Access Control: Combo Reader / Controllers Tutorial

Author: Brian Rhodes, Published on Jul 22, 2013

Economical or foolhardy? Industry professionals are torn on combination door readers. These units typically integrate credential readers and door controllers into a single unit hung outside the door. Does the tampering risk also mean they are a security risk? We look at the units in this note, weigh the pros and cons, and address whether and where the risk is worth the benefit.

The Risk

********** *** ********** ** the ******* ** *** locked **** ***** ** can ** ******** ****, vandalized, ** ******** *******. When *** ****** *** controller *** ******** *******, this **** ** *********. The ********* **** ** isolated ** *** ****** or ****** ****, *** if *** ********** ********* is ********* ****** **** ******, it ****** ******* ********** to ***** *** ****.

*******, **** *** ****** and *** ********** *** the **** ******, ** attack ********** *** *************. If ******* **** * combo **** *** *** wall, **** *** ******** remain ******, ** **** it ****** *** *** security ******* **** * wide **** ****? ***** some ********* ******* *** potential **** ** *** great ** *** ***** *****, a ****** **** ******* the **** ** *** the **** *** *** doors *** ******* **********.

****** ****

**** ****** ********** ***** feature * '**********', ***** *********** **** ********, and * '******', ***** ** *** primary ********** *********. *************, these ********** **** **** ********, distinct ***** **** **** need ** ** ********* and *********.

*******, ******* ****** ************* offer '***********' ***** **** merge *********** *** ******* into * ****** ****. These ******** ***** '*************' compatible ******** ******* *** two **********, *** *** a ****** *** ** install **** ** ********** cables ** ***.

*** ** *** ****** known ******** ** * combo **** ** ****** **** *** ***********, ******** *** **** approach ** ***** ** many '********* *******' **** feature '***** *****' *********. Indeed, *** ****** **** includes * ****** ** output ******** *** *********** door ******** ** ********** to *** **** ****: door ********** *********.

 

Hardware *******

*** **** ** ******* hardware **** ********** *** type ** **** ********* presents. *** ***** **** require ********* *****, **** maglocks, ******** *** ********** can ********* ***** ** the ***** *** ***** them ** ** *********. However, ******** ******* *** generally *** ********** ** controller *******, *** ******* power *********.

********:**** **** ******** *** independently ******* *** *** 'passthru *******' **** *** controller, *** ********** **** as * ***** ** the ***** *******, *** removing *** ********** ****** the *******. *** ***** below ************* ******* **** weakness:

******** *******:******* ** *** **** or ****** *** **** locks, **** ****** ***** door ******** ** ****** secure ***** ********** *** door ** ****. ** most *****, *** ****** is ********* ***** *** access ****** ******* * door ** ****. ****, the ********** ****** ***** to *** ******, ******** the **** **** ** swing ****** ******* *** strike.

***** ******, **** ******* the **** ** ******** the ********** **** *************; if *** ********** ** gone, *** ****** ******* unpowered *** *** **** stays *****. ** ****, it ***** ******* ** additional ** ***** ****** and ********* ** ***** wires ***** *** ****** in ***** ** '******' the ****. ***** ***** a *************, **** ***** of ********* ******** **** familiarity **** **** ** not *******.

Tamper *************

********* ** ***** *********** typically ******* * '****** switch' **** ******* ******* removal ** *** ********** from *** ****, *** locks *** *** **** from ******* ********** ***** if *******. **** ****** switch *** **** ******* alarm ******** **** ***** authorities/operators **** *** ********** is ***** ********:

***** *** ********* ***** of ****** ******, **** are *** ********** **** shown *****, ****** *** an '******* ******' **** uses ** ** ******* to ****** ********. ** any ****, ***** **** input ****** * ******** **** in ********** *** ********** and ****, **** ****.

****

*** ******* ************* ** using ***** ***** ***** from ****** **** **** traditional *******. *** *******:

********: ** *** **** ***** ~$300, *** ****** * R10 ****** ** ~$** costs ****** $***.  *******, adding *** ******** ***** cost ** ******* *** device *** *** ~$** - ~$*** ** *** cost, *** * ***** between ** *** $****.

*****: * ****** **** HID ***** ***** ~$***. Eliminating *** ************ **** of ******* ********* ******* in $** - $*** savings *** ****.

External **********

** ******** ***** *** vulnerabilities ** * ***** unit *** ****, ********** the **** ****** ************ ******* ***************** ******* *** ****. These******** ************* ******** **** **** biometric ******* *** **** serve ** ************* ********** against ******** *** **** - ****** ******* ** optical *******.

***** ********** *** ** metal ** *******, *** a ********* ******** **** withstand ****** ***** ** prybar *******, *** ********* mount **** * ****** surface **** **** ********** wall ***** *********.

*******, ****** ********** *** expensive, ********** **** ***** and ***** **** ** access ***. ********** **** between ~$** - $*** each, ********* ********** *** savings ** ***** * 'combo' **** ** ***** with. 

***************

*********** ***** *****, ***** units ****** **** ** used ** *** ** ****** security ******** ***** **** do *** *** ********:

  • ******** *****:******* ***** ****** * building *** ****** ******* layers ** ******** *** are ****** ***** ********* to '*****' *********** **** video ************ *** ****** staff *** *** ***** to ****** ********.
  • ***** **** ********: *** **** ** ****** defeating ******** ** *** great ** ********* ***** them ** ******* ***** relying ** **** *** security.
  • ** **** ********:******* ***** *** ******* known ***** **** ***** readers, **** ****** ** avoided ** '**** ********' designs ****** ** ********** or ************* ****** *******. While *** **** ** minor, ***** ** ******** is *** **** ****** for ***** **********.

Brute *****: *** **** ****

***** ***** ***** ***** raise ************* **** *** seen **** ******** ***********, the ******* ****** ** controlled ***** ******* *************** brute ***** *******. ***** combo **** *** ********** to ******, **** ******* will *** **** *** time *** **** *** knowledge ** ******* ****, rather ******** ******* ** attack *** ******* ******. 

*** ********* ***** ***** combo ***** ****** ** raised ** **** ** a ****** ****** ** evaluating ******* '******** ********' of *** ****** *******. If ** ******** ****** gain ***** ******* ******** a ********** *** *** wall, *** ********* *** use ***** ***** ** knock **** *** ****, then *** ***** ** academic.

Comments (8)

The technical advantages of having a single, integrated, intelligent IP device at the door are manifold. But what will drive adoption is simply cost savings (which is potentially more attractive than modeled in this very good article). Security is a matter of degree, not absolute. I expect the inevitable additional functionality and lower cost will prevail over perceived security vulnerabilities which can be effectively mitigated.

We currently have our multi-door microcontrollers in close proximity to the BA/FA alarm control panel and recieve an input signal in the micro's when there is a fire alarm. The exterior doors then unlock to assist firefighters with access. How would this work with the controllers at the door?

Hi

There are ways to do this:

The Maglock can be controlled by an independent power supply. The Alarm/Fire system can activate that relay in case of fire to open the door...

The Fire Alarm dry contact signal can be translated into a digital signal to the server signaling it to open the door.. We don't like this idea but it is doable

If the door/controller powers the Maglock through PoE, then have the Fire Alarm relay cut power to the PoE switch thereby removing power fomr the controller, hence the Maglock...

As for tampering with the Reader/comtroller to removepower fromthe Maglock, we use ISONAS and they have adevice that effectively address the tampering isue...

I was looking at some all-in-one units for home use, from Samsung and Dahua. They typically look like this:

I believe in these that the reader, controller and strike are all in one unit. After reading the article, I am thinking that having the strike integrated may actually be a good thing, since it makes it harder to attack the leads which control the strike.

Is that right or are there new vulnerabilities that are introduced?

Units like you list above do not use an electric strike. The lock latch is retracted or the handle retracts the latch when the lever handle is turned.

Think of a 'hotel style' lock. That is essentially what your standalone unit examples are.

Ok, let me have the bad news, what sucks about them? :)

No need to reply, found this excellent article:

Hotel Access Control Explained

Nice article. Thank you for exploring the risk issues.

A point you didn't address is the case where there's now IP outside the door. If the thing is PoE powered or has a LAN connection, there's the added issue that the net could be the target. Yes, we still bring Bubba to use the prybar but now after that even the low end thieves have a kid on the team with a Rasperry Pi and a a 12 volt battery in their backpack, ready to do rude things over the network drop. There are reports of people accessing devices outside the building for net access, I don't think that's too far-fetched.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Access Control Course Spring 2019 - Last Chance on Apr 18, 2019
This is the last chance to register for the Spring Access Control Course. IPVM offers the most comprehensive access control course in the...
Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Axis Supports HD Analog on Apr 15, 2019
In 2017, Axis declared 'Everything is IP': Now, in 2019, Axis has released support for HD analog, with their new encoders.  Why the change?...
Alarm.com Favorability Results 2019 on Apr 15, 2019
The once dot com startup has evolved to become a core provider for home security and is now expanding into commercial. In their first entry in...
ISC West 2019 Report on Apr 12, 2019
The IPVM team has finished at the Sands looking at what companies are offering and how they are changing their positioning. See below for 50+...
Pole Mount Camera Installation Guide on Apr 11, 2019
Poles are a popular but challenging choice for deploying surveillance cameras outdoors. Poles are indispensable for putting cameras at the right...
Spring 2019 50+ New Products Directory on Apr 08, 2019
We are compiling a list of new products for Spring 2019 and have over 50 already. Contrast to Fall 2018 New Products Directory and Spring 2018...
Startup GateKeeper Aims For Unified Physical / Logical Access Token on Apr 04, 2019
This startup's product claims to 'Kill the Password' you use to keep your computers safe.  They have already released their Gatekeeper Halberd...
Airship VMS Profile on Apr 03, 2019
Airship has been developing VMS software for over 10 years, however, with no outside investment, and minimal marketing, the company is not well...
Silicon Valley Access Startup Proxy Raises $13.6 Million on Mar 28, 2019
This mobile-credential based access startup just raised $13.6 million in funding.  Further, they claim that their technology can free businesses...

Most Recent Industry Reports

The Fastest Growing Video Surveillance Sales Organization Ever - Verkada on Apr 17, 2019
Verkada has the fastest growing video surveillance sales organization ever. In less than 2 years, they already have more salespeople in the US...
Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Securadyne CEO: IPVM 'Entertaining For An Ignorant Few' on Apr 16, 2019
Securadyne's CEO Carey Boethel is unhappy with IPVM's report - Failed Integrator Rollup, Securadyne Sells to Guard Giant Allied. Indeed, he...
Dahua Repositionable IR Multi-Imager Camera Tested on Apr 16, 2019
Dahua has released their first repositionable multi-imager camera, the Multi-Flex 4x2MP, claiming integrated IR, true WDR, and flexible...
Strong ISC West 2019 For Manufacturers But Concerns For 2020 March Move on Apr 16, 2019
ISC West 2019 was strong for manufacturers, according to new IPVM survey results of 100+ manufacturers, consistent with 2018 results. However,...
Axis Supports HD Analog on Apr 15, 2019
In 2017, Axis declared 'Everything is IP': Now, in 2019, Axis has released support for HD analog, with their new encoders.  Why the change?...
Alarm.com Favorability Results 2019 on Apr 15, 2019
The once dot com startup has evolved to become a core provider for home security and is now expanding into commercial. In their first entry in...
UK Camera Commissioner Calls for Regulating Facial Recognition on Apr 15, 2019
IPVM interviewed Tony Porter, the UK’s surveillance camera commissioner after he recently called for regulations on facial recognition in the...
ISC West 2019 Report on Apr 12, 2019
The IPVM team has finished at the Sands looking at what companies are offering and how they are changing their positioning. See below for 50+...
Pole Mount Camera Installation Guide on Apr 11, 2019
Poles are a popular but challenging choice for deploying surveillance cameras outdoors. Poles are indispensable for putting cameras at the right...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact