🔌 When Doors Go Digital: Cyber Risk in Physical Access Control

By James K. Bishop, vCISO | Founder, Stage Four Security

🔓 From Locks and Keys to Credentials and Clouds

This post explores the cyber risks created by modern PACS deployments and how Zero Trust principles help prevent physical systems from becoming digital liabilities.

🧠 Why Attackers Target Physical Access Systems

  • Badge cloning: Tools like Proxmark3 or Flipper Zero can clone legacy 125 kHz RFID cards in seconds.
  • Credential relay: Using mobile relays, attackers capture NFC signals and replay them from a different location.
  • Controller exposure: Many PACS panels are on flat networks or exposed to the internet with default credentials.
  • Cloud misconfigurations: Cloud-based access control platforms often lack MFA or role-based admin separation.

Compromise here isn’t theoretical—it’s happening. Once inside, attackers can move laterally, access sensitive systems, or even disable alarms and surveillance.

🛠️ Real-World Case Study

In a 2023 breach, a retail chain experienced a physical intrusion after attackers accessed the cloud admin portal of its access control vendor using stolen credentials (no MFA). From there, they unlocked rear doors at multiple locations remotely—timing the intrusion with unmonitored hours.

This attack required no technical compromise of the physical devices—only abuse of poor identity and access hygiene in the cloud admin tier.

🧱 Applying Zero Trust to Access Control

Zero Trust isn’t just for networks—it applies to buildings too. Here’s how:

  • Strong identity: Use modern credentials like encrypted badges, mobile tokens with biometric unlock, or FIDO2 for admin access.
  • Least privilege: Grant physical access by role, time, and zone—just like you would with digital access.
  • Context-aware access: Require MFA or re-authentication for high-risk actions like remote unlocking.
  • Segmentation: Isolate PACS panels on separate VLANs or OT networks. Never expose them to the public internet.
  • Logging & monitoring: Treat badge use like a login event. Monitor access attempts, alert on anomalies, and retain logs.
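As an added example (not code from the original post or from Stage Four Security), the following Python sketch shows how three of the principles above look when written down as rules: a least-privilege decision by role, time window and zone; an MFA requirement for the high-risk remote-unlock action; and anomaly detection that treats badge swipes and portal actions like login events. The roles, zones, sites, the monitored-hours window, the alert thresholds and every event in `SAMPLE_EVENTS` are constructed for illustration and are not taken from any real deployment or vendor product.

```python
"""Policy check and anomaly detection for physical access control (PACS) events.

Everything here is constructed for illustration: the role policy, the sites,
the monitored-hours window, the thresholds and the sample events.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Tuple

# Hypothetical least-privilege policy: each role gets a set of zones and a local time window.
POLICY = {
    "warehouse_staff": {"zones": {"loading_dock", "warehouse"}, "hours": (time(6, 0), time(20, 0))},
    "store_manager": {"zones": {"sales_floor", "stockroom", "loading_dock"}, "hours": (time(7, 0), time(22, 0))},
    "cleaning_crew": {"zones": {"sales_floor"}, "hours": (time(21, 0), time(23, 59))},
}

# Assumed window during which sites are staffed; remote unlocks outside it are suspicious.
MONITORED_HOURS = (time(7, 0), time(22, 0))


@dataclass
class AccessEvent:
    ts: datetime
    actor: str   # badge id or admin account
    role: str
    site: str
    zone: str
    source: str  # "badge" = presented at a reader, "remote" = unlock from the cloud admin portal
    mfa: bool = False


def in_window(t: time, window: Tuple[time, time]) -> bool:
    start, end = window
    return start <= t <= end


def decide(ev: AccessEvent) -> Tuple[bool, str]:
    """Least-privilege decision: the role must cover the zone and the request must fall in the
    role's time window. A remote unlock is a high-risk action and additionally requires MFA."""
    rule = POLICY.get(ev.role)
    if rule is None:
        return False, "unknown role"
    if ev.zone not in rule["zones"]:
        return False, "zone not permitted for role"
    if not in_window(ev.ts.time(), rule["hours"]):
        return False, "outside permitted hours"
    if ev.source == "remote" and not ev.mfa:
        return False, "remote unlock requires MFA"
    return True, "allowed"


def detect_anomalies(events: List[AccessEvent],
                     travel_gap: timedelta = timedelta(minutes=30),
                     burst_window: timedelta = timedelta(minutes=15),
                     site_threshold: int = 3) -> List[Tuple[str, str, datetime]]:
    """Return (actor, reason, timestamp) alerts. Thresholds are assumptions, not vendor defaults."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)

    # Rule 1: every remote action without MFA, or outside monitored hours, is worth an alert.
    for ev in ordered:
        if ev.source != "remote":
            continue
        if not ev.mfa:
            alerts.append((ev.actor, "remote unlock without MFA", ev.ts))
        if not in_window(ev.ts.time(), MONITORED_HOURS):
            alerts.append((ev.actor, "remote unlock outside monitored hours", ev.ts))

    # Rule 2: one admin account unlocking doors at several distinct sites within a short burst.
    remote_by_actor = defaultdict(list)
    for ev in ordered:
        if ev.source == "remote":
            remote_by_actor[ev.actor].append(ev)
    for actor, evs in remote_by_actor.items():
        for i, first in enumerate(evs):
            sites = {e.site for e in evs[i:] if e.ts - first.ts <= burst_window}
            if len(sites) >= site_threshold:
                alerts.append((actor, f"remote unlocks at {len(sites)} sites within {burst_window}", first.ts))
                break

    # Rule 3: the same physical badge used at two different sites sooner than travel allows
    # (a cloned or relayed credential is one explanation; a shared badge is another).
    badge_by_actor = defaultdict(list)
    for ev in ordered:
        if ev.source == "badge":
            badge_by_actor[ev.actor].append(ev)
    for actor, evs in badge_by_actor.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.site != cur.site and cur.ts - prev.ts < travel_gap:
                alerts.append((actor, f"badge used at {prev.site} and {cur.site} {cur.ts - prev.ts} apart", cur.ts))
    return alerts


# Constructed sample: one badge that appears at two stores 8 minutes apart, and one admin
# account unlocking loading docks at three stores in the middle of the night without MFA.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2024, 5, 3, 8, 12), "badge-1042", "warehouse_staff", "store-17", "loading_dock", "badge"),
    AccessEvent(datetime(2024, 5, 3, 8, 20), "badge-1042", "warehouse_staff", "store-42", "loading_dock", "badge"),
    AccessEvent(datetime(2024, 5, 4, 2, 31), "admin-jdoe", "store_manager", "store-17", "loading_dock", "remote"),
    AccessEvent(datetime(2024, 5, 4, 2, 34), "admin-jdoe", "store_manager", "store-23", "loading_dock", "remote"),
    AccessEvent(datetime(2024, 5, 4, 2, 39), "admin-jdoe", "store_manager", "store-42", "loading_dock", "remote"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.ts, ev.actor, ev.site, ev.zone, ev.source, decide(ev))
    for actor, reason, ts in detect_anomalies(SAMPLE_EVENTS):
        print("ALERT", ts, actor, reason)
```

The policy check runs at decision time and would have refused the night-time remote unlocks on two independent grounds (outside the role's hours, and no MFA); the detector runs over the retained log and would still surface the burst even if the policy had been misconfigured to allow them. Real deployments would feed the alerts to the SIEM and tune `MONITORED_HOURS` and the thresholds per site.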

⚠️ Common Pitfalls to Avoid

  • Using legacy unencrypted RFID cards (e.g., HID Prox)
  • Relying on shared admin credentials with no audit trail
  • Exposing access panels to public IPs “for convenience”
  • Skipping firmware updates due to vendor dependency

Modern physical systems must be treated as cyber assets. If it connects, it’s a target.

📣 Final Thought

The door is no longer just a physical boundary—it’s part of your digital threat surface. A modern attacker doesn’t pick locks—they pick credentials and cloud consoles.

Want help evaluating the security posture of your access control systems? Let’s talk.