Access Control: Combo Reader / Controllers Tutorial
By: Brian Rhodes, Published on Jul 22, 2013
Economical or foolhardy? Industry professionals are torn on combination door readers. These units typically integrate credential readers and door controllers into a single unit hung outside the door. Does the tampering risk also mean they are a security risk? We look at the units in this note, weigh the pros and cons, and address whether and where the risk is worth the benefit.
Installing the controller on the outside of the locked door means it can be tampered with, vandalized, or forcibly removed. When the reader and controller are separate devices, this risk is minimized. The vandalism risk is isolated to the reader or locked door, and if the credential interface is destroyed during such an attack, it simply becomes impossible to enter the door.
However, when the reader and the controller are the same device, an attack introduces new possibilities. If someone rips a combo unit off the wall, will the hardware remain locked, or will it unlock and let security threats into a wide open door? While some designers dismiss the potential risk as too great to use these units, a closer look reveals that the risk is not the same for all doors, nor is it without safeguards.
Most access controlled doors feature a 'controller', which coordinates door function, and a 'reader', which is the primary credential interface. Traditionally, these components have been separate, distinct boxes that each need to be specified and installed.
However, several access manufacturers offer 'combination' units that merge controllers and readers into a single unit. These products offer 'preconfigured' compatible function between the two components, and are a single box to install with no additional cables to run.
One of the better known examples of a combo unit is the HID Edge EVO Combo series, although the same approach is found in many 'biometric readers' that feature 'stand alone' operation. Indeed, any reader that includes a series of output contacts for controlling door hardware is vulnerable to the same risk: door controller tampering.
The type of locking hardware used determines the type of risk tampering presents. For locks that require continual power, like maglocks, removing the controller can interrupt power to the locks and cause them to be unsecured. Electric strikes, however, are generally not vulnerable to controller removal, but to outside power tampering.
Maglocks: Even when maglocks are independently powered and not 'passthru powered' from the controller, the controller acts as a relay in the power circuit, and removing the controller breaks the circuit. The image below schematically depicts this weakness:
Electric Strikes: Strikes do not lock or unlock the door locks; they simply allow door hardware to remain secure while permitting the door to open. In most cases, the strike is unpowered until the access system permits a door to open. Then, the controller routes power to the strike, enabling the door lock to swing freely through the strike.
While subtle, this changes the risk of knocking the controller free significantly: if the controller is gone, the strike remains unpowered and the door stays locked. In fact, it would require an additional DC power source and knowledge of which wires power the strike in order to 'unlock' the door. While still a vulnerability, this level of knowledge requires lock familiarity that most do not possess.
Designers of combo controllers typically include a 'tamper switch' that detects illicit removal of the controller from the wall, and locks out the door from further credential reads if tripped. This tamper switch can also trigger alarm messages that alert authorities/operators that the controller is being attacked:
There are different forms of tamper switch: some are the mechanical type shown above, while others are an 'optical tamper' that uses an IR emitter to detect movement. In any case, using this input serves a valuable role in protecting the controller and door from risk.
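The tamper behavior described above can be verified from the access system's event log. The following is an added example, not part of the original article or any vendor's software; the log format, the event names (TAMPER, TAMPER_RESET, ACCESS_GRANTED) and the door names are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed door schedule: lock type per door (hypothetical names).
DOORS = {"lab-101": "maglock", "office-204": "strike"}

# Constructed event log in a hypothetical "timestamp door event" format.
SAMPLE_LOG = """\
2013-07-22T09:00:05 office-204 ACCESS_GRANTED
2013-07-22T09:14:40 lab-101 TAMPER
2013-07-22T09:15:02 lab-101 ACCESS_GRANTED
2013-07-22T09:30:00 lab-101 TAMPER_RESET
2013-07-22T09:31:10 lab-101 ACCESS_GRANTED
2013-07-22T10:02:13 office-204 TAMPER
"""

def parse(log):
    """Yield (datetime, door, event) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def review(log, doors):
    """Return alerts as (severity, door, reason, timestamp) tuples."""
    alerts, tampered = [], set()
    for ts, door, event in sorted(parse(log)):
        if event == "TAMPER":
            tampered.add(door)
            # Only a known strike stays locked when the unit is removed;
            # maglocks and unknown lock types are treated as worst case.
            sev = "high" if doors.get(door) == "strike" else "critical"
            alerts.append((sev, door, "tamper switch tripped", ts))
        elif event == "TAMPER_RESET":
            tampered.discard(door)
        elif event == "ACCESS_GRANTED" and door in tampered:
            # The unit should refuse reads after a tamper trip; a grant
            # here means the lockout is not being enforced.
            alerts.append(("critical", door, "grant while tampered", ts))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, DOORS):
        print(*alert)
```
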
The central consideration in using combo units comes from saving cost over traditional methods. For example:
Separate: An HID Edge costs ~$300, and adding an R10 reader at ~$80 brings the cost to nearly $400. However, the additional labor cost of hanging two devices can add ~$50 - ~$100 to the cost, for a total in the $400s.
Combo: A single unit HID EHR40 costs ~$350. Eliminating the installation cost of another component results in $50 - $100 savings per unit.
If concerns about the vulnerabilities of a combo unit are high, installing the unit inside an additional durable enclosure commonly reduces the risk. These security enclosures are commonly used with biometric readers and also serve as environmental protection against moisture and dirt - common enemies of optical readers.
These enclosures may be metal or plastic, but are generally designed to withstand direct blows or prybar attacks, and generally mount over a larger surface area with additional wall mount fasteners.
However, adding enclosures is expensive, increasing both the parts and labor cost of an access job. Enclosures cost between ~$50 - $200 each, typically offsetting the savings of using a 'combo' unit to begin with.
Considering these risks, combo units should only be used on low to medium security interior doors that do not use maglocks:
- Interior Doors: Usually doors within a building are behind several layers of security and are within close proximity to 'other' protections like video surveillance and nearby staff who can react to tamper attempts.
- Never with Maglocks: The risk of tampering defeating maglocks is too great to recommend using combo units to control doors that rely on maglocks for security.
- No High Security: Because there are several known risks with combo readers, they should be avoided in 'high security' designs common to government or institutional access designs. While the risk is minor, avoiding it entirely is the best answer for these situations.
Brute Force: The Real Risk
While using combo units raises vulnerability risks not seen with standard controllers, the biggest threat to controlled doors remains unsophisticated brute force attacks. While combo units are vulnerable to tampering, most threats will neither take the time nor have the knowledge to exploit them, choosing instead to attack the opening itself.
The potential risks of using combo units should be raised as part of a larger effort in evaluating the general 'security hardness' of the entire opening. If an attacker cannot gain entry by knocking a controller off the wall, but can otherwise use brute force to knock down the door, then the issue is academic.