Physical Vulnerability Assessments for Internal Employees
This talk demonstrates common physical security vulnerabilities, such as misconfigured access control systems and improper door hardware installation, that allow for unauthorized entry. It highlights how simple techniques like latch shimming, accessibility button manipulation, and PIR sensor bypasses can be used to gain access to restricted areas. The presentation emphasizes the importance of threat modeling and proper system maintenance to ensure physical security controls function as intended.
Why Your Physical Access Control System Is Probably Just A Suggestion
TLDR: Most physical access control systems are riddled with basic configuration errors and hardware flaws that make unauthorized entry trivial. By exploiting common issues like misconfigured request-to-exit sensors, improper door hardware, and poor camera placement, attackers can bypass security without needing advanced tools. Pentesters should prioritize these low-hanging fruits during physical assessments to demonstrate real-world risk to clients.
Security researchers often obsess over the latest zero-day in a web framework or a complex chain of vulnerabilities in a cloud environment. While those are critical, the most effective way to compromise a facility is often to simply walk through the front door. Physical security is frequently treated as a checkbox exercise, leading to installations that look secure on paper but fail under the slightest pressure.
The Myth of the Secure Door
Many organizations rely on electronic access control systems that are fundamentally broken due to poor installation. The most common failure mode is a simple misconfiguration of the request-to-exit (REX) sensor. These sensors are designed to unlock a door when someone is leaving, but they are often installed in a way that allows them to be triggered from the outside.
A classic example is the "canned air" attack. By spraying a can of compressed air upside down under the door gap, an attacker can create a thermal signature that the passive infrared (PIR) sensor interprets as a person exiting. The sensor triggers, the magnetic lock releases, and the door opens. This is not a sophisticated exploit; it is a failure to understand the hardware's operating environment. If your REX sensor is visible from the outside or can be triggered by environmental changes, your electronic lock is effectively useless.
Hardware Flaws and Latch Shimming
Even when the electronics are configured correctly, the physical hardware often provides an easy path inside. Many commercial doors use standard latch bolts that are susceptible to latch shimming. If the door is not equipped with a proper deadlatch—the small, spring-loaded plunger that prevents the latch from being depressed when the door is closed—a simple piece of plastic or a shim can retract the latch bolt.
When assessing a site, look for the telltale half-moon shape of a deadlatch. If you see a standard latch without that plunger, the door can be opened in seconds. Furthermore, the use of Lishi tools has made lock picking accessible to anyone with a few minutes of practice. These tools allow a researcher to decode and pick a lock simultaneously. If a client is using cheap, generic cylinders, they are not just vulnerable to a skilled locksmith; they are vulnerable to anyone who can order a tool online.
The Surveillance Blind Spot
CCTV systems are often installed with the assumption that "more cameras equal more security." In reality, poor placement and low resolution render most systems useless for incident response. During a physical assessment, perform a walkthrough of the facility and check the footage afterward. Can you identify a person? Can you read a license plate? If the answer is no, the system is providing a false sense of security.
Attackers know how to exploit these blind spots. They will look for cameras that are poorly positioned, such as those pointing directly into a light source, which causes massive washout. They will also look for cameras that can be easily tampered with or repositioned. If you can reach a camera with a ladder or a pole, so can an intruder. Always check if the camera's field of view is obstructed by new construction, trees, or signage that has been added since the initial installation.
Threat Modeling for Physical Security
When you are reporting these findings to a client, avoid being a pedant about low-probability, low-impact issues. Focus on the vulnerabilities that align with the client's actual threat model. If the client is worried about high-end corporate espionage, they need to worry about advanced bypasses. If they are worried about a smash-and-grab, they need to worry about the strength of their door frames and the speed of their alarm response.
Use a risk matrix to prioritize your findings. If a door can be forced open with a halligan tool in under a minute, that is a high-impact finding. If a camera is slightly out of focus, that is a low-impact finding. By focusing on the most critical issues, you demonstrate that you understand the business context of the security assessment.
The Path to Remediation
Defenders must move beyond the "install and forget" mentality. Start by auditing your REX sensors to ensure they cannot be triggered from the outside. Replace standard latches with proper deadlatches and ensure that all door hardware is installed according to the manufacturer's specifications. If you have a high-security area, consider using high-security cylinders that are resistant to picking and impressioning.
Finally, test your alarm response. A security system that triggers an alarm but alerts no one is just a noise-making machine. Simulate a forced entry during your next assessment and time how long it takes for security to respond. If the answer is "they didn't," you have found your biggest vulnerability. Physical security is a process, not a product. Keep testing, keep iterating, and keep looking for the simple, stupid things that everyone else missed.
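One way to carry the risk-matrix prioritisation and the remediation list from the two sections above into a repeatable artefact, as an added example that is not part of the talk or its materials: each finding is scored as likelihood times impact on a 1 to 5 scale, banded into high/medium/low, optionally filtered to the client's stated threat model (the tag names `espionage`, `smash-and-grab` and `opportunistic` are assumptions chosen for this example), and emitted in remediation order. The finding records are constructed sample data that mirror the issues the talk describes.

```python
"""Risk-matrix prioritisation of physical assessment findings.

Added example (not from the talk): scores findings as likelihood x impact,
bands the score, and orders remediation. Sample findings are constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    title: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    remediation: str
    threat_tags: frozenset = field(default_factory=frozenset)  # assumed tag vocabulary

    def score(self) -> int:
        """Likelihood x impact; both axes must lie on the 1..5 matrix."""
        for axis in (self.likelihood, self.impact):
            if not 1 <= axis <= 5:
                raise ValueError("likelihood and impact must be integers 1..5")
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a 1..25 matrix score onto the three bands used in the report."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(findings: Iterable[Finding],
               threat_model: Optional[Set[str]] = None) -> List[Finding]:
    """Return findings in remediation order (highest score first, then title).

    If the client has stated a threat model, only findings tagged with at
    least one of those threats are kept, so the report tracks what the
    client actually worries about rather than every low-impact nit.
    """
    relevant = [f for f in findings
                if threat_model is None or f.threat_tags & threat_model]
    return sorted(relevant, key=lambda f: (-f.score(), f.title))


def report_lines(findings: Iterable[Finding],
                 threat_model: Optional[Set[str]] = None) -> List[str]:
    """Render one line per finding: band, score, title and remediation."""
    return [f"[{band(f.score()):6}] {f.score():2d}  {f.title} -> {f.remediation}"
            for f in prioritise(findings, threat_model)]


# Constructed sample findings (not real client data).
SAMPLE_FINDINGS = [
    Finding("Server room door latch lacks deadlatch", 5, 5,
            "Fit a deadlatching strike and verify the plunger engages",
            frozenset({"espionage", "opportunistic", "smash-and-grab"})),
    Finding("REX PIR sensor can be triggered from outside the door", 4, 5,
            "Reposition or shield the sensor so it only sees the secure side",
            frozenset({"espionage", "opportunistic"})),
    Finding("Loading dock frame yields to a forcing tool in under a minute", 3, 5,
            "Reinforce the frame and add a door contact with verified alarm routing",
            frozenset({"smash-and-grab"})),
    Finding("Alarm triggers but nobody is notified", 3, 5,
            "Route alarms to staffed monitoring; time the response each quarter",
            frozenset({"smash-and-grab", "espionage"})),
    Finding("Lobby camera slightly out of focus", 5, 1,
            "Refocus at the next maintenance window",
            frozenset({"opportunistic"})),
]


if __name__ == "__main__":
    print("All findings:")
    print("\n".join(report_lines(SAMPLE_FINDINGS)))
    print("\nSmash-and-grab threat model only:")
    print("\n".join(report_lines(SAMPLE_FINDINGS, {"smash-and-grab"})))
```

The threat-model filter is what keeps the report honest: for a client worried about smash-and-grab, the REX sensor issue and the unfocused camera drop out, and the frame strength and alarm routing rise to the top, which is exactly the prioritisation the talk argues for.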