Access Control: Combo Reader / Controllers Tutorial

Author: Brian Rhodes, Published on Jul 22, 2013

Economical or foolhardy? Industry professionals are torn on combination door readers. These units typically integrate credential readers and door controllers into a single unit hung outside the door. Does the tampering risk also mean they are a security risk? We look at the units in this note, weigh the pros and cons, and address whether and where the risk is worth the benefit.

The Risk

********** *** ********** ** *** ******* ** *** ****** **** means ** *** ** ******** ****, **********, ** ******** *******. When *** ****** *** ********** *** ******** *******, **** **** is *********. *** ********* **** ** ******** ** *** ****** or ****** ****, *** ** *** ********** ********* ** ********* ****** such ******, ** ****** ******* ********** ** ***** *** ****.

*******, **** *** ****** *** *** ********** *** *** **** device, ** ****** ********** *** *************. ** ******* **** * combo **** *** *** ****, **** *** ******** ****** ******, or **** ** ****** *** *** ******** ******* **** * wide **** ****? ***** **** ********* ******* *** ********* **** as *** ***** ** *** ***** *****, * ****** **** ******* the **** ** *** *** **** *** *** ***** *** without **********.

****** ****

**** ****** ********** ***** ******* * '**********', ***** *********** **** ********, *** * '******', ***** ** *** ******* ********** *********. *************, ***** ********** have **** ********, ******** ***** **** **** **** ** ** ********* and *********.

*******, ******* ****** ************* ***** '***********' ***** **** ***** *********** and ******* **** * ****** ****. ***** ******** ***** '*************' compatible ******** ******* *** *** **********, *** *** * ****** box ** ******* **** ** ********** ****** ** ***.

*** ** *** ****** ***** ******** ** * ***** **** is ****** **** *** ***********, ******** *** **** ******** ** ***** ** **** '********* readers' **** ******* '***** *****' *********. ******, *** ****** **** includes * ****** ** ****** ******** *** *********** **** ******** is ********** ** *** **** ****: **** ********** *********.

 

Hardware *******

*** **** ** ******* ******** **** ********** *** **** ** risk ********* ********. *** ***** **** ******* ********* *****, **** maglocks, ******** *** ********** *** ********* ***** ** *** ***** and ***** **** ** ** *********. *******, ******** ******* *** generally *** ********** ** ********** *******, *** ******* ***** *********.

********:**** **** ******** *** ************* ******* *** *** '******** *******' from *** **********, *** ********** **** ** * ***** ** the ***** *******, *** ******** *** ********** ****** *** *******. The ***** ***** ************* ******* **** ********:

******** *******:******* ** *** **** ** ****** *** **** *****, **** simply ***** **** ******** ** ****** ****** ***** ********** *** door ** ****. ** **** *****, *** ****** ** ********* until *** ****** ****** ******* * **** ** ****. ****, the ********** ****** ***** ** *** ******, ******** *** **** lock ** ***** ****** ******* *** ******.

***** ******, **** ******* *** **** ** ******** *** ********** free *************; ** *** ********** ** ****, *** ****** ******* unpowered *** *** **** ***** *****. ** ****, ** ***** require ** ********** ** ***** ****** *** ********* ** ***** wires ***** *** ****** ** ***** ** '******' *** ****. While ***** * *************, **** ***** ** ********* ******** **** familiarity **** **** ** *** *******.

Tamper *************

********* ** ***** *********** ********* ******* * '****** ******' **** detects ******* ******* ** *** ********** **** *** ****, *** locks *** *** **** **** ******* ********** ***** ** *******. This ****** ****** *** **** ******* ***** ******** **** ***** authorities/operators **** *** ********** ** ***** ********:

***** *** ********* ***** ** ****** ******, **** *** *** mechanical **** ***** *****, ****** *** ** '******* ******' **** uses ** ** ******* ** ****** ********. ** *** ****, using **** ***** ****** * ******** **** ** ********** *** ********** and ****, **** ****.

****

*** ******* ************* ** ***** ***** ***** ***** **** ****** cost **** *********** *******. *** *******:

********: ** *** **** ***** ~$***, *** ****** * *** ****** at ~$** ***** ****** $***.  *******, ****** *** ******** ***** cost ** ******* *** ****** *** *** ~$** - ~$*** to *** ****, *** * ***** ******* ** *** $****.

*****: * ****** **** *** ***** ***** ~$***. *********** *** installation **** ** ******* ********* ******* ** $** - $*** savings *** ****.

External **********

** ******** ***** *** *************** ** * ***** **** *** high, ********** *** **** ****** ************ ******* ***************** ******* *** ****. ************* ************* ******** **** **** ********* ******* *** **** ***** ** environmental ********** ******* ******** *** **** - ****** ******* ** optical *******.

***** ********** *** ** ***** ** *******, *** * ********* designed **** ********* ****** ***** ** ****** *******, *** ********* mount **** * ****** ******* **** **** ********** **** ***** fasteners.

*******, ****** ********** *** *********, ********** **** ***** *** ***** cost ** ****** ***. ********** **** ******* ~$** - $*** each, ********* ********** *** ******* ** ***** * '*****' **** to ***** ****. 

***************

*********** ***** *****, ***** ***** ****** **** ** **** ** *** to ****** ******** ******** ***** **** ** *** *** ********:

  • ******** *****:******* ***** ****** * ******** *** ****** ******* ****** ** security *** *** ****** ***** ********* ** '*****' *********** **** video ************ *** ****** ***** *** *** ***** ** ****** attempts.
  • ***** **** ********: *** **** ** ****** ********* ******** ** *** ***** ** recommend ***** **** ** ******* ***** ******* ** **** *** security.
  • ** **** ********:******* ***** *** ******* ***** ***** **** ***** *******, **** should ** ******* ** '**** ********' ******* ****** ** ********** or ************* ****** *******. ***** *** **** ** *****, ***** it ******** ** *** **** ****** *** ***** **********.

Brute *****: *** **** ****

***** ***** ***** ***** ***** ************* **** *** **** **** standard ***********, *** ******* ****** ** ********** ***** ******* *************** brute ***** *******. ***** ***** **** *** ********** ** ******, most ******* **** *** **** *** **** *** **** *** knowledge ** ******* ****, ****** ******** ******* ** ****** *** opening ******. 

*** ********* ***** ***** ***** ***** ****** ** ****** ** part ** * ****** ****** ** ********** ******* '******** ********' of *** ****** *******. ** ** ******** ****** **** ***** through ******** * ********** *** *** ****, *** ********* *** use ***** ***** ** ***** **** *** ****, **** *** issue ** ********.

Comments (8)

The technical advantages of having a single, integrated, intelligent IP device at the door are manifold. But what will drive adoption is simply cost savings (which is potentially more attractive than modeled in this very good article). Security is a matter of degree, not absolute. I expect the inevitable additional functionality and lower cost will prevail over perceived security vulnerabilities which can be effectively mitigated.

We currently have our multi-door microcontrollers in close proximity to the BA/FA alarm control panel and receive an input signal in the micros when there is a fire alarm. The exterior doors then unlock to assist firefighters with access. How would this work with the controllers at the door?

Hi

There are ways to do this:

The Maglock can be controlled by an independent power supply. The Alarm/Fire system can activate that relay in case of fire to open the door...

The Fire Alarm dry contact signal can be translated into a digital signal to the server signaling it to open the door.. We don't like this idea but it is doable

If the door/controller powers the Maglock through PoE, then have the Fire Alarm relay cut power to the PoE switch thereby removing power from the controller, hence the Maglock...

As for tampering with the Reader/controller to remove power from the Maglock, we use ISONAS and they have a device that effectively addresses the tampering issue...

I was looking at some all-in-one units for home use, from Samsung and Dahua. They typically look like this:

I believe in these that the reader, controller and strike are all in one unit. After reading the article, I am thinking that having the strike integrated may actually be a good thing, since it makes it harder to attack the leads which control the strike.

Is that right or are there new vulnerabilities that are introduced?

Units like you list above do not use an electric strike. The lock latch is retracted or the handle retracts the latch when the lever handle is turned.

Think of a 'hotel style' lock. That is essentially what your standalone unit examples are.

Ok, let me have the bad news, what sucks about them? :)

No need to reply, found this excellent article:

Hotel Access Control Explained

Nice article. Thank you for exploring the risk issues.

A point you didn't address is the case where there's now IP outside the door. If the thing is PoE powered or has a LAN connection, there's the added issue that the net could be the target. Yes, we still bring Bubba to use the prybar but now after that even the low end thieves have a kid on the team with a Raspberry Pi and a 12 volt battery in their backpack, ready to do rude things over the network drop. There are reports of people accessing devices outside the building for net access, I don't think that's too far-fetched.
