• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

War Room

Shells from above

RSM logo

  • Home
  • About
  • Blog
  • Talks/Whitepapers
  • Tools
  • Recreation
Home > Physical > Request to Exit Sensor Bypass

Request to Exit Sensor Bypass

November 6, 2014 By RSM Author

(Originally published by @coldfusion39)

When performing Physical Attack and Penetration Tests, we occasionally find ourselves on the wrong side of a locked door.  The exterior or public side, of these doors is often controlled by an Access Control System utilizing either a Prox or iClass card reader. Due to various fire codes and regulations, the secured side of these doors does not always require the employee to “badge out”, it just magically unlocks; it’s hard and crunchy security on the outside, soft and chewy security on the inside. So how do these doors keep unauthorized personnel out, while still allowing anyone to exit?

hid reader

Companies often use devices known as REX (“Request to Exit”) sensors. These sensors are similar in functionality and purpose to the motion detectors that automatically open main doors at major retailers like Target, Wal-Mart, and CVS among others. The main difference between these devices, security REX devices do not trigger solely on motion alone.

REX

The most common REX sensors use a technology called Passive Infrared or PIR. Motion is registered when the device detects a temperature change within its configured field of view. ” Change in temperature…” is the key phrase here. The fact that these sensors can be bypassed is not new knowledge. One of the more common methods involves using a straightened metal coat hanger and taping a hand warming pack taped to one end. The technique requires an attacker to slide the end of the coat hanger, with the hand warming pack, under or between the door and move it around to simulating motion and as well as heat.

Passive Infrared Old Method

hot pack heating element

While effective, there are some significant drawbacks to this particular technique. Sliding the coat hanger under the door can be difficult, especially if the door was installed correctly with a tight fitting door jam, or if the door has weather stripping. More importantly, who wants to carry around a metal coat hanger and take the time to unbend it during an engagement? Fortunately, a better solution exists. Remember that security REX sensors require motion and a change in temperature, not necessarily an increase.

CO2 Air duster

Anyone that has ever used a can of compressed air knows that if you turn the can upside down and pull the trigger a large cloud of cold air shoots out of the nozzle. Using this knowledge (and the little red straw!) it is possible to trigger a PIR REX sensor from a considerable distance. The red straw is smaller in diameter (3 mm) compared to a warming pack and coat hanger (6 mm) which could make a significant difference when attempting to bypass doors with weather stripping. Also, walking around with a can of compressed air (as compared to a wire coat hanger) less likely to draw attention in a corporate or office environment. It’s much easier to develop a cover story (“I’m from IT. We’re cleaning keyboards today…”).

Triggering PIR REX

co2 cold air

Feel free to tuck this door bypass technique into your physical security bag of tricks. There is always more than one way to enter a building. Sometimes it’s easy as having someone hold the door open for you…

examples of poor security

Share this...
  • Reddit
  • Email
  • Facebook
  • Twitter
  • Linkedin

RSM Author

Primary Sidebar

Categories

  • Defense
  • Forensics
  • Offense
  • Physical
  • R&D

Most Viewed Posts

  • DLL Injection Part 1: SetWindowsHookEx 10.8k views
  • Sophos UTM Home Edition – 3 – The Setup 10.8k views
  • Leveraging MS16-032 with PowerShell Empire 10k views
  • Bypassing Gmail’s Malicious Macro Signatures 9.8k views
  • How to Bypass SEP with Admin Access 8.9k views

Footer

  • RSS
  • Twitter
  • Tools
  • About
  • RSM US LLP

+1 800 903 6264

1 S Wacker Dr Suite 800
Chicago, IL 60606

Copyright © 2023 RSM US LLP. All rights reserved. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit for more information regarding RSM US LLP and RSM International.