Modern property management runs on electronic access control — smart locks, key fob systems, mobile credentials, intercom integrations, and cloud-based management platforms that control who enters which doors at which times. These systems are indispensable for security, convenience, and operational efficiency.
But they also represent a growing cybersecurity risk. Every networked lock, every cloud-connected panel, and every mobile credential app is a potential entry point — not just into your building, but into your network and your tenants' data.
Why Access Control Systems Are Attractive Targets
Electronic access systems are uniquely valuable to attackers because they provide both digital and physical access:
- Physical intrusion: Compromising an access system lets attackers unlock doors remotely — for theft, surveillance, or sabotage
- Tenant data exposure: Access platforms store personal information — names, unit numbers, phone numbers, entry patterns, and sometimes photos
- Network pivot point: Access controllers often sit on the same network as other building systems, providing a stepping stone to HVAC, elevators, or business networks
- Ransomware leverage: Locking out an entire building's access system creates immediate operational pressure to pay
Common Vulnerabilities in Building Access Systems
Default Credentials
Default credentials are the most common and most preventable vulnerability. Access control panels ship with default admin passwords (often "admin/admin" or "1234"). Many installers never change them, leaving remote management interfaces wide open to anyone who knows the default.
Unencrypted Communications
Older systems transmit credential data between readers and controllers in plaintext. An attacker with physical access to the wiring can intercept card data and clone credentials. Modern systems should use OSDP (Open Supervised Device Protocol) with its encrypted Secure Channel enabled.
Outdated Firmware
Access control hardware rarely receives automatic updates. Panels installed five years ago may be running firmware with known vulnerabilities that have never been patched. Unlike IT equipment, these devices often have no update mechanism beyond manual intervention.
Flat Network Architecture
When access control systems share a network with tenant Wi-Fi, business systems, or other IoT devices, a compromise in any system can spread to all others. Without network segmentation, your access system is only as secure as your weakest connected device.
Real-World Impact: In 2025, a mid-Atlantic property management firm discovered that attackers had been accessing their Brivo cloud panel using default credentials for three months — downloading tenant entry logs, adding unauthorized credentials, and using the access system's network connection to reach the property management software containing lease agreements and financial records.
Securing Your Access Control Infrastructure
Network Segmentation
Access control systems must operate on their own isolated network segment (VLAN). This ensures that even if the access system is compromised, attackers cannot reach tenant data, business applications, or other building systems.
- Place all access control panels, readers, and controllers on a dedicated VLAN
- Restrict traffic between the access VLAN and other network segments using firewall rules
- Allow only specific management traffic from authorized admin workstations
- Monitor cross-VLAN traffic for anomalies that could indicate lateral movement
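The segmentation rules above can be checked against flow logs. The following is an added example, not code from the original article: it classifies connection records against an allowlist policy, and the subnets, admin host, ports and sample flows are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical, not from the article).
ACCESS_VLAN = ipaddress.ip_network("10.20.30.0/24")   # panels, readers, controllers
ADMIN_HOSTS = {ipaddress.ip_address("10.10.5.21")}    # authorized admin workstation
MGMT_PORTS = {443}                                    # panel management over HTTPS
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one per connection: (initiator, responder, dest port).
SAMPLE_FLOWS = [
    ("10.10.5.21", "10.20.30.11", 443),     # admin workstation -> panel
    ("10.20.30.11", "10.20.30.12", 4050),   # controller -> controller, inside the VLAN
    ("192.168.50.77", "10.20.30.11", 443),  # tenant Wi-Fi -> panel
    ("10.10.5.21", "10.20.30.11", 23),      # admin workstation, but Telnet
    ("10.20.30.12", "10.10.8.40", 445),     # panel -> business file server
    ("10.20.30.11", "203.0.113.10", 443),   # panel -> vendor cloud (public address)
]

def classify_flow(src, dst, dport):
    """Return None when the flow fits the segmentation policy, else a reason."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (s in ACCESS_VLAN) == (d in ACCESS_VLAN):
        return None  # stays inside the access VLAN, or never touches it
    if d in ACCESS_VLAN:
        if s not in ADMIN_HOSTS:
            return "inbound from non-admin host"
        if dport not in MGMT_PORTS:
            return "inbound on non-management port"
        return None
    if any(d in net for net in INTERNAL):
        return "access VLAN reaching another internal segment"
    return None  # outbound to a public address, e.g. a cloud management service

def audit_flows(flows):
    """Return (src, dst, dport, reason) for every flow that violates the policy."""
    return [(s, d, p, r) for s, d, p in flows if (r := classify_flow(s, d, p))]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Any finding here means either a firewall rule is missing or a device on the access VLAN is initiating traffic it has no reason to send.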
Credential and Authentication Hardening
- Change all default passwords on panels, controllers, and management interfaces immediately upon installation
- Enable MFA for cloud-based access management portals
- Restrict admin access to specific IP addresses or VPN connections
- Implement role-based access — maintenance staff don't need the same portal access as property managers
- Audit active credentials quarterly — remove former tenants, expired vendor access, and orphaned accounts
Firmware and Software Maintenance
Maintenance Schedule: Check for firmware updates quarterly. Subscribe to your manufacturer's security bulletins. Include access control systems in your regular IT patching cycle — not just at installation time. If your system is end-of-life with no security updates available, begin planning for replacement.
Choosing Secure Access Control Technology
When evaluating or upgrading access control systems, prioritize these security features:
- OSDP v2 compliance: Ensures encrypted communication between readers and controllers
- Cloud platform with SOC 2 Type II certification: Demonstrates the vendor maintains security controls over your data
- Mobile credentials over proximity cards: Phone-based credentials are harder to clone than 125 kHz proximity cards
- Automatic firmware updates: Cloud-managed systems that push security updates without manual intervention
- API security: If the system integrates with other platforms, ensure API authentication and encryption
- Audit trail depth: Full logging of all access events, credential changes, and admin actions
Legacy System Risks: When to Upgrade
If your building still uses 125 kHz proximity cards (HID ProxCard, EM4100), understand that these credentials are trivially cloneable with sub-$50 hardware available on Amazon. Modern alternatives:
- 13.56 MHz smart cards (MIFARE DESFire, iCLASS SE) — encrypted, significantly harder to clone
- Mobile credentials (HID Mobile Access, Openpath, Verkada) — use the phone's secure enclave, revocable remotely
- Biometric readers — fingerprint or facial recognition eliminates credential sharing and cloning entirely
Vendor Security Requirements
Your access control vendor is a critical supply chain partner. Before signing a contract or renewing, verify:
- The vendor provides a signed data processing agreement or BAA (if applicable)
- Cloud platforms are hosted in SOC 2 Type II certified data centers
- The vendor has a documented vulnerability disclosure and patching program
- Data at rest is encrypted (tenant information, entry logs, credential databases)
- The vendor supports SSO integration with your identity provider
- You can export or delete tenant data upon request (privacy compliance)
Monitoring and Incident Detection
Access control systems generate valuable security telemetry that most property managers ignore:
- After-hours access attempts: Alerts on credential use at unusual times
- Repeated failed attempts: May indicate credential brute-forcing or a cloning attack
- Admin portal logins from unusual locations: Could signal compromised management credentials
- Bulk credential additions: Unauthorized mass provisioning of access cards
- System offline events: Controllers going offline may indicate tampering or network attacks
A managed IT services provider can integrate access control monitoring with your broader security operations — correlating building access events with network activity for comprehensive threat detection.
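The alert types listed above can be expressed as simple rules over an event feed. The following is an added example, not code from the original article or from any access control vendor: the event schema, thresholds, admin subnet and sample events are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and event schema (hypothetical, not a vendor format).
NORMAL_HOURS = range(6, 22)  # 06:00-21:59
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(minutes=2)
BULK_LIMIT, BULK_WINDOW = 10, timedelta(minutes=5)
ADMIN_NET = ipaddress.ip_network("10.10.5.0/24")  # where admins normally log in from

def _burst(window, ts, span, limit):  # True once `limit` events fall within `span`
    window.append(ts)
    while ts - window[0] > span:
        window.popleft()
    if len(window) < limit:
        return False
    window.clear()  # restart the count so one burst yields one alert
    return True

def detect(events):
    """Return (rule, timestamp, subject) alerts for time-ordered events."""
    alerts, fails, adds = [], defaultdict(deque), defaultdict(deque)
    for ev in events:
        ts, kind = datetime.fromisoformat(ev["ts"]), ev["type"]
        if kind == "access_granted" and ts.hour not in NORMAL_HOURS:
            alerts.append(("after_hours_access", ev["ts"], ev["credential"]))
        elif kind == "access_denied" and _burst(fails[ev["reader"]], ts, FAIL_WINDOW, FAIL_LIMIT):
            alerts.append(("repeated_failures", ev["ts"], ev["reader"]))
        elif kind == "credential_added" and _burst(adds[ev["admin"]], ts, BULK_WINDOW, BULK_LIMIT):
            alerts.append(("bulk_credential_add", ev["ts"], ev["admin"]))
        elif kind == "admin_login" and ipaddress.ip_address(ev["src_ip"]) not in ADMIN_NET:
            alerts.append(("admin_login_unusual_source", ev["ts"], ev["admin"]))
        elif kind == "controller_offline":
            alerts.append(("controller_offline", ev["ts"], ev["controller"]))
    return alerts

# Constructed events, in time order, for demonstration only.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T02:13:00", "type": "access_granted", "credential": "C-1002"},
    {"ts": "2025-06-03T09:00:00", "type": "admin_login", "admin": "pm-admin", "src_ip": "198.51.100.23"},
    {"ts": "2025-06-03T11:30:00", "type": "controller_offline", "controller": "ctl-garage"},
    *({"ts": f"2025-06-03T14:00:{10 * i:02d}", "type": "access_denied", "reader": "side-door"}
      for i in range(5)),
    *({"ts": f"2025-06-03T15:00:{5 * i:02d}", "type": "credential_added", "admin": "pm-admin"}
      for i in range(10)),
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

The thresholds need tuning per building: a lobby reader at a busy property will see more denied reads in two minutes than a rarely used side door.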
Tenant Communication
Keep tenants informed about access system security without creating alarm:
- Explain why you're upgrading from proximity cards to mobile credentials
- Provide clear instructions for reporting lost credentials immediately
- Disclose what access data you collect and how it's protected (privacy compliance)
- Notify tenants of any security incidents that may have exposed their information