Security Breach Case Study: A Literal Key to NY City

Author: Brian Rhodes, Published on Oct 04, 2012

How much would it take to bring a city to it's knees? How about $150? It sounds impossible, but that is exactly what has happened in NYC. A major security vulnerability has been exposed with a simple set of keys - a "fireman's key ring" - illegally sold to a newspaper. In this note, we peek into the security firestorm, the backstory, the costs involved to recover from improperly managed 'master' keys, and discuss how to prevent similar events in the future.

The Story

In a scandalous story appearing in several publications, a retired locksmith (allegedly) elected to sell a set of master keys typically carried by NYFD on an online auction. This particular set of keys is very powerful, due to the ability to 'universally' open or control the features common to NYC skyscrapers with the following keys:

  • Elevator Control Fireman Key: Lift systems are required by code to be recalled to the ground floor and 'locked out' of service by firemen during a fire event. This prevents building occupants from becoming trapped inside cars, or potentially waiting too long for a car when they should be evacuating.
  • Subway Gate Access Key: Rolling grilles are used to control access to vulnerable areas of NYC's Subway System, and one of master keys opened these gates.
  • Circuit Breaker Cabinet/Closet: Locks securing electrical utility share a common key for quick access by fireman during firefighting efforts.
  • Construction Site Lockboxes: Similar to 'Knoxboxes', several keys on the ring reportedly opened the keycabinets holding all keys for entire construction projects (1 World Trade Center was cited.)

The end result of this particular key ring being sold in the 'grey market' is that vast portions of NYC's most vulnerable areas can be entered without authorization by unknown keyholders - including potential terrorists, vandals, and criminals.

While no charges have yet been filed in the event, selling city property is a crime, and the public outcry has been swift and strong - many are calling for the compromised locks to be repinned immediately.

The Cost

Even conservative estimates place the cost of this event in tens of thousands, potentially up to hundreds of thousands of dollars.

Assuming that a single 'master key' could open 1000 potential locks throughout the city, losing a ring of 5 keys can easily effect 5000 individual locks. Assuming that the average cost of repinning a single lock is $10-$15, just the effort of changing over the locks alone could measure $50,000 - $75,000. This estimate does not consider the additional cost of recutting keys, purchasing (in some cases, rare) keyblanks, and the overall logistical labor required to administer and perform the work.

Solving The Problem

Among the number of mistakes and errors detailed in the story, the biggest failure is proper Key Control. As we previously discussed in our "Are You Neglecting Key Control?" report, this most inglorious aspect of security management is also one of the most critical.

While no indication of a key management system is given by the various reports, several of the key numbers have been tied to individual positions or keyholders. Regardless of the details of the particular system in place, the circumstance where a newspaper is able to buy a set of master keys simply would not be possible if basic key management was in place.

Given standard issuance policy, when a specific key (especially a 'master' key) is lost it should be immediately reported, or at least discovered to be missing during routine scheduled audits. At the point a key is missing, controlled and preventive action can be taken to recover the key or repin/modify affected locks, rather than a sensationalized 'knee-jerk' reaction fueled by fear.

Comments : PRO Members only. Login. or Join.

Related Reports

Dahua Intercom Tested on Feb 07, 2019
Video intercoms are a growing market with video surveillance manufacturers expanding into this niche. IPVM is continuing its series of video...
Designing Access Control Guide on Jan 30, 2019
Designing an access control solution requires decisions on 8 fundamental questions. This in-depth guide helps you understand the options and...
Intersec 2019 Show Report on Jan 23, 2019
The 2019 Intersec show, held annually in Dubai, is now complete. IPVM attended for 3 days, interviewing numerous Chinese and Western video...
Foolish Strategy: OEMing Facial Recognition on Dec 13, 2018
Almost as 'hot' as face recognition marketing right now is OEMing facial recognition. Last year, they were a who's who of company's with...
Openpath Access Control Tested on Nov 20, 2018
Big investment in access startups is uncommon, but Openpath has recently attracted $20 million doing just that. The company has limited security...
Video Surveillance Hard Drive Size Statistics 2018 on Nov 08, 2018
What is the most common hard drive size for video surveillance? 150+ integrators answered: What size hard drive do you most commonly use? What...
Haven Targets School Security with Lockdown Lineup on Nov 08, 2018
Haven, a US startup founded in 2014 as a residential-focused company, has now raised funding and is offering a lineup of commercial grade locks for...
Favorite Video Surveillance Hard Drive Manufacturer 2018 on Nov 06, 2018
Who is the favorite hard drive for video surveillance use? 150+ integrators answered: What is your preferred brand/model of hard drive for...
Solar-Powered, Smart-Phone-Based Access Kit (VIZPin) Examined on Nov 02, 2018
Cloud-based access control company VIZPin is releasing a solar-powered and smart phone based access control system for gates and other remote...
Video Surveillance Hard Drive Failure Statistics 2018 on Nov 02, 2018
Hard drive failures can be significant service problems but how common of an issue are they in video surveillance? How long do drives last when...

Most Recent Industry Reports

Outdoor Camera Mounting Hardware Guide on Feb 21, 2019
Mounting cameras outdoors can be challenging, requiring understanding different types of equipment and methods. In this guide, we teach this...
HID Favorability Results 2019 on Feb 21, 2019
HID favorability results were strong, in the 2019 IPVM integrator study of 200+ integrators, with a net +62% and low negativity as the table below...
First US State, Vermont, Bans Dahua and Hikvision on Feb 21, 2019
The first US state, Vermont, has issued a ban on a number of Chinese and Russian manufacturers including the world's 2 largest video surveillance...
ADI 'SAVE BIG' On FLIR And Hikvision Examined on Feb 20, 2019
One is a major US defense supplier. The other is owned by the Chinese government. But you can "SAVE BIG" on both at ADI. In this note, we...
BluB0x Company Profile on Feb 20, 2019
BluB0x has doubled in revenue every year since its founding in 2013, according to CEO Patrick Barry. We originally reported on them in 2015. At the...
Security Installation Tools Guide - 22 Tools Listed on Feb 19, 2019
In this guide, we cover 22 tools that security installers frequently use. This is one part of our upcoming Video Surveillance...
Sales Cuts At Rasilient on Feb 19, 2019
Over the past 2 years, video surveillance storage specialist Rasilient has expanded its workforce significantly, aiming to build its own branded...
Exacq Raises VMS Software Pricing Twice in Less Than a Year on Feb 18, 2019
Most VMSes regularly release new features, but rarely increase their prices. For the 3rd time in 4 years, and 2nd time in 8 months, since being...
Axis IR Multi Imager Camera Tested (P3717-PLE) on Feb 18, 2019
Axis has released their first IR multi imager, the P3717-PLE, a repositionable model listing 360° IR illumination and flexible positioning,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact