Is the HAI 75A00-1 card reader secure?

[Mr Spock]

Was thinking of using these in 3 or 4 places. After getting the connection schematic from HAI i realized that anyone who can get their hands on the backside of this card reader can easily open the lock. It appears all you have to do is jumper the 12V input to the door lock output (red to white) and your done.

Am I right about this? Is this design considered secure?

 

[gatchel]

I would have to say that it's probably not the most secure design. I don't know that specific reader but there may be other more secure options where the control wiring is wired from a remote control panel that is not accessible from the unsecured side of the door. It really depends on what you consider secure. If the door is wood or has glass and I want to get in the reader is the last thing I will fuss with.

 

[Del91574]

Definately not a secure design. In the case of a true access control system, your REX and DPS are also available and easily compromised by removing the reader from the wall.

If another output and inputs were used and data was the only item at the door, that would improve it.

 

[Basildane]

Hi, First off, NEVER use the output from the reader to control the door strike. I've had readers burn up because of this, when there is a strike problem and it overloads the output from the card reader.

Much more secure to run 1 pair to a relay controlled output directly from the panel. Then use programming to control the relay based on input from the card reader.
This is much more flexible in terms of automation, more secure because pulling the reader off the wall doesn't get you access to the strike wires, and more reliable because of the decreased power load on the card reader.

 

[Del91574]

Not to argue on a poor design, but irregardless, the output on the reader would best be used to trigger an offboard relay to handle the current far better than the onboard, as well as offer a point of isolation, however, the design still provides the same gaping holes for security purposes as the triggers that would be run through the output are still subject to compromise.

Part of the appeal of using something like this reader is to knock the amount of cabling run to the door, as the most common inputs would be for a DPS and REX, both of which are still subject to compromise, which besides the relay, is far more troubling, as the door lock relay wouldn't need to be messed with if the REX were hit, it would unlock the door, bypass the DPS and trigger whatever other events were driven off the REX input.

The other option is to bend weigand data to 485 and then bring it in through a serial on the OP.

 

[Mr Spock]

Good points all.

I see two vulnerabilities with this product. This all assumes the back side can be accessed by (presumably) crowbarring the reader that is casually glued or screwed off the wall.

Breach method 1: Jumper the 12V input to door lock output.
Easiest way around this vulnerability is to do what was recommended above; using the 12V outputs from the panel to trigger my door strikes instead of the readers. I would call this a serious vulnerability with an easy and effective workaround. My strikes only use 40mA on the trigger line anyway, so the load is no problem.

Breach method 2: Access the RS485 bus and hack the HAI system.
To do this you would need some kind of laptop PC wired into the two RS485 wires and the software to emulate a card scan. I don't know how secure the HAI system is to hacking into their bus. It seems to me the only way to avoid this issue is to make access to the back side or internals as difficult as possible. Maybe putting it behind a cover plate so its inconspicuous.

So what is a DPS, REX, and weigand data? I'm new to security.

What kind of range and material penetrability does this 125kHz reader have?

Thanks.

 

[gatchel]

DPS = Door Position Switch (Door Contact)
REX= Request to EXit

125khz readers don't typically like metal Some will work with little no range. Some won't work at all.