The Deadlocking Plunger Weakness

One recent facility security assessment started with the question below, and after encountering this vulnerability in every assessment for the past 15 years, it became obvious that it was time to write about it. The problem is easily remedied.

 

Q: We installed a good quality industrial door lock, yet someone was able to bypass it using a credit card. How could this be?

 

A: Most likely, the door latch installation somehow kept the deadlocking plunger (also called a deadlock latch) from being engaged, or allowed it to be disengaged. It is the purpose of this part of the door lock mechanism to prevent doors from being opened in this fashion.

 

Over the past 15 years, since I started tracking this particular vulnerability in our facility security assessments, in every commercial facility security assessment I performed, I found that at least one door could be easily opened (5 seconds or less) with a credit card, screwdriver or hair comb. Facility managers have been amazed to see strong commercial and industrial locks bypassed this way. Recently at one facility, after a big-name company installed card + PIN electronic access control (card reader plus keypad) for a half-dozen very critical internal doors, I was able to slip my comb out of my pocket and pop open each door.

IT departments take note: this vulnerability is common for IT equipment room closets, especially where the closet originally served another purpose, and was later given to IT without upgrading the door to a security grade installation.

 

What is a Deadlocking Plunger?

For convenience in closing doors, many types of door latch bolt have a beveled tip shape as shown in Figure 1.

The purpose of the angle is to enable the latch bolt to be pushed in automatically as the door is closed; otherwise you'd have to manually twist the doorknob to retract the latch before you could close the door. However, that feature is a security weakness. When the door is closed, the latch bolt can be pushed back using a screwdriver, metal ruler, plastic card, and so on, as shown in Figure 2.

To keep the latch bolt from being push-retractable once the door is closed, a second mechanism, called a deadlocking plunger, is incorporated into the latching mechanism (the entire mechanism is sometimes called a deadlock latch), as shown in Figure 3. When the plunger is kept pushed in by the strike plate, the latch bolt will not retract. However, security assessments commonly find that the strike plate is the wrong type or the wrong size, allowing both the latch bolt and the deadlocking plunger to be fully extended. In such an instance, the latch can be pushed back as shown in Figure 4. Sometimes the deadlocking plunger mechanism simply doesn't work, and I have found about 10 percent of the type of plunger illustrated to fail in security assessments. (To test: With the door open, push the plunger back and see if you can still push in the latch bolt.)

Commercial and industrial security locksets of a higher rating use an improved design. One such design can be seen in the Simplex 900 Lockset shown in Figure 5, in which the deadlocking plunger is separated vertically from the latch bolt. (I am using this lockset as an example because it has a YouTube video of the lockset rotating, providing a good view of the latching mechanism. See: www.youtube.com/watch?v=Z_rWE3SxsZE)

If the latch is closed, there is no possibility of the deadlocking plunger being extended in a well-built and properly installed security door. One example of a poor door installation is one where a crowbar can be inserted between the door and the strike plate and turned to push the strike plate away from the plunger. Once the strike plate is pushed away, the deadlocking plunger is extended, and the latch bolt can be easily pushed back.

These aspects of door design are well understood by most locksmiths, but not by enough security practitioners and facility managers. Good advice is to check every building perimeter door and every door leading to critical facility areas and critical assets.

 

Write to Ray Bernard about this column at ConvergenceQA@go-rbcs.com. Mr. Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.
