Knox Boxes Hacked

An IPVMU certified member emailed this story to us: Security expert warns fire department lockboxes can be hacked

The impact of this 'hack' - essentially reverse-engineering a great-grand master key that fits all boxes - is especially troubling, because the point of these boxes is to be an external facing vault that stores a facility's particular master keys.

If you can unlock one Knox Box, you can theoretically open thousands of buildings.

I expect that one of the recommendations in dealing with this issue will be to install intrusion alarm contacts on the vault door. Layers of security are important.

I'm curious to read your thoughts!

Money quote from the article:

"[Expert/Hacker] said he removed the core of a Knox Box lock with a socket wrench, pulled out the pins, replaced them, measured the grooves, then carved out a key with the file. He subsequently confirmed the key worked by testing it on a locked Knox Box in his own laboratory."

Secondly, background tutorial / risks of Knox Boxes.

Knox provides an option for a tamper switch. I believe it will monitor both the door and if you rip the box off the wall. Also, the box should be mounted in a highly visible area that requires a short ladder to access. In this way, a bad guy will be more exposed if he should try and access the box. Finally, I would suggest that the flush-mount version be used, making it extremely difficult to remove.

I am confused. If I have a reverse-engineered great grandfather key and I go to a Knox Box, how will a tamper switch detect it? I don't need to rip the box off the wall once I have that hacked key, no?

Tamper switch should activate when the Knox Box door is opened by any means, including with a key. If there is a true emergency at the building that requires opening the box, setting off the intrusion alarm shouldn't be a problem as police/emergency responders will already be aware that something is happening at the location.

Got it, so better hope the police respond fairly quickly if that tamper switch goes off by someone with a hacked great grandfather key?

Police response times to intrusion alarm systems vary greatly throughout the USA. In some big cities, it can take 30 minutes or longer, if they respond at all. In some smaller cities and towns, police response times can be 5 minutes or less.

Actually, in cases where a burglar used a key on a Knox Box, the central station should first receive an alarm from the box tamper switch, and then subsequent alarms on the entry door and interior motion detectors. A good central station operator would (or should) know that this has the pattern of an actual burglary rather than a false alarm and convey this fact to the police dispatcher, hopefully reducing response times.

All of our buildings have card access, so if someone uses a key on a main entry door it will set off a forced open alarm and a guard will respond.

Here locally, the Knox boxes are usually mounted 8 to 10 feet above floor level; a hacker here will need a ladder or a really tall accomplice. When I used to buy Knox boxes for fire applications, we generally ordered the ones with the tamper switch and connected it to a supervisory input on the fire alarm panel. Fire type alarms are higher priority at a remote monitoring station and generally treated more seriously than intrusion alarms by local authorities.

So let me get this straight. You connect the tamper in the Knox Box to the fire alarm panel so the monitoring station dispatches the Fire Department instead of the police?

No, we would set it up with the monitoring station to dispatch the police, as well as notify the on-call owner's representative. Fire departments generally don't respond to supervisory signals. A fire alarm signal usually overcomes the "it's another burglar system false alarm" attitude. We did mostly municipal systems (schools, water plants, etc.). You would be surprised how quickly the police or sheriff's deputies respond to an alarm at a facility owned by their employer, regardless of which system sent the signal.

For the most part, it's residential burglar alarm systems that the police are slow to respond to, as they usually are false alarms most of the time. Many cities are requiring confirmation of an alarm on a residential system, usually by voice or video, before they will dispatch a responder. Commercial burglar systems usually get a response, especially if it's something like a bank or jewelry store.

Years ago, when I was a service technician, I had to replace a lot of these due to malfunction or broken locks. Drilling them always worked for me.


The Knox Box with alarm tamper is connected to the burglar alarm and can either be an actual alarm point like a motion or a door contact, etc., or can be a supervisory signal. The tamper works when the door is opened. It does not care if a key is used or the door is ripped off, or the lock is drilled. Once the door opens the box goes off. There is no requirement to have a Knox Box and a fire alarm panel. So many AHJ have a requirement to have a Knox Box on every facility built. However many AHJ only require a fire alarm system on a facility 6000 SF or greater. So the two don't always co-exist with each other.

The only purpose of a Knox Box is in the event of false fire alarm the fire department does not have to break down a door to gain entry to check out a facility after normal business hours. In the event a fire department responds to a fire alarm or call of a fire and once there at the site there is visible smoke or flame, the fire department is not going to risk injury to a member of the fire crew to take the time to get out a ladder, go up to the building on fire, look for the box, place the ladder up against the building, remove the key or access card inside, climb down off the ladder and then go to the entry door and unlock it. Every fire department in the world has the master key already. It's called the fire ax, crowbar. If and when they need entry they will gain entry.

I give Knox the Hall of Fame award for marketing idea of the century. Put all marketing effort into getting the municipal AHJ's behind your branded product, get it mandated by the fire marshal or by ordinance then relax and live off the rewards for decades. Ron Popeil couldn't top that! Not a useful product but definitely a ubiquitous one!

I've always wondered what would happen when someone did one day compromise the locks on the Knox Box. I suspect those governments that mandated them might be a bit exposed?
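
The alarm pattern discussed in this thread (a Knox Box tamper signal followed by entry door and interior motion alarms, versus a box opened during a real fire call) can be expressed as a simple correlation rule. This is an added example, not part of any poster's comment; the zone names, the 10-minute window and the verdict strings are assumptions for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per site

# Constructed sample signals as (ISO time, zone type); zone names are hypothetical.
SAMPLE = [
    ("2024-01-01T02:14:00", "knox_tamper"),
    ("2024-01-01T02:15:30", "entry_door"),
    ("2024-01-01T02:16:10", "interior_motion"),
]

def classify(events, window=WINDOW):
    """Return one verdict per Knox Box tamper signal in the event list."""
    parsed = sorted((datetime.fromisoformat(t), z) for t, z in events)
    verdicts = []
    for ts, zone in parsed:
        if zone != "knox_tamper":
            continue
        # A fire alarm shortly before the box opens means responders are expected.
        fire_before = any(
            z == "fire_alarm" and ts - window <= t <= ts for t, z in parsed
        )
        # Zones that tripped after the box door opened, within the window.
        later = {z for t, z in parsed if ts < t <= ts + window}
        if fire_before:
            verdicts.append("expected responder access")
        elif {"entry_door", "interior_motion"} <= later:
            # Box, then door and motion with no fire call: burglary pattern.
            verdicts.append("probable burglary")
        elif later & {"entry_door", "interior_motion"}:
            verdicts.append("suspicious: box opened and follow-on alarm")
        else:
            # The tamper fires on any door opening, key or not.
            verdicts.append("box opened: notify owner representative")
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```
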