Access Control: A Fancy Facade

by P9a3

We all have become accustomed to access control systems.

These are your elaborate card readers, automated door locks, and entry monitoring systems that are employed in nearly all major businesses today.  In this article, I will give you a basic overview of how they work, and a common physical security flaw that many of these systems contain.

In a nutshell, your basic card access system is as follows.

Various doors are provided with a card reader, an electronic lock, a request to exit switch, and finally, a magnetic relay to monitor the door's open or closed position.

Most installations are as follows: A controller is installed in a remote location, usually an IT closet (telecommunications room).

A card reader or biometric reader is installed at the door to be controlled.  This door is then equipped with an electronic means of locking and unlocking using the following: Either an electronic lock is wired from the handle to a splice point at the electronic hinge (usually the one level with the door handle), a strike plate is installed at the side opposite the hinge, or a magnetic holder is bolted to the door and the door frame (usually top center inside).

Next, an infrared "request to exit" sensor is mounted on the secure side of the door to provide a means of exiting without a card read, or a second set of wires is connected in the handle itself like the lock power.

Finally, a magnetic switch (relay) is installed in the top of the door frame (or the side), along with a small magnet in the door itself to monitor the door's open/closed state.

Along with all of this, some sort of network and/or computer is usually linked to the system to store and maintain logs of the activity taking place on all of the doors within the system.  This computer is also used to create credentials and set the various lock/unlock procedures, and may or may not provide alerts through a network or the company's LAN to some sort of administrator whose duty is to read the logs and make sure no funny business is taking place at these secured locations.

A proper entry routine should go as follows.

The employee is issued a card to provide access to various areas of the building that he or she should have the need to be in.  Their card is presented to the card reader at the door, and is then verified by the controller.

Upon verification, the controller sends a low-voltage signal to a relay in a power supply - usually located in the same room as the controller, but at times located directly above or near the door itself - and in turn, the relay allows a higher voltage to pass to the lock in the door, powering the coil and unlocking the mechanical lock.

The door is then opened by the employee, removing the magnet from a position close enough to hold the relay contact installed in the door frame, and the controller receives this signal.  The controller then logs the time, date, card, and whether the door was shut again or kept open.

Next, the user does his or her business in the room and decides to leave.

On the secure side of the door, a Passive Infrared (PIR) sensor detects the presence of this individual approaching and tells the controller that a person is attempting to exit.

When the door is opened again, breaking the relay contact, a valid "request to exit" has just occurred and again the controller logs the time, date, and whether the door was closed again or left open.

If there is no PIR installed on the inside, it usually means that the electronic lock has a request to exit contact built into it and when the door handle is turned or the "crash bar" pushed, this same request to exit signal is sent to the controller verifying that someone was exiting, and the door was not forced open.

If no request to exit signal is sent, the controller assumes the door was forced open, and makes a log of this event.  This will likely occur when there is no valid card read or no card read at all, and the door is opened from the outside.
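The controller logic described above, written out as an added example (not from the original article or any vendor's firmware): it classifies each door-open as an entry, an exit, or a forced open, and lists the events someone should actually review. The event names, log layout, and both time limits are assumptions.

```python
from dataclasses import dataclass

# Constructed event names and log layout; real controllers use vendor formats.
GRANT_WINDOW = 10     # seconds a card read or REX stays valid (assumed value)
HELD_OPEN_LIMIT = 30  # seconds before an open door counts as propped (assumed)

@dataclass
class Finding:
    time: int
    door: str
    kind: str         # "entry", "exit", "forced_open" or "held_open"
    detail: str = ""

def classify(events):
    """events: iterable of (time_s, door, event, detail), sorted by time."""
    last_auth = {}    # door -> (time, kind, detail) of latest card read or REX
    opened_at = {}    # door -> time the door contact opened
    findings = []
    for t, door, event, detail in events:
        if event == "card_valid":
            last_auth[door] = (t, "entry", detail)
        elif event == "rex":
            last_auth[door] = (t, "exit", "")
        elif event == "door_open":
            opened_at[door] = t
            auth = last_auth.pop(door, None)
            if auth and t - auth[0] <= GRANT_WINDOW:
                findings.append(Finding(t, door, auth[1], auth[2]))
            else:
                # No fresh card read and no REX: the forced-open case.
                findings.append(Finding(t, door, "forced_open"))
        elif event == "door_closed":
            start = opened_at.pop(door, None)
            if start is not None and t - start > HELD_OPEN_LIMIT:
                findings.append(Finding(t, door, "held_open", f"{t - start}s"))
    return findings

def needs_review(findings):
    """The events that should reach a person rather than sit in a log."""
    return [f for f in findings if f.kind in ("forced_open", "held_open")]

D = "server-room"
SAMPLE = [  # constructed log: one entry, one exit, one unexplained open
    (100, D, "card_valid", "card 1042"), (103, D, "door_open", ""),
    (108, D, "door_closed", ""), (400, D, "rex", ""), (402, D, "door_open", ""),
    (407, D, "door_closed", ""), (900, D, "door_open", ""),
    (960, D, "door_closed", ""),
]

if __name__ == "__main__":
    for f in needs_review(classify(SAMPLE)):
        print(f.time, f.door, f.kind, f.detail)
```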

When most people see a card reader system in place, they automatically assume that this is also a security system that is remotely monitoring door states, and immediately alerting the proper authorities of unapproved entry.

While this is possible, I'm here as an installer of such systems to tell you that nine times out of ten, this is not the case.

In fact, nine times out of ten, the logs of "forced entry" or faults are either ignored, or not even looked at by someone with the knowledge to fully understand what they mean.  Security systems are therefore usually a separate system, or only interfaced with the outer perimeter doors and windows of a building, and remotely monitored by a separate "monitoring station" upon being armed, which is usually after hours when no one is using the building.

No one wants the police called at 11:00 am because a request to exit device malfunctioned in a random office space.

As an installer, I can safely say that access control systems are expensive to install, and a lot of work goes into the process of installing them from start to finish.

With that being said, we all know you get what you pay for, and the contractors installing these systems, as well as the owner footing the bill, will always be on the lookout for the cheapest route, and usually will not go out of their budget to make the physical install more secure when the money is not there to do so.

Plus, as I stated before, these are usually not meant to serve as a security system.  They are simply there to remove the need to issue keys and easily monitor who is going in and out of sensitive areas of the building's core, as well as provide a deterrent to people gaining unauthorized access to certain areas.

Here is where your major security flaw comes into play.

Each door that is secured and part of the access control system has a set of cables run through the ceilings and/or walls - from the controller and the power supplies to the door.  This typically is all low-voltage cabling, and therefore it is not required to be contained in metal conduit as it possesses no real life or safety threat to people.  Each door will have sets of cables run directly from its various devices back to the controller and/or power supplies.  The controlled doors in the building do not share these cables with one another.

Here is a brief rundown of the most common cable types you will come in contact with:

The card reader communication cable.  This will usually contain anywhere from four to eight conductors that range from 16 to 20 gauge in size within the cable itself, and will usually be shielded.  This cable will be used to power the reader, send and receive data from the controller/reader, and possibly send and receive data from the request to exit devices, door contacts, and/or locks.  This cable will run from the controller through the ceiling, then down the wall to the reader's location at the door.

The magnetic relay contact cable.  This will almost always be a two conductor cable ranging from 16 to 20 gauge in size and will be run to the top inside of the door frame to the relay device and be used to send the relay contact's open/closed state to the controller.

A four conductor cable that runs on the secure side of the door and powers the request to exit PIR and sends its contact states to the controller.  Keep in mind, as I said before, that if the request to exit switch is built into the door handle, this device will not exist and therefore no cable will be installed.  Instead, another two conductor cable will be run with the lock cable, or within the same cable as the lock power.

Last is our door lock cable.  This will likely be a two conductor cable if the request to exit is not built into the door handle.  If the exit request is built in, another two conductors will be within this cable, making it a four conductor, or you will see two cables, each two conductor running down the door frame that range anywhere from 14 to 18 gauge in size, but could be as large as 12 gauge or as small as 20 gauge, or a hybrid of these sizes.  This cable will run down the frame of the door, usually on the hinge side, and use what is called a "transfer hinge" to continue its travel through the door to the handle itself.  If the door uses a "strike" lock, the door lock cable will be run down the side opposite the hinge and tied directly to this device.

Here is where a very low-tech problem comes into play.  Before continuing, I'd like to say that I in no way encourage anyone to break into places where they don't belong, and/or cause damage, theft, etc.  However, if you are the owner of such a building and actually care about how secure your building is, I would advise you take a look around.

As an installer of such systems, I can tell you that the proper technique for running these critical cables is to never ever run them through a "drop tile" or accessible ceiling on the unsecured side of the door, for the obvious reason that they can be tampered with!

Take our lock cable, for example.

This cable is easy to identify as it usually runs into the wall on the hinge side of the door to make its way down to the transfer hinge.  If this wire is stripped down to its copper conductors (RED = Positive, BLACK = Negative), I can now place my own 18 to 24 VDC across the line and presto!  The door will unlock.

As there is no voltage on the line and an open relay on the other end, no problems will occur.

Most places of business have accessible ceilings for maintenance, and are low enough to reach up into from a chair.  Many times, the walls are not built to full height unless they are a fire or sound wall and required to be so.

In any case, this is why these cables should not be run on the unsecured side, but I can tell you from personal experience that they most often are, simply to save time and money.

If not, you are still likely to have a wall that is not full height that will provide anyone with even a small amount of determination easy access, and not just to your control cables, but entire rooms if a one-time break-in was on someone's agenda.

I have used this simple technique on more than one occasion to open doors in buildings where I needed access, but didn't want to spend the time to have personnel or security come and let me in.

The only problem in doing so is the forced entry log.

At this point, the controller has been given no request to exit, and when the door is opened, a logged forced entry will be made.  As I said before, this is rarely monitored by an actual person, and will likely never be looked into until some damage or theft has occurred.

With that being said, a little recon on your part would be a good idea before attempting such an act.  There are options to program card readers to beep during forced door events or when a door is left propped open for long periods of time to allow someone to regain access.

Let's say for a minute, I did want access to such a room, and I knew the reader would beep to alert people nearby that I was up to no good.  I would likely find your card reader wire, score back the outer jacket, and simply cut the red wire to remove the positive power and shut the reader off.  Depending on how important it was for me to cover my tracks, this could easily be spliced back together when I was ready to leave and the door was closed again.

The request to exit wires can also be tampered with to trick the controller into thinking the door was not forced, but rather, someone was simply exiting.

This is especially easy when the "rex" wire is run with the lock power to the handle.

The handle works like a switch and simply puts the two wires together.  Shorting the wires yourself before applying power to the lock and pulling the door open will look no different to the controller than someone leaving the room legitimately.

Another tampering method might be to bring along my own magnet, to close the door monitoring relay or open it at my own discretion.  Maybe even just to see what I was in for prior to attempting a forced entry.

Either way, I'd like to stress again, that interior doors employing card access are not usually part of a security system, and more often than not go unnoticed for some time unless there is 24-hour security on site, or an overzealous IT guy who understands the system and is at the computer when the door is opened.

Again, a little recon work is all it takes to fill in a few of these unknowns.  Sensitive areas such as data centers and server rooms are far too often vulnerable to all of these methods and more, and have information and equipment that deserve more protection.

Keep in mind that this is all very basic.

Government contractors and companies that have reason to be concerned with extra security, and have sufficient capital, will be concerned.  They tend to invest in competent people to monitor these systems, as well as added features such as audible alarms and more technical devices such as balanced door contacts, cameras that are synched with door position, motion sensors, and a whole host of others.

This article will not get you in and out of your local bank, nor any secure place for that matter.  This article is simply a starting point to get you thinking about what it means to have secure areas, as opposed to access-controlled areas.

Far too often, people have no concept of the difference and assume a level of security that just isn't there.
