Access Control Done Right the First Time
This talk details common physical security vulnerabilities in access control system installations, focusing on improper wiring, power supply placement, and insecure communication protocols. It highlights how poor installation practices, such as using unshielded cabling or neglecting battery backups, create exploitable weaknesses for physical bypass. The speaker provides best practices for designing and auditing access control systems to ensure reliability and security against common physical tampering techniques. The presentation emphasizes the importance of using supervised protocols like OSDP and implementing proper tamper detection.
Why Your Physical Access Control System Is Probably Wide Open
TLDR: Most physical access control systems are installed with zero regard for basic security, relying on insecure, unshielded Wiegand wiring that is trivial to tap. By failing to use supervised protocols like OSDP and neglecting proper tamper detection, organizations leave their doors vulnerable to simple replay and bypass attacks. Pentesters should prioritize auditing these physical layers, as they often provide the easiest path into a secure facility.
Physical security is the ultimate blind spot for many security teams. We spend thousands of hours hardening cloud infrastructure and patching web applications, yet we leave the front door of the office connected to a legacy reader interface that dates from the 1970s. During a recent engagement, I walked into a facility and realized that the entire access control system was essentially a series of unshielded, exposed wires running through drop ceilings. If you can reach the wiring, you own the door.
The Wiegand Weakness
The Wiegand interface is still the most common way to connect badge readers to controllers, and it is fundamentally broken. It carries data in the clear, in one direction only, with no authentication and no encryption. When a user presents a badge, the reader sends the facility code and card number as a stream of pulses on two wires, DATA0 and DATA1: a pulse on DATA0 is a 0 bit, a pulse on DATA1 is a 1 bit. The controller has no way to tell whether those pulses came from the reader or from something spliced onto the same pair, so any device that can see the lines can capture the credential, and any device that can drive them can inject one.
For a pentester, this is a goldmine. You do not need to be a hardware specialist to exploit it. An ESP32 or a purpose-built Wiegand tap wired across DATA0, DATA1 and ground behind the reader will log every badge presented. Once you have the facility code and card number, you have two options. The simplest is to replay the bits straight onto the controller's inputs from the tap, which needs no card at all. The other is to clone: blank cards and a writer are available on any major marketplace, so you program the captured data and walk through the door as if you were an employee. A "secure" credential technology on the card does not help here; whatever the card and reader negotiate between themselves, the reader strips it and puts the plain facility code and card number on the wire.
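To make the capture-and-replay step concrete, here is an added example (not code from the talk or from any tap product) that turns pulses logged off the DATA0/DATA1 pair into a credential, checks the parity bits, and rebuilds the frame for replay or for a cloned card. It assumes the common 26-bit layout (one even parity bit, an 8-bit facility code, a 16-bit card number, one odd parity bit) and typical but assumed pulse timing; the capture itself is constructed, not a real recording.

```python
"""Added example: decode and re-encode a 26-bit Wiegand frame captured off the
D0/D1 lines.

Assumptions (not from the talk): the common 26-bit format with an even parity
bit, an 8-bit facility code, a 16-bit card number and an odd parity bit; one
pulse per bit, a pulse on D0 meaning 0 and on D1 meaning 1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def bits_from_pulses(events):
    """Turn captured line pulses into a bit list.

    `events` is an iterable of (line, time_us) pairs as a logic analyser or a
    microcontroller tap would record them; order by time, then map D0 -> 0,
    D1 -> 1. Anything else is noise and is rejected rather than guessed.
    """
    bits = []
    for line, _t in sorted(events, key=lambda e: e[1]):
        if line == "D0":
            bits.append(0)
        elif line == "D1":
            bits.append(1)
        else:
            raise ValueError(f"unexpected line {line!r}")
    return bits


def decode_26bit(bits):
    """Validate both parity bits and split out facility code and card number."""
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    # Leading parity bit makes bits 1..13 even; trailing parity makes 14..26 odd.
    if sum(bits[0:13]) % 2 != 0 or sum(bits[13:26]) % 2 != 1:
        raise ValueError("parity mismatch: noisy capture or a different format")
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return Credential(facility, card)


def encode_26bit(cred):
    """Build the 26 bits a reader would emit for this credential."""
    if not (0 <= cred.facility_code < 256 and 0 <= cred.card_number < 65536):
        raise ValueError("credential does not fit the 26-bit format")
    data = [int(b) for b in f"{cred.facility_code:08b}{cred.card_number:016b}"]
    even_parity = sum(data[:12]) % 2        # 1 only if the first 12 data bits have an odd count
    odd_parity = 1 - (sum(data[12:]) % 2)   # force the last 13 bits to an odd count
    return [even_parity] + data + [odd_parity]


def replay_schedule(bits, start_us=0, period_us=1000, width_us=50):
    """Timing a replay device would drive onto the controller's D0/D1 inputs.

    Returns (line, low_start_us, low_end_us) tuples: each bit is a short low
    pulse on exactly one line, idle high otherwise. The 1 ms bit period and
    50 us pulse width are typical values assumed here, not taken from any reader.
    """
    schedule = []
    for i, bit in enumerate(bits):
        t = start_us + i * period_us
        schedule.append(("D1" if bit else "D0", t, t + width_us))
    return schedule


# Constructed capture (not a real recording): pulses roughly 1 ms apart,
# listed in reverse order to show that the decoder sorts by timestamp.
_FRAME = "10111101110110010011011101"
CAPTURED_PULSES = [("D1" if b == "1" else "D0", 1000 * i + 17) for i, b in enumerate(_FRAME)]
CAPTURED_PULSES.reverse()


def demo():
    """Decode the capture, then rebuild the frame for replay or for a cloned card."""
    cred = decode_26bit(bits_from_pulses(CAPTURED_PULSES))
    frame = encode_26bit(cred)
    assert bits_from_pulses(CAPTURED_PULSES) == frame
    return cred, frame, replay_schedule(frame)


if __name__ == "__main__":
    cred, frame, sched = demo()
    print(cred, "".join(map(str, frame)))
    for line, t0, t1 in sched[:3]:
        print(f"{line} low from {t0} to {t1} us")
```

The parity check is what tells you a capture is clean: a frame that fails it is either noise or a different format (longer formats exist with other bit layouts), so do not write it to a card. Note that nothing in the decode step depended on the card technology; the reader has already done the work of producing these bits.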
Moving Beyond the Basics
The industry has known about these flaws for decades, yet the transition to secure alternatives is painfully slow. The Open Supervised Device Protocol (OSDP) was developed to replace Wiegand: it runs over RS-485, is bidirectional, offers an AES-128 Secure Channel, and has the controller poll each reader, so a reader that goes quiet or reports its tamper switch is noticed. Despite these clear advantages, adoption remains low. Many installers avoid OSDP because it requires more configuration and a higher level of technical competence than simply stripping two wires and twisting them together. One caveat: Secure Channel is an option, not a default. A reader polled over plain OSDP, or one left on the specification's published default key, still puts the credential on the wire in a form an attacker can recover.
If you are performing a physical security assessment, start by looking at the reader wiring. A multi-conductor bundle with separate data lines (power, ground, DATA0, DATA1, and usually LED and beeper lines) is a Wiegand run. A single twisted pair for data alongside power is RS-485, so check the controller side. Even where the hardware supports OSDP, readers and controller ports are often left in a Wiegand compatibility or fallback mode to accommodate older readers, or run OSDP without Secure Channel. Either is a configuration failure that you should document in every report.
The Hidden Attack Surface
Beyond the protocol itself, the physical installation is often a disaster. I have seen power supplies for magnetic locks hidden in drop ceilings with no battery backup. Magnetic locks are fail-safe by nature: they hold only while powered, so when the power goes out the door simply releases. On an egress path that is a life-safety requirement in many jurisdictions, but it is also a massive security hole. If you can trigger a power failure, for example by reaching that unprotected supply, or simply wait for one, you have bypassed the electronic lock entirely.
Another common oversight is the lack of supervision on door contacts and Request to Exit (REX) inputs. Supervision puts end-of-line (EOL) resistors at the sensor itself, one in series with the contact and, for dual-EOL, a second across it, so that each legitimate state presents a known resistance to the controller: with two 1 kΩ resistors, about 1 kΩ with the door closed and 2 kΩ with it open. A cut wire reads as an open circuit and a shorted pair reads as zero, and neither matches a legitimate state, so the controller can raise a trouble condition. Without the resistors the input is just open or closed: an attacker who shorts the pair anywhere between the contact and the controller can then open the door while the panel still reports it closed. A REX input is the worse case, because shorting it looks like a legitimate exit request, which suppresses the forced-door alarm and, depending on configuration, unlocks the door outright.
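The following is an added example, not code from the talk, that models what a controller input sees on a door-contact loop with and without EOL supervision and runs an attacker's cut and short through both. It assumes a normally closed contact, dual-EOL wiring with a 1 kΩ series resistor and a 1 kΩ parallel resistor mounted at the sensor, and a controller that classifies readings within 10 % bands; the scenarios are constructed.

```python
"""Added example: what a controller input sees on a door-contact loop with and
without end-of-line (EOL) supervision, and what an attacker's cut or short does.

Assumptions (not from the talk): a normally closed contact, dual-EOL wiring
with a 1 kOhm resistor in series with the contact and a 1 kOhm resistor across
it, both at the sensor; the controller classifies within +/-10 % bands.
"""
INF = float("inf")
R_SERIES = 1000.0        # in series with the contact, at the sensor
R_PARALLEL = 1000.0      # across the contact, at the sensor
SHORT_THRESHOLD = 100.0  # anything below this is treated as a dead short


def loop_resistance(door_closed, tamper=None, supervised=True):
    """Resistance at the controller terminals.

    tamper is None, "cut" (pair severed somewhere along the run) or "short"
    (pair bridged at a junction or behind the reader). Because the EOL
    resistors sit at the sensor, both tampers happen on the controller side of
    them and therefore take the resistors out of the circuit.
    """
    if tamper == "cut":
        return INF
    if tamper == "short":
        return 0.0
    if not supervised:
        return 0.0 if door_closed else INF
    # Dual EOL: a closed contact bypasses R_PARALLEL, an open contact adds it.
    return R_SERIES if door_closed else R_SERIES + R_PARALLEL


def classify(r, supervised=True, tol=0.10):
    """The controller's reading of the loop."""
    if not supervised:
        # Bare contact: only two states exist, so there is nothing to alarm on.
        return "closed" if r < SHORT_THRESHOLD else "open"
    if r == INF:
        return "trouble:cut"
    if r < SHORT_THRESHOLD:
        return "trouble:short"
    if abs(r - R_SERIES) <= R_SERIES * tol:
        return "closed"
    if abs(r - (R_SERIES + R_PARALLEL)) <= (R_SERIES + R_PARALLEL) * tol:
        return "open"
    return "trouble:out-of-band"


# Constructed scenarios: (description, door physically closed?, tamper action)
SCENARIOS = [
    ("door closed, no tamper", True, None),
    ("door opened normally", False, None),
    ("pair shorted, then door opened", False, "short"),
    ("pair cut", True, "cut"),
]


def compare():
    """Verdict of an unsupervised input versus a supervised one per scenario."""
    rows = []
    for name, closed, tamper in SCENARIOS:
        unsup = classify(loop_resistance(closed, tamper, supervised=False), supervised=False)
        sup = classify(loop_resistance(closed, tamper, supervised=True), supervised=True)
        rows.append((name, unsup, sup))
    return rows


if __name__ == "__main__":
    for name, unsup, sup in compare():
        print(f"{name:32s} unsupervised={unsup:14s} supervised={sup}")
```

The row to look at is the short: on an unsupervised input the controller reports the door closed while it is standing open, which is the bypass the text describes. A cut on an unsupervised loop at least reads as "open" and may trip a forced-door alarm, which is why an attacker shorts rather than cuts. The model also shows why the resistors have to be at the sensor end; resistors at the controller end would survive both tampers and supervise nothing.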
Auditing for Real-World Risk
When you are on-site, do not just test the software. Test the hardware. With a door contact loop disconnected from its input, measure it with a multimeter: if it reads near zero ohms with the door closed and open-circuit with it open, there is no EOL resistor and the input is unsupervised. If you see a known resistance in each state (for example 1 kΩ closed, 2 kΩ open), confirm that the controller is actually configured to treat a short or an open as trouble rather than as a door state. Check the badge readers for tamper switches. If you can remove the reader from the wall without triggering an alert in the security operations center, either the reader has no tamper switch or nobody is watching it; in both cases the system is not being monitored correctly.
Defenders need to stop treating physical security as a "set it and forget it" deployment. If you are managing an access control system, audit your user list, verify that your battery backups actually hold a load, and make sure readers and controller ports are set to OSDP only rather than a Wiegand fallback. If your system supports OSDP Secure Channel, enable it and replace the default key.
Stop relying on the assumption that the physical layer is secure by default. It is not. Every time you walk through a badge-access door, look at the reader and the surrounding hardware. If you can see the screws, or if the wiring is exposed, you are looking at a potential entry point. Start treating these systems with the same level of scrutiny you apply to your network perimeter, because for an attacker, the physical path is often the path of least resistance.