Bypass 102: Introduction to Basic Bypass Remediation
This talk demonstrates various physical security bypass techniques, including latch slipping, latch shoving, and manipulating request-to-exit sensors. These attacks target common physical access control systems such as door latches, deadbolts, pushbars, and enterphones. The presentation provides practical remediation strategies for penetration testers and security professionals to harden physical facilities against unauthorized entry. The speakers emphasize the importance of proper hardware installation and the implementation of a robust security culture.
Why Your Physical Security Audit Is Failing: Lessons from Latch Slipping and Beyond
TLDR: Physical security often relies on hardware that is improperly installed or easily bypassed by simple tools. This post breaks down common vulnerabilities in door latches, pushbars, and request-to-exit sensors that allow unauthorized access. Pentesters should prioritize identifying these installation flaws during physical assessments to demonstrate real-world risk to clients.
Most security professionals spend their careers obsessing over network perimeters, cloud misconfigurations, and application-layer vulnerabilities. Yet, a single, poorly installed door latch can render an entire multi-million dollar security stack irrelevant. If you are conducting a physical penetration test, you are likely looking for the same low-hanging fruit that has been exploited for decades. The reality is that many facilities are wide open because the people installing the hardware do not understand the security implications of their work.
The Mechanics of Latch Slipping and Shoving
At the heart of many physical access control failures is the humble door latch. When a door is not installed with the correct tolerances, the latch does not fully engage with the strike plate. This creates a gap that allows an attacker to manipulate the latch directly. Latch slipping involves using a thin, flexible tool to depress the latch bolt, while latch shoving targets the deadlatch—the small, spring-loaded pin that is supposed to prevent the latch from being depressed when the door is closed.
If the deadlatch is not properly actuated because the strike plate is misaligned or the door frame is warped, the latch remains vulnerable. A simple piece of plastic or a shim can bypass these doors in seconds. During a red team engagement, you should be looking for doors where the latch is visible or where the gap between the door and the frame is wide enough to insert a tool. If you can see the latch, you can likely bypass it.
Exploiting Request-to-Exit (REX) Sensors
Request-to-Exit sensors are designed to unlock a door automatically when someone approaches from the inside. Most of these sensors rely on Passive Infrared (PIR) technology to detect motion. The flaw here is that these sensors are often mounted in a way that allows them to be triggered from the outside. If you can slide a tool or even a piece of wire under the door to create a heat signature or movement in the sensor's field of view, the door will unlock.
Some advanced sensors use both PIR and radar to detect actual movement toward the door, which makes them significantly harder to spoof. However, many facilities opt for the cheaper, single-technology sensors. When testing these, focus on the gap at the bottom of the door. If you can manipulate the environment on the other side of the door, you can force the REX sensor to trigger. This is a classic example of Broken Access Control where the system trusts the sensor input without verifying the intent or location of the person triggering it.
The Hidden Risk of Enterphones and Elevators
Enterphones are frequently keyed-alike, meaning a single master key can open almost every unit of a specific brand within a building. Once you have access to the internal circuitry of an enterphone, you can often jump the connection to trigger the door release. This is not a sophisticated exploit; it is a failure of supply chain security and hardware management.
Elevators present a similar problem. Many service keys for elevator floor lockouts are widely available or easily replicated. If you are performing a physical assessment, do not assume that a locked elevator floor is secure. If you can gain access to the elevator car's maintenance panel or use a common service key, you can bypass floor restrictions entirely. The goal of these tests is to show the client that their reliance on "security through obscurity" or simple hardware locks is not a substitute for a layered defense.
Hardening the Perimeter
Defenders need to stop treating physical security as an afterthought. The most effective remediation is often the most boring: proper installation. Ensure that door gaps are minimized, strike plates are correctly aligned, and deadlatches are fully actuated when the door is closed. Retrofits like latch guards can provide a layer of protection, but they are not a silver bullet. If an attacker can reach behind the guard with a tool, the door is still vulnerable.
For high-security areas, move away from REX sensors that rely solely on PIR. If you must use them, ensure they are positioned so they cannot be triggered from the outside. Consider implementing a Zero Trust approach to physical access, where even if a door is unlocked, the user must still authenticate via a badge or biometric reader to enter a sensitive zone.
What to Do Next
When you are on-site, stop looking at the badge reader and start looking at the door frame. Take photos of the gaps, the strike plates, and the REX sensor placement. Document every instance where the hardware is not performing its intended function. Your report should not just list the vulnerabilities; it should explain the mechanical failure that allowed the bypass. If you can demonstrate how a simple, inexpensive tool can grant access to a server room or a restricted office, you will get the attention of the stakeholders who can actually authorize the necessary hardware upgrades.
Physical security is a constant game of cat and mouse. Every time a new, more secure lock is introduced, someone finds a way to bypass it. Your job is to ensure that your client is not relying on the weakest link in that chain. Keep testing, keep documenting, and keep pushing for better standards in hardware installation. The next time you walk through a building, look at the doors. You might be surprised at how many of them are just waiting for someone to notice the gap.