Allthenticate: Physical Security

Attacks

Physical Security

Understanding

Access Control Attacks

Discover the weaknesses in access control systems and find out how to protect yourself

Access control systems are essential for managing who can enter specific areas within a facility. They are critical for ensuring security in environments ranging from corporate offices to government installations.

Access control systems are vital for protecting physical spaces - from office doors to server rooms. Traditional systems have vulnerabilities that can be exploited through cloned cards, intercepted signals, or compromised wiring. But more concerning is that these security flaws often go undetected until it's too late.

The fundamental issue: most access control hardware sits exposed on the outside of the door, making it vulnerable to physical tampering and signal interception. Additionally, the complex web of wires connecting readers, sensors and control boards creates multiple potential points of failure.

Attacks

Physical Security

Understanding

Access Control Attacks

Discover the weaknesses in access control systems and find out how to protect yourself

Attacks

Physical Security

Understanding

Access Control Attacks

Discover the weaknesses in access control systems and find out how to protect yourself

Our founder and CEO provides a history of access control attacks and explains how Allthenticate can eliminate most of them in one fell swoop. If you want to learn more about physical security bypass, our friends at the Physical Security Village gave a great DEFCON talk.

Exploit Techniques

Disclaimer: The information provided in this article is for educational and informational purposes only. Allthenticate is committed to enhancing security awareness and readiness in the cybersecurity community. This content is intended to be used responsibly and ethically by security professionals, researchers, and organizations to improve their defensive capabilities.

Key Components:

External "Readers"

Reads access credentials from key cards or fobs locally and then relay the read information (typically a number) to the controller

Internal "Controllers"

Receives card numbers and ultimately makes the yes or no decision to trigger the relay, which will unlock the door. These are typically expensive and only support four doors or less

Credentials

Items used by individuals to verify their identity: just a simple number on legacy systems and cryptographic key on modern systems

Cloud Infrastructure

Software and servers that manage access data, policies, and logs. Some even permit remote unlocking and locking

Magnetic Lock (Maglock)

A magnetic lock that uses an electromagnet to lock doors hold the door "locked." However, if the power goes out, these are programmed to fail-safe, or "unlocked" for the layperson

Electric Strike

A solenoid-powered strike that will "unlock" when power is applied. Unlike the maglock, these are fail-secure when the power is off and do not require exit buttons or motion sensors

Exit Button

Because maglocks will hold the door shut when powered, buttons are required on the interior to let people escape in emergencies

Motion Detector

Similarly, for maglocks that hold the door locked when powered, motion sensors let people exit the building without much hassle

Motion detectors use infrared, microwave, or ultrasonic waves to detect movement and trigger actions like opening doors or sounding alarms, but can be exploited by actions like vaping, mitigated by additional verification methods and sensor adjustments

Wiegand Protocol

The most popular communication standard for data transmission between card readers and controllers. It is unencrypted and therefore vulnerable to man-in-the-middle (MitM) attacks

The Wiegand protocol, a widely adopted communication standard for data transmission between card readers and controllers, uses pulses to transmit binary data but is vulnerable to man-in-the-middle attacks due to clear text transmission, which can be mitigated by transitioning to secure protocols like OSDP

The most popular communication standard for data transmission between card readers and controllers. It is unencrypted and therefore vulnerable to man-in-the-middle (MitM) attacks

Open Supervised Device Protocol (OSDP)

The OSDP protocol was meant to enhance security and interoperability in access control systems through bi-directional communication and encryption

The OSDP protocol enhances security and interoperability in access control systems through bi-directional communication and encryption, allowing secure data exchange and better device monitoring, though it can still be exploited if encryption keys are compromised.

Man-in-the-Middle (MitM)

Wires between the reader and controller are susceptible to physical implants that can steal and replay employee credentials

Exploit tools

Proxmark3, Hak5 Key Croc, Wireshark

Card Cloning

Cards with no or broken encryption schemes can be trivially cloned by walking nearby and employee and wirelessly reading their badge

Exploit tools

Proxmark3, Flipper Zero, ChameleonMini

Physical Bypass

Mechanical means like using smoke trip the motion sensor, a wire to hit the exit button, or a lockpick can be used to bypass the system entirely. We recommend checking out the courses at Red Team Alliance if you're interested in learning more

Exploit tools

Lockpicking tools, Loop tools, Air Wedge, Smoke generators

Why Traditional Defenses Fall Short

Historically, standard encryption like HTTPS could be bypassed through SSL stripping downgrade attacks. Today, even two-factor authentication can be intercepted by a Web Relay MitM or by leveraging a compromised Certificate Authority. Every HTTPS site is one compromised CA and a DNS attack away from completely broken.

CARD TYPE

VULNERABILITY

Tools to Exploit

HID Prox

No Encryption

Flipper Zero

HID iClass

Leaked Key

Flipper Zero, OMNIKEY 5321v2

HID iClass SE

Leaked Key

Proxmark

HID iClass Elite

Weak Encryption

Flipper Zero, Proxmark

HID SEOS

Downgrade

& Relay Attack

Downgrade

& Relay Attack

Flipper Zero w/ NARD SAM

Mifare Classic

Weak Encryption

Flipper Zero, MFOC, MFUK

Magstripe

No Encryption

MSR605X, GitHub

Almost All Cards

Relay Attack

Proxmark

WIRE PROTOCOL

VULNERABILITY

Tools to Exploit

Wiegand

Man-in-the-Middle (MitM)

ESPKey

OSDP

Bad Initialization Vector

ESPKey

Better Technology

TECHNOLOGY

WHY WE LIKE IT

Mifare DESfire EV2 & EV3

Resistant to cloning, tampering, and relay attacks

PIV Credentials

Proper private/public keys; resistant to known attacks

Mobile Credentials

Convenient, secure, can leverage biometrics and PIN on smartphone

Attacks

Overview

Attacks

Overview

Attacks

Overview

Allthenticate eliminates the risk of Access Control Exploits.

Before writing a line of code, we analyzed and actively exploited all of the aforementioned vulnerabilities and specifically designed our patented architecture to be resistant to all of them.

Reader on the inside of the office

Our ALL-IN reader/controller is installed on the secure side of the building as a single unit, leaving no reader or wires exposed to a Man-in-the-Middle (MitM) attack.

Secure by Design

Your private keys are stored in the Secure Element (SE) on the phone — the same technology in DoD-grade smartcards. Bluetooth connections reduce friction while maintaining best-in-class security. Additionally, TrustZone and biometrics are leveraged to prevent relay attacks, software exploits, physical tampering, and device theft.

Secure your organization by eliminating entire classes of vulnerabilities with Allthenticate.

See Pricing

Learn More

Secure your organization by eliminating entire classes of vulnerabilities with Allthenticate.

See Pricing

Learn More

Secure your organization by eliminating entire classes of vulnerabilities with Allthenticate.

See Pricing

Learn More