State Department Forced Entry Testing
In order to be forced entry and ballistic resistant (FE/BR) certified, doors have to pass a grueling series of tests performed to the US State Department Forced Entry standard, SD-STD-01.01 Rev. G. This is the testing performed on doors installed in US embassies around the world, as well as other important government offices and facilities. There are three forced entry levels: five minute, fifteen minute, and sixty minute.
The Shield Embassy Series door is rated to the five (5) minute level, which involves 0.5 man-hours of attack time, while the Shield Fortress Series is rated to the fifteen (15) minute level, which involves 4.5 man-hours of attack time. The State Department standard also holds an equivalency to the ASTM F3038 - 14 standard, so Shield doors also meet ASTM F3038.
Forced entry tests involve a team of attackers trying to breach the door by exploiting weak points in the allotted amount of time. A five minute test consists of a five minute attack on the lock side of the door, five minutes in the center of the door, and five minutes on the hinge side of the door. Naturally, the fifteen minute test consists of fifteen minutes spent on each attack point.
The five minute test calls for a two-man team while the fifteen minute test calls for a six-man team. A variety of tools are used in the testing, including sledge hammers, axes, pry bars, picks, wedges, and a battering ram.
Since the testing team spends five or fifteen minutes on each location, an actual intruder would need significantly more time to penetrate the door.
The attack locations are all considered dissimilar areas: hinges, seams, and the like. The goal is to open, remove, or penetrate the door to a large enough degree that the attackers can pass a standard-sized testing object through the opening.
For the ballistic test, the doors must withstand dozens of rounds placed in specific shot patterns on the door and frame using 5.56mm and 7.62mm NATO rounds. Each shot is lined up separately and fired using a test barrel in order to keep to the requirements laid out in the standard.
Passing these tests is the ultimate seal of approval and ensures that customers know they are getting a quality product that will keep them and their families safe no matter who comes knocking at their door.
A recent article by Fortune.com covered the security risks of using IP-based and other online security systems. Last month, hackers infiltrated the smart locks used by the Seehotel Jägerwirt hotel in Austria. The hackers locked guests out of their rooms and prevented the hotel's administrators from using the system. This attack came at the peak of the skiing season, when the hotel was fully booked. The hackers demanded a ransom of 1500 Euros' worth of Bitcoin before eventually giving up control of the smart locks.
This wasn’t the first time this hotel has been compromised, and it likely won’t be the last, even if they change to a different smart lock. A Techcrunch.com article covering the Def Con hacking conference found that approximately 75% of smart locks have poor cyber security measures and are easily defeated. Thanks to Austrian fire codes, none of the guests were locked into their rooms or the hotel; the fire code mandated manual locks as backups in case of such an event. Despite the fact that nobody was in harm’s way this time, the danger is still incredibly real. In this instance, guests were locked out, separated from their belongings. This is a huge inconvenience and a financial issue for the hotel, but nobody was hurt. They very easily could have been.
The hackers had total control over the system that supported these locks. Suppose the hackers wanted to gain entry to the rooms instead of preventing it. It’s the same principle in terms of the security flaws. A hacker could disable every lock in the hotel while someone else entered the rooms as the guests slept. This scenario is far more deadly than a small ransom to let the guests back into their rooms.
We often get questions from our clients about controlling their doors with an app and the answer is always the same: no. We consider the risks of internet-based security/access control systems to be unacceptably high, which is why none of our doors or locks are online. Anything connected to the internet can be hacked with relative ease, especially compared to what it would take to physically defeat our doors.
The IP-connected security system used by Seehotel Jägerwirt wound up being such a hassle that the hotel will be returning to traditional locks on all their doors. Their experience with smart locks has been a costly mistake and a valuable lesson that smart locks are not necessarily safe locks.