
Access Control Done Right the First Time

DEFCONConference · 545 views · 22:51 · 6 months ago

This talk details common physical security vulnerabilities in access control systems, specifically focusing on insecure wiring practices and the use of legacy, unencrypted communication protocols. It highlights how improper installation of door controllers, motion sensors, and card readers can be exploited to bypass security measures. The speaker provides actionable guidance on implementing secure wiring, utilizing encrypted protocols like OSDP, and configuring proper telemetry to detect tampering. The presentation serves as a practical guide for security professionals to audit and harden physical access control infrastructure.

Physical Access Control Systems Are Still Running on 1975 Tech

TLDR: Most physical access control systems rely on the ancient, unencrypted Wiegand protocol, making them trivial to bypass with simple hardware implants. By intercepting the cleartext data between a card reader and the controller, an attacker can clone credentials or replay signals to unlock doors. Security professionals must audit their physical infrastructure for these legacy protocols and transition to encrypted alternatives like OSDP to prevent unauthorized entry.

Physical security is often the forgotten sibling of digital security. While teams spend thousands of hours hardening cloud environments and patching web applications, the physical access control system protecting the server room often runs on technology from the mid-seventies. This is not a theoretical risk. If you can access the wiring behind a card reader, you can bypass the entire authentication mechanism of a facility in seconds.

The Wiegand Weakness

The core issue is the Wiegand protocol, a communication standard developed in the 1970s that remains the industry default. Wiegand is fundamentally insecure because it lacks any form of encryption or authentication. When a user presents a badge to a reader, the reader sends the card data to the door controller as a series of electrical pulses over two wires, typically labeled Data0 and Data1.
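To make concrete what the controller actually receives on those two wires, here is an added example (not code from the talk or from this write-up) that decodes a standard 26-bit Wiegand frame exactly as a controller would: each pulse on Data0 is a 0 bit, each pulse on Data1 is a 1 bit, and the only integrity check in the whole frame is two parity bits. The sample frame is constructed for the example (facility code 42, card 1234), not captured from any real installation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int


# Constructed sample frame (not from any real system): facility 42, card 1234.
# Each '0' is a pulse on Data0 and each '1' a pulse on Data1, in wire order.
SAMPLE_FRAME = "10010101000000100110100100"


def decode_wiegand26(bits: str) -> Wiegand26:
    """Decode a standard 26-bit Wiegand frame the way a door controller does.

    Layout: [even parity][8-bit facility code][16-bit card number][odd parity].
    Raises ValueError when the frame is malformed or a parity bit does not match.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    b = [int(c) for c in bits]
    # Leading bit: even parity over the first 13 bits (itself plus 12 payload bits).
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("even parity mismatch in bits 0-12")
    # Trailing bit: odd parity over the last 13 bits (12 payload bits plus itself).
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("odd parity mismatch in bits 13-25")
    return Wiegand26(
        facility_code=int(bits[1:9], 2),
        card_number=int(bits[9:25], 2),
    )


def frame_is_accepted(bits: str) -> bool:
    """True if a controller with only Wiegand's parity check would accept the frame.
    Nothing in the frame identifies which device placed it on the wire."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cred = decode_wiegand26(SAMPLE_FRAME)
    print(f"facility={cred.facility_code} card={cred.card_number}")
    # A single corrupted bit is caught by parity; a well-formed frame from any source is not.
    corrupted = SAMPLE_FRAME[:5] + "0" + SAMPLE_FRAME[6:]
    print("corrupted frame accepted:", frame_is_accepted(corrupted))
```

The point for defenders is that parity protects against line noise, not against a device that speaks the format correctly, which is why the protocol itself must be replaced rather than the wiring merely hidden.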

Because this signal is unencrypted, any device capable of reading these pulses can capture the badge ID. A pentester does not need sophisticated tools to exploit this. A simple microcontroller, like an ESP32 or an Arduino, can be wired directly into the reader’s data lines. Once the device is in place, it can sniff the traffic and transmit the captured badge data over Wi-Fi or Bluetooth to a remote attacker.

The attack flow is straightforward:

  1. Gain physical access to the card reader (often by simply prying it off the wall).
  2. Splice into the Data0 and Data1 lines.
  3. Use a Wiegand-to-Wi-Fi bridge to capture the raw binary data.
  4. Replay the captured data to the controller to trigger the door strike.

The Failure of "Low-Bid" Installations

Many organizations treat access control as a commodity, leading to "minimum viable product" installations that prioritize cost over security. This manifests in several ways that make a pentester's job significantly easier.

First, the wiring is often exposed. Installers frequently run long, unshielded cable runs through drop ceilings or along exterior walls. These long runs are susceptible to electromagnetic interference (EMI) and are easy to tap. The lack of end-of-line (EOL) supervision resistors is a further major oversight: without them, the controller cannot distinguish a legitimate reader or contact from a tampered line, so if an attacker cuts the wire or shorts the connection, the system often fails to raise an alarm.
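The following added example (not from the talk or this write-up) shows why supervision resistors matter. It models a controller input under two wiring schemes: a plain normally-closed contact with no resistors, and an assumed dual end-of-line scheme with one 1 kOhm resistor in series with the loop and a second across the contact, so that closed reads about 1 kOhm, open about 2 kOhm, a short near 0, and a cut reads open-circuit. The resistor value and tolerance band are assumptions; the readings are constructed.

```python
from enum import Enum


class LoopState(Enum):
    NORMAL = "normal"      # contact closed: door / reader cover secure
    ALARM = "alarm"        # contact open: door forced or cover removed
    SHORT = "short"        # wires shorted together (detectable only when supervised)
    TROUBLE = "trouble"    # wire cut, or a reading outside every expected band


# Assumed dual end-of-line wiring: a 1 kOhm resistor in series with the loop and a
# second 1 kOhm resistor across the tamper/door contact. Values are illustrative.
R_EOL = 1000.0    # ohms
TOLERANCE = 0.15  # +/-15 % band around each expected value


def _within(r: float, target: float) -> bool:
    return abs(r - target) <= target * TOLERANCE


def classify_supervised(r_ohms: float) -> LoopState:
    """Dual-EOL loop: closed contact reads R_EOL, open contact reads 2*R_EOL.
    A short (~0 ohm) and a cut (open circuit) each land in their own band."""
    if r_ohms < R_EOL * (1 - TOLERANCE):
        return LoopState.SHORT
    if _within(r_ohms, R_EOL):
        return LoopState.NORMAL
    if _within(r_ohms, 2 * R_EOL):
        return LoopState.ALARM
    return LoopState.TROUBLE


def classify_unsupervised(r_ohms: float) -> LoopState:
    """Plain normally-closed contact with no resistors: the controller only knows
    'near zero' (normal) or 'open' (alarm), so a shorted loop looks normal."""
    return LoopState.NORMAL if r_ohms < 50.0 else LoopState.ALARM


if __name__ == "__main__":
    # Constructed readings: closed contact, opened contact, shorted wires, cut wire.
    readings = [("closed", 1000.0), ("open", 2000.0),
                ("shorted", 0.0), ("cut", float("inf"))]
    for label, r in readings:
        print(f"{label:8} unsupervised={classify_unsupervised(r).value:8} "
              f"supervised={classify_supervised(r).value}")
```

Run it and the "shorted" row is the one to look at: the unsupervised loop reports normal, which is exactly the silent bypass the paragraph above describes, while the supervised loop reports a short and can raise a trouble alarm.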

Second, the use of power-hungry magnetic locks creates a secondary vulnerability. These locks require significant current, and if the wiring is undersized, the voltage drop can be enough to make the lock physically unreliable. An attacker can sometimes pull on the door with enough force to pop the strike, even if the system thinks it is locked.

Moving to OSDP

The industry is slowly moving toward the Open Supervised Device Protocol (OSDP), which is the only viable replacement for Wiegand. OSDP is a bidirectional protocol that supports AES-128 encryption. It also includes built-in support for reader tamper switches, so the controller knows immediately if a reader has been tampered with.

However, OSDP is not a silver bullet if it is not configured correctly. Many installers fail to enable the encryption layer, leaving the system in a "cleartext" mode that is just as vulnerable as Wiegand. Furthermore, the pairing process for OSDP can be intercepted if the installer is not careful.

If you are auditing a facility, check the reader communication settings. If you see Wiegand, you have a clear path to bypass. If you see OSDP, verify that the encryption keys are actually being used.

Auditing Your Physical Perimeter

During a physical penetration test, your first step should be to identify the reader type and the controller model. If you are dealing with legacy Mercury Security or LenelS2 hardware, look for the controller cabinets. These are often located in unsecured closets or above ceiling tiles.

Once you have access to the controller, you can often find the wiring diagrams taped to the inside of the cabinet door. This is a goldmine for identifying which ports correspond to which doors. If you find an exposed reader, do not just assume it is a dead end. Use a portable reader to capture the badge ID of an employee entering the building. You can then clone that ID onto a blank card or use a Proxmark3 to emulate the credential.

Defenders should focus on three things:

  1. Enable OSDP with full encryption on all new installations.
  2. Install tamper switches on all readers and enclosures, and ensure they are wired to an alarm input that triggers an immediate notification.
  3. Use composite access control cable with proper shielding to prevent signal leakage and EMI.

Physical security is not just about locks and keys. It is about the integrity of the data signals that control those locks. If you ignore the wiring, you are leaving the front door wide open.
