Skip to Main Content
August 27, 2019

Three Most Common Physical Security Flaws (and How to Fix Them)

Written by David Boyd
Penetration Testing Physical Security Security Testing & Analysis

When it comes to physical security, the most common things we see are hardware vulnerabilities or human error (through social engineering attacks, failure to follow security guidelines, or no knowledge of security protocols). We have successfully broken into everything from locally run neighborhood shops to banks, power plants, hospitals, factories, law firms, and everything in between—usually due to a mix of hardware and human flaws.

Physical security is miles ahead of where it was years ago. Companies spend tens of thousands of dollars a year on physical security, installing card readers, cameras, locks, guards, and more. Oftentimes, however, they can be defeated by things like social engineering, bad installation, a ten-dollar piece of metal, or a can of compressed air.

The hardware that protects your physical security is often as important as the policies you put into place. You can have all of the properly written and fully fleshed-out and followed policies you want, but if the physical controls in place are not correctly configured or installed, your organization is still vulnerable to a physical attack.

Here are a few of the most common physical vulnerabilities we see out in the wild.

REX (Request-to-Exit) Sensors

Figure 1 – A Wild REX Sensor Eagerly Waits to be Helpful

These simple, passive, infrared thermal sensors are one of the most common devices seen in buildings all over the world. If you are walking out of a badged area, and you hear a click as you approach the door, can hit a button to exit the door, or do not have to swipe your badge to exit, your environment probably has REX sensors installed. Convenient, right?


Technicians typically install REX sensors in a way to maximize the area in which movement can be detected. While there are several things to keep in mind, such as building code and Americans with Disabilities Act (ADA) regulations, REX sensors are often found to be insecurely installed. The problem is that REX sensors are often installed too close to a door frame, which leads to the ability to activate the sensor from the wrong side of the door. We have seen some that could be activated by pushing a thin item (printer paper, envelopes, etc.) through a gap in the door. The most common method is a can of compressed air. Turn it upside down and spray some cold air toward the sensor. Your $200 REX sensor/magnetic lock setup can be bested by an $8 can of compressed air.

Figure 2 – Compressed Air: A Story in Pictures


This one is, admittedly, a bit tricky. Turning the sensor so that it is not directly accessible from the wrong side of the door is a good way to mitigate this issue. The addition of static charge push bars or installing a pressure-sensitive mat on the secured side of the door is another way to add additional security.

Improperly Hung Doors/Improperly Installed Door Hardware

Figure 3 – Check Your Doors!

This one is admittedly kind of a catch all. Truthfully, doors can be a pain to install and maintain. Occasionally, they can be installed incorrectly. Buildings tend to move a bit with age, foundations shift, etc. All of this can lead to doors becoming a huge vulnerability in your workspace.


Figure 4 - Dead Latch Plunger Example

Gaps in the door edges (including underneath), doors missing dead latch plungers, improperly fitted door latches; all of these are very common issues we have encountered with door installations. Those lever style door handles you see on doors in every corporate office are great targets for an under-the-door tool. Slip a tool through the gap, catch the handle, and you’re in.

Figure 5 – Under the Door, Under the Door

On double doors with a crash bar, if the gap is too big, a simple piece of wire can slip through and push the handle in.

Figure 6 – DDT, Not Just a Wrestling Move

Congratulations, we are now in a place we don’t belong.


For all doors, inventorying and reviewing the existing door and handle hardware is a good start, ensuring that the door latch is aligned property and that the dead latch catches correctly when the door is closed. For doors with a large gap underneath, installing a dynamic door bottom can help prevent tools for getting underneath.

Figure 7 – Dynamic Door Bottom: Close That Gap!

For double doors, ensure the doors are installed correctly to prevent an unnecessary gap, and if needed, install a metal security plate to help prevent tools from being pushed through any gap that may be present. For doors with the lever-style door handle, installing a door handle shroud, a block or guard on the inside of the door, or even installing the door handle at ninety degrees can all help mitigate the issue. Keep in mind that ADA regulations may prevent some of these, so check with your local labor laws.

Radio-Frequency Identification (RFID) Badge Readers

Card reader access doors with electronic strike plates. What used to be one of the easiest access control solutions across companies everywhere has quickly become yet another way for an unauthorized individual to get into your building.

Figure 8 – Easy, Convenient, Vulnerable


Low-frequency (LF) proximity cards/keyfobs and card readers are the most common type of electronic access-controlled doors. LF credentials provide no cryptography when transmitting the card ID to the reader and can easily be intercepted for subsequent cloning.

Figure 9 – The Best Part of Waking Up? Cloners in Your Cup


While moving to high-frequency (HF) used to be preferred, it can be expensive and time consuming—and has recently become cloneable. Auditing your card reader access, setting up monitored alerts to generate after a certain threshold (such as when someone enters a space too often in a short span of time, etc.), and providing employees with an RFID blocking badge holder are all ways that can help mitigate the threat of badge cloning.

Ensuring your employees are receiving proper training on identifying common social engineering tactics will also help mitigate several of these issues. Understanding the first places we look when performing modern physical penetration tests can help guide your focus when developing your own security program.

We see continual changes in the physical security sector and publish regular updates. You can see our first post on physical security here.