Security Breach Case Study: A Literal Key to NY City

Author: Brian Rhodes, Published on Oct 04, 2012

How much would it take to bring a city to it's knees? How about $150? It sounds impossible, but that is exactly what has happened in NYC. A major security vulnerability has been exposed with a simple set of keys - a "fireman's key ring" - illegally sold to a newspaper. In this note, we peek into the security firestorm, the backstory, the costs involved to recover from improperly managed 'master' keys, and discuss how to prevent similar events in the future.

The Story

** * ********** ************** ** ******* ************, * ******* ********* (*********) ******* ** **** * *** of ****** **** ********* ******* ** **** ** ** ****** auction. **** ********** *** ** **** ** **** ********, *** to *** ******* ** '***********' **** ** ******* *** ******** common ** *** *********** **** *** ********* ****:

  • ******** ******* ******* ***:**** ******* *** ******** ** **** ** ** ******** ** the ****** ***** *** '****** ***' ** ******* ** ******* during * **** *****. **** ******** ******** ********* **** ******** trapped ****** ****, ** *********** ******* *** **** *** * car **** **** ****** ** **********.
  • ****** **** ****** ***:******* ******* *** **** ** ******* ****** ** ********** ***** of ***'* ****** ******, *** *** ** ****** **** ****** these *****.
  • ******* ******* *******/******: ***** ******** ********** ******* ***** * ****** *** *** quick ****** ** ******* ****** ************ *******.
  • ************ **** *********:******* ** '*********', ******* **** ** *** **** ********** ****** *** *********** holding *** **** *** ****** ************ ******** (* ***** ***** Center *** *****.)

*** *** ****** ** **** ********** *** **** ***** **** in *** '**** ******' ** **** **** ******** ** ***'* **** ********** ***** can ** ******* ******* ************* ** ******* ********** - ****************** **********, *******, ************.

***** ** ******* **** *** **** ***** ** *** *****, selling **** ******** ** * *****, *** *** ****** ****** has **** ***** *** ****** - **** *** ******* *** the *********** ***** ** ** ******** ***********.

The ****

**** ************ ********* ***** *** **** ** **** ***** ** tens ** *********, *********** ** ** ******** ** ********* ** dollars.

******** **** * ****** '****** ***' ***** **** **** ********* locks ********** *** ****, ****** * **** ** * **** can ****** ****** **** ********** *****. ******** **** *** ******* cost ** ********* * ****** **** ** $**-$**, **** *** effort ** ******** **** *** ***** ***** ***** ******* $**,*** - $**,***. **** ******** **** *** ******** *** ********** **** of ********* ****, ********** (** **** *****, ****) *********, *** the ******* ********** ***** ******** ** ********** *** ******* *** work.

Solving *** *******

***** *** ****** ** ******** *** ****** ******** ** *** story, *** ******* ******* ** ****** *** *******. ** ** previously ********* ** *** "*** *** ********** *** *******?" ******, **** **** ********** ****** ** ******** ********** ** also *** ** *** **** ********.

***** ** ********** ** * *** ********** ****** ** ***** by *** ******* *******, ******* ** *** *** ******* **** been **** ** ********** ********* ** **********. ********** ** *** details ** *** ********** ****** ** *****, *** ************ ***** a ********* ** **** ** *** * *** ** ****** keys ****** ***** *** ** ******** ** ***** *** ********** was ** *****.

***** ******** ******** ******, **** * ******** *** (********** * 'master' ***) ** **** ** ****** ** *********** ********, ** at ***** ********** ** ** ******* ****** ******* ********* ******. At *** ***** * *** ** *******, ********** *** ********** action *** ** ***** ** ******* *** *** ** *****/****** affected *****, ****** **** * *************** '****-****' ******** ****** ** fear.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...
Automatic Door Operators For Access Tutorial on Sep 20, 2017
Opening and closing doors might sound simple, but it takes a high-tech piece of door hardware to pull it off. Integrating automatic door operators...
Master Keying Tutorial on Sep 14, 2017
Mechanical keys are the most fundamental, albeit unsophisticated, form of access control. Like access control, Master Keying allows large scale use...
Fail Safe vs. Fail Secure Tutorial on Sep 13, 2017
Few terms carry greater importance in access control than 'fail safe' and 'fail secure'. Access control professionals must know how these concepts...
Access Control Commissioning / Install Checklist on Aug 03, 2017
This 80+ point checklist helps end users, integrators and consultants verify that access control installation is complete. It covers the following...
Smartphone Controlled Kevo Lock Tested on May 04, 2017
Smartlocks are a growing market, with millions sold. Kwikset's Kevo is one of the most common choices, using the Unikey smart phone access control...
Dell EMC Surveillance Division Profile on Apr 20, 2017
With revenue growth from traditional IT customers slowing, Dell has set a focus on the security industry as a market where the company can offer...
2Gig Intrusion Megatest (GC2 & GC3 Panels Tested) on Mar 28, 2017
2Gig is one of the most widely used intrusion systems, with two product lines that are the main offering of many alarm companies, huge national...
Lock Keyways For Access Control Guide on Mar 23, 2017
Lock keyways can be the difference between a lock working or not. Understanding keyways is important for access control. Indeed, a member recently...
Unikey Smart Phone Access Control Platform Profile on Mar 21, 2017
More and more people carry smart phones. Many think this could replace the conventional key or card for access control. However, using a phone...

Most Recent Industry Reports

Reseting IP Cameras - 30 Manufacturer Directory on Sep 22, 2017
Every camera has a reset button (well, almost) but it is not always clear what these buttons do, how long they need to be held, what settings they...
80+ OEMs Verified Vulnerable To Hikvision Backdoor on Sep 22, 2017
Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the...
Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...
Genetec CEO Warns Against Insider Threats on Sep 21, 2017
With Dahua and Hikvision cybersecurity issues becoming indisputable, a new counter has emerged. Just put them behind a firewall, buy cheap...
New IPVM Calculator V3 Released on Sep 20, 2017
The New IPVM Calculator V3 is released. An entirely new architecture delivers the following benefits: Turbo The calculator is now ~50% faster in...
Automatic Door Operators For Access Tutorial on Sep 20, 2017
Opening and closing doors might sound simple, but it takes a high-tech piece of door hardware to pull it off. Integrating automatic door operators...
'Clowns' Allege Ubiquiti 'Completely Fraudulent' on Sep 20, 2017
A short seller has alleged Ubiquiti is 'completely fraudulent'. Ubiquiti's CEO has responded calling them 'clowns'. Here is the short...
Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
HID Buys Mercury Security on Sep 19, 2017
One of the biggest access control deals in years. Mercury Security, the most widely used access hardware OEM, and partner to 20+ manufacturers,...
Hikvision Backdoor Exploit on Sep 18, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact