Security Breach Case Study: A Literal Key to NY City

By: Brian Rhodes, Published on Oct 04, 2012

How much would it take to bring a city to its knees? How about $150? It sounds impossible, but that is exactly what has happened in NYC. A major security vulnerability has been exposed with a simple set of keys - a "fireman's key ring" - illegally sold to a newspaper. In this note, we peek into the security firestorm, the backstory, the costs involved to recover from improperly managed 'master' keys, and discuss how to prevent similar events in the future.

The Story

In a scandalous story appearing in several publications, a retired locksmith (allegedly) elected to sell, on an online auction, a set of master keys typically carried by NYFD. This particular set of keys is very powerful because its keys 'universally' open or control features common to NYC skyscrapers:

  • Elevator Control Fireman Key: Lift systems are required by code to be recalled to the ground floor and 'locked out' of service by firemen during a fire event. This prevents building occupants from becoming trapped inside cars, or potentially waiting too long for a car when they should be evacuating.
  • Subway Gate Access Key: Rolling grilles are used to control access to vulnerable areas of NYC's Subway System, and one of the master keys opened these gates.
  • Circuit Breaker Cabinet/Closet: Locks securing electrical utilities share a common key for quick access by firemen during firefighting efforts.
  • Construction Site Lockboxes: Similar to 'Knoxboxes', several keys on the ring reportedly opened the key cabinets holding all keys for entire construction projects (1 World Trade Center was cited.)

The end result of this particular key ring being sold in the 'grey market' is that vast portions of NYC's most vulnerable areas can be entered without authorization by unknown keyholders - including potential terrorists, vandals, and criminals.

While no charges have yet been filed in the event, selling city property is a crime, and the public outcry has been swift and strong - many are calling for the compromised locks to be repinned immediately.

The Cost

Even conservative estimates place the cost of this event in the tens of thousands, potentially up to hundreds of thousands of dollars.

Assuming that a single 'master key' could open 1000 potential locks throughout the city, losing a ring of 5 keys can easily affect 5000 individual locks. Assuming that the average cost of repinning a single lock is $10-$15, just the effort of changing over the locks alone could measure $50,000 - $75,000. This estimate does not consider the additional cost of recutting keys, purchasing (in some cases, rare) keyblanks, and the overall logistical labor required to administer and perform the work.

Solving The Problem

Among the number of mistakes and errors detailed in the story, the biggest failure is the lack of proper Key Control. As we previously discussed in our "Are You Neglecting Key Control?" report, this most inglorious aspect of security management is also one of the most critical.

While no indication of a key management system is given by the various reports, several of the key numbers have been tied to individual positions or keyholders. Regardless of the details of the particular system in place, the circumstance where a newspaper is able to buy a set of master keys simply would not be possible if basic key management were in place.

Given standard issuance policy, when a specific key (especially a 'master' key) is lost it should be immediately reported, or at least discovered to be missing during routine scheduled audits. At the point a key is missing, controlled and preventive action can be taken to recover the key or repin/modify affected locks, rather than a sensationalized 'knee-jerk' reaction fueled by fear.
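
The audit-and-respond process described above, sketched as an added example (not from the original article): an issuance ledger is reconciled against the keys physically presented at an audit, and the unaccounted-for keys are converted into a count of locks to repin using the article's $10-$15 per-lock figure. The key numbers, holders and lock counts are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IssuedKey:
    key_id: str        # stamped key number (constructed)
    holder: str        # position or person the key was issued to
    is_master: bool
    locks_opened: int  # number of locks this key operates

# Constructed issuance ledger; IDs, holders and lock counts are illustrative.
LEDGER = [
    IssuedKey("M-01", "engine-co-1", True, 1000),
    IssuedKey("M-02", "engine-co-1", True, 1000),
    IssuedKey("M-03", "ladder-co-2", True, 1000),
    IssuedKey("C-17", "site-office", False, 1),
    IssuedKey("C-18", "site-office", False, 1),
]

def audit(ledger, presented, reported_lost):
    """Reconcile the ledger against keys physically presented at an audit.

    Returns (key, reason) findings, master keys first so they are handled first.
    """
    findings = []
    for key in ledger:
        if key.key_id in reported_lost:
            findings.append((key, "reported_lost"))
        elif key.key_id not in presented:
            findings.append((key, "missing_at_audit"))
    findings.sort(key=lambda f: (not f[0].is_master, f[0].key_id))
    return findings

def rekey_exposure(findings, cost_low=10, cost_high=15):
    """Locks to repin and the cost range, at the article's $10-$15 per lock."""
    locks = sum(key.locks_opened for key, _ in findings)
    return locks, locks * cost_low, locks * cost_high

if __name__ == "__main__":
    found = audit(LEDGER, presented={"M-01", "C-17", "C-18"},
                  reported_lost={"M-03"})
    for key, reason in found:
        print(f"{key.key_id} ({key.holder}): {reason}, "
              f"opens {key.locks_opened} locks")
    print("locks, low $, high $:", rekey_exposure(found))
```

Running the same functions with five master keys of 1000 locks each, none presented, reproduces the article's 5000 locks and $50,000 - $75,000 estimate.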
