Frankfurt, 2022: A Laser Pointer Opens the Door to the Server Room
The Red Team is failing. For two days. The main entrance is secured by a mantrap and biometric double-check. The underground garage features license plate recognition and dedicated security personnel. The delivery entrance is controlled with an escort requirement. Every classic attack vector is covered. Then, someone on the team discovers a mirrored vestibule at the rear of the building—and a small motion sensor visible from the outside through the glass pane.
A modified laser pointer. Aimed through the glass pane at the PIR sensor. Four seconds. The door opens.
The building had a poorly calibrated REX sensor (Request-to-Exit) in the glazed vestibule—a motion detector designed to allow people to leave the building without using a card. It was designed for infrared heat radiation. The laser pointer provided exactly what was needed—through the glass, without physical contact, without an alarm.
Total effort for entry: 4 seconds and a device costing under 15 Euros. The investment in the rest of the security architecture: six figures. The weakest link was neither the card nor the controller—it was a component resulting from fire exit regulations that was never considered a security component.
What a REX Sensor Is—and Why It’s Missing from Your Security Planning
A Request-to-Exit sensor (REX) is a component that nearly every controlled door possesses—and which appears in almost no security assessment. The logic behind it is regulatory: fire exit codes require that individuals can leave a building or secure area at any time without needing a badge. The REX sensor is the technical implementation of this mandate.
It sits on the inside of a secured door, detects an approaching person, and sends a signal to the door controller to momentarily release the lock. No badge required. No PIN. No biometric check. Approaching is enough.
The design problem is fundamental: For safety reasons (egress), the REX sensor must work before any verification has taken place. By design, it is an unsecured opening mechanism—the only question is whether an attacker can reach it from the outside.
The Accountability Gap: Between IT Security and Facility Management
REX sensors emerge from a cooperation between two worlds that rarely speak to each other: fire protection and egress regulations (the domain of Facility Management / Building Authorities) and the Access Control System (the domain of IT Security / Physical Security). The result is a gray area where no one carries overall responsibility.
In practice, this means: The Facility Manager ensures the REX sensor works. The Security Team ensures the card reader is secure. Who ensures that the REX sensor cannot be triggered from the outside through a glass pane? In most companies: no one.
Technology, Types, and Attack Vectors: How REX Sensors Actually Work
To understand the vulnerabilities, one must know the three common types of REX sensors and their physical operating principles. Each type has a different attack vector—and each is exploitable in practice.
The Full Attack Sequence: From OSINT to an Open Door
A targeted REX attack is not a random find. It is the result of a structured reconnaissance phase where the attacker systematically scans the building envelope for exposed sensors—often before even entering the grounds.
# Prerequisite: PIR sensor visible through glass pane
Tool: Focused IR laser (850–940nm) or modified pointer
Distance: 1–8m depending on glass type and sensor sensitivity
Duration: 1–4 seconds of continuous radiation
Signal: Sensor sends REX signal to controller → Door release
→ No alarm, no badge log, no video analytics triggers
The Second Vector: Compressed Air Canisters and the Cold Trick
IR lasers require a line of sight to the sensor. But what if the sensor is behind glass but no direct viewing angle is possible—perhaps because it’s side-mounted or partially obscured by a shroud? This is where an attack vector comes in that is little known in security circles but regularly works in audits: common compressed air canisters (Canned Air).
The operating principle is derived directly from physics: If a canned air canister is turned upside down and triggered, the liquid propellant—typically difluoroethane or tetrafluoroethane—is expelled instead of compressed air. This evaporates instantly upon exit, creating extreme cold, often below −40°C. A PIR sensor does not measure heat directly; it measures temperature differences. A sudden, strong burst of cold creates exactly the same electrical signal as an approaching warm body: a significant deviation from the ambient value. The sensor interprets this as motion and triggers.
A canister of canned air costs under 10 Euros, is available at any office supply store, and triggers zero suspicion during transport. It looks like cleaning supplies—and it opens secured doors. Especially effective through door gaps, ventilation slots, or low-mounted sensors that are not in the direct IR line of sight of a laser pointer.
# Prerequisite: PIR sensor reachable via door gap, vent slot, or side access
Tool: Common canned air canister, triggered upside down
Physics: Propellant evaporates on exit → Temperature below −40°C
Effect: PIR sensor registers strong temp difference = motion detection
Signal: REX trigger → Door release
→ No line of sight needed. No alarm. Under 10 Euros. Low profile transport.
REX triggers are often not logged—because they are considered normal exit procedures. An attacker entering through a triggered REX sensor is invisible in the access control system. This applies to both IR lasers and canned air.
REX Vulnerabilities in Audits: What We Find in Practice
| Vulnerability | Audit Frequency | Attack Vector | Risk |
|---|---|---|---|
| PIR sensor in glazed vestibules | Very Common | IR laser through glass pane from outside | CRITICAL |
| PIR sensor reachable via door gap / vent slot | Common | Canned air (upside down) – Cold shock triggers temp difference | CRITICAL |
| Microwave sensor with excessive range | Common | Fast movement in front of thin window glass or partition | HIGH |
| REX without alarm integration | Standard | Every attack remains undetected – no log, no alert | HIGH |
| No door contact sensor combined | Common | Door is opened without the opening process being assigned to a badge | MEDIUM |
| Touch button with door gap exposure | Occasional | Thin wire or flexible tool through door gap | MEDIUM |
| Correctly shielded touch button, opaque wall | Rare | No known remote attack vector | LOW |
How to Systematically Close REX Vulnerabilities
The good news about REX attacks: They are entirely preventable. Unlike cryptographic vulnerabilities or zero-days, these are physical mounting errors and planning gaps that can be addressed through concrete structural and configuration measures.
- Include REX sensors in security assessments: Start by inventorying all REX sensors in the building—type, mounting position, visibility from outside. This list does not exist in most companies. That is the first mistake.
- Select sensor type based on exposure: PIR sensors have no place in glazed areas. For vestibules and areas with outside visibility: use an opaque barrier in front of the sensor or switch to a shielded touch button with an IR filter.
- Assess door gaps and vent slots as attack vectors: Not just the glass pane is a risk—any gap through which a canned air canister can be directed is a potential trigger point. Vents on doors in secure areas should be fitted with deflectors or secured with metal shrouds that do not allow a direct jet onto the sensor.
- Shielding for glazed installations: Where changing the sensor is not possible, targeted IR shielding film on the glass or an opaque shroud that makes the sensor invisible from the outside—while maintaining function from the inside—helps.
- Integrate REX triggers into logging: Every REX activation should be logged with a timestamp, door identifier, and—if available—a video trace. Unplanned triggers outside of business hours must automatically trigger an alert.
- Link door contact sensors with REX: A door contact sensor detects when the door is opened. If the door is opened without a prior card reading AND without REX activation, it is by definition a breach attempt—and should be alarmed accordingly.
- Clarify and document accountability: REX sensors must be explicitly included in the security area of responsibility. The gap between Facility Management and IT Security is the largest structural risk factor—close it with a joint accountability matrix.
- Commission Physical Pentesting with a REX focus: An audit that does not explicitly test REX sensors as an attack vector is incomplete. Have your entire door infrastructure—including the exit side—audited.
The irony of the REX problem: The sensor exists to protect people—as an emergency exit. It becomes a vulnerability because no one asked if it was reachable from the wrong side. Security and compliance are not a contradiction—but they need someone who keeps both perspectives in mind simultaneously.
Conclusion: The Most Dangerous Door is the One No One Checks
A REX sensor is not a niche product or an exotic attack vector. It’s in nearly every controlled door you have. It is included in almost no security assessment. And it can be exploited in four seconds with a 15-Euro device—without an alarm, without a badge log, without a trace.
The Frankfurt engagement showed: A six-figure budget for biometrics and mantraps does not protect you if the glazed vestibule at the rear shows an uncalibrated PIR sensor that is addressable from the outside with a laser pointer. The investment in the main entrance wasn’t wrong—it was incomplete.
Physical security is three-dimensional. It doesn’t end at the front facade. It doesn’t end at the boundary between IT Security and Facility Management. And it definitely doesn’t end on the inside of the door.
Do you know which of your doors have a REX sensor—and where it’s located?
We test the exit side of your entire door infrastructure. Systematically, documented, with concrete hardening recommendations per location.
Request Physical Security Audit →