Security Breach Case Study: A Literal Key to NY City

Author: Brian Rhodes, Published on Oct 04, 2012

How much would it take to bring a city to it's knees? How about $150? It sounds impossible, but that is exactly what has happened in NYC. A major security vulnerability has been exposed with a simple set of keys - a "fireman's key ring" - illegally sold to a newspaper. In this note, we peek into the security firestorm, the backstory, the costs involved to recover from improperly managed 'master' keys, and discuss how to prevent similar events in the future.

The Story

** * ********** ************** ** ******* ************, * ******* ********* (*********) ******* ** **** * *** of ****** **** ********* ******* ** **** ** ** ****** auction. **** ********** *** ** **** ** **** ********, *** to *** ******* ** '***********' **** ** ******* *** ******** common ** *** *********** **** *** ********* ****:

  • ******** ******* ******* ***:**** ******* *** ******** ** **** ** ** ******** ** the ****** ***** *** '****** ***' ** ******* ** ******* during * **** *****. **** ******** ******** ********* **** ******** trapped ****** ****, ** *********** ******* *** **** *** * car **** **** ****** ** **********.
  • ****** **** ****** ***:******* ******* *** **** ** ******* ****** ** ********** ***** of ***'* ****** ******, *** *** ** ****** **** ****** these *****.
  • ******* ******* *******/******: ***** ******** ********** ******* ***** * ****** *** *** quick ****** ** ******* ****** ************ *******.
  • ************ **** *********:******* ** '*********', ******* **** ** *** **** ********** ****** *** *********** holding *** **** *** ****** ************ ******** (* ***** ***** Center *** *****.)

*** *** ****** ** **** ********** *** **** ***** **** in *** '**** ******' ** **** **** ******** ** ***'* **** ********** ***** can ** ******* ******* ************* ** ******* ********** - ****************** **********, *******, ************.

***** ** ******* **** *** **** ***** ** *** *****, selling **** ******** ** * *****, *** *** ****** ****** has **** ***** *** ****** - **** *** ******* *** the *********** ***** ** ** ******** ***********.

The ****

**** ************ ********* ***** *** **** ** **** ***** ** tens ** *********, *********** ** ** ******** ** ********* ** dollars.

******** **** * ****** '****** ***' ***** **** **** ********* locks ********** *** ****, ****** * **** ** * **** can ****** ****** **** ********** *****. ******** **** *** ******* cost ** ********* * ****** **** ** $**-$**, **** *** effort ** ******** **** *** ***** ***** ***** ******* $**,*** - $**,***. **** ******** **** *** ******** *** ********** **** of ********* ****, ********** (** **** *****, ****) *********, *** the ******* ********** ***** ******** ** ********** *** ******* *** work.

Solving *** *******

***** *** ****** ** ******** *** ****** ******** ** *** story, *** ******* ******* ** ****** *** *******. ** ** previously ********* ** *** "*** *** ********** *** *******?" ******, **** **** ********** ****** ** ******** ********** ** also *** ** *** **** ********.

***** ** ********** ** * *** ********** ****** ** ***** by *** ******* *******, ******* ** *** *** ******* **** been **** ** ********** ********* ** **********. ********** ** *** details ** *** ********** ****** ** *****, *** ************ ***** a ********* ** **** ** *** * *** ** ****** keys ****** ***** *** ** ******** ** ***** *** ********** was ** *****.

***** ******** ******** ******, **** * ******** *** (********** * 'master' ***) ** **** ** ****** ** *********** ********, ** at ***** ********** ** ** ******* ****** ******* ********* ******. At *** ***** * *** ** *******, ********** *** ********** action *** ** ***** ** ******* *** *** ** *****/****** affected *****, ****** **** * *************** '****-****' ******** ****** ** fear.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Access Controller Software Guide on Dec 11, 2017
Properly configuring access controllers software is key to a professional access system. These devices have fundamental settings that must be...
Hazardous & Explosion Proof Access Control Tutorial on Nov 27, 2017
Controlling access to hazardous environments require equipment meeting specific ratings that certify they will not start fires. Understanding those...
Top Maglock Provider Warns Against Using Maglocks on Nov 21, 2017
Do not buy my company's product. It sounds strange indeed, but a senior Allegion consultant stated that maglocks should not be used in common...
Assa August Smartlock Pro Tested on Nov 07, 2017
Failures and set backs in the smartlock business have been commonplace (e.g., Lockitron Admits Failure and issues from our 2017 Kevo test). But...
Assa Abloy Acquires August on Oct 25, 2017
The mega access control manufacturer, Assa Abbloy, has acquired one of the most well funded access control startups, smart lock...
Door Closers Access Control Tutorial on Oct 24, 2017
Door Closers have an important job: automatically shut doors when they are opened, because an open door cannot control access. In this note, we...
Multipoint Lock Access Control Tutorial on Oct 17, 2017
Doors are notoriously weak at stopping entry, and money can be misspent on wrong locks that leave doors quite vulnerable. While closed and locked...
PoE Powered Access Control Tutorial on Oct 12, 2017
Powering access control with Power over Ethernet, like for IP cameras, has become increasingly common.  However, the demands for access power are...
Delayed Egress Access Control Tutorial on Oct 04, 2017
Is it ever legal to lock people into a building? The answer is: Yes... under specific situations. With so much of access control driven by life...
Access Control Job Walk Guide on Sep 26, 2017
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...

Most Recent Industry Reports

Testing DMP XTLPlus / Virtual Keypad Vs Alarm.com & Honeywell on Dec 13, 2017
DMP has a strong presence in commercial intrusion alarms, but not in residential. However, the company's XTLPLus wireless combo panel and Virtual...
Hiring Camera Calculator Product Manager on Dec 12, 2017
We are working on making the Camera Calculator even better and hoping you can help us find the right person to join our team. IPVM is hiring a...
Testing $20 WyzeCam, The Money Losing Amazon Vet Startup on Dec 12, 2017
This startup is perfecting the old adage: We lose money on every sale, but make it up on volume But it is no joke. The company, Wyze Labs, is...
Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks on Dec 12, 2017
The Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attack has a new critical vulnerability, confirmed by...
Robot Vandalism on Dec 11, 2017
Vandalism of security systems is a common concern. It is so common that camera vandalism statistics show that designers routinely sacrifice camera...
Access Controller Software Guide on Dec 11, 2017
Properly configuring access controllers software is key to a professional access system. These devices have fundamental settings that must be...
2018 Video Surveillance Cameras Overview on Dec 11, 2017
This report concisely explains the developments for surveillance cameras offered in 2017 and the state of offerings going into 2018, including...
Imperial Capital Security Investor Conference Review on Dec 08, 2017
Investment bank Imperial Capital holds an annual Security Investor Conference where 60+ companies present, including this year: IPVM bought a...
Integrator GPS Vehicle Tracking Statistics and Success Examined on Dec 08, 2017
GPS vehicle tracking is a growing but somewhat controversial topic. On the plus side, tracking may increases productivity by providing greater...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact