Schneier on Security
A blog covering security and security technology.
« Another Liars and Outliers Review |
| Apple Turns on iPhone Tracking in iOS6 »
October 15, 2012
Earlier this month, a retired New York City locksmith was selling a set of "master keys" on eBay:
Three of the five are standard issue for members of the FDNY, and the set had a metal dog tag that was embossed with an FDNY lieutenant's shield number, 6896.
The keys include the all-purpose "1620," a master firefighter key that with one turn could trap thousands of people in a skyscraper by sending all the elevators to the lobby and out of service, according to two FDNY sources. And it works for buildings across the city.
That key also allows one to open locked subway entrances, gain entry to many firehouses and get into boxes at construction jobs that house additional keys to all areas of the site.
The ring sold to The Post has two keys used by official city electricians that would allow access to street lamps, along with the basement circuit-breaker boxes of just about any large building.
Of course there's the terrorist tie-in:
"With all the anti-terrorism activities, with all the protection that the NYPD is trying to provide, it's astounding that you could get hold of this type of thing," he said.
He walked The Post through a couple of nightmare scenarios that would be possible with the help of such keys.
"Think about the people at Occupy Wall Street who hate the NYPD, hate the establishment. They would love to have a set. Wouldn't it be nice to walk in and disable Chase's elevators?" he said.
Or, he said, "I could open the master box at construction sites, which hold the keys and the building plans. Once you get inside, you can steal, vandalize or conduct terrorist activities."
The Huffington Post piled on:
"We cannot let anyone sell the safety of over 8 million people so easily," New York City Public Advocate Bill de Blasio said in a statement. "Having these keys on the open market literally puts lives at risk. The billions we've spent on counter-terrorism have been severely undercut by this breech [sic]."
Sounds terrible. But -- good news -- the locksmith has stopped selling them. (On the other hand, the press has helpfully published a photograph of the keys, so you can make your own, even if you didn't win the eBay auction.)
I found only one story that failed to hype the threat.
The current bit of sensationalism aside, this is fundamentally a hard problem. Master keys are only useful if they're widely applicable -- and if they're widely applicable, they need to be distributed widely. This means that 1) they can't be kept secret, and 2) they're very expensive to update. I could easily imagine an electronic lock solution that would be much more adaptable, but electronic locks come with their own vulnerabilities, since the electronics are something else that can fail. I don't know if a more complex system would be better in the end.
Posted on October 15, 2012 at 7:02 AM
• 50 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
And I had thought 'master key' was another name for a 12 gauge shotgun that military and police use.
The first link has a trailing quote (") that needs to be removed before the link works.
sort of like china .. bike lock manufacturers sell the locks to bike and scooter owners, and the master keys to thief rings.
The interesting thing is that it while selling the actual keys may be policed to some degree and such auctions may be taken off eBay, there's no way to stop selling/disseminating the information regarding the shape of the keys, in a form of an AutoCAD file or similar - often even a photo would be suffictient. Such files, once spread over the net, never could be all hunted down.
So it is safe to assume that anyone who really wants them, has them.
I love how people can always find disaster scenarios when they want to change something, but not when they are in favour of something.
Suggesting monthly criminal record checks for all firefighters, a key register and regular random key audits would be a great mitigation - but not much of a vote-winner.....
Better yet - everyone should be frisked by the TSA before entering buildings 'to protect children from terrorists with master keys.'.
Try arguing with that in an election year.
Because buying something openly on ebay is so much more terrifying than slipping somebody of $20 so you can borrow their keyring for a few hours...
And never mind the attack Matt Blaze published a little while back: if you have a "normal" key for the lock in question, and the ability to cut keys, then you can determine the bitting of the master key with very little effort.
I know quite a few people here in France that have "mailman" keys that essentially open all front doors of residential apartment buildings, including converted house.
The idea is that the mailman has to have access to the individual mailboxes for every tenant, which are almost always inside. There are "mailman" key-fobs and magnetic cards as well.
They're known as a "clé pass-partout"or a "PTT T-10"), the latter of which is apparently the official designation (because in France EVERYTHING has an official designation and a law specifically pertaining to it!)
There should not be an additional risk of grounding the elevators in a tall building by having this key, simply activate the fire alarm and the elevators should ground without a key - the key should allow you to turn elevators on in this scenario and that doesn't seem much of a risk.
Wait, "trap people" by sending all the elevators to the ground floor?
At worst, inconvenience people by making them take the stairs. Hardly trapped.
Sure, there's a few special cases of people with limited mobility who would be more than inconvenienced -- but this is no different than a denial of service attack, and one with a much easier resolution. The attack would only last so long as the black hat had a physical presence at the lock cylinder.
> trap thousands of people in a skyscraper by sending all the elevators to the lobby and out of service, according to two FDNY sources
Are there no stairs?
> trap thousands of people in a skyscraper by sending all the elevators to the lobby and out of service, according to two FDNY sources
Wouldn't it only take another official with keys to (quickly!) set the elevators in motion again?
There seems to be a lack of discussion on the protocols for the "retired" individual, in that he should have be required to forfeit any/all such keys at or BEFORE retirement, and had to sign a non-disclosure (with all the restrictions) under penalty of law with regard to his knowledge, possesions pertaining to work, or attempting to monetize same without former employees permission.
Sounds harsh but the potential impact for lost lives is worse. Is this guy in jail yet?
@kashmarek - Such a protocol wouldn't help much - it's too easy to make copies of keys.
However, if you think that that person should be penalized, what of all the newspapers and other news sources which have now put all those keys into the public domain - presumably doing a lot more damage than a person selling a physical key?
How hard is it to pick these locks in the first place?
The outcry of public officials over this is really stupid. They need to get a security engineer.
All locks are insecure -- doubly so if the keys are given out to every firefighter or meter reader in the city. If there is a lock that absolutely positively cannot be opened by an unauthorized user, it needs to be supplemented or replaced by more secure systems.
In the case of the fire key for elevators, the best supplementary system is giving a copy of the key to building security and having the system notify them whenever the fire key is used, so that they can investigate.
In all the other cases, such as basement circuit breakers, if they are so vitally important to keep secure, then why is a simple lock considered good enough? I am pretty sure a crowbar would be a good enough master key to get into any breaker box.
Revealing the cut of the keys doesn't make the system any more insecure than it already is by dint of its design.
Gotta love the article's propaganda wrt the "terrorism" of OWS. They're getting their money's worth on this one.
What about 3D printing the keys based on the image in the newspaper?
Master keys are a convenience, not a security measure.
One of the keys had a badge number etched on it.
The story said that the FD was investigating. Then it says that they claim such a badge number doesn't exist.
Did the newspaper have the ability to clarify that detail, or did they decide not to push for that data?
Interestingly, the editor could have replaced every instance of "terrorist" and "terrorism" with "criminal", and not changed the meaning of the sentences at all.
The keys could be acquired for nefarious purposes by unauthorized persons.
What makes this story fun is that they KNOW there's keys out there. You can't tell me that this strange keyring is the only keyring of keys "lost" during the excitement of duty.
And of course the old maxim will still hold true, as it always has: Locks keep honest people honest.
@Johnston: I love that angle. It's the best part of the story. "Those dirty hippy society-destroyers... They're terrorists I say, terrorists!"
"Wouldn't it only take another official with keys to (quickly!) set the elevators in motion again?"
Actually, as I understand it, they wouldn't even need the key - just chase the attacker away and remove their key from the lock.
@RH: exactly. eBay is just a medium, there's nothing new about being a market for this kind of item and there's got to be more unauthorized keys in circulation than this set. But because the transaction was set to take place through an electronic medium this becomes cyber-terrorism instead of just a common misdemeanor.
Sounds terrible. But -- good news --
...Is there hasn't been an attack like they have mentioned? I'm sure there's been "unsolved" instances of theft.
Are there no stairs?
--To make the nightmare scenario complete, they've locked the stairwell doors as well.
could trap thousands of people in a skyscraper by sending all the elevators to the lobby and out of service
They'd better remove all those "In case of fire use stairs" placards, then. It sounds like the only way out is the elevator.
@Figureitout: Then light the building on fire? Preferably while setting up a pirate TV station claiming it's 9/11 all over again so that everyone jumps out the windows.
Is that movie threat enough?
No, I could give you mine; but I want to remain on good terms w/ the Moderator. It would have involved lockitrons, Times Square, Anonymous, and Jigsaw.
In all seriousness, if I could get judicial immunity, I would like to try these crazy scenarios. I highly doubt I would have much success besides getting somewhere I shouldn't be. Just the other day, I believe I spotted some thieves scoping a target in my neighborhood; much easier targets, but let's just say I was ready for them...
This is like an advertisement for lockitron.com...
EBay sellers often include very comprehensive photographs of locks and keys, especially the high security (expensive) locks and keys they sell. Save the pictures, see the feedback, and you have the key for the buyer's locks. Pretty stupid.
I don't know if a more complex system would be better in the end.
The simple answer is "absolutly not" arguably the system is to complex as it is even with simple locks.
As an example what those in the US used to call the "Denver Boot" and others call the "wheel clamp" are not used in some places because of the locals attitude and tubes of "super glue". One version of this was told by a motoring program that, In Paris there are no longer any wheel clamps, becasue the enterprising French citizen outraged at the affront to liberty would go across and super glue the lock solid so it had to be cut off which it obviously had been designed not to be able to do. Thus creating much inconveniance and excessive cost and thereby punishing not just the clamping organisations but those who thought of using the clamps in the first place...
The whole point of these public service master key locks is not as security but as a safety feature or more correctly a "liability limiting" feature for organisations. Essentialy they are there to keep people from entering an area where they might come to harm or cause a nuisance either of which in a sue happy culture costs insurance organisations lots of money. However if they err to much towards security you go the other way in that people get hurt by emergancy responders etc not being able to get to places to save lives directly or indirectly (ie turn services off).
As a solution they keep us close to the optimum point on the safety curve under a broad range of known risks, but as risks and reliability change the optimum moves.
Unfortunatly the risks can also be forcefully moved by incorrect assessment of other issues, which the clarion call of "Terrorism" is likely to cause.
We have seen something similar played out in the UK. Here the master keys are often known as FB Keys (ie Fire Brigade keys) and used to be used to limit access to many places including the roofs of tower blocks. In the 1980's VHF Pirate Radio got going with people converting Taxi Cab base stations to work in the VHF broadcast band. They then obtained FB keys simply by opening the "break glass" box and taking them away to be cut. At this point the risk profile had at best marganily changed. However the Government Dept with responsability for licencing the air waves (back then the Home Office) was preasurised by considerable comercial preasure (from the likes of Richard Attenborough) to deal with the Pirates who were taking advertising revenue away from the comercial radio stations such as London's "Capitol Radio". The result is preasure was put on the owners/operators of the towerblocks to more securely restrict access to the roofs. So now FB locks are not used on many tower block roofs and in some places individual high security locks are used which very much changes the risk profile.
Has this stopped the Pirates, not a bit, infact it's made them considerably more difficult to stop because the pirates either "impression the lock" or crow bar the lock and put their own lock in thus considerably delaying the authorities getting access to and turning off / removing the equipment.
So the authorities have taken to crowbaring the door and putting their own locks in as a temporary measureb which can take weeks to sort out. In the process this has considerably increased the risk to the residents of such tower blocks...
Master key versus shotgun or crowbar:
The former let keep access to the particluar lock and space being locked hidden. E.g. when LEO secretly set up key logger on PC inside the appartment of the suspect, they are not using latter, but lock picks. I guess that they do have for high level black ops master keys for several brands of popular locks of resedential units, cars, private homes, etc. in targeted jurisdiction.
By the way, there are master keys for hand cuffs as well.
For many master lock applications, you can replace security with surveillance. Rather than locking the door securely, install a dumb camera that photographs the doorway every time it opens, and post a sign outside saying "Authorized personnel only, violators will be prosecuted, area under surveillance" -- and pass a local law if you need to put more teeth on that threat.
This should keep out curiosity-seekers and petty criminals. It won't keep out a determined terrorist or serious burglar, but then, neither will a master key.
First off, let's talk about the elevator keys. Great source of distraction for either criminal or terrorist activity. For those who say all you have to do is put them back into service, all I have to say is 'epoxy'. Good luck getting the broken off key stub out without a couple hours and a locksmith. I'm pretty sure the building would be locked down, at least until the elevators are fixed. If someone called in a bomb threat, longer, plus almost certainly there would be casualties during an elevator-less evactuation of one of the bigger buildings, especially if people believed it wasn't a drill.
Second, street lights, breaker boxes and construction sites? Even excluding movie-plot uses (put in a remote switch to turn off street lights on command for example; anyone who can do that competently probably isn't worried about the lock anyway) copper thieves are what 'd be worried about here. Of course, depending on NYs scrap laws, they may or may not be that big a problem these days.
I remember a lockpicking tournament in a security conference I was present, locks don't have a chance against knowledge, there are several books (some of them quite old) about this topic.
Regardless of how you feel about Occupy Wall Street........is it just me or did that article conflate what they do with terrorism??
Phocks, if I remember correctly most of those elevator locks can be access with the proper screw driver (torx, or philllips mostly). All you have to do then is jump the proper cables at the end and you bypassed the mechanical lock. Not much different than jacking a car start. All the lock does is keep the silly pranksters from pranking. Think about the mall escalators and teens hitting the panic stop button. It then takes someone with a key to restart it. Ohh the humanity, people are then trapped on the second floor.
...Occupy Wall Street........is it just me or did that article conflate what they do with terrorism??
That depends on what your definition of terrrorism. One is the old catch all of "Effects National Security", and arguably some of those on wall street would have been effected in some way by the protesters so did not perform as well as they might, or atleast that is what their employers will claim.
I suspect it won't be long befor kids running and shouting around a shopping mall will be portrayed in a negative light and attempts made to liken them or their actions to that of terrorists.
I guess the real question is, when will the children in the US will be taught that reporting your parents for making negative comments about some asspect of US life is a civic duty.
Senator Joe McCathy sure got his timings wrong, just think what fun he'd be having witth an Anti-American enquiry these days...
That should be "Un-American" not "Anti-American"...
I don't know whether the New York branch of Occupy would want to break into places using illicitly obtained master keys, but I do recall that the London outfit's General Assembly approved the purchase of a set of bolt cutters for £137, presumably for use in their peaceful protest camp outside St. Paul's cathedral.
I've camped out from time to time, and I don't recall ever wishing I had a set of bolt cutters handy. That's the sort of tool you'd associate more with rogues and villains breaking in to other people's buildings. Can't imagine why #occupylsx wanted them.
Just for the record: it's in the accounts for 10th January 2012. It says the bolt cutter was intended for 'direct action'.
I'm told that General Assembly decisions reflect group consensus and that anybody can veto if they want to. So I can only assume that all of #occupylsx felt that bolt cutters were indeed a part of the direct action their group should be taking.
If the American groups are anything like these, I'd be wary of letting them get hold of master keys to buildings too.
I love the hilarious statement that exposing a single master key exposes the billions of pounds they've spent on counter-terrorism as being worthless - then proceeding to blame the release of the master key.
One could argue that perhaps a small portion of those billions could have been spent on a 'brilliant' mind who might have considered the risk associated with master keys and mitigated against it as relevant. Y'know, like anyone in our industry outside the government.
"The idea is that the mailman has to have access to the individual mailboxes for every tenant, "
I once lived in an apartment building with a much better system. To open the door into the lobby, you had to swipe a magnetic stripe card through a reader.
The clever bit was that during business hours, you could use any mag stripe card you liked: credit card, bank card, seasonal bus pass, whatever. All it did was record it. This meant that anyone with business in the building could easily get in, but if you got up to no good, an investigator would have some sort of starting point to track you down. At least, it claimed to record it; the suggestion was probably enough of deterrent to casual larceny.
Outside business hours, it would only open for a card that was actually registered with the system. Apart from residents and employees, a number of cards were registered for the local fire brigade.
> If the American groups are anything like these, I'd be wary of letting them get hold of master keys to buildings too.
Yet you've just identified that it makes absolutely no difference to their actions. If they don't have master keys then they'll just use bolt cutters - so the master keys are irrelevant!
How long ago was that, Roger? Buy a gift card with cash and they'll have to hope the cashier remembers you well enough to significantly reduce the number of people to look for. Steal one, pick one out of the trash, or even get a multi-pack, and they can't find you at all.
It was about 10 years ago.
" Steal one, pick one out of the trash, or even get a multi-pack, and they can't find you at all."
Sure. But having gone to all that trouble, you've achieved no more than could have done by tailgating: you got into the lobby, during business hours when plenty of people are coming and going. It's not meant to be high security, it's just "picket fence" deterrence against pan-handlers, rubbish dumpers, casual vandalism and junk-mail stuffers.
The neat part is the way that switching from a (very low grade) monitoring system to an authentication system, prevents issues in low security mode from affecting high security mode. It's actually very similar to the reason picket fences are useful despite being easy to climb over.
In the version that phanmo described, the postman's key system would be quite an asset to a burglar if he could get his hands on one of the many copies of the special key, or duplicate it using Blaze's attack. After-hours, protected by an appearance of legitimacy, he could successively enter many buildings until he found an unoccupied flat. Then, screened from view of passersby, break in. Or follow a victim to his/her door.
Plus it requires administrative overhead, and requires that you know in advance all tradesmen who might have legitimate business.
In contrast, this system is self-organising by day, and provides no assistance at all to a thief after-hours.
Bruce, The picture in the link is you. Has that article been hacked?
Keys exist solely to deter the casual attacker.
The determined attacker is assumed to be able to unlock the streetlamps (or whatever).
The secure response is twofold:
(1) be able to identify and repair whatever this person did to the streetlamps, *after the fact*;
(2) give very few people a motivation to unlock the streetlamps
(3) Make people suspicious of people found to be unlocking the streetlamps
Those are the actual goals.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.