Physical Acces Control Systems are affected too
I did some consultancy for the Probation Service in England. I visited a Probation Office which used a PIN entry system for securing teh doors between the insecure offender area and the secure office area. Each member of staff had a PIN used to gain acess.
One day an offender was found in the office area unescorted. When aske how he got there he said he had been 'playing' wiht the PIN pad and the door had just opened. The PIN he said he used worked, but was not one issued by the Probatin Office to its staff. neither could the Probation Office delete it. It turned out to be the manufacturer's hard-coded access PIN to be used in case a customer got locked out. It took a bespoke software patch to fix it.
So now I advise clients to get a letter signed yb the supplier to the effect that there are no means of acess of which the customer is not aware, and in particular no hard coded PINs or master pass cards (for RFI enabled locks).
(The offender was not a violent one, forunately, but had lots of time to do a key search attack, something else to think about.)
Biting the hand that feeds IT
