Server-room lock was nothing but a crock
- Reference: 1776326410
- News link: https://www.theregister.co.uk/2026/04/16/pwned_server_room_lock_lol/
Our tall tech tale of woe comes courtesy of a reader we’ll Regomize as Pete. Pete used to work at a company that handled parking fees and was trying to secure ISO 27001 certification for its security controls.
One vulnerability that showed up as part of the initial security screening was that the server room network was connected to the production datacenter network, so anyone entering that room could get all kinds of access. The solution: put a lock on the server room door.
The lock that Pete’s company bought used two-factor authentication. First, the entrant would have to swipe an ID card. Then, they’d have to enter a four-digit PIN. If someone entered the wrong code, the failed attempt would be logged.
On the day when the auditor was to come to the office, the team performed a final drill, which looked good at first. First, the CTO swiped their pass, entered the correct PIN, and gained access. Then a senior sysop swiped a card, entered the wrong passcode, and was denied entry. A junior sysop repeated the process and was also denied, as expected.
However, the junior sysop then decided to try bashing the buttons on the keypad without swiping a card first. To his surprise, the door unlocked itself. The senior sysop was able to reproduce this unexpected behavior.
Apparently, the problem was that if you entered more than 10 or 11 digits, the lock would become overloaded and open. If you entered the expected four digits and they were wrong or you didn’t swipe a card, the lock would stay closed.
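To make the fail-closed behaviour concrete, here is an added model of the two-factor entry sequence the story describes (card swipe, then a four-digit PIN, with failed attempts logged). It is not the lock's firmware or any vendor's code; the card IDs, PINs and key sequences are constructed. The point is that the PIN buffer is judged and cleared at exactly four digits, so button-mashing without a swipe can only ever produce logged failures.

```python
from dataclasses import dataclass, field
from typing import List, Optional

PIN_LENGTH = 4  # the lock expects exactly four digits per attempt
# Constructed credential table (card id -> PIN); stands in for the lock's own storage.
CREDENTIALS = {"CARD-CTO": "4821", "CARD-SYSOP": "7730"}

@dataclass
class DoorLock:
    card: Optional[str] = None   # card swiped for the current attempt, if any
    digits: str = ""             # digits entered so far; never exceeds PIN_LENGTH
    log: List[str] = field(default_factory=list)

    def swipe(self, card_id: str) -> None:
        self.digits = ""         # a swipe always starts a fresh attempt
        self.card = card_id if card_id in CREDENTIALS else None
        if self.card is None:
            self.log.append(f"unknown card {card_id}")

    def press(self, key: str) -> bool:
        """Feed one keypad digit; returns True only when the door unlocks."""
        self.digits += key
        if len(self.digits) < PIN_LENGTH:
            return False
        # Fourth digit: judge one attempt, then reset, so mashing twelve keys is
        # three independent, logged failures rather than an overlong buffer.
        card, pin = self.card, self.digits
        self.card, self.digits = None, ""
        if card is None:
            self.log.append("PIN entered without card swipe")
            return False
        if pin != CREDENTIALS[card]:
            self.log.append(f"wrong PIN for {card}")
            return False
        self.log.append(f"door unlocked for {card}")
        return True

def attempt(lock: DoorLock, card_id: Optional[str], keys: str) -> bool:
    # One entry attempt: optional swipe, then key presses; True if it unlocked.
    if card_id is not None:
        lock.swipe(card_id)
    return any(lock.press(k) for k in keys)

def drill() -> dict:
    """The pre-audit drill from the story, plus the junior sysop's button-mashing."""
    lock = DoorLock()
    return {
        "cto_correct": attempt(lock, "CARD-CTO", "4821"),
        "sysop_wrong": attempt(lock, "CARD-SYSOP", "0000"),
        "mash_no_card": attempt(lock, None, "9876543210987"),
        "failures_logged": sum("unlocked" not in e for e in lock.log),
    }
```

The "mash_no_card" case is the check the auditor never saw: thirteen digits with no swipe must leave the door locked and three failures in the log.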
With the inspection due that day, the company was faced with a major problem, which it solved by strategically withholding some information. When the auditor arrived, the senior sysop demonstrated the lock by entering only a four-digit PIN every time. It worked as expected and the auditor signed off on the certification.
The vendor who supplied the lock was unable to fix the problem because they weren’t the manufacturer. Supposedly, the lock manufacturer was on the hook to provide a replacement, but that didn’t happen while Pete worked there.
As far as he knows, no one ever exploited this physical security vuln, but it’s still distressing. Just remember: All the cybersecurity in the world breaks down if you don't have physical security.
Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity available upon request. ®
Re: Just walk in like you own the place
> a couple of guys in overalls, carrying tools walked in
Just like with a hi-vis and a clipboard :)
Re: Just walk in like you own the place
Same thing happened at the University: two men in white coats walked into a lab, loaded an expensive piece of kit onto a trolley, then walked out. Nobody thought to ask for any ID or anything.
ISO certification VS security
An ISO certification is not about having the best possible security; it is, crudely speaking, a certification that you have a change management process, where there is continuous improvement and management reporting.
The reason why they should not have the ISO certification is that their screening process did not detect that the manufacturer of the lock was not able to support them after they bought the lock, or that their change process did not detect this before installing the lock.
Something is missing in the story, I think. Why would it be a problem that the previous lock was controlled by the data center network? Is that not supposed to be the most controlled and regulated network, and therefore very secure and reliable?
Re: ISO certification VS security
The less generous assessment from a friend who was an ISO9000 consultant was "It won't stop screwups but you'll know whose fault it was"
"Don't pound on mouse like a wild monkey"
I'm reminded of the old bug report you used to be able to find in Sunsolve (fantastic resource, which of course Oracle killed). "Workaround: don't pound on mouse like a wild monkey".
For context, mashing the mouse buttons in CDE could cause the calendar manager (dtcm) to crash. They did fix the bug, but the workaround was also listed in the bug report.
Re: "Don't pound on mouse like a wild monkey"
Inexplicably that remarkable piece of sage advice immediately flashed the Orange Idjit into my aging mind.
I suppose when he is not grabbing pussy, he is pounding mice - not that Minnie would be remotely satisfied by his reputed endowment.
Lockpicking lawyer, is that you?
Well done
Well done to the junior sysop for applying the monkey test - a key part of QA.
I have a lockpick set in my laptop bag
and I know how to pick basic locks.
Amazing how many keys get "lost" in dysfunctional departments.
Just walk in like you own the place
This was many, many years since, while an uncle of mine was a) still alive and b) still working.
He was working at the Design Centre and I remember him recounting a time when the place had an exhibition of very upmarket showers in the foyer.
A Transit pulled up and a couple of guys in overalls, carrying tools, walked in. They proceeded to carefully dismantle one shower and carry the parts out to the Transit. Helpful folk held the door open for them as they took bigger bits out.
They sheeted the load down and drove off.
They'd simply walked in and nicked it!