Access Control: Combo Reader / Controllers Tutorial

By: Brian Rhodes, Published on Jul 22, 2013

Economical or foolhardy? Industry professionals are torn on combination door readers. These units typically integrate credential readers and door controllers into a single unit hung outside the door. Does the tampering risk also mean they are a security risk? We look at the units in this note, weigh the pros and cons, and address whether and where the risk is worth the benefit.

The Risk

Installing the controller on the outside of the locked door means it can be tampered with, vandalized, or forcibly removed. When the reader and controller are separate devices, this risk is minimized. The vandalism risk is isolated to the reader or locked door, and if the credential interface is destroyed during such attach, it simply becomes impossible to enter the door.

However, when the reader and the controller are the same device, an attack introduces new possibilities. If someone rips a combo unit off the wall, will the hardware remain locked, or will it unlock and let security threats into a wide open door? While some designers dismiss the potential risk as too great to use these units, a closer look reveals the risk is not the same for all doors and without safeguards.

Hybrid Unit

Most access controlled doors feature a 'controller', which coordinates door function, and a 'reader', which is the primary credential interface. Traditionally, these components have been separate, distinct boxes that each need to be specified and installed.

However, several access manufacturers offer 'combination' units that merge controllers and readers into a single unit. These products offer 'preconfigured' compatible function between the two components, and are a single box to install with no additional cables to run.

One of the better known examples of a combo unit is the HID Edge EVO Combo series, although the same approach is found in many 'biometric readers' that feature 'stand alone' operation. Indeed, any reader that includes a series of output contacts for controlling door hardware is vulnerable to the same risk: door controller tampering.

 

Hardware Matters

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

The type of locking hardware used determines the type of risk tampering presents. For locks that require continual power, like maglocks, removing the controller can interrupt power to the locks and cause them to be unsecured. However, electric strikes are generally not vulenrable to controller removal, but outside power tampering.

Maglocks: Even when maglocks are independently powered and not 'passthru powered' from the controller, the controller acts as a relay in the power circuit, and removing the controller breaks the circuit. The image below schematically depicts this weakness:

Electric Strikes: Strikes do not lock or unlock the door locks, they simply allow door hardware to remain secure while permitting the door to open. In most cases, the strike is unpowered until the access system permits a door to open. Then, the controller routes power to the strike, enabling the door lock to swing freely through the strike.

While subtle, this changes the risk of knocking the controller free significantly; if the controller is gone, the strike remains unpowered and the door stays locks. In fact, it would require an additional DC power source and knowledge of which wires power the strike in order to 'unlock' the door. While still a vulnerability, this level of knowledge requires lock familiarity that most do not possess.

Tamper Vulnerability

Designers of combo controllers typically include a 'tamper switch' that detects illicit removal of the controller from the wall, and locks out the door from further credential reads if tripped. This tamper switch can also trigger alarm messages that alert authorities/operators that the controller is being attacked:

There are different forms of tamper switch, some are the mechanical type shown above, others are an 'optical tamper' that uses an IR emitter to detect movement. In any case, using this input serves a valuable role in protecting the controller and door, from risk.

Cost

The central consideration in using combo units comes from saving cost over traditional methods. For example:

Separate: An HID Edge costs ~$300, and adding a R10 reader at ~$80 costs nearly $400.  However, adding the addition labor cost of hanging two device can add ~$50 - ~$100 to the cost, for a total between in the $400s.

Combo: A single unit HID EHR40 costs ~$350. Eliminating the installation cost of another component results in $50 - $100 savings per unit.

External Protection

If concerns about the vulnerabilities of a combo unit are high, installing the unit inside an additional durable enclosure commonly reduces the risk. These security enclosures are commonly used with biometric readers and also serve as environmental protection against moisture and dirt - common enemies of optical readers.

These enclosures may be metal or plastic, but a generally designed with withstand direct blows or prybar attacks, and generally mount over a larger surface area with additional wall mount fasteners.

However, adding enclosures are expensive, increasing both parts and labor cost to access job. Enclosures cost between ~$50 - $200 each, typically mitigating the savings of using a 'combo' unit to begin with. 

Recommendations

Considering these risks, combo units should only be used on low to medium security interior doors that do not use maglocks:

  • Interior Doors: Usually doors within a building are behind several layers of security and are within close proximity to 'other' protections like video surveillance and nearby staff who can react to tamper attempts.
  • Never with Maglocks: the risk of tamper defeating maglocks is too great to recommend using them to control doors relying on them for security.
  • No High Security: Because there are several known risks with combo readers, they should be avoided in 'high security' designs common to government or institutional access designs. While the risk is minor, avoid it entirely is the best answer for these situations.

Brute Force: The Real Risk

While using combo units raise vulnerability risk not seen with standard controllers, the biggest threat to controlled doors remains unsophisticated brute force attacks. While combo unit are vulnerable to tamper, most threats will not take the time nor have the knowledge to exploit them, rather choosing instead to attack the opening itself. 

The potential risks using combo units should be raised as part of a larger effort in evaluating general 'security hardness' of the entire opening. If an attacker cannot gain entry through knocking a controller off the wall, but otherwise can use brute force to knock down the door, then the issue is academic.

4 reports cite this report:

Secured Combo Controller - Hartmann Access Profile on Dec 12, 2016
Typically, combo controllers are risky, because they combine sensitive door controllers with readers on the exposed unsecured side of the...
Isonas Opens Up Access on Apr 06, 2016
Move over, HID, Mercury Security, and Axis? Isonas has declared itself completely open to integrating with access platforms. Not only is Isonas...
"Future-Proofing" Access Control Guide on Jul 30, 2015
Its one of the most misused phrases around: "Future-proof". However, even without the crystal ball and wizards, designing access control to be...
The Coolest New Access Control Product In Years is from Tyco on Oct 22, 2014
Cool. Access control. Tyco. 3 things that you or I may have never contemplated together. In this note, we examine Tyco's new access control...
Comments (8) : PRO Members only. Login. or Join.

Related Reports

Open Access Controller Guide (Axis, HID, Isonas, Mercury) on Sep 19, 2019
In the access control market, there are many software platforms, but only a few companies that make non-proprietary door controllers. Recently,...
Directory of 68 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Fingerprints for Access Control Guide on Sep 09, 2019
Users can lose badges, but they never misplace a finger, right? The most common biometric used in access are fingerprints, and it has become one...
Assa Acquires LifeSafety Power on Sep 04, 2019
Assa Abloy is acquiring LifeSafety Power, adding to their growing collection of access control brands like Mercury, August, Pioneer Doors, and...
Mobile Access Control Guide on Aug 28, 2019
One of the biggest trends in access for the last few years has been the marriage of mobile phones and access cards. But how does this...
ZK Teco Atlas Access Control Tested on Aug 20, 2019
Who needs access specialists? China-based ZKTeco claims its newest access panel 'makes it very easy for anyone to learn and install access control...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...
Biometrics Usage Statistics 2019 on Aug 13, 2019
Biometrics are commonly used in phones, but how frequently are they used for access? 150+ integrators told us how often they use biometrics,...
ProdataKey (PDK) Access Company Profile on Aug 09, 2019
Utah based ProdataKey touts low cost cloud access, wireless controllers, and no dealer required national distribution availability. But how does...
Axis Door Station A8207-VE Tested on Aug 07, 2019
Axis newest door station, the A8207-VE, claims to deliver "video surveillance, two-way communication, and access control" in a single device. But...

Most Recent Industry Reports

ONVIF Suspends Huawei on Sep 20, 2019
Huawei has been 'suspended', and effectively expelled, from ONVIF so long as US sanctions remain on the mega Chinese manufacturer. Inside this...
Open Access Controller Guide (Axis, HID, Isonas, Mercury) on Sep 19, 2019
In the access control market, there are many software platforms, but only a few companies that make non-proprietary door controllers. Recently,...
Axis Perimeter Defender Improves, Yet Worse Than Dahua and Wyze on Sep 19, 2019
While Axis Perimeter Defender analytics improved from our 2018 testing, the market has improved much faster, with much less expensive offerings...
Directory of 68 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Uniview Prime Series 4K Camera Tested on Sep 18, 2019
Is the new Uniview 'Prime' better than the more expensive existing Uniview 'Pro'? In August, IPVM tested Uniview 4K 'Pro' but members advocated...
US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019
The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...
Vivotek "Neural Network-Powered Detection Engine" Analytics Tested on Sep 17, 2019
Vivotek has released "a neural network-powered detection engine", named Smart Motion Detection, claiming that "swaying vegetation, vehicles passing...
Schmode is Back, Aims To Turn Boulder AI Into Giant on Sep 16, 2019
One of the most influential and controversial executives in the past decade is back. Bryan Schmode ascended and drove the hypergrowth of Avigilon...
Manufacturers Unhappy With Weak ASIS GSX 2019 And 2020 Shift on Sep 16, 2019
Manufacturers were generally unhappy with ASIS GSX, both for weak 2019 booth traffic and a scheduling shift for the 2020 show, according to a new...