Skip to Main Content
January 09, 2020

Rekt by the REX

Written by Jason Ashton
Penetration Testing Physical Security Security Testing & Analysis

The request-to-exit (REX) passive infrared (PIR) sensor. You know the one. Spray canned air or smoke in its face, it becomes disoriented and unlocks the door. Spit a mist of alcohol in its face, it gets a buzz and unlocks the door. The butt of many "jokes" for how easily it provides unauthorized entry, but is this just victim shaming?

Courtesy Bosch Security Systems

I've seen many people suggest simply removing it as a remediation effort - this should never be the recommendation. Depending on other aspects of the access control installation, this device is required by national and local codes within the US. Drawing from over 15 years of design and implementation experience with these systems, I will cover these requirements, as they relate to the REX PIR, in this post. In a future post, we will take a look at active infrared and dual-technology (PIR plus radar) REX devices to see if they are more effective than traditional devices.

Proper Design/Installation

An access control system generally consists of the following components: card reader, door contact, electronic lock, and REX device. All are necessary for proper operation and alerting within the system. Can systems be installed without one or more of these components? Yep. However, they will not function properly for re-locking the door upon opening or alerting when the door is improperly opened (loid, under-the-door tool, etc). We will take a deeper dive into system installation and operation in future posts.

When it comes to electronic locks, there are two main types: fail-secure and fail-safe. The former remains locked during a loss of system power - typically an electric strike. The latter requires power to remain locked - typically a magnetic lock.

For fail-secure locks, the REX does not need to unlock the door, since the handle can be turned, or the bar pressed on an exit device from the secure-side during egress. As a general practice, the REX should only signal valid egress and should not unlock the door. For fail-safe locks, the REX is required to break power to the lock and must return to an unlocked state if its own power or system power fails. This functionality is in addition to the signal provided to the door controller.

Two primary building Codes govern the installation requirements within the US: International Building Code v2017 (IBC) and NFPA 101 Life Safety Code v2018 (LSC). Most states have adopted the IBC or use it as a basis for the state's code. The NFPA 72 National Fire Alarm and Signaling Code may also apply where a fire alarm system is installed. All new construction facilities must comply with these and many other codes in order to pass a final inspection and receive a Certificate of Occupancy. Many municipalities also require a low-voltage electrical permit and subsequent inspection for these systems, including retrofit installations. So, if the systems integrator wants to get paid, the installation must be completed correctly.

The REX PIR, when used with fail-safe locks, is considered a "sensor-release" as defined by IBC 1010.1.9.9 and LSC, where several criteria are required for installation. This includes an additional wall-mounted emergency release device, which must break power to the lock. Excerpt of the LSC sections: Sensor-Release of Electrical Locking Systems

Where permitted in Chapters 11 through 43, door assemblies in the means of egress shall be permitted to be equipped with sensor-release electrical locking system hardware provided that all of the following criteria are met:

(1) A sensor shall be provided on the egress side, arranged to electrically unlock the door leaf in the direction of egress upon detection of an approaching occupant.

(2) Door leaves shall automatically electrically unlock in the direction of egress upon loss of power to the sensor or to the part of the locking system that electrically locks the door leaves.

(3) Door locks shall be arranged to electrically unlock in the direction of egress from a manual release device complying with all of the following criteria:
(a) The manual release device shall be located on the egress side, 40 n. to 48 in. (1015 mm to 1220 mm) vertically above the floor, and within 60 in (1525 mm) of the secured door opening, except as otherwise permitted by

. . .

(8) Hardware for new installations shall be listed in accordance with ANSI/UL 294, Standard for Access Control System Units.


So how do we minimize the likelihood of activation from the non-secure side of the door? Let's explore a few of the possible scenarios.

1. Remove and replace with a button adjacent to the door.

A picture containing person, ground, man, outdoor

Description automatically generated

LSC: Locks, if provided, shall not require the use of a key, a tool, or special knowledge or effort for operation from the egress side.

In this case, "special knowledge or effort" (as designated in above) would be required to be aware of and/or activate a device away from the door during egress. Have I witnessed installations with only a button to unlock the door? Yes. Are they Code-compliant or safe during an emergency? Nope.

2. Relocate the REX PIR

This is a potential solution, provided the installation area supports an alternate location. The REX PIR should be located as close as possible to the door so that it does not re-lock prior to the occupant reaching the door. Additionally, if the door is within a crossing corridor, it could be inadvertently unlocked by occupants passing by the sensor.

3. Mechanical/Capacitive Hardware

This is also a potential solution. The REX device is either contained within the exit hardware or the exit hardware operates by simply touching an electronic bar to unlock the door. This may or may not be possible, depending on the door configuration or even the building owner's budget. The drop-style exit hardware has no option for the addition of a switch to perform REX functions. From a budgetary standpoint, replacing exit hardware is not inexpensive. The hardware itself is generally at least five times the cost of a typical REX PIR. This excludes installation labor and potential challenges of getting wire from the frame to the door in order to connect to the internal switch.

4. Security Astragals

Seal the gap between the door and frame or between a pair of doors with a molding known as an astragal. The astragal is generally fixed to the moving door leaf, but special versions exist to accommodate openings with two moving leaves. Weather stripping can also be used to prevent canned air from creeping through the door gap. These solutions are specific to the type of door assembly, so all possibilities cannot be covered here.

5. Monitoring/Alerting

Just like other information security vulnerabilities, layers of controls apply here also. Now, if the REX PIR is activated from the non-secure side of the door, the system will think that the door was opened validly from the secure side. A pressure mat, typically installed under carpet or rug, could be used in conjunction with the REX PIR. The mat would be wired in series with the REX PIR, so that if both are not active when the door prior to the door opening, a forced-door event is generated within the system. The event can then be acted upon by security personnel.


So, should the REX PIR be avoided or are there just other considerations associated with its installation? This device is somewhat of a standard component within access control systems. Unfortunately, most physical security integrators are unaware of its use in bypassing secured entry doors. When alternate REX devices may not be an option, for various reasons, additional door hardware or complementary devices could be used as a solution.