Security Breach Case Study: A Literal Key to NY City

By: Brian Rhodes, Published on Oct 04, 2012

How much would it take to bring a city to it's knees? How about $150? It sounds impossible, but that is exactly what has happened in NYC. A major security vulnerability has been exposed with a simple set of keys - a "fireman's key ring" - illegally sold to a newspaper. In this note, we peek into the security firestorm, the backstory, the costs involved to recover from improperly managed 'master' keys, and discuss how to prevent similar events in the future.

The Story

In a scandalous story [link no longer available] appearing in several publications, a retired locksmith (allegedly) elected to sell a set of master keys typically carried by NYFD on an online auction. This particular set of keys is very powerful, due to the ability to 'universally' open or control the features common to NYC skyscrapers with the following keys:

  • Elevator Control Fireman Key: Lift systems are required by code to be recalled to the ground floor and 'locked out' of service by firemen during a fire event. This prevents building occupants from becoming trapped inside cars, or potentially waiting too long for a car when they should be evacuating.
  • Subway Gate Access Key: Rolling grilles are used to control access to vulnerable areas of NYC's Subway System, and one of master keys opened these gates.
  • Circuit Breaker Cabinet/Closet: Locks securing electrical utility share a common key for quick access by fireman during firefighting efforts.
  • Construction Site Lockboxes: Similar to 'Knoxboxes', several keys on the ring reportedly opened the keycabinets holding all keys for entire construction projects (1 World Trade Center was cited.)

The end result of this particular key ring being sold in the 'grey market' is that vast portions of NYC's most vulnerable areas can be entered without authorization by unknown keyholders - including potential terrorists, vandals, and criminals [link no longer available].

While no charges have yet been filed in the event, selling city property is a crime, and the public outcry has been swift and strong - many are calling for the compromised locks to be repinned immediately.

The Cost

Even conservative estimates place the cost of this event in tens of thousands, potentially up to hundreds of thousands of dollars.

Assuming that a single 'master key' could open 1000 potential locks throughout the city, losing a ring of 5 keys can easily effect 5000 individual locks. Assuming that the average cost of repinning a single lock is $10-$15, just the effort of changing over the locks alone could measure $50,000 - $75,000. This estimate does not consider the additional cost of recutting keys, purchasing (in some cases, rare) keyblanks, and the overall logistical labor required to administer and perform the work.

Solving The Problem

Among the number of mistakes and errors detailed in the story, the biggest failure is proper Key Control. As we previously discussed in our "Are You Neglecting Key Control?" report, this most inglorious aspect of security management is also one of the most critical.

While no indication of a key management system is given by the various reports, several of the key numbers have been tied to individual positions or keyholders. Regardless of the details of the particular system in place, the circumstance where a newspaper is able to buy a set of master keys simply would not be possible if basic key management was in place.

Given standard issuance policy, when a specific key (especially a 'master' key) is lost it should be immediately reported, or at least discovered to be missing during routine scheduled audits. At the point a key is missing, controlled and preventive action can be taken to recover the key or repin/modify affected locks, rather than a sensationalized 'knee-jerk' reaction fueled by fear.

Comments : PRO Members only. Login. or Join.

Related Reports

2020 Access Control Book Released on Dec 19, 2019
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Access Control Turnstiles Guide on Jan 28, 2019
Turnstiles control pedestrian access to secured areas, essentially becoming moving portions of fences, walls, or barricades for physically stop...
Access Control Mantraps Guide on Sep 26, 2019
One of access's primary goals is keeping people out of places they should not be, but slipping through open doors (ie: Tailgating) is often...
Access Control Mustering Guide on Sep 30, 2019
In emergencies, determining where employees are located can be critical for knowing whether they are in danger. Access systems can be used for...
Securing Access Control Installations Tutorial on Oct 17, 2019
The physical security of access control components is critical to ensuring that a facility is truly secure. Otherwise, the entire system can be...
Tailgating: Access Control Tutorial on Oct 31, 2019
Nearly all access control systems are vulnerable to an easy exploit called 'tailgating'. Indeed, a friendly gesture in holding doors for others...
The Access Control Codes Guide: IBC, NFPA 72, 80 & 101 on Nov 07, 2019
For access, there is one basic maxim: Life safety above all else. But how do you know if all applicable codes are being followed? While the...
Propped Doors Access Control Tutorial on Jan 07, 2020
Doors should keep 'bad guys' out, but a common access control problem is people propping doors open, preventing them from being secure. Even...
Wyze Smart Door Lock Test on Jan 14, 2020
Wyze's inexpensive cameras have grabbed the attention of many in the consumer market, but can the company's new smart lock get similar...

Most Recent Industry Reports

Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of compressed air may defeat it. With no special training, intruders can...
ROG Security - Cloud AI For Remote Monitoring on Jan 28, 2020
ROG Security is offering cloud-based AI analytics to remote guard companies, by touting having "nothing to install" to "add virtual guards." We...
Brivo Business Profile 2020 on Jan 27, 2020
Brivo has been doing cloud access for more than 20 years. Is the 2020s the decade that cloud access becomes the norm? CEO Steve Van Till recently...
Favorite VMS / NVR Manufacturers 2020 on Jan 27, 2020
In 2018, a new winner emerged and a former top choice declined. Now, there is a new #1, a new top 5 finisher and 2 major VMSes in decline. Our...
"Hikvision Football Arena" Lithuania Causes Controversy on Jan 24, 2020
Controversy has arisen in Lithuania over Hikvision becoming a soccer team's top sponsor and gaining naming rights to their arena, with one local MP...
Axis and Genetec Drop IFSEC 2020 on Jan 23, 2020
Two of the best-known video surveillance manufacturers are dropping IFSEC International 2020, joining Milestone who dropped IFSEC in 2019. The...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry, and thousands can be misspent on locks that leave doors quite...
Avigilon Shifts Cloud Strategy - Merges Blue and ACC on Jan 23, 2020
Avigilon is shifting its cloud strategy, phasing out its Blue web-managed surveillance platform as a stand-alone brand and merging it with its ACC...
Verkada Paying $100 For Referrals Just To Demo on Jan 22, 2020
Some companies pay for referrals when the referral becomes a customer. Verkada is taking it to the next level - paying $100 referrals fees simply...
Camera Analytics Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jan 22, 2020
Analytics are hot again, thanks to a slew of AI-powered cameras, but whose analytics really work? And how do these new smart cameras compare to top...