The following bulletin was released to law enforcement and critical infrastructure throughout the country following a demonstration of vulnerabilities in Knox-Box key entry systems by security researcher Justin Clarke of Cylance, Inc. at the most recent RSA Conference in February 2014.
Vulnerability of Key Entry Systems within Critical Infrastructure Sectors
- 3 pages
- For Official Use Only
- April 15, 2014
(U/FOUO) The Knox-Box® rapid entry system is an access control system utilized by public safety agencies. This system allows facilities to securely store entry keys or cards on site for first responders. First responders utilize a master key that unlocks all KnoxUSBUS boxes within their jurisdiction.
(U/FOUO) Currently there are over 3.5 million Knox-Box rapid entry systems in use nationwide and over 11,500 fire departments in North America that use the Knox-Box rapid entry system. In one Colorado fire district there are over 4,000 Knox-Box systems in use within the local, state, and federal government which includes; energy, water, postal, emergency services, defense, transportation, and communication sectors.
(U/FOUO) The Knox-Box system is utilized in numerous ways to include but not limited to:
– Knox Padlocks
– Key switches for gate or other controls
– Electrical shutoffs
– Narcotic storage vaults
(U//FOUO) Unauthorized access to the system would allow individuals to bypass physical security measures at the site. The unauthorized individuals would also be able to duplicate keys, or remove entry keys or cards which would delay first responders.
(U//FOUO) Master keys for entry systems such as the Knox-Box rapid entry system can be stolen, and older master keys duplicated or fabricated. A single compromised master key will unlock all Knox boxes within the entire jurisdiction.
(U) In February 2014, there were multiple burglaries at several senior assisted living complexes in Minnesota due to illegal access of the Knox-Box system. The master key had been duplicated or compromised and used to open the Knox box.
(U) In January 2014, an audit of a California emergency response organization found that many master keys were unaccounted for, unsecured, or possibly stolen.
(U) In October 2013, an identified USPER was criminally charged with multiple burglaries and possessing a homemade “Master” key used to compromise Knox-Box systems at several apartment complexes in Seattle, WA. There were reports of forty other burglaries associated with the Knox system in 2013.
(U) In February 2013, a researcher with a cybersecurity firm Cylance IncUSBUS, said he created a key capable of opening a Knox box after he obtained a key cylinder for about $300 and blank keys on eBay for about $2 each, all of which were mailed to his home. The expiration of keyway patents has allowed the sale of MedecoUSBUS key blanks on the internet outside of the manufacturers’ control.
(U) In February 2011, two identified USPERS from Seattle, WA were criminally charged with multiple burglaries after forcibly removing the Knox-Box boxes from businesses, breaking into the boxes, and using the keys inside to enter the business.