Server-room lock was nothing but a crock

The setup — and the surprise
A former employee, who asked to be called Pete, told The Register about a laughably fragile fix to a real problem. His company, a parking-fee processor chasing ISO 27001 certification, discovered that its server-room network was directly tied to production. The supposed solution was simple: a two-factor door lock — swipe a card, punch a four-digit PIN, and you’re in. It sounds tidy. Until it wasn’t.
The bypass
During a pre-audit drill, a junior sysop started bashing the keypad without swiping a card — and the door popped open. Allegedly, if more than 10 or 11 digits were entered, the lock’s logic became overloaded and it unlocked itself. Entering the expected four-digit code, right or wrong, behaved as intended; overwhelm the keypad and the guardrails fell away. The vendor who sold the unit reportedly wasn’t the manufacturer and couldn’t fix the fault, and a promised replacement from the maker reportedly never materialized while Pete was there.
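The failure described above is a fail-open input bug: extra keypresses pushed the controller into a state its designers never handled, and the unhandled state meant "unlock". The sketch below is an added illustration, not code from the article, the vendor or Pete's employer, and the card id, PIN, lockout threshold and state names are all assumptions. It shows the defender-side shape of a keypad handler that cannot get there: digits are never buffered until a valid card has been presented, the PIN buffer is fixed at four digits and is evaluated and cleared the moment it fills, every anomaly drops back to the locked state, and repeated wrong PINs lock the unit out rather than loosening it.

```c
/* Added example (not from the article or the lock vendor): a fail-closed
 * two-factor keypad state machine. Card id, PIN and limits are made up. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN   4   /* the article's four-digit PIN */
#define MAX_WRONG 3   /* assumed lockout threshold, not from the article */

typedef enum { ST_IDLE, ST_CARD_OK, ST_UNLOCKED, ST_LOCKED_OUT } lock_state_t;

typedef struct {
    lock_state_t state;
    char pin_buf[PIN_LEN + 1];   /* fixed size; never written past PIN_LEN */
    int pin_pos;
    int wrong_attempts;
    const char *expected_card;   /* constructed sample values, see lock_init */
    const char *expected_pin;
} lock_t;

/* Clear any partial PIN entry. Called on every anomaly, so the only way
 * forward is to start over: swipe, then exactly PIN_LEN digits. */
static void clear_entry(lock_t *l) {
    memset(l->pin_buf, 0, sizeof l->pin_buf);
    l->pin_pos = 0;
}

void lock_init(lock_t *l, const char *card_id, const char *pin) {
    memset(l, 0, sizeof *l);
    l->state = ST_IDLE;          /* the default state is locked */
    l->expected_card = card_id;
    l->expected_pin = pin;
}

/* Factor one: the card. A bad card drops back to ST_IDLE; the lock is
 * never left half-authenticated. */
bool lock_swipe_card(lock_t *l, const char *card_id) {
    if (l->state == ST_LOCKED_OUT) return false;
    clear_entry(l);
    if (strcmp(card_id, l->expected_card) == 0) {
        l->state = ST_CARD_OK;
        return true;
    }
    l->state = ST_IDLE;
    return false;
}

/* Factor two: one keypress. Returns true only when the door unlocks. */
bool lock_press_key(lock_t *l, char key) {
    if (l->state == ST_LOCKED_OUT) return false;
    /* Digits arriving without a valid card are dropped, not buffered:
     * there is nothing to overflow however many keys are pressed. */
    if (l->state != ST_CARD_OK) return false;
    if (key < '0' || key > '9') {        /* malformed input: fail closed */
        clear_entry(l);
        l->state = ST_IDLE;
        return false;
    }
    if (l->pin_pos >= PIN_LEN) {         /* defence in depth; unreachable below */
        clear_entry(l);
        l->state = ST_IDLE;
        return false;
    }
    l->pin_buf[l->pin_pos++] = key;
    if (l->pin_pos < PIN_LEN) return false;   /* still collecting digits */

    bool ok = strcmp(l->pin_buf, l->expected_pin) == 0;
    clear_entry(l);                      /* buffer never holds more than PIN_LEN */
    if (ok) {
        l->state = ST_UNLOCKED;
        l->wrong_attempts = 0;
        return true;
    }
    /* Wrong PIN: require a fresh swipe, and lock out after MAX_WRONG. */
    l->state = (++l->wrong_attempts >= MAX_WRONG) ? ST_LOCKED_OUT : ST_IDLE;
    return false;
}

bool lock_is_open(const lock_t *l) { return l->state == ST_UNLOCKED; }

/* Door closed again: back to the default locked state. */
void lock_relock(lock_t *l) {
    if (l->state == ST_UNLOCKED) l->state = ST_IDLE;
}

/* Helper: feed a string of keypresses, report whether the door is open. */
bool lock_feed_keys(lock_t *l, const char *keys) {
    for (; *keys; keys++) lock_press_key(l, *keys);
    return lock_is_open(l);
}

int main(void) {
    lock_t l;
    lock_init(&l, "CARD-0001", "4321");   /* constructed sample credentials */
    printf("15 digits, no card: %s\n",
           lock_feed_keys(&l, "123456789012345") ? "OPEN" : "locked");
    lock_swipe_card(&l, "CARD-0001");
    printf("card + correct PIN: %s\n",
           lock_feed_keys(&l, "4321") ? "OPEN" : "locked");
    return 0;
}
```

The design choice worth copying is that the locked state is the default and every path that is not an exact success returns to it; a firmware reviewer checking a real unit would look for the same property in its state machine, and an auditor who only watches the happy path (as in the story) would never see whether it holds.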
Aftermath and the lesson
Faced with an imminent audit, staff demonstrated only the normal four-digit flow and the auditor signed off. Awkward? You bet. Distressing? Definitely. The emotional sting is that all the fancy cyber controls meant nothing when a flimsy bit of hardware could be walked around with a ten-second trick. What’s the takeaway? Physical security isn’t an afterthought. Certification is only as good as the reality it inspects — and security theater is still theater. Test the doors. Test the vendors. And maybe don’t trust a keypad to behave like Fort Knox just because someone swiped a card.
Sources: The Register