Friday, March 1, 2013

Fire Fighting Security Notes: Security expert claims he hacked #KnoxBox


Security expert warns fire department lockboxes can be hacked


(Reuters) - A security expert warned that criminals can gain access to locked businesses and apartments across the United States by reproducing the master keys now issued only to firefighters during emergencies.
Typical Knox Box Installation
Photo Credit: Forestvillefire.org
SAN FRANCISCO — A security expert says he has identified a flaw in heavy metal boxes that are found outside many locked companies and apartments and warns that criminals can gain access to these businesses by reproducing master keys issued only to firefighters.

The boxes manufactured by Arizona-based Knox Co. are outside of millions of apartment complexes and companies across the country, including cities like Chicago, Atlanta and San Francisco, according to Reuters. Knox is looking into the claim.

Justin Clarke, a cyber security researcher said he was able to create a key that was able to open a Knox Box by ordering a box and blank keys and reproducing the master key that is usually issued to firefighters from the Box.

Knox officials said they were unaware of any safety issues with the boxes and would look into it. An engineer with company said he found the hacking hard to believe.

"I'm not saying that somebody can't eventually make one, but I haven't seen it yet," Knox Engineer Dohn Trempala said.

Clarke claims that because only one master key cut is issued for firefighters in each city, it is possible for a reproduced key to give criminals access to every box in that city.

Using a metal file, and specific measurements from the box, Clarke says he was able to make a "hacked" key in about four hours.

"A highly motivated criminal with plenty of time on their hands and incredible focus could do this. All it takes is time, focus and intent," said Clarke told Reuters.

Lock expert Marc Weber Tobias told Reuters he thinks the hack is possible and that Knox can prevent it by changing how it ships its product.

"What he did is not technical. It's not sophisticated," Tobias said. "It's good research. He alerted everybody to a vulnerability."

Tobias said that Knox should ship its boxes to customers without locks and send the locks directly to the fire department that would then install both the box and lock. Currently, fire departments install the boxes with the locks in place.

The FBI and Department of Homeland Security are also looking into the issue, Trempala told Reuters.

Source: Reuters. - http://www.reuters.com/article/2013/03/01/us-security-lockbox-idUSBRE92004T20130301

Post a Comment

Search Cal Fire News

Twitter links

-

Twitter Buttons