This video was recorded for the sole purpose of having some reference in my bachelor thesis that such an attack can be done. It is one of many strikingly apparent physical attacks for which I could not find any example online. On the other hand, more popular PIR REXes have tons of videos.
Why
This is one of the most common setups you’ll see: one-way REX with access control for the other direction. This particular case is a dormitory building, where the traffic and randomness of people is so high that all an adversary needs is to wait for some insider to pass by.
But this setup is used in banks, grocery shops, office buildings and so on.
How
Microwave sensors, just like their ultrasound cousins, are sensing the Doppler effect. So by moving an item that reflects those waves towards the sensor makes it trip (REXes as opposed to alarms ignore items moving away from them.) By nature, the range is so wide that just a little piece of aluminium foil right under the sensor is enough.
How to fix it
Preferably, do not use this setup at all! If you really care about access control, you should do it both ways. Introducing a little inconvenience for insiders is not something to be afraid of when inconvenience for motivated adversary is virtually zero.
That’s it! Any other way is either pricey (custom doors without gaps? Face recognition?), or clunky (classic doors with automatic opening generally used for wheelchair access?) If security is of interest, just do not do it!
Deviant Ollam in his famous Wild West Hackin’ Fest video claims that a particular GE combined REX sensor (PIR and MW) can save the day, because it needs to see “something vaguely human size moving towards the sensor.” I did not have the pleasure with that one, but I doubt it.