His video would have been 40 seconds long though.

@@SianaGearz true

Looked for this comment, found it

Same, Rob G

Yep

That's exactly the use case for them... It's not meant to be a secure only lock (even by the fact it needs power to secure the door)

Yes but the switch is a fake of the MK series from the UK.. Like the Metallica song goes: "SAD BUT TRUUE!!"

At least some of those higher end systems are also capable of associating RFID tags with employee names, so there would be a log showing which employee (name and/or ID) entered which door at which date and time, possibly even indicating in red when someone access it outside defined "business hours". I've seen such systems in use in large office and school buildings!

Security torx screws are useless! All it takes is a small flathead to reliably remove security screws. I can’t remember the last time I have used a security driver...

Do RC I swear I knew I’ve seen this somewhere. I knew it was lpl, I just can’t find the video he did about this

oh, *Lock Picking Lawyer* ...? Worked that one out after reading another comment; why couldn't you have just said that...?

If i remember correctly, in the UK there is supposed to be a "break glass" emergency release next to the door (the older sort have actual glass in them that breaks when you press hard, and when the glass is broken, it operates a switch which releases the door, the newer ones have a plastic peice in them which drops down slightly when you activate it) and the "break glass" emergency release is supposed to be wired so that even if the control system for the lock became unresponsive (to where the normal way of releasing the door doesnt work) the emergency release would still work (in the case of this lock the emergency release would go between the lock itself and the power supply)

thats called osdp

Yes, although this is standard for magnetic locks unless you added in a battery backup. There are other types of locks that require a power supply in order to unlock so these will remain locked in the event of a power outage but they would then also require a mechanical override such as a door handle to allow the door to open in the event of a failure/emergency.

Failsafe vs fail secure. safety vs security

There was already a platsic sheet in place so it's still in there

Potentially depending on how strong the magnet and handle are but they usually aren't too bad if properly installed. However this kit is also available with other locks including drop bolts and various latches which would also be affected by the flawed architecture, it's not only available as a maglock.

Unfortunately protecting the screw isn't really sufficient as the plastic keypad could be easily pulled/smashed off of the wall. The flaw with this system is an architectural issue - a secure door entry system carries out all authentication and control of the lock from a controller in secure location. The keypad should just be a dumb keypad/RFID reader that sends the data to the controller over an (ideally encrypted) digital link.

At 6:20 I temporarily connected it by using a couple of Wago terminals, at 13:29 I show myself replacing these red wires with a piece of proper mains flex wired directly into the power supply as it should really be earthed and having that pair of single insulated wires outside of the enclosure isn't compliant with regulations in the UK.

Sure, the average burglar won't have a manual but that doesn't really excuse this flaw, if someone wanted to target a specific lock they could fairly easily figure it out and if enough of these locks ended up in the wild, the process of bypassing them could become common knowledge. As for the 240v comment, the keypad is a 12v device so there's no risk of coming into contact with the mains.

That would make it harder but then there's still nothing stopping someone simply cutting the wires and joining them together that way. IMO the only way to do this securely is to have the PIN validation and lock control handled by a controller on the secure side of the door and have the external device simply be a dumb keypad that sends the key presses and card data to the controller on the inside of the door.

Works great on my parents side gate , they love it. Open your mind!! Do you find things difficult?

@paulattree4171 I'm an engineer Paul, so no i don't find things difficult. Open my mind to what? The fact that it is not earthed which by the way is UK regs and the chasis can become live at any time? This is a dangerous product when not earthed. Not difficult to know that if you have the knowledge.

The issue is that the processing is done on the insecure side of the door, even with a better screw, the outside unit could still be forced off the wall with a crowbar.etc. For a system like this to be secure, the external unit should purely read PIN numbers and card data and send it over an encrypted digital connection to a controller on the secure side of the door, this controller is what validates the data and ultimately controls the door lock. That way, if you force the external reader off the wall, all you'll have access to is a digital connection that you can't compromise by simply shorting wires out.

Power passed into the control input is purely a signal to control the output, it does not pass through or power the device so this wouldn't work. You'd probably be better off with a higher end access control system that has a proper battery backup facility.

@@camerongray1515 ok but for what's is that batery you have connected on 13:13 seconds on control + and-

That was just to provide a 12v supply to those pins to demonstrate how they'll trigger the lock to open, if the power supply wasn't plugged in, that battery would do nothing.

@@camerongray1515 thanks for the info👍

With the commercial systems I've seen (Paxton being one that I've personally worked with) the difference is with the architecture. With the higher end systems, the actual controller that connects to the lock and that handles the logic is separate from the keypad. The controller can therefore be stored in a "secure" location (often even simply on the wall inside the door) then all the keypad does is send keystrokes or card information to the controller. The controller then handles all authentication. If someone is able to break the keypad off the wall, all they have access to is a digital connection which if designed correctly, cannot be used to open the door.

I agree they are able to do oh so much more but your getting what you pay for you pay little you get little. But even the high ends have draw backs its a give and take world i guess. And i did enjoy the video it just had me thinking how to over come some of short coming to make it a little better and keep it cheap. I used to install the bigger much much bigger system and miles of wire in nursing homes and businesses about, wow... 20years ago. But thank you for the video and ill be checking out more for sure.

Another issue with it is that a magnet could be used to activate the relay in the keypad, which causes the door to unlock

Unfortunately the issue goes beyond how it is installed, in my opinion there would be no safe way to install this system as the wiring to open the door will always have to be connected to the reader on the outside fo the door. In my mind, the only way to correctly do this is to have a dumb card reader/keypad on the outside of the door connected over a digital connection to a controller in a secure location with the controller switching the power to the lock. That way, if the card reader is removed, the attacker will only have access to this digital connection which can't simply be shorted out to unlock the door.

@@camerongray1515 I totally agree. I have those cheap ACS installed on my clients, as much as possible, no wirings must be easily accessible outside, if possible, chip a portion of the wall to submerge all the wirings or even the reader/keypad itself. We have better ACS systems thou most of my clients prefer this type of ACS. The price of good ACS comes in to factor as well.

​@@JericDacara I think my fear with mounting it that way would still be that at least with this one, it's only made of plastic so simply smashing it with a hammer from the front could give access to the wiring inside. I definitely agree that the "proper" systems can be significantly more expensive though.

That's exactly how the professional systems work - there is a control unit located on the "secure" side of the door (or even locked away separately) that handles all authentication and connects to the lock (often also has a battery backup). The card reader/pin pad.etc then connects to this unit using a digital connection that simply sends key presses/card data, if someone were to break off the keypad/card reader, the most they can do is access these digital lines which are of much less use for opening the door. Suspect you may be able to brute force codes by simulating a keypad on these digital lines although this could be mostly solved by rate limiting.

@@camerongray1515 there is an attack that someone has done with the better systems, where they installed a device of some sort (which essentially grabs the credentials when someone scans a card, and can then use that credential to unlock the door for the attacker)

That's definitely true, they can often be defeated with fairly standard card cloning type stuff, but that would take a lot more effort, skill and hardware than something like this that could likely be done purely with physical brute force. Card cloning can usually be overcome by additionally requiring a PIN after scanning a card essentially implementing 2FA. This is standard in most higher security applications.

They could and assuming you'd need to use both locks or if this is only used as a sort of basic form of access control when the main lock is unlocked then it's not necessarily dreadful assuming the risks have been considered. The issue is people fitting these in situations where they're the only form of lock on something that should be kept secure. I've seen these things used on "secure" car parks and doors to apartment buildings as the primary lock.

@@camerongray1515 I get what you're saying because there are some access control systems that are lot more secure for example Paxton net2 access control uses proximity readers and proximity fobs and it's configure the on a PC which I think is pretty cool what I'm going to be getting for my shed is a Paxton switch 2 controller to use on my shed but I also have a padlock installed on the shed door which makes it extra secure

Yeah, those systems do it correctly by keeping the actual brains that control the lock in a secure location so if someone were to remove the reader, there's not much they can do as it's a digital connection. I've used Paxton net2 briefly in a commercial office (although admittedly just to enrol a card, I didn't actually install it). My fear with the cheaper systems like the one shown in this video is that people see the Paxton systems in use in commercial settings then see the cheap devices on Amazon and think of them as being the same thing.

Interesting, I imagine it's more of an attempt to seal it against moisture rather than any sort of security improvement. If the device is architected the same as the one I showed here (i.e. where all the processing is done by the external keypad) then you're still vulnerable if an attacker can get to the cable.

Just got one too and my back is fully open Seperate question though and maybe this is my being stupid. I can't get it to power with a 12v batter back connected to the PSC

A high end system will have the digital processing logic running on a controller in a secure location, on the outside of the door you would have a dumb keypad that would send a digital signal to the controller containing card information/pressed buttons. If an attacker were to remove the keypad, all they would have access to is this digital connection which can't simply be shorted out. With the system shown here, the system simply sends an open signal directly to the relay which can be shorted out easily.

With this it's very much down to the system architecture rather than the actual physical hardness. Even a cheap plastic keypad can be perfectly secure if the actual processing is done on the inside of the door and all the keypad does is send a digital signal of keypresses/card information to a controller in a secure location. A super robust metal keypad is still flawed if it's possible to simply short some wires inside to open the door. The issue with the system I demonstrated here is that the wiring behind the keypad has a wire that can simply trigger the door to open. If all there is behind a keypad is a digital connection to an external controller, it's not going to be possible to attack this without simply brute forcing codes down it and even that could be prevented if the digital signals are encrypted. At that point, it would be easier to physically break the door down rather than to bother attacking the access control.

@@camerongray1515 Hmm.. Since I got your attention on this, and indeed you seem to be one of a few that actually plays with this stuff like me, could you do a very very simple test? Place the keypad behind a piece of 3/4" thick board like what you used to mount it but try to trigger the keypad by putting the fob to the board instead of direct to the face of the keypad. Will it pick up the signal THROUGH a WALL? That is the experiment. See, IF that is possible, you can HIDE the keypad INSIDE the wall but behind a skin thin enough to allow the RF signal to pick up the fob but thick enough to still be THE WALL. Inside a house or office the wall hiding the keypad face would be drywall or plasterboard as is called in some places. But on a BRICK exterior though? Hmm, a thin fake brick tile in front of the keypad hidden inside a recess in the wall? You can test this by placing a ceramic tile or piece of plasterboard in front of the keypad and try to trigger it with the fob. See, that is the idea I have to resolve the OBVIOUS device next to a door conundrum I am having in a bad neighborhood where break ins ARE prevalent. The door and prison lock then become real secure if the thief can not SEE a keypad or keylock switch to try and tamper with. And yes.. a controller placed in a secure location is key here lol! I have read some keypads with RFID sensors, allow you to remove the RFID sensor part and place it remotely some where to trigger the keypad too, but without the keypad electronics being present at the remote location, without having to buy some expensive networked access control system to achieve this. The manual PDF states you can place the plastic RFID sensor that just has the 2 wires attached to it, to say the outside of your front door with the keypad on the inside in a secure location. The keypad is made of plastic too so that makes sense no? BUT, can you HIDE the sensor behind say plasterboard or a thin brick and have it still work? THAT is the experiment I am wanting you to try since you DO have a keypad like that. Shoud be simple and real quick to know if the RFID signal is strong enough to pick up through tile, brick or plaster or wood panel.

Unfortunately I can't really test much with this since I'm currently using the power supply for another project and the rest of the parts are stored away although I imagine it's very dependant on the reader and fob used as to how strong the signal is. That said, a properly designed system with a reader that has a purely digital interface to a securely stored controller should be totally secure and can't be tampered with from the reader. Systems like these are commonly deployed in many high security applications such as datacenters without issue. I can't imagine hiding the reader to have any real benefit from a security perspective. You'd also realistically need some sort of manual override in the event of a system failure (either to cut power in the event of a fail safe lock or some sort of manual key lock if a fail secure lock is used). This is likely to be a much more likely plan of attack, the average burglar isn't going to be attempting to exploit a controller through an externally accessible digital connection.

Additionally, in high security environments it's important to have multiple factor authentication, you'd usually have both a key fob/card and then have to enter a PIN into the reader. This prevents people being able to use stolen/cloned cards as they won't know the PIN. Therefore you'd need to have an accessible keypad to enter the PIN.

The issue is greater than just the screw, even if the keypad was mounted flush, it could still be destroyed by hitting it hard enough which would expose the wiring. The way this should be done (as is the case with professional systems) is that the device on the outside should purely read card details and key presses and send these over a digital connection to a device on the "secure" side of the door which checks the code/card and operates the lock. With this, even if the card reader is totally ripped off the wall, all an attacker will have access to is this digital connection which can't simply be shorted out to open the door. The worst that could be done would be to attach a device to this digital connection to brute force a code but even this could be resolved by using encryption across this link.

This system doesn't have any sort of ability to use a "slave reader" and it clearly is designed to have the keypad on the insecure side of the door and the push to exit button on the secure side which is the issue. The way to do this correctly is to have an access controller where the actual processing is carried out by a device in a secure location which is connected to a dumb keypad on the outside of the door over a digital link. IMO there is no way to install the system shown in this video without it being vulnerable.

It's not like I forced you to watch the video... The point is to demonstrate the issue to people who don't understand the security risk of such locks and end up using them where they're not suitable. It's not like I'm trying to act like some sort of security defeating god... No need to flex that you can assemble an undefeatable door, I'm not saying that I can defeat anything that's designed properly!

@@camerongray1515 Gotcha.