Physical security systems are generally designed to monitor egress and/or enable controlled entry to buildings and infrastructure.
They also prevent unauthorised access to things like industrial control systems, smart energy assets, military installations and so on.
Yet, physical barriers are no good to anyone if they can be easily hacked.
Over recent years, CyTAL has become heavily involved in designing cyber-security requirements for physical security.
Such arrangements are designed to encourage manufacturers of cyber physical systems to improve the security of their solutions, whilst also making it easier for customers to find and select the right product.
As is the case with most technology today, cyber physical systems are becoming more and more involved – with many now offering a facility to talk to the cloud, whilst others exhibit biometrics and AI features.
Even end devices (like video cameras, readers and keypads) are a lot smarter than they look and could therefore be a point of weakness.
If you’re not seeking formal certification, but simply want to put your cyber physical product/system through its paces, come and talk to us.
Interfaces between products and systems have never been so important to protect and this is where CyTAL really leads the way.
Our advanced security software allows vendors and end-users to assess such interfaces, prioritise previously unknown security issues and then tackle them before they become exposed to the outside world.
When Physical Security Meets Cyber Threats
Access control systems are the frontline defense protecting buildings, data centers, critical infrastructure, and sensitive facilities. But as these systems become increasingly connected and sophisticated, they’ve evolved from simple physical barriers into complex cyber-physical systems that present significant security challenges.
Modern Physical Access Control Systems (PACS) integrate card readers, biometric scanners, control panels, networked cameras, and cloud management platforms. They use advanced protocols, support remote configuration, and often connect to broader building management and IT systems. This connectivity and complexity creates an expanded attack surface that threat actors are actively exploiting.
A compromised access control system doesn’t just mean an unlocked door it can provide attackers with physical access to critical infrastructure, IT assets, and sensitive areas, while also exposing data about personnel movements, security configurations, and operational patterns.
The Protocol Evolution Challenge
The access control industry is undergoing a significant protocol transition that brings both opportunities and risks:
Legacy Protocols:
- Wiegand – The decades-old standard still widely deployed, offering no encryption or authentication
- Proprietary protocols – Vendor-specific implementations with unknown security characteristics
Modern Protocols:
- OSDP (Open Supervised Device Protocol) – The emerging industry standard offering encrypted, bi-directional communication
- BACnet – For integration with building automation systems
- MQTT/REST APIs – For cloud-connected and IoT-enabled access control
- Mobile access protocols – Bluetooth Low Energy (BLE), NFC, and smartphone-based credentials
Each protocol has distinct security implications. While modern protocols like OSDP offer enhanced security features including encryption and authentication, their increased complexity introduces new vulnerability risks. Implementation flaws in these sophisticated protocols can create backdoors that undermine the very security they’re designed to provide.
Security Challenges in Modern Access Control
Protocol Implementation Vulnerabilities
Moving from simple Wiegand to complex OSDP implementations significantly increases code complexity. Research has shown that this complexity introduces implementation bugs and vulnerabilities that can be exploited to bypass access controls, manipulate configurations, or compromise entire systems.
IT/OT Convergence Risks
Access control systems now bridge physical security (OT) and IT networks. They connect to Active Directory, interface with video management systems, and integrate with cloud platforms. Each integration point is a potential vulnerability.
Cloud and Remote Access
Cloud-managed access control offers operational benefits but expands the attack surface. Remote configuration capabilities, while convenient, can be exploited if protocol security is inadequate.
Biometric and AI Features
Advanced features like facial recognition, behavioural analytics, and AI-powered threat detection add processing complexity and data privacy concerns that require careful security consideration.
Supply Chain Complexity
Modern PACS involve multiple vendors card readers from one manufacturer, control panels from another, and software from a third. Each component and interface must be secure.
Our Expertise
CyTAL has extensive experience in access control and cyber-physical security. We’ve been instrumental in designing cybersecurity requirements and certification schemes for physical security systems, working with industry bodies and standards organisations to raise the security baseline across the sector.
We help access control manufacturers, system integrators, and facility operators to:
Test Protocol Implementations
Whether you’re implementing OSDP, Wiegand, or proprietary protocols, we identify vulnerabilities in your protocol stack before attackers do. Our testing reveals implementation flaws, encryption weaknesses, and authentication bypasses.
Secure Product Development
We work with manufacturers throughout the development lifecycle from architecture review to pre-deployment validation ensuring security is built in from the start.
Achieve Certification Requirements
We guide you through certification processes and help you meet emerging security standards for physical security products.
Validate System Integrations
When multiple vendors’ products must work together securely, we test the interfaces and integration points to identify weaknesses in the broader system.
Assess Deployed Systems
For organisations operating access control infrastructure, we evaluate your current security posture and identify vulnerabilities in deployed systems.
ProtoCrawler: Purpose-Built for Access Control Protocols
ProtoCrawler is our advanced fuzzing platform designed to discover vulnerabilities in both legacy and modern access control protocols. Unlike generic security testing tools, ProtoCrawler understands the deep semantics of access control communication, enabling it to find critical implementation flaws that other approaches miss.
ProtoCrawler excels at testing:
- OSDP implementations (including encryption and authentication mechanisms)
- Wiegand interface implementations
- Proprietary access control protocols
- Mobile credential protocols (BLE, NFC)
- Cloud API interfaces
- Integration protocols (BACnet, MQTT)
By fuzzing at the protocol level, we uncover vulnerabilities like:
- Authentication bypass vulnerabilities
- Encryption implementation flaws
- Command injection vulnerabilities
- Buffer overflows and memory corruption
- State machine errors
- Privilege escalation issues
Explore supported protocols: View our protocol library
Real-World Security Impact
The vulnerabilities we discover have serious consequences for physical security:
- Unauthorised access – Protocol flaws can allow attackers to bypass authentication and gain physical entry
- Credential theft – Weak encryption or implementation errors can expose credential data
- Remote exploitation – Vulnerabilities in cloud-connected systems can be exploited remotely
- Configuration tampering – Attackers may modify access policies, unlock doors, or disable security features
- Denial of service – Systems can be crashed or disabled, creating security gaps
- Lateral movement – Compromised access control systems can provide attackers with footholds into broader IT networks
Industry Leadership and Standards Development
CyTAL doesn’t just test products we help shape the security standards that protect the industry. Our work with certification schemes and industry bodies ensures that security requirements evolve to address emerging threats.
We understand the balance between security, usability, and operational requirements. Our recommendations are practical and implementable, reflecting real-world deployment constraints.
Why This Matters Now
The shift from legacy Wiegand to modern protocols like OSDP is accelerating. Organisations are upgrading systems and deploying new installations with advanced capabilities. This transition period creates risk new protocols are more complex, and the industry is still learning how to implement them securely.
Recent security research has demonstrated that even well intentioned security improvements can introduce new vulnerabilities if implementation isn’t thoroughly tested. The complexity of modern access control systems means that traditional security testing approaches are insufficient.
The cost of discovering vulnerabilities after deployment particularly in critical infrastructure or high-security facilities is enormous. Physical security breaches can have severe consequences for safety, operations, and regulatory compliance.
Protect Your Access Control Systems
Whether you’re developing new products, integrating systems, or securing deployed infrastructure, CyTAL can help you:
- Identify and remediate protocol implementation vulnerabilities
- Validate security of OSDP and other modern protocol implementations
- Test legacy system security and plan secure migrations
- Assess security of integrated multi-vendor systems
- Meet certification and compliance requirements
- Implement security best practices throughout the development lifecycle
Contact us to discuss how we can help secure your access control systems.
Applications we secure: Building Access Control | Data Center Security | Critical Infrastructure Protection | Campus Security | Government Facilities | Industrial Site Access | Multi-Tenant Buildings | Smart Building Integration