Hidden in Plain Sight: The Unseen IoT Vulnerabilities in Building Access Control

Building access control systems like smart locks and badge readers are a critical component of physical security. Without controls that keep unauthorized people out of a facility, organizations risk admitting potentially malicious actors to their secure spaces. 

Also called physical access control systems, building access control devices belong to the Internet of Things (IoT). That is obvious once remote monitoring is added, but it holds even without it: the list of authorized users has to be maintained on, and each credential checked against, a central database over the network. As IoT devices, building access control systems face the same challenges as IP cameras, smart thermometers, and other connected devices. 

These challenges include poor security practices in firmware, limited support from vendors, and insecure communication protocols. Despite this, building access control systems play a crucial role in securing corporate offices and restricting access to sensitive information. It’s thus vital for cybersecurity teams to ensure that these devices are protected like any other device on the network.

What are Building Access Control Systems? 

Building access control system is an umbrella term for the technologies that govern who can and cannot enter a physical location. Such a system generally involves two components working in tandem: a physical device that serves as the access point, and the software that decides who does and does not have access. 

The physical devices include door readers that work with biometrics such as fingerprints or facial recognition, swipe cards, keypads or RFID, and smart locks that offer mobile credentials, key cards, key fobs, and even touchless unlocking. However a user authenticates, the credential is validated against a database to confirm that the person trying to enter the space is allowed to be there. 

These systems can cost businesses anywhere from $2,000 to $5,500 per door for installation and hardware, not including any ongoing maintenance costs or the price of software to manage the system. The overall cost of a physical access control system can thus be many thousands of dollars depending on how many doors need to be protected within a facility. 

Building access control systems are a critical piece of any physical security strategy. Ensuring that only authorized personnel can enter a facility keeps employees safe and lets them work without potentially dangerous individuals gaining access. These systems are also interconnected with other technologies, such as video monitoring, and are typically network- or internet-accessible to enable remote monitoring. That makes them IoT devices, and it puts them at risk.

Security Vulnerabilities in Building Access Control Systems 

Building access control systems like biometric readers and smart locks suffer from the same sort of cybersecurity weaknesses that plague other IoT systems. In some cases, these vulnerabilities take an extremely long time to be resolved. Take the example of Nortek’s Linear building access control products. There were vulnerabilities identified at the 2019 ICS Cyber Security Conference that were only patched this year – nearly five years after they were first revealed. 

There were also issues identified in Sceiner smart locks last year. The locks are sold under several brand names and consist of the lock hardware plus a mobile application that unlocks it. Problems were identified in both the lock firmware and the mobile application, including a single AES key used for all communication, processing of messages sent in cleartext, and insecure versions of the communication protocol. A single static key shared by every lock and every copy of the app means that anyone who extracts it can read and forge lock traffic, so these issues expose the locks to man-in-the-middle attacks, and an attacker who defeats the lock this way walks into a secure facility. 
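To make the single-shared-key problem concrete, here is an added example (not code from the page or from any lock vendor) that pits a sniffing attacker against two unlock designs: one that authenticates a fixed command with a key baked into every lock and every app copy, and one that uses a per-device key plus a one-time challenge. It uses HMAC-SHA256 from the Python standard library instead of AES so that it runs offline; the property under test, a static secret shared by all devices with no per-session freshness, fails the same way with either primitive. The device IDs, keys and message layout are invented for illustration.

```python
"""Replay and forgery against a lock that relies on one shared static key, next
to a challenge-response design that rejects both.

Added example, not code from the page or from any lock vendor. HMAC-SHA256
stands in for AES so the script needs no third-party package. Device IDs,
keys and the frame layout are hypothetical.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # SHA-256 output length; the tag is the last 32 bytes of a frame

# --- Weak design: one key baked into every lock and every copy of the app ----
SHARED_KEY = b"same-key-in-every-firmware-image"  # hypothetical hard-coded key


def weak_build_unlock(lock_id: str) -> bytes:
    """App side: fixed command plus a tag under the global key, no nonce."""
    msg = f"UNLOCK:{lock_id}".encode()
    return msg + hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()


def weak_lock_accepts(lock_id: str, frame: bytes) -> bool:
    """Lock side: checks the tag, but cannot tell a fresh frame from a replay."""
    if len(frame) <= TAG_LEN:
        return False
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if msg != f"UNLOCK:{lock_id}".encode():
        return False
    expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


# --- Hardened design: per-device key plus a one-time challenge ---------------
def unlock_message(lock_id: str, nonce: bytes) -> bytes:
    """Command bound to one lock and one challenge value."""
    return f"UNLOCK:{lock_id}:{nonce.hex()}".encode()


class HardenedLock:
    """Lock that issues a random nonce and accepts one response per nonce."""

    def __init__(self, lock_id: str, key: bytes):
        self.lock_id = lock_id
        self._key = key        # provisioned per device at enrollment (assumed)
        self._pending = None   # outstanding challenge, if any

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def accepts(self, frame: bytes) -> bool:
        if self._pending is None or len(frame) <= TAG_LEN:
            return False
        nonce, self._pending = self._pending, None  # consumed whether or not it verifies
        msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if msg != unlock_message(self.lock_id, nonce):
            return False
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def hardened_build_unlock(lock_id: str, key: bytes, nonce: bytes) -> bytes:
    """App side: answers the lock's challenge with the per-device key."""
    msg = unlock_message(lock_id, nonce)
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def demo() -> dict:
    """Run both designs against a sniffing attacker; returns accept/reject results."""
    r = {}
    # Attacker on the path captures one legitimate unlock frame for door-7.
    captured = weak_build_unlock("door-7")
    r["weak_legit"] = weak_lock_accepts("door-7", captured)
    r["weak_replay"] = weak_lock_accepts("door-7", captured)   # same bytes, later
    # The key in any app copy is the key in every lock: mint a frame for another door.
    r["weak_forged"] = weak_lock_accepts("server-room", weak_build_unlock("server-room"))

    key = os.urandom(32)  # per-device key known only to door-7 and its enrolled app
    lock = HardenedLock("door-7", key)
    frame = hardened_build_unlock("door-7", key, lock.challenge())
    r["hard_legit"] = lock.accepts(frame)
    lock.challenge()                                  # new session, new nonce
    r["hard_replay"] = lock.accepts(frame)            # stale nonce: rejected
    forged = hardened_build_unlock("door-7", os.urandom(32), lock.challenge())
    r["hard_forged"] = lock.accepts(forged)           # wrong key: rejected
    r["hard_no_challenge"] = lock.accepts(frame)      # nothing outstanding: rejected
    return r


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18} -> {'OPEN' if accepted else 'denied'}")
```

The hardened design stops replay and key-extraction forgery, which is the failure mode the Sceiner findings describe. It does not stop a live relay, where an attacker forwards the lock's fresh challenge to a legitimate phone in real time; that needs distance bounding or user intent checks on top. In a real product the per-device key would also be used with authenticated encryption (AES-GCM or similar) so that the command itself is not sent in cleartext.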

Lastly, in 2023 Axis Communications disclosed a serious issue in its network door controller. With physical access to a particular cable on the device, an attacker can exploit a heap-based buffer overflow to override the door lock and also manipulate the access logs to hide their tracks. This is more a physical-infiltration concern than a cyberattack moving laterally through the network, but that doesn’t make it any less of a security risk. 

How Should Organizations Protect Building Access Systems? 

As previously stated, building access control systems suffer from many of the same weaknesses that other IoT devices have. This includes poor security practices related to firmware, lax encryption standards, and insecure communication protocols. As a result, organizations need to ensure that their physical access control systems are as secure as possible. 

It’s a well-known fact that IoT devices can be used as a beachhead for lateral movement deeper into the network. This is often because IoT devices lack standard security measures, and are network-accessible with minimal protections against malicious code taking root and spreading deeper into the corporate network. 

Building access control systems, especially network-accessible ones, present the same risk. To that end, cybersecurity teams need to ensure that building access control devices run firmware that is as up to date as possible, are limited in their connections to the rest of the network, and operate with strictly limited permissions. If access control systems must be reachable from the internet, there should be strict limits on which workstations can reach them, and that access should pass through more than one layer of control (for example a jump host plus multi-factor authentication). Furthermore, their communication protocols need to be as secure as possible so that traffic cannot be intercepted or replayed. 
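The segmentation and protocol advice above is easy to state and hard to verify by eye. The following is an added example (not the page's or any vendor's code) that turns it into three checks run over flow-log lines: only designated management workstations or the head-end server may reach a device, devices may initiate connections only to the head-end server, and no flow touching a device may use a cleartext protocol. The subnets, the head-end address and the key=value log format are constructed for illustration; the sample lines are made up.

```python
"""Audit constructed flow-log lines for access-control devices against a
simple segmentation policy.

Added example, not the page's or any vendor's code. The subnets, head-end
address, log format and log lines are all hypothetical.
"""
import ipaddress
import re

MGMT_WORKSTATIONS = ipaddress.ip_network("10.50.1.0/28")   # hypothetical jump hosts
ACCESS_CONTROL_VLAN = ipaddress.ip_network("10.60.0.0/24")  # readers and controllers
ACS_SERVER = ipaddress.ip_address("10.70.0.10")             # hypothetical credential head-end
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed sample: compliant flows plus several policy violations.
SAMPLE_LOG = """\
2024-05-03T08:12:01 src=10.50.1.4 dst=10.60.0.21 dport=443 proto=tcp
2024-05-03T08:12:05 src=10.20.7.33 dst=10.60.0.21 dport=80 proto=tcp
2024-05-03T08:13:10 src=10.60.0.21 dst=10.70.0.10 dport=8443 proto=tcp
2024-05-03T08:13:22 src=10.70.0.10 dst=10.60.0.21 dport=443 proto=tcp
2024-05-03T08:13:40 src=10.60.0.21 dst=10.20.7.40 dport=445 proto=tcp
2024-05-03T08:14:02 src=10.60.0.22 dst=10.60.0.21 dport=23 proto=tcp
"""


def findings_for(src: str, dst: str, dport: int) -> list:
    """Policy violations for one flow; an empty list means the flow is allowed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_dev, dst_dev = s in ACCESS_CONTROL_VLAN, d in ACCESS_CONTROL_VLAN
    if not (src_dev or dst_dev):
        return []  # not access-control traffic; out of scope for this check
    out = []
    if dport in CLEARTEXT_PORTS:
        out.append(f"cleartext {CLEARTEXT_PORTS[dport]} to/from access-control device")
    if dst_dev and not src_dev and s not in MGMT_WORKSTATIONS and s != ACS_SERVER:
        out.append("inbound from non-management host")
    if src_dev and not dst_dev and d != ACS_SERVER:
        out.append("device-initiated egress to corporate network")
    if src_dev and dst_dev:
        out.append("device-to-device traffic inside the VLAN")
    return out


def audit(log_text: str) -> list:
    """Return (line, findings) for every parseable line that violates policy."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; a production tool should count these too
        f = findings_for(m.group(1), m.group(2), int(m.group(3)))
        if f:
            violations.append((line, f))
    return violations


if __name__ == "__main__":
    for line, f in audit(SAMPLE_LOG):
        print(line)
        for item in f:
            print("   -", item)
```

Run against the sample, three of the six lines are flagged: the corporate host reaching a reader over HTTP, the reader opening SMB to a corporate workstation (the beachhead pattern the previous paragraph warns about), and one reader talking Telnet to another. The same three predicates translate directly into firewall rules between the access-control VLAN and everything else, and the audit is the check that those rules are actually doing their job.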

For anyone who has secured IoT devices in the past, this advice should seem familiar. Building access control systems need to be treated the same as IP cameras, remote sensors, and other connected devices. 

How Asimily Helps Secure Building Access Control Systems 

Asimily’s IoT security platform was designed to simplify IoT security. With Asimily, security teams charged with physical access security gain unparalleled visibility into IoT devices – like building access control systems – on their networks to ensure they have insight into device type and any associated vulnerabilities. Asimily’s anomalous behavior detection technology offers clues into whether a device is compromised, empowering security teams with intelligence to act on possible attacks in progress.

Further, Asimily’s continuous intelligence empowers teams to monitor traffic from building access control devices and vulnerabilities without interruption. This ensures that security teams can act quickly on potential issues. Security teams can also use Asimily’s Risk Simulator to assess options for mitigating the risk from hardware or software vulnerabilities. Simulating a fix first can help determine criticality and whether attackers will even try to breach the system. That’s critical information when deciding how to improve corporate security posture.

Asimily enables security teams with the ability to pinpoint potential weaknesses, vulnerabilities, and their severity with laser precision, all while contextualizing the data to help you prioritize remediation and reduce true risk. With Asimily, customers can provide secure remote access and protect what really matters.

Building access control systems present a risk profile similar to that of many other IoT devices. With Asimily, teams can ensure that their buildings remain secure and that access is granted only to those who are supposed to have it. Keeping building access limited to authorized personnel is vital now and will remain so in the future. 

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
