
Hacking access control in enterprise environments

Physical access control systems (PACS) are an important part of any enterprise environment's overall security plan. Controlling who accesses what, where and when helps keep a facility secure, while also controlling flow and keeping track of those on the premises. Unfortunately, enterprises often install systems without having them thoroughly tested before deployment, leaving vulnerabilities in the system and, therefore, leaving it open to attack.

PACS in enterprise environments are vulnerable in different ways, and security personnel need to know what they can do to guard against such attacks.

Overlooking the cyber component

Cyberattacks are often overlooked during the planning and execution of a PACS. Such a system relies heavily on IT; however, there is a general lack of understanding of IT in the security industry.

A PACS is usually installed by a third-party contractor whose job is done once the system has been installed; however, the installation does not necessarily include a security step. Furthermore, although these systems rely on cyber and network components, cybersecurity professionals are rarely involved in the design, planning, or deployment of such systems. What ends up happening is that different people are made responsible for maintaining these pieces, but usually nobody looks at the system holistically.

Trying to secure against only one type of attack method does not do the end user any good. By focusing only on getting the latest and greatest credentials and card stock because they have yet to be cloned, enterprises are leaving the rest of their infrastructure open to a lot of vulnerabilities that could actually end up being much worse.

But why does this happen? Perhaps it is due to the lack of people in the industry who understand how the system should fit together as a whole. Without a cyber representative involved in the network setup of a PACS to ensure the proper security measures are put in place, the resulting network ends up with system weaknesses, making it easily accessible to hackers.

Attacking a PACS

There are many different ways to attack a PACS, some more sophisticated than others. Many of these methods are in fact quite simple. This is why security operators must do everything possible to keep their network secure and PACS safeguarded.

Proxmark 3

The Proxmark 3 is advertised as a research tool, used to study RFID and near-field communications (NFC) systems. However, one quick search online will pull up dozens of "how to" methods for using the Proxmark 3 to clone RFID cards. This method does not require in-depth knowledge of hacking or technology. The Proxmark 3 simply needs to come into contact with an access control card. However, in order to use the Proxmark 3, the user must carry a power source and antenna with it. This could look conspicuous and is therefore not the most ideal way to steal card data.


BLEKey

The BLEKey is a small device designed to attach to an RFID reader by connecting to the lines carrying Wiegand data. The device only needs to connect to three wires and gets its power from the reader. Once attached, the BLEKey stores card information from successful reads by the reader. By making use of Bluetooth Low Energy (BLE), the device can sync with a phone app and allow the phone to replay the last successful card read. This method of attack highlights the unencrypted nature of the Wiegand protocol used by access control readers. To prevent attackers from attaching a BLEKey, users should install a tamper alarm on the reader, which would alert the user in the event the reader is being tampered with.

Request to exit (REX) devices

REX devices are not always very intelligent, so hacking them can be quite easy. Many REX devices use motion detection rather than something like an exit button. While this makes exiting more hassle-free, it makes tricking these devices just as easy. Items such as coat hangers or balloons can be used to trigger the motion detector to open the door. Since the device detects motion from these items, the system will not register the opening as a forced entry. One way companies can try to prevent this type of attack is by raising the level of the motion detection beam to make it more difficult to access from the other side.

Getting access control codes

Securing the network on which a PACS runs is a critical part of securing the overall PACS; however, a lack of IT/cyber knowledge during installation often leaves these networks vulnerable. Once a hacker gets into the network of an access control controller, they can pretty much find out all the information they need to take control of the PACS. Information such as the area the controller controls, IPs for other controllers and servers, card numbers and access logs, and passwords can all be found on a single controller. Many controllers allow anonymous FTP, which even as a backup leaves the system open to attack.

The server

Corporate IT usually runs the access control server, which to them is just one of many servers. In a DNS server the PACS server is often labeled “access control,” making it easy to find within the network.

From outside the corporate network, Shodan, a search engine, allows people to search for vulnerable servers. Sometimes called a "dark Google," Shodan allows users to search for routers, servers, etc., that are connected to the internet. While this website is used mostly by cybersecurity professionals to find vulnerabilities, it is also used by hackers to gain access to unsuspecting networks.

Educate and protect

In the end, these types of PACS attacks are very preventable. From the cyber side a lot of it is just configuration. There are easy ways to segment this all through the network and then apply some basic security controls to it at the network level that will really shut down these attacks from a lot of different avenues.
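A segmentation check along these lines, as an added example that is not from the original article: it audits constructed flow records against an assumed policy in which controllers sit on their own subnet, are reachable only from the PACS server over HTTPS, and never accept FTP. The addresses, the port policy and the `audit_flows` helper are hypothetical.

```python
import ipaddress

# Assumed (hypothetical) addressing plan and policy, not taken from the article.
CONTROLLER_NET = ipaddress.ip_network("10.20.30.0/24")  # door controllers only
PACS_SERVER = ipaddress.ip_address("10.20.10.5")        # the access control server
ALLOWED_PORTS = {443}                                   # assumed: HTTPS management only
FTP_PORTS = {20, 21}                                    # FTP is never acceptable

# Constructed flow records: (source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    ("10.20.10.5", "10.20.30.11", 443),   # server -> controller, expected
    ("10.50.7.22", "10.20.30.11", 21),    # office workstation -> controller FTP
    ("10.20.10.5", "10.20.30.12", 21),    # server -> controller FTP "backup"
    ("10.50.7.22", "10.20.30.12", 443),   # office workstation -> controller web UI
    ("10.20.30.11", "10.20.30.12", 443),  # controller -> controller
    ("10.20.10.5", "10.20.30.11", 23),    # server -> controller on a stray port
    ("10.50.7.22", "10.50.7.1", 53),      # unrelated traffic, ignored
]

def audit_flows(flows):
    """Return (src, dst, port, reasons) for every flow that breaks the policy."""
    findings = []
    for src, dst, port in flows:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in CONTROLLER_NET:
            continue  # only traffic towards controllers is in scope
        reasons = []
        if port in FTP_PORTS:
            # FTP exposes controller data even when it is "just a backup"
            reasons.append("ftp-to-controller")
        if src_ip != PACS_SERVER:
            # includes controller-to-controller traffic
            reasons.append("source-not-pacs-server")
        elif port not in ALLOWED_PORTS and port not in FTP_PORTS:
            reasons.append("unexpected-port")
        if reasons:
            findings.append((src, dst, port, reasons))
    return findings

if __name__ == "__main__":
    for src, dst, port, reasons in audit_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {', '.join(reasons)}")
```
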

One thing to note is the need for more user education. More education is imperative to ensure PACS are equipped with the proper security measures. This does not just include security personnel within the enterprise environment, but employees and security guards as well. In fact, educating the guard staff and the rest of the physical security team about the unique attacks that are aimed at them is often overlooked. Despite these vulnerabilities, by being aware of the types of attacks a PACS is open to, taking the appropriate steps to secure the system on the network side, and educating users, enterprises have all the tools necessary to protect their systems from future attacks.
