Reuters: U.S.: Security expert warns fire department lockboxes can be hacked

Reuters: U.S. Reuters.com is your source for breaking news, business, financial and investing news, including personal finance and stocks. Reuters is the leading global provider of news, financial information and technology solutions to the world's media, financial institutions, businesses and individuals. // via fulltextrssfeed.com

Security expert warns fire department lockboxes can be hacked Mar 1st 2013, 03:14 By Jim Finkle SAN FRANCISCO | Thu Feb 28, 2013 10:14pm EST SAN FRANCISCO (Reuters) - A security expert warned that criminals can gain access to locked businesses and apartments across the United States by reproducing the master keys now issued only to firefighters during emergencies. The expert said he identified a flaw in the heavy metal boxes made by an Arizona-based company called Knox Co, now commonly found outside millions of apartment complexes and commercial properties in cities across the country, including Chicago, Atlanta and San Francisco. These so-called "Knox Boxes" contain keys to apartments and other spaces, which in turn only firefighters issued a master key can open. Knox told Reuters on Friday it was unaware of any security flaws in its products, but will investigate research presented at the RSA conference in San Francisco this week. Justin Clarke, a researcher with cyber security firm Cylance Inc, said he created a key capable of opening a Knox Box after buying one from the company's website for about $300 and blank keys on eBay for about $2 each, all of which were mailed to his home. Because Knox issues one standard master key to firefighters in each city, a single hack - or reproduced key - can, in theory, give criminals access to every box installed within that particular city. Some federal government facilities overseas have Knox Boxes placed outside of them. Dohn Trempala, an engineer with Phoenix-based Knox, told Reuters he found it hard to believe that Clarke had succeeded in fabricating a Knox Box key, noting that similar claims in the past have turned out to be false. "I'm not saying that somebody can't eventually make one, but I haven't seen it yet," Trempala said. He said the government was also looking into the matter. "The Feds are already working on it," he said, but would not elaborate. Officials with the FBI and Department of Homeland Security declined comment. METHOD During his presentation at the conference, Clarke described how he created the Knox Box key in about four hours using the purchased box and a $30 metal file. Clarke said he removed the core of a Knox Box lock with a socket wrench, pulled out the pins, replaced them, measured the grooves, then carved out a key with the file. He subsequently confirmed the key worked by testing it on a locked Knox Box in his own laboratory. "A highly motivated criminal with plenty of time on their hands and incredible focus could do this. All it takes is time, focus and intent," said Clarke, whose full-time job is finding security bugs in computer networks, not mechanical devices. Marc Weber Tobias, a well-regarded expert on lock security who reviewed Clarke's research, said he believed Clarke's hack could be replicated. "What he did is not technical. It's not sophisticated," Tobias said. "It's good research. He alerted everybody to a vulnerability." Tobias suggested that Knox can prevent criminals from using Clarke's technique to fabricate keys by changing the way it distributes its products. Knox now ships unlocked boxes to users; customers must call their local fire department to have the devices locked up. Tobias said Knox should ship boxes to customers without locks, then deliver the locks directly to local fire departments, who would be responsible for installing the locks, as well as turning the key. That would prevent criminals from replicating the technique Clarke described, he said. (Editing by Edwin Chan and Lisa Shumaker) Link this Share this Digg this Email Reprints

You are receiving this email because you subscribed to this feed at blogtrottr.com. If you no longer wish to receive these emails, you can unsubscribe from this feed, or manage all your subscriptions