipment and methods. In this guide, we teach this...
HID Favorability Results 2019 on Feb 21, 2019
HID favorability results were strong, in the 2019 IPVM integrator study of 200+ integrators, with a net +62% and low negativity as the table below...
BluB0x Company Profile on Feb 20, 2019
BluB0x has doubled in revenue every year since its founding in 2013, according to CEO Patrick Barry. We originally reported on them in 2015. At the...
Security Installation Tools Guide - 22 Tools Listed on Feb 19, 2019
In this guide, we cover 22 tools that security installers frequently use. This is one part of our upcoming Video Surveillance...
Cisco Meraki Cloud VMS/Cameras Tested on Feb 13, 2019
Cisco Meraki says their cameras "bring Meraki magic to the enterprise video security world". According to Meraki, their magic is their management...
Nortek Mobile Access Reader BluePass Examined on Feb 12, 2019
Nortek's Linear access control division claims to make mobile credentials "more secure and easier to use than ever before" with their BluePass...
Dahua Intercom Tested on Feb 07, 2019
Video intercoms are a growing market with video surveillance manufacturers expanding into this niche. IPVM is continuing its series of video...
HID Launches Origo To Fix Mobile Credential Problems on Feb 05, 2019
HID is releasing Origo, an overhaul of its mobile credential platform, this time drastically restructuring the way it is priced and packaged. HID's...
Hikvision HDTVI Power Over Coax Tested on Feb 05, 2019
After years of delay, Hikvision's Power Over Coax (PoC) HDTVI models are finally shipping, aiming to make HD analog installs as simple as PoE, with...
8MP HD Analog Tested (Dahua / Hikvision) on Jan 30, 2019
HD analog has promised higher resolution for years, but has lagged substantially behind for years. Now, both Dahua and Hikvision have started...

Most Recent Industry Reports

Outdoor Camera Mounting Hardware Guide on Feb 21, 2019
Mounting cameras outdoors can be challenging, requiring understanding different types of equipment and methods. In this guide, we teach this...
HID Favorability Results 2019 on Feb 21, 2019
HID favorability results were strong, in the 2019 IPVM integrator study of 200+ integrators, with a net +62% and low negativity as the table below...
First US State, Vermont, Bans Dahua and Hikvision on Feb 21, 2019
The first US state, Vermont, has issued a ban on a number of Chinese and Russian manufacturers including the world's 2 largest video surveillance...
ADI 'SAVE BIG' On FLIR And Hikvision Examined on Feb 20, 2019
One is a major US defense supplier. The other is owned by the Chinese government. But you can "SAVE BIG" on both at ADI. In this note, we...
BluB0x Company Profile on Feb 20, 2019
BluB0x has doubled in revenue every year since its founding in 2013, according to CEO Patrick Barry. We originally reported on them in 2015. At the...
Security Installation Tools Guide - 22 Tools Listed on Feb 19, 2019
In this guide, we cover 22 tools that security installers frequently use. This is one part of our upcoming Video Surveillance...
Sales Cuts At Rasilient on Feb 19, 2019
Over the past 2 years, video surveillance storage specialist Rasilient has expanded its workforce significantly, aiming to build its own branded...
Exacq Raises VMS Software Pricing Twice in Less Than a Year on Feb 18, 2019
Most VMSes regularly release new features, but rarely increase their prices. For the 3rd time in 4 years, and 2nd time in 8 months, since being...
Axis IR Multi Imager Camera Tested (P3717-PLE) on Feb 18, 2019
Axis has released their first IR multi imager, the P3717-PLE, a repositionable model listing 360° IR illumination and flexible positioning,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact