Building Entrance Securit...

Many buildings, including apartment and condo complexes, are still relying upon the old 125 KHz RFID key fobs as part of their access control systems. As I wrote in an article in 2018, these are easily and quickly duplicated at kiosks in grocery and DIY stores which means there is no viable key control.

These low security fobs were in use at my condo complex so I convinced our Management to upgrade to the newer encrypted HID tags to prevent cloning or hacking. Entry to our facility is also controlled by a telephone intercom made by Keri Systems. This is typical technology for apartment buildings as part of most access control systems. When a visitor presses the call button, the tenant can “buzz them in” by triggering the electric strike on the front door. Keri is a significant supplier of intercoms.

Many of these systems, including ours, have a U.S. Postal Service lock that allows a mailman to control the door by activating an internal micro-switch within the panel. This “bypass lock” circumvents all of the building entry security. It is a fundamental issue that needs to be addressed nationwide because every facility can be affected. The combination of a post office lock, door override switch, and the ability to easily open many of these intercom cabinets provides an immediate security red flag. It creates the equivalent of a universal master key to every location that has an intercom system protected by a lock that may cost less than ten dollars.

In contrast, most commercial buildings utilize a KnoxBox or similar secure separate key vault to store keys or key fobs to open outside doors. They are protected by a higher-security Underwriters Laboratory-rated (UL 437) lock. These boxes are mounted into outside walls and can be extremely difficult to compromise. Unfortunately this is typically not the case with the intercom consoles because most manufacturers have chosen to supply inexpensive locks to secure their enclosures.

I analyzed the security of the cabinet lock, internal access to the postal lock micro-switch, and the ability to easily obtain keys for our system from Amazon, CompX, and other national suppliers. It is obvious there are two critical security issues that could permit someone to easily defeat all of the access control technology for our building (or other facilities with similar systems) in seconds and allow an intruder to enter without any credentials. It is clear that manufacturers supplying low-security cabinet locks, coupled with door access override with bypass locks, had not “connected the dots” nor had imagined that criminals could exploit this security flaw in an otherwise protected access control system.

Major players in the industry include Keri Systems, Linear, Doorking, Mircom, Kantech (Division of Tyco), and Select Engineered Systems. I spoke with Ken Geiszler, the CEO of Keri Systems and alerted him to the design issues in their particular enclosure. He immediately organized a zoom call with their senior engineers to discuss their choice of locks and the integration of postal service access into their cabinets. They recognized the security issues and the ability to compromise a facility. They admitted that they, like most other manufacturers, were not lock experts and were not aware of the vulnerability of the hardware they had been supplying to their customers.

Every facility manager needs to pay attention to this issue because of the prevalence of these and like systems throughout the country and the ability to completely circumvent the apparent security of buildings against unauthorized entry.

The lock on the intercom cabinet is the security problem

All of the high-security door locks, deadbolts, advanced RFID key fobs, cameras, key control, and sophisticated access control systems for any building are essentially meaningless if any of their critical components are protected by a low security device that will allow access to the control electronics at the heart of the system. Like many manufacturers, the Keri Entraguard-type technology is a critical piece of any security scheme. These intercom systems are typically located at the entrance to a building, or outside where they are readily accessible to the public. Especially when that insecurity is coupled with the installation of a postal lock, the ability to circumvent all entry security is very simple and can be accomplished in seconds. Even if a panel does not contain a bypass lock, the internal wiring can easily allow the same result: triggering electric strikes or garage door control. The good news for thieves: virtually all of the wiring schematics for these systems can be found on the Internet.

The keys for these and many other panels can be ordered from Amazon, which I did last week for about twenty dollars. It turns out that not only is Keri using the same key for all of their panels, but a lot of other companies are as well, from office equipment to file cabinets to phone cabinets and HVAC systems. I searched for the two industry leaders: Door King and Linear and found their keys and documentation are easily accessed.

The kind of lock that Keri and other manufacturers supply can be easily identified and circumvented. For many, it is a simple single-bitted wafer lock. For our system it took me about fifteen seconds to open it, either by picking or with a standard automotive shim of .010” thickness, with no evidence of entry. While some vendors may utilize what are known as double-bitted locks, they do not offer any more appreciable security because the basic mechanism still relies upon low-tolerance movable wafers rather than sidebar locking systems. A variety of tools from specialty sites like Lockpicks.com and Amazon are readily available to easily open these locks. If the keys are available, then it does not matter.

I wrote about this problem last November during the presidential election because similar locks have been used to protect ballot collection boxes, and were likewise extremely easy to open The internal switch in the Keri cabinet is connected to the post office lock and can be very easily circumvented by electrically shorting two accessible and adjacent contacts. This signals the front door to open by releasing its electric strike. The insecurity of the panel also means that the post office lock can be removed, decoded, and a key produced that will open many buildings and post office collection boxes within a city. This is a significant problem for the Postal Inspection Service because possession of USPS keys can allow the theft or destruction of mail and unrestricted access to many buildings.

I suggested to Keri that they should supply UL 437-rated locks on all of their cabinets going forward and alert their installers and dealers of the vulnerability. This Underwriters Laboratories Standard is part of the High Security Standard defined for locks by the Builders Hardware Manufacturers Association (BHMA)known as 156.30. UL 437 cam locks are produced by most major manufacturers.

I received the following statement from the CEO at Keri:

“We are committed to finding a good solution that works for all segments of the market that includes the building owner, the residents and employees, the integrator who has to service the system and the manufacturer and/or lock supplier. Historically, electronic security and mechanical locking systems have been viewed as two separate segments of the security industry. The two segments need to work together to provide a more secure solution that meets the security needs of the installation but provides the means for the installation community access to the systems and to provide an adequate level of service to meet the needs of these communities. Given that this type of lock is used by manufacturers of similar equipment world-wide, I would counsel other providers to beef up the mechanical security of their systems as Keri is doing in addition to the usual work on the electronic side. Keri will be communicating with our installation partners to ensure that they know about the risks that Marc has uncovered and how we will work with them to enhance the mechanical security of the system.”

The wafer lock is a low-level device that should not be relied upon for any measure of security, especially to protect a building. It would be my suggestion that any intercom or other system (whether it contains a bypass lock or not), which has the ability to control and open doors should be upgraded with a higher security cylinder that is resistant to methods of covert and forced entry. It should also offer key control to restrict the copying of keys, similar to those that are utilized by KnoxBox for emergency building access by law enforcement agencies.

I would also urge the Postal Service to promulgate standards to require all manufacturers of any type of enclosure that contains a post office lock to mandate high security cylinders to protect their locks from unauthorized access.

This is not just a problem with the locks that Keri chose to install to protect their enclosures: it is clear that it is an industry-wide security problem with some of the vulnerabilities being shockingly easy to replicate or exploit. Once access to any of these panels is provided, all of the wiring and control relays are easily circumvented. Even more troublesome, a number of the video intercom providers secure their panels by a "hidden" screw on the bottom which can be found in just a few seconds of inspection.