(Originally published by @coldfusion39)
When performing Physical Attack and Penetration Tests, we occasionally find ourselves on the wrong side of a locked door. The exterior or public side, of these doors is often controlled by an Access Control System utilizing either a Prox or iClass card reader. Due to various fire codes and regulations, the secured side of these doors does not always require the employee to “badge out”, it just magically unlocks; it’s hard and crunchy security on the outside, soft and chewy security on the inside. So how do these doors keep unauthorized personnel out, while still allowing anyone to exit?
Companies often use devices known as REX (“Request to Exit”) sensors. These sensors are similar in functionality and purpose to the motion detectors that automatically open main doors at major retailers like Target, Wal-Mart, and CVS among others. The main difference between these devices, security REX devices do not trigger solely on motion alone.
The most common REX sensors use a technology called Passive Infrared or PIR. Motion is registered when the device detects a temperature change within its configured field of view. ” Change in temperature…” is the key phrase here. The fact that these sensors can be bypassed is not new knowledge. One of the more common methods involves using a straightened metal coat hanger and taping a hand warming pack taped to one end. The technique requires an attacker to slide the end of the coat hanger, with the hand warming pack, under or between the door and move it around to simulating motion and as well as heat.
While effective, there are some significant drawbacks to this particular technique. Sliding the coat hanger under the door can be difficult, especially if the door was installed correctly with a tight fitting door jam, or if the door has weather stripping. More importantly, who wants to carry around a metal coat hanger and take the time to unbend it during an engagement? Fortunately, a better solution exists. Remember that security REX sensors require motion and a change in temperature, not necessarily an increase.
Anyone that has ever used a can of compressed air knows that if you turn the can upside down and pull the trigger a large cloud of cold air shoots out of the nozzle. Using this knowledge (and the little red straw!) it is possible to trigger a PIR REX sensor from a considerable distance. The red straw is smaller in diameter (3 mm) compared to a warming pack and coat hanger (6 mm) which could make a significant difference when attempting to bypass doors with weather stripping. Also, walking around with a can of compressed air (as compared to a wire coat hanger) less likely to draw attention in a corporate or office environment. It’s much easier to develop a cover story (“I’m from IT. We’re cleaning keyboards today…”).
Feel free to tuck this door bypass technique into your physical security bag of tricks. There is always more than one way to enter a building. Sometimes it’s easy as having someone hold the door open for you…