Access Control: Combo Reader / Controllers Tutorial

By: Brian Rhodes, Published on Jul 22, 2013

Economical or foolhardy? Industry professionals are torn on combination door readers. These units typically integrate credential readers and door controllers into a single unit hung outside the door. Does the tampering risk also mean they are a security risk? We look at the units in this note, weigh the pros and cons, and address whether and where the risk is worth the benefit.

The Risk

Installing the controller on the outside of the locked door means it can be tampered with, vandalized, or forcibly removed. When the reader and controller are separate devices, this risk is minimized. The vandalism risk is isolated to the reader or locked door, and if the credential interface is destroyed during such attach, it simply becomes impossible to enter the door.

However, when the reader and the controller are the same device, an attack introduces new possibilities. If someone rips a combo unit off the wall, will the hardware remain locked, or will it unlock and let security threats into a wide open door? While some designers dismiss the potential risk as too great to use these units, a closer look reveals the risk is not the same for all doors and without safeguards.

Hybrid Unit

Most access controlled doors feature a 'controller', which coordinates door function, and a 'reader', which is the primary credential interface. Traditionally, these components have been separate, distinct boxes that each need to be specified and installed.

However, several access manufacturers offer 'combination' units that merge controllers and readers into a single unit. These products offer 'preconfigured' compatible function between the two components, and are a single box to install with no additional cables to run.

One of the better known examples of a combo unit is the HID Edge EVO Combo series, although the same approach is found in many 'biometric readers' that feature 'stand alone' operation. Indeed, any reader that includes a series of output contacts for controlling door hardware is vulnerable to the same risk: door controller tampering.

 

Hardware Matters

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

The type of locking hardware used determines the type of risk tampering presents. For locks that require continual power, like maglocks, removing the controller can interrupt power to the locks and cause them to be unsecured. However, electric strikes are generally not vulenrable to controller removal, but outside power tampering.

Maglocks: Even when maglocks are independently powered and not 'passthru powered' from the controller, the controller acts as a relay in the power circuit, and removing the controller breaks the circuit. The image below schematically depicts this weakness:

Electric Strikes: Strikes do not lock or unlock the door locks, they simply allow door hardware to remain secure while permitting the door to open. In most cases, the strike is unpowered until the access system permits a door to open. Then, the controller routes power to the strike, enabling the door lock to swing freely through the strike.

While subtle, this changes the risk of knocking the controller free significantly; if the controller is gone, the strike remains unpowered and the door stays locks. In fact, it would require an additional DC power source and knowledge of which wires power the strike in order to 'unlock' the door. While still a vulnerability, this level of knowledge requires lock familiarity that most do not possess.

Tamper Vulnerability

Designers of combo controllers typically include a 'tamper switch' that detects illicit removal of the controller from the wall, and locks out the door from further credential reads if tripped. This tamper switch can also trigger alarm messages that alert authorities/operators that the controller is being attacked:

There are different forms of tamper switch, some are the mechanical type shown above, others are an 'optical tamper' that uses an IR emitter to detect movement. In any case, using this input serves a valuable role in protecting the controller and door, from risk.

Cost

The central consideration in using combo units comes from saving cost over traditional methods. For example:

Separate: An HID Edge costs ~$300, and adding a R10 reader at ~$80 costs nearly $400.  However, adding the addition labor cost of hanging two device can add ~$50 - ~$100 to the cost, for a total between in the $400s.

Combo: A single unit HID EHR40 costs ~$350. Eliminating the installation cost of another component results in $50 - $100 savings per unit.

External Protection

If concerns about the vulnerabilities of a combo unit are high, installing the unit inside an additional durable enclosure commonly reduces the risk. These security enclosures are commonly used with biometric readers and also serve as environmental protection against moisture and dirt - common enemies of optical readers.

These enclosures may be metal or plastic, but a generally designed with withstand direct blows or prybar attacks, and generally mount over a larger surface area with additional wall mount fasteners.

However, adding enclosures are expensive, increasing both parts and labor cost to access job. Enclosures cost between ~$50 - $200 each, typically mitigating the savings of using a 'combo' unit to begin with. 

Recommendations

Considering these risks, combo units should only be used on low to medium security interior doors that do not use maglocks:

  • Interior Doors: Usually doors within a building are behind several layers of security and are within close proximity to 'other' protections like video surveillance and nearby staff who can react to tamper attempts.
  • Never with Maglocks: the risk of tamper defeating maglocks is too great to recommend using them to control doors relying on them for security.
  • No High Security: Because there are several known risks with combo readers, they should be avoided in 'high security' designs common to government or institutional access designs. While the risk is minor, avoid it entirely is the best answer for these situations.

Brute Force: The Real Risk

While using combo units raise vulnerability risk not seen with standard controllers, the biggest threat to controlled doors remains unsophisticated brute force attacks. While combo unit are vulnerable to tamper, most threats will not take the time nor have the knowledge to exploit them, rather choosing instead to attack the opening itself. 

The potential risks using combo units should be raised as part of a larger effort in evaluating general 'security hardness' of the entire opening. If an attacker cannot gain entry through knocking a controller off the wall, but otherwise can use brute force to knock down the door, then the issue is academic.

5 reports cite this report:

Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems connecting software, readers, and locks. Despite being buried inside...
Secured Combo Controller - Hartmann Access Profile on Dec 12, 2016
Typically, combo controllers are risky, because they combine sensitive door controllers with readers on the exposed unsecured side of the...
Isonas Opens Up Access on Apr 06, 2016
Move over, HID, Mercury Security, and Axis? Isonas has declared itself completely open to integrating with access platforms. Not only is Isonas...
"Future-Proofing" Access Control Guide on Jul 30, 2015
Its one of the most misused phrases around: "Future-proof". However, even without the crystal ball and wizards, designing access control to be...
The Coolest New Access Control Product In Years is from Tyco on Oct 22, 2014
Cool. Access control. Tyco. 3 things that you or I may have never contemplated together. In this note, we examine Tyco's new access control...
Comments (10) : PRO Members only. Login. or Join.

Related Reports

Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Access Control Turnstiles Guide on Jan 28, 2019
Turnstiles control pedestrian access to secured areas, essentially becoming moving portions of fences, walls, or barricades for physically stop...
Designing Access Control Guide on Jan 30, 2019
Designing an access control solution requires decisions on 8 fundamental questions. This in-depth guide helps you understand the options and...
Access Control Mustering Guide on Sep 30, 2019
In emergencies, determining where employees are located can be critical for knowing whether they are in danger. Access systems can be used for...
Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems connecting software, readers, and locks. Despite being buried inside...
Securing Access Control Installations Tutorial on Oct 17, 2019
The physical security of access control components is critical to ensuring that a facility is truly secure. Otherwise, the entire system can be...
Tailgating: Access Control Tutorial on Oct 31, 2019
Nearly all access control systems are vulnerable to an easy exploit called 'tailgating'. Indeed, a friendly gesture in holding doors for others...
Glass Doors and Access Control Tutorial on Nov 21, 2019
One of the biggest access challenges are locking and securing glass doors. Unlike wood or steel doors that can be modified to work with...
Hotel Access Control Explained on Dec 23, 2019
Hotel access control does not work like typical commercial access control because doors in hotels are not typically directly connected to a central...
Low-Tech Access Control: Master Keying Explained on Jan 09, 2020
Mechanical keys are one of the most fundamental forms of access control. 'Master Keying' can allow individually different credential keys to...

Most Recent Industry Reports

"Hikvision Football Arena" Lithuania Causes Controversy on Jan 24, 2020
Controversy has arisen in Lithuania over Hikvision becoming a soccer team's top sponsor and gaining naming rights to their arena, with one local MP...
Axis and Genetec Drop IFSEC 2020 on Jan 23, 2020
Two of the best-known video surveillance manufacturers are dropping IFSEC International 2020, joining Milestone who dropped IFSEC in 2019. The...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry, and thousands can be misspent on locks that leave doors quite...
Avigilon Shifts Cloud Strategy - Merges Blue and ACC on Jan 23, 2020
Avigilon is shifting its cloud strategy, phasing out its Blue web-managed surveillance platform as a stand-alone brand and merging it with its ACC...
Verkada Paying $100 For Referrals Just To Demo on Jan 22, 2020
Some companies pay for referrals when the referral becomes a customer. Verkada is taking it to the next level - paying $100 referrals fees simply...
Camera Analytics Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jan 22, 2020
Analytics are hot again, thanks to a slew of AI-powered cameras, but whose analytics really work? And how do these new smart cameras compare to top...
Intersec 2020 Final Show Report on Jan 21, 2020
IPVM spent all 3 days at the Intersec 2020 show interviewing various companies and finding key trends. We cover: Middle East Enterprise...
Vehicle & Long Range Access Reader Tutorial on Jan 21, 2020
One of the classic challenges for access control are parking lots and garages, where the user's credential is far from the reader. With modern...
Clearview AI Alarm - NY Times Report Says "Might End Privacy" on Jan 20, 2020
Over the weekend, the NY Times released a report titled "The Secretive Company That Might End Privacy as We Know It" about a company named...
Favorite Camera Manufacturers 2020 on Jan 20, 2020
The past 2 years of US bans and sanctions have shaken the video surveillance industry but what impact would this have on integrators' favorite...