Security Breach Case Study: A Literal Key to NY City

Author: Brian Rhodes, Published on Oct 04, 2012

How much would it take to bring a city to it's knees? How about $150? It sounds impossible, but that is exactly what has happened in NYC. A major security vulnerability has been exposed with a simple set of keys - a "fireman's key ring" - illegally sold to a newspaper. In this note, we peek into the security firestorm, the backstory, the costs involved to recover from improperly managed 'master' keys, and discuss how to prevent similar events in the future.

The Story

In a scandalous story appearing in several publications, a retired locksmith (allegedly) elected to sell a set of master keys typically carried by NYFD on an online auction. This particular set of keys is very powerful, due to the ability to 'universally' open or control the features common to NYC skyscrapers with the following keys:

  • Elevator Control Fireman Key: Lift systems are required by code to be recalled to the ground floor and 'locked out' of service by firemen during a fire event. This prevents building occupants from becoming trapped inside cars, or potentially waiting too long for a car when they should be evacuating.
  • Subway Gate Access Key: Rolling grilles are used to control access to vulnerable areas of NYC's Subway System, and one of master keys opened these gates.
  • Circuit Breaker Cabinet/Closet: Locks securing electrical utility share a common key for quick access by fireman during firefighting efforts.
  • Construction Site Lockboxes: Similar to 'Knoxboxes', several keys on the ring reportedly opened the keycabinets holding all keys for entire construction projects (1 World Trade Center was cited.)

The end result of this particular key ring being sold in the 'grey market' is that vast portions of NYC's most vulnerable areas can be entered without authorization by unknown keyholders - including potential terrorists, vandals, and criminals.

While no charges have yet been filed in the event, selling city property is a crime, and the public outcry has been swift and strong - many are calling for the compromised locks to be repinned immediately.

The Cost

Even conservative estimates place the cost of this event in tens of thousands, potentially up to hundreds of thousands of dollars.

Assuming that a single 'master key' could open 1000 potential locks throughout the city, losing a ring of 5 keys can easily effect 5000 individual locks. Assuming that the average cost of repinning a single lock is $10-$15, just the effort of changing over the locks alone could measure $50,000 - $75,000. This estimate does not consider the additional cost of recutting keys, purchasing (in some cases, rare) keyblanks, and the overall logistical labor required to administer and perform the work.

Solving The Problem

Among the number of mistakes and errors detailed in the story, the biggest failure is proper Key Control. As we previously discussed in our "Are You Neglecting Key Control?" report, this most inglorious aspect of security management is also one of the most critical.

While no indication of a key management system is given by the various reports, several of the key numbers have been tied to individual positions or keyholders. Regardless of the details of the particular system in place, the circumstance where a newspaper is able to buy a set of master keys simply would not be possible if basic key management was in place.

Given standard issuance policy, when a specific key (especially a 'master' key) is lost it should be immediately reported, or at least discovered to be missing during routine scheduled audits. At the point a key is missing, controlled and preventive action can be taken to recover the key or repin/modify affected locks, rather than a sensationalized 'knee-jerk' reaction fueled by fear.

Comments : PRO Members only. Login. or Join.

Related Reports

Dahua Intercom Tested on Feb 07, 2019
Video intercoms are a growing market with video surveillance manufacturers expanding into this niche. IPVM is continuing its series of video...
Designing Access Control Guide on Jan 30, 2019
Designing an access control solution requires decisions on 8 fundamental questions. This in-depth guide helps you understand the options and...
Intersec 2019 Show Report on Jan 23, 2019
The 2019 Intersec show, held annually in Dubai, is now complete. IPVM attended for 3 days, interviewing numerous Chinese and Western video...
Foolish Strategy: OEMing Facial Recognition on Dec 13, 2018
Almost as 'hot' as face recognition marketing right now is OEMing facial recognition. Last year, they were a who's who of company's with...
Openpath Access Control Tested on Nov 20, 2018
Big investment in access startups is uncommon, but Openpath has recently attracted $20 million doing just that. The company has limited security...
Video Surveillance Hard Drive Size Statistics 2018 on Nov 08, 2018
What is the most common hard drive size for video surveillance? 150+ integrators answered: What size hard drive do you most commonly use? What...
Haven Targets School Security with Lockdown Lineup on Nov 08, 2018
Haven, a US startup founded in 2014 as a residential-focused company, has now raised funding and is offering a lineup of commercial grade locks for...
Favorite Video Surveillance Hard Drive Manufacturer 2018 on Nov 06, 2018
Who is the favorite hard drive for video surveillance use? 150+ integrators answered: What is your preferred brand/model of hard drive for...
Solar-Powered, Smart-Phone-Based Access Kit (VIZPin) Examined on Nov 02, 2018
Cloud-based access control company VIZPin is releasing a solar-powered and smart phone based access control system for gates and other remote...
Video Surveillance Hard Drive Failure Statistics 2018 on Nov 02, 2018
Hard drive failures can be significant service problems but how common of an issue are they in video surveillance? How long do drives last when...

Most Recent Industry Reports

The Fastest Growing Video Surveillance Sales Organization Ever - Verkada on Apr 17, 2019
Verkada has the fastest growing video surveillance sales organization ever. In less than 2 years, they already have more salespeople in the US...
Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Securadyne CEO: IPVM 'Entertaining For An Ignorant Few' on Apr 16, 2019
Securadyne's CEO Carey Boethel is unhappy with IPVM's report - Failed Integrator Rollup, Securadyne Sells to Guard Giant Allied. Indeed, he...
Dahua Repositionable IR Multi-Imager Camera Tested on Apr 16, 2019
Dahua has released their first repositionable multi-imager camera, the Multi-Flex 4x2MP, claiming integrated IR, true WDR, and flexible...
Strong ISC West 2019 For Manufacturers But Concerns For 2020 March Move on Apr 16, 2019
ISC West 2019 was strong for manufacturers, according to new IPVM survey results of 100+ manufacturers, consistent with 2018 results. However,...
Axis Supports HD Analog on Apr 15, 2019
In 2017, Axis declared 'Everything is IP': Now, in 2019, Axis has released support for HD analog, with their new encoders.  Why the change?...
Alarm.com Favorability Results 2019 on Apr 15, 2019
The once dot com startup has evolved to become a core provider for home security and is now expanding into commercial. In their first entry in...
UK Camera Commissioner Calls for Regulating Facial Recognition on Apr 15, 2019
IPVM interviewed Tony Porter, the UK’s surveillance camera commissioner after he recently called for regulations on facial recognition in the...
ISC West 2019 Report on Apr 12, 2019
The IPVM team has finished at the Sands looking at what companies are offering and how they are changing their positioning. See below for 50+...
Pole Mount Camera Installation Guide on Apr 11, 2019
Poles are a popular but challenging choice for deploying surveillance cameras outdoors. Poles are indispensable for putting cameras at the right...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact