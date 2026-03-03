A hackerspace is a place that generally needs to be accessed by a wide group of people, often at weird and unusual hours. Handing around keys and making sure everything is properly locked up can be messy, too. To make it easy for hackers to get in to [Peter]’s local hackerspace, a simple electronic system was whipped up to grant access.
The basic components of the system are a keypad, a QR code and barcode scanner, a stepper motor, an Arduino Nano, and a Raspberry Pi. The keypad is read by an Arduino Nano, which is also responsible for talking to a stepper motor driver to actuate the lock cylinder.
The system works on the basis of two-factor authentication. Regular users authenticate to enter by presenting a QR code or barcode, and entering a matching PIN number. The system can also be set up for PIN-only entry on a temporary basis.
For example, if the hackerspace is running an event, a simple four-digit pin can allow relatively free access for the duration without compromising long-term security. Actual authentication is handled by the Raspberry Pi, which takes in the scanned barcode and/or PIN, hashes it, and checks it against a backend database which determines if the credentials are valid for entry.
While it’s not technically necessary for a project like this — in fact, you could argue it’s preposterously overkill — we have to take particular note of the machined aluminum enclosure for the keypad. Mere mortals could just run it off on their 3D printers, but if you’ve got access to a CNC router and a suitably chunky piece of aluminum, why not show off a bit?
It’s a nifty system that has served the hackerspace well over some time. We’ve featured some neat access control systems before, too. If you’ve got your own solution to this common problem, don’t hesitate to notify the tipsline!
8 thoughts on “Building A Hackerspace Entry System”
At our hackerspace, we use SSH keys to login to a special user account on the server. It has a script set up to open the locks through Modbus.
For alternative method in case someone cannot use SSH on their phone, we have a phone number + PIN access (I think using some VOIP service).
For more security, the enclosure should not be able to be opened from the keypad side.
For more security it shouldn’t matter whether the enclosure is opened from the keypad side.
Don’t put the verifying-and-opening-mo-tron in the keypad case. A keypad is for pressing buttons, not for security.
… and a tamper switch that is triggered if the keypad/cover is removed from the case or the whole case from the wall it’s mounted on.
What was wrong with:
00123456#
*# member login
member-number 00 + totp-token 123456
and
*12345678
** = guest login, single use
The insecure numbers purely for demonstration. People probably can handle Aegis, gwallet, iOS TOTP apps better than fancy barcode generators, etc. The DB checks against the 100 members (00-99) which would already a gigantic hackerspace. Generates the past and current token (60 seconds time to enter a valid code, more than enough).
A fips-198a compliant TOTP can be generated in 16 lines of pure vanilla python.
Looks like it ate up some asterisk and pound as formatting, yuck!
‘”The keypad is read by an Arduino Nano, which is also responsible for talking to a stepper motor driver to actuate the lock cylinder.”
Perfectly disclosed built-in vulnerability !!!
so, get this:
https://www.ebay.com/itm/165752068122
and a Torx bits set, and go there:
50.60289880216728, 8.70102891030175
and you can enter in one minute. Leave the Arduino for the next visitor.
And what are the failure modes. What happens during, and after, a power outage.
Or even a long network outage, simple things like losing DNS access can cause fascinating unforseen consequences.
