Power Out. Lock Open. Nobody Intended It—But Everyone Built It This Way.
The Red Team spends two hours finding the right breaker panel. The rest takes four seconds. Pull the breaker for the hallway circuit, the maglock loses power and drops its hold, and the server room door stands open. No badge, no lock manipulation, no social engineering required. Just a breaker and the knowledge of how the door is configured to behave on power loss.
This isn't an exotic attack vector. It is the direct consequence of a planning decision made the same way in thousands of buildings, often without anyone consciously thinking about it. Whether a door unlocks or stays locked during a power outage is not a design preference; it is dictated by building and fire codes. Depending on the door type, those requirements point in opposite directions.
The real problem isn't that doors open during a power failure. The problem is that most operators don't know which of their doors are configured in which way—and no one has ever tested what happens when a single fuse is tripped.
Fail-Safe vs. Fail-Secure: A Core Concept with Far-Reaching Consequences
Before diving into attack vectors, two terms must be understood precisely, because they are regularly confused in practice and the confusion has direct security consequences.
Fail-Safe: the lock releases when power is lost. Maglocks and Fail-Safe electric strikes need power to stay locked; cut the power and the door is unlocked. This is the configuration required wherever people must be able to get out without power.
Fail-Secure: the lock stays locked when power is lost. A Fail-Secure strike needs power to release; cut the power and the door remains locked from the outside, with egress from the inside provided mechanically (for example by a lever or panic bar).
Both principles are required by code, but for different door types. The problem arises when these requirements meet in the same building, the same hallway, sometimes even the same door assembly, and when no one has a complete overview of which door is configured in which way.
A typical office building has both: escape route doors that must open during power failure, and fire doors that must remain closed. Security architecture is born from the interplay of both—and errors in planning or maintenance create gaps in both directions.
Door Types, Norms, and the Legally Enforced Dilemma
To understand the attack vectors, you must know which doors in a building fall under which regime. While the regulatory landscape is complex, the security-relevant core statements are clear.
The Legally Enforced Dilemma: Security vs. Safety
Fire safety and physical security pull in opposite directions—and both are mandatory.
Escape route doors must unlock during power loss so people can get out. Fire doors must close and stay closed during power loss so fire and smoke don't spread. Both requirements are legally binding and safety-critical. Note that "closed" is not the same as "locked": a fire door that also sits on an escape route must still open in the direction of egress; what must not fail is the self-closing and latching that seals the fire compartment.
For an attacker, this means: Fail-Safe doors are structurally vulnerable via power interruption—not as a design flaw, but as a legally required feature. Anyone who knows which doors fall under which regime knows which doors can be opened by cutting the power.
The actual vulnerability isn't the principle itself; it’s the lack of documentation, missing UPS protection, and the operator's ignorance regarding how their doors react.
The Full Attack Chain: From Fuse Box to Open Door
The insidious thing about this vector: it leaves no badge log entry in the access control system. From the ACS perspective the door released because of a power failure, which is an operational state, not a security event. A door position switch on its own can raise a "door forced open" alarm, but only if the controller and the contact are still powered and someone is watching that alarm; if they share the tripped circuit, the bypass also silences the monitoring. What reliably flags this vector is correlating a door contact opening with a detected power loss on that door's circuit.
```text
# Prerequisite: Fail-Safe door, access to the electrical panel
Target Door Type: Fail-Safe strike or maglock
Tool: Access to the building's circuit breaker panel
Action: Trip the breaker for the target circuit
Reaction: Lock de-energized → holding force gone; a Fail-Safe strike releases by spring, a maglock simply lets go, and the door is unlocked
Window: Until the breaker is reset or the outage is investigated
→ No badge, no ACS log, no alarm (without door contacts + power monitoring)
```
Vulnerability Matrix: How Often Each Finding Appears in Audits
| Vulnerability | Attack Vector | Audit Frequency | Risk |
|---|---|---|---|
| Unsecured Fuse Box / Sub-panel | Direct power outage for the target area with no access hurdle | Very Common | CRITICAL |
| Fail-Safe Door without UPS | Any external power cut opens the door uncontrollably | Common (the default state) | CRITICAL |
| No Door Contact / Power Monitoring | Opening via power loss generates no alert in the ACS | Very Common | HIGH |
| Misconfigured Fire/Escape Door | Door blocks the escape route during power loss (Fail-Secure used instead of Fail-Safe) | Occasional | HIGH |
| Missing Door Type Documentation | Operator doesn't know door behavior; no targeted testing possible | Common | MEDIUM |
| UPS Present but Untested | UPS fails during a real power loss; Fail-Safe release occurs anyway | Occasional | MEDIUM |
How to Systematically Eliminate Power-Loss Attacks
The challenge: eliminating Fail-Safe isn't an option—it's legally required. The solution isn't found in a different configuration, but in hardening the environment. Whoever controls the power controls the door. Therefore, the power must be protected.
- Create a Door Type Inventory: Document every controlled door: type (egress, fire, combined), strike principle (Fail-Safe/Fail-Secure), associated circuit, and UPS status. Without this list, targeted hardening is impossible.
- Secure Fuse Boxes and Distribution Panels: Electrical panels in public areas must be under access control. An open panel in the hallway next to a secured door bypasses the entire ACS. Locks, cameras, and tamper alarms are the minimum.
- UPS for Critical Fail-Safe Doors: Maglocks and Fail-Safe strikes in security-critical zones must be fed via an Uninterruptible Power Supply (UPS). The UPS must be tested regularly—an unverified UPS is not a security measure.
- Door Contact Sensors with Power Correlation: Every opening must be registered in the SIEM or alarm system, even without a badge read. A door contact that triggers at the same time as a reported power loss on that door's circuit is a precise indicator of this vector. The controller, the door contacts and the power monitoring must themselves sit on protected power; otherwise the same breaker that opens the door also silences the sensor that would report it.
- Audit Combined Doors with Specialists: Doors meeting both fire and escape requirements belong in the hands of certified safety planners. Errors here are common, hard to detect, and can cost lives.
- Power Failure Simulation in Pentests: A Physical Security Audit that doesn't explicitly test this vector is incomplete. Tripping a breaker under controlled conditions shows within minutes which doors are affected. We perform this test as a standard part of physical audits.
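As an added example (not code from the original page or from any particular ACS vendor), the following Python script implements two of the steps above on constructed data: it audits a door-type inventory against the vulnerability matrix (Fail-Safe lock on a circuit with an unsecured panel, Fail-Safe lock without UPS, egress door wired Fail-Secure) and it classifies every door-contact opening in a log as badged, power-loss bypass or forced open by correlating it with badge reads and circuit power-loss events. The door IDs, circuit names, log format and correlation windows are assumptions for illustration; a real ACS exports events in its own schema and the windows need tuning to the site.

```python
"""Door inventory audit and power-loss correlation (constructed example data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Door:
    door_id: str
    kind: str            # egress | fire | combined | interior
    fail_mode: str       # fail_safe (unlocks on power loss) | fail_secure (stays locked)
    circuit: str         # breaker circuit that feeds the lock
    ups: bool            # lock is powered through a tested UPS
    panel_secured: bool  # the panel for that circuit is under access control


# Constructed inventory; door IDs and circuit names are made up for this example.
INVENTORY = [
    Door("SRV-01", "egress", "fail_safe", "C3-HALLWAY", ups=False, panel_secured=False),
    Door("FIRE-02", "fire", "fail_secure", "C3-HALLWAY", ups=False, panel_secured=False),
    Door("LAB-04", "egress", "fail_safe", "C7-LAB", ups=True, panel_secured=True),
]

# Constructed log lines (not real ACS output): "<ISO timestamp> <SOURCE> key=value ...".
# DPS = door position switch, POWER = circuit monitor, BADGE = reader event.
LOG_LINES = """
2024-03-02T02:14:03 POWER circuit=C3-HALLWAY state=LOST
2024-03-02T02:14:05 DPS door=SRV-01 state=OPEN
2024-03-02T02:14:05 DPS door=FIRE-02 state=CLOSED
2024-03-02T09:01:10 BADGE door=LAB-04 result=GRANTED
2024-03-02T09:01:12 DPS door=LAB-04 state=OPEN
2024-03-02T11:20:00 DPS door=SRV-01 state=OPEN
""".strip().splitlines()


def audit_inventory(doors):
    """Return (door_id, severity, finding) tuples mirroring the vulnerability matrix."""
    findings = []
    for d in doors:
        if d.fail_mode == "fail_safe" and not d.panel_secured:
            findings.append((d.door_id, "CRITICAL",
                             "Fail-Safe lock fed from a circuit with an unsecured panel"))
        if d.fail_mode == "fail_safe" and not d.ups:
            findings.append((d.door_id, "CRITICAL",
                             "Fail-Safe lock without UPS: any power cut opens it"))
        if d.kind in ("egress", "combined") and d.fail_mode == "fail_secure":
            findings.append((d.door_id, "HIGH",
                             "Egress door wired Fail-Secure: blocks the escape route on power loss"))
    return findings


def parse(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, source, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def classify_openings(lines, doors, badge_window=timedelta(seconds=10),
                      power_window=timedelta(seconds=60)):
    """Label each door-open event: 'badged', 'power_loss_bypass' or 'forced_open'."""
    by_door = {d.door_id: d for d in doors}
    records = [parse(line) for line in lines]
    verdicts = []
    for r in records:
        if r["source"] != "DPS" or r["state"] != "OPEN":
            continue
        door = by_door[r["door"]]
        # A granted badge read shortly before the contact opened explains the opening.
        badged = any(
            p["source"] == "BADGE" and p["door"] == door.door_id
            and p.get("result") == "GRANTED"
            and timedelta(0) <= r["ts"] - p["ts"] <= badge_window
            for p in records)
        # Power lost on the lock's circuit shortly before the opening is the bypass signature,
        # and only a Fail-Safe lock can release that way.
        power_lost = any(
            p["source"] == "POWER" and p["circuit"] == door.circuit and p["state"] == "LOST"
            and timedelta(0) <= r["ts"] - p["ts"] <= power_window
            for p in records)
        if badged:
            verdict = "badged"
        elif power_lost and door.fail_mode == "fail_safe":
            verdict = "power_loss_bypass"
        else:
            verdict = "forced_open"
        verdicts.append((r["ts"].isoformat(), door.door_id, verdict))
    return verdicts


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY):
        print("FINDING", *finding)
    for verdict in classify_openings(LOG_LINES, INVENTORY):
        print("EVENT", *verdict)
```

On the constructed data the audit reports two CRITICAL findings, both for SRV-01, and the classifier marks the 02:14 opening of SRV-01 as a power-loss bypass, the LAB-04 opening as badged and the 11:20 opening of SRV-01 as forced open. The correlation only works if the POWER and DPS records actually arrive, which is why the controller, contacts and circuit monitor need protected power of their own.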
Fail-Safe is not a vulnerability—it's a life-saving feature. The vulnerability is unsecured access to the power supply, missing UPS, and lack of monitoring. Closing these three gaps neutralizes the attack vector without compromising life safety.
Conclusion: The Weak Link isn't the Law—It's the Gap Between Planning and Operation
The law forces operators to build escape route doors as Fail-Safe. This is correct; it saves lives. But the same law creates an attack vector if the power holding those doors locked is not protected.
In practice, whoever knows the fuse box and can map the circuit to the target door has a reliable, low-trace access vector in any building operating Fail-Safe doors without securing the power supply. That describes a lot of buildings.
The most dangerous statement in this context is: "We built it this way because the code required it." Codes define minimum requirements—not a complete security architecture. What the code doesn't forbid, you still have to think about. Fail-Safe plus an open fuse box is compliant, but it's still a gap.
Do You Know Which of Your Doors Open During a Power Failure—and Who Has Access to the Panel?
We test power-loss vectors, verify door configurations, and provide a complete Fail-Safe/Fail-Secure inventory of your building.
Request Physical Security Audit →