Red Team vs. Smart Lock: Breaking into a Biometric Access Control System with a Paperclip

Red Team testing is when pentesters finally get the chance to legally feel like characters from Mission Impossible. Our tasks often involve physically penetrating a target's premises, preferably without dramatic descents from the ceiling or alerting the security team. These projects teach us to view access control systems through the eyes of an intruder, spotting even the tiniest flaws.

So, guess what happened when Bastion moved to a new office? We couldn't miss the opportunity for an internal pentest. While the sysadmins unpacked servers, we were planning how to "get to know" the new ACS (access control system). After all, who better to test the security of a security company than its own experts?

When the contractor installed biometric terminals on the doors of a few critical rooms, they immediately caught our attention. We—Bastion’s hardware and software hacking experts Ivan Glinkin and Alexey Petrenko—were ready.

The office got some expensive gadgets: 7-inch screens, wide-angle cameras, and IR illumination for pitch-black conditions. According to the manufacturer, these terminals could identify individuals within fractions of a second with 99% accuracy, memorize thousands of faces, and even work with COVID masks.

Biometric Terminal in Focus: It Doesn’t Recognize Me

At first glance, the system seemed solid—a glossy black panel with a big screen, exuding confidence. Below the facial recognition module was a smart card reader, ready to embrace an NFC token.

Inside the premises there was an exit button, while a controller (NC-8000-D) sat in the server room, tasked with maintaining the smart card database and logging every event via the Wiegand protocol.

How to Get Inside Without a Key?

“Open Sesame”

Access control systems should always be examined as a whole. So, we obtained documentation for all ACS components and began analyzing the architecture.

The ACS was deployed in two phases. First, contractors installed a basic access control system: they mounted the controller in the server room, integrated it with a card reader, and laid kilometers of cable throughout the office.

The magnetic card reader operated on a simple principle: it retrieved card data and sent it to the NC-8000-D controller, which verified the card in the database and made an access decision. Commands to open doors were transmitted via separate wires—this backend approach was fairly secure.

In the second phase, the ACS was supplemented with a facial recognition module that could operate autonomously. We decided to closely inspect this integration and physically examine the equipment.

The biometric module was mounted on the wall with the bare minimum: a rail fastened to the wall held the reader’s casing. There was no anti-tamper protection—apparently, the developers assumed intruders would be so awestruck by the device’s price tag that they wouldn’t dare touch it.

The manufacturer had included a tamper alarm with a button that triggers when the device is removed, but it was no real obstacle. Anyone with a thin metal ruler could slip it into the gap, hold the button down during removal, and fix the alarm in the "pressed" state with ordinary tape. Incidentally, the contractors hadn't even connected the alarm.

We carefully removed the device and found a bundle of unprotected wires. We examined the wires, cross-checked with the datasheet, and took another look. A simple paperclip short-circuited the contacts, and voilà—the door opened.

Repeat Performance: A House of Cards Security System

Revealing the Magic

The biometric ACS was equipped with an internal relay that activated upon successful facial recognition, short-circuiting the output contacts. Inside the room was a standard exit button, identical to those found in apartment buildings. The integrators had connected the relay contacts in parallel with the exit button.

The manufacturer marketed the system as a standalone "all-in-one" solution: buy it, install it and forget about it. However, the integrator added a vulnerable module to the more complex ACS, effectively turning the security system into a house of cards.

To compromise such a lock, you don’t even need to remove the terminal from the wall.

The necessary wires can be identified not just by their markings but also by measuring voltage: control contacts typically carry 3–5 V.

In solid buildings, wires are hidden inside concrete walls, providing minimal physical access. However, in modern office spaces with glass partitions, wiring is routed through metal conduits that can be opened with bare hands. Gaining access to the wires in these conduits and short-circuiting the necessary ones is all it takes.

As a result, a simple relay triggered by a magnet can be hidden inside the cable conduit, creating an effective hardware backdoor.

Research Findings

From budget-friendly solutions for small businesses to premium systems, access control manufacturers frequently repeat the same mistakes when integrating controllers and readers.

Even a quick look at a random wiring diagram from a product page on a marketplace reveals a familiar pattern: wires from the control block to the magnetic reader are directly connected to the button and the lock. A cursory analysis of the diagram immediately uncovers at least two critical vulnerabilities that can render the entire system useless with a simple screwdriver.

Key Vulnerabilities:

1. The Exit Button: One contact of the button is grounded, while the other connects to the lock’s “open” contact. To unlock the door, an attacker doesn’t need an access card or code—simply removing the device’s cover and shorting the “open” and “push” contacts mimics pressing the button. The signal is sent to the control unit, which then unlocks the door.

2. Signal Exploitation: When the system receives a signal (whether via button press or card read), it sends the signal through the “push” connection. This could be a PLO signal or simply a reset of the “push.” The signal reaches the magnetic lock and unlocks it.
In theory, the “push” contact always carries a positive voltage. Grounding it immediately opens the door. Shorting the “ground” and “open” or “ground” and “push” contacts is enough to bypass the system.

The issue isn’t limited to a specific lock or biometric terminal. In the pursuit of easy installation and lower costs, manufacturers often opt for architectures with direct control wiring.

Such systems are inherently vulnerable by design—they can only deter casual intruders unfamiliar with access control system principles. For this reason, evaluating both the functional capabilities and the wiring architecture of access control systems is crucial. The simplicity of wiring can reveal the true level of security far better than the manufacturer’s marketing materials.

Proper ACS Architecture

Even high-end access control systems can have vulnerabilities. A sleek terminal with advanced biometrics does not ensure security if installers leave the control wires exposed, or if manufacturers skimp on secure communication protocols between components.

Best Practices for ACS Design:

  • Separate Components: The reader (card or biometric) should only collect data and send it to a central server via a secure channel. The server checks the information against a database and sends an unlock command through a separate secure channel.
  • Centralized Control: Exit buttons should also be connected to the central controller rather than directly to the lock.

Security measures are always a compromise between safety, convenience, and cost. However, certain compromises, like directly wiring an exit button to a lock, are unacceptable for genuinely secure environments.

Even vulnerable ACS architectures can be reinforced. Security is always a combination of measures, where ACS is complemented by:

  • Proper video surveillance.
  • Log analysis.
  • Regular audits.
  • Competent physical security personnel.
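As an added example (not part of the article), here is what the log analysis listed above can look like when the controller records card grants, exit-button presses and door-contact changes: a door that opens with no grant or exit request shortly before it, or an exit request from a room the controller believes is empty, is exactly the trace that shorting the lock or exit-button wires leaves behind. The log format, event names and the 10-second grant window are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample controller log (not from the article): "timestamp,door,event,credential"
SAMPLE_LOG = """\
2024-05-01T08:59:10,server_room,CARD_GRANTED,0x1A2B3C
2024-05-01T08:59:12,server_room,DOOR_OPENED,
2024-05-01T08:59:20,server_room,DOOR_CLOSED,
2024-05-01T12:03:40,server_room,REX_PRESSED,
2024-05-01T12:03:41,server_room,DOOR_OPENED,
2024-05-01T12:03:50,server_room,DOOR_CLOSED,
2024-05-01T23:14:05,server_room,DOOR_OPENED,
2024-05-01T23:14:30,server_room,DOOR_CLOSED,
2024-05-01T23:40:02,server_room,REX_PRESSED,
2024-05-01T23:40:03,server_room,DOOR_OPENED,
"""

GRANT_WINDOW = timedelta(seconds=10)  # assumed max delay between a grant/REX and the door opening


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, door, event, cred = line.split(",")
        events.append((datetime.fromisoformat(ts), door, event, cred))
    return events


def find_anomalies(events):
    """Return (timestamp, door, reason) for door activity the controller cannot account for."""
    alerts = []
    last_auth = {}   # door -> time of the last CARD_GRANTED or REX_PRESSED
    occupancy = {}   # door -> granted entries minus exit requests (rough head count)
    for ts, door, event, _cred in events:
        if event == "CARD_GRANTED":
            last_auth[door] = ts
            occupancy[door] = occupancy.get(door, 0) + 1
        elif event == "REX_PRESSED":
            last_auth[door] = ts
            # An exit request from a room the controller believes is empty is
            # what a shorted exit-button line looks like from the controller's side.
            if occupancy.get(door, 0) <= 0:
                alerts.append((ts, door, "exit request from an empty room"))
            occupancy[door] = max(occupancy.get(door, 0) - 1, 0)
        elif event == "DOOR_OPENED":
            auth = last_auth.get(door)
            # A door that opens with no grant or exit request just before it was either
            # forced or unlocked by bypassing the controller (lock or relay wire shorted).
            if auth is None or ts - auth > GRANT_WINDOW:
                alerts.append((ts, door, "door opened without a preceding grant or exit request"))
    return alerts
```

Running `find_anomalies(parse_log(SAMPLE_LOG))` on the constructed log flags the 23:14 opening and the 23:40 exit request; the daytime entries and exit pass silently.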

Translated by the author from the original article.