When your first defcon talk gets nuked for a year and it's legality is questioned by the authorities, _you're a welcome addition to the speakers._

When the talk is so good and so damaging, even Defcon quarantines it for a year to let the manufacturer catch up.

'A key is just a metal password' Poetry

18yo.. what a legend! 👏👏👏

The single thing that tremendously improves the security of the Knox box is connection to the intrusion alarm. This way, they can get into the building, but the police will already be notified before you are in the door. I, as a firefighter, don't care in the least if I trigger the intrusion alarm, since the police were dispatched at the same time that I was. However, depending on where you are, police response can be spotty at best. The intruder does know that the sword of Damocles is hanging over their heads once they open the box and the police will be there at some point. If the box has the buttons installed, but not wired, the thief may not be able to be sure if they are dummies or not.

12:28: Knox got the call and hacked the feed. Knox did not account for hacking a hacking conference.

What an excellent speaker, and such amazing information. Knox needs to give this young man some reward for pointing out how pointless their boxes are. Well done :P

Friendly reminder: If someone says a system is hackproof, and there aren't all kinds of alarms going off in your head, check the alarm system, _someone might have hacked it._

I am in the wrong industry. You guys are awesome. Keep exploiting the systems so we can continue to improve.

I know in many cities around my area both the fire department and the police department carry the knox keys on their duty belt, not in a "knox key safe" and if you place an alarm code inside make it a duress code. the thief thinks he's disarmed the alarm only to find out he called the police.

The first video showing the Medeco key also explained the access code was the same two digits followed by the last four digits of the fighterfighter's SSN.

"I'm Johnny Knoxville and this is Building Security"

This is why mandatory backdoors are always wrong, and should be resisted/sabotaged by all means necessary.

12:30 - m010ch starts talking about details of the lock, and the video starts jerking out chunks of audio and video. I don't know who edited this, they could have just skipped it! This way to partially hinder the explanation is so intriguing!

lol. every speaker is surely on a Federal Watchlist. 😎✌

Speaking of public-private-partnership the real question is: which so called "representative"/"politician" was bribed to force this idea of lock boxes into a law? This is ridiculous.

"I didn't really want to mess with mine so I bought some *very* similar locks" :)

My dad is a firefighter and he prefers to just break the door down anyway.... What if the Knox boxes had no key, and you just had to smash them open with an axe. That would deter all but the most determined.

Sophomore year of college I was in a prank war with one of my roommates so when he was in the shower I took some photos of his keys modeled them in cad and 3D printed them at work then when he was at class I set alarm clocks to go off at all hours around his room

Just an FYI on including your alarm code in the box. Often to facilitate communications, the noise of the alarm can hinder operations. Most home alarms have a Duress Alarm, which is an alternate code to make an attacker think the alarm was disarmed as it then goes silent and sends an emergency under duress code to the alarm company. Put this code inside the box. It can be used by emergency services to silence the local alarm, but does not help an intruder.

I've read lock pins many times to determine the key needed. This often blows people's minds.

12:10 "It was shown to be very secure, asl long as the attacker does'nt has access to a paper clip or something similar" LMAO

Seriously, how hard would have it been to put a couple baffles over that drain hole lmao

"Only the fire department has the key" seems strange when everyone is aware that if someone has access to a lock it can be reverse engineered countless ways. If you can take it apart/break it its an incredibly easy process, but key impressioning is a lockpicking technique whereby you can create a working key simply by using a blank key in the lock and working on it. If the lock opens with a working key then the technique can't be stopped. The lawmakers don't seem to understand just how easy it is to create a key, and keep forcing through laws to make lockboxes, TSA locks and the like mandatory. Frankly I'm surprised there hasn't been significantly more crime exploiting these rules, they are pretty much offering a free key to every building to anyone with the slightest understanding of locks.

Duress codes can be placed inside the box to automatically alert a monitoring facility to send law enforcement.

Absolutely great talk! I was very very impressed!

I've never heard of these. But the talk reminds me of the easterhegg talk about general keys for safety locks for camping vehicles.

we have in germany this box to, we call it "FSD or Feuerwehrschlüsseldepot" and they closed with a strong e-magnet if the firealarm triggers the box will open then you need a key with this one you can open the secound door auf the FSD than you can use the Key from the Building, if you forget to put the Key back the firealarm system will be not reset until you put the keys back. the Boxes have a anti Drilling system, when you make a hole in this box it will call the Police

I really like it the way it is here in germany... There is one door that will only open in case of a fire alarm (if the house is on fire and the alarm hasn't gone off, you can make it via key switch). Behind that is a second door with a lock, only the fire department should have the corrosponding key. As a third line, there is a key control system inside so you can't close the thing back up and rearm the alarm when a key is missing...

Keep it up! Only 18!!! Very impressive

Excellent "key takeaways" :) Great talk!

The system I'd suggest would be a public/private encryption key system. The "lock" is an unpowered system (it doesn't use a battery or outlet, so it works in a power outage still too, for emergencies). The "key" is powered (provides power to the lock when inserted, sits on a charging port and has a battery basically, if it's low enough power usage it'd basically be a key-fob). All locks ship with a hard coded copy of the public encryption key, the lock uses a pseudorandom value and encrypts it with the public key, then sends this encrypted value to the "key", the "key" can only decrypt this with the private encryption key. A city could use a single public/private key pair, or it could use hundreds of them, the automation of this process would still make it instantaneous for the "key" to figure out the correct private key to use to get in (the random value can be encrypted and passed along with a preagreed value to ensure correct decryption). It will decrypt the random value, perform some pre-agreed arithmetic/algorithm on it (example's sake: divide by 2). Then re-encrypt it with the private key, verifying authenticity and sending this new value back to the "lock" which decrypts it and compares to the expected result. A match allows the lock to be opened. The only point of attack now then is gaining this private encryption keys, which is only stored on the physical "key". Again meaning you can't duplicate it without having the key now. Since the lock is no longer a "negative" of the key. Still leaves key theft as an issue. But if there's a physical object you can give to a firefighter to get into a building, then there's always a physical object you can also steal from a firefighter to get into that same building.

great talk, love that the audio is decent!

That’s the first time I’ve heard of a Knox box and key escrow, because I’m not from the USA, but it should have been instantly recognized as the stupidest thing anyone has ever heard of the moment it was proposed! And maybe it was, in other countries.

Regarding the shops theft alarm goes off.... there might be other systems connected like automated doorlocks, fog systems, roll gates etc.etc.

One major improvement would be to explicitly use a number code that passes through a circuit that unlocks a lock, and the circuit could be npossible to invert.

Here in South Africa, there is no such thing. No one would comply with a law like that anyway.

Damn dude. You know your stuff anyways. I wonder if LockPickingLawyer could pick the Knox Box.... Off to do a search now, peace

Well, in my school i tried how hard it would be to open a lock - never done it before, used 2 paperclips, still managed to get open one door in a couple of minutes - a really old door that lead to the attic - and what was stored there? Oh right, only the records of all students. Years later at the military we were doing routine checks and the officer in charge noted that the locks would get replaced soon and we need to do a checkup on the keys - so we went through the records, found that several keys vanished from all listings, some keys were with people no longer in the military, oh and right - out of the 5 master-keys to the high security area only 2 were with the officers that were supposed to have them, 2 were missing. Guess were the last one was? In the hands of the recruits doing the cleaning. Yep - the masterkey that lets you enter all high security areas, buildings where you need to go through 2 checkpoints to enter them, were generals had to wait for somebody to check if they are allowed to enter at that specific time - the recruits could just unlock the door them self. Worse yet - the commanders knew and it was intentional - they didn't like the hassle of checking all the time when the recruits came to dispose of the garbage..... oh and tight, the secret documents that needed to get destroyed. Security sometimes is really just a bluff - as long as nobody looks too closely they will not see the giant gaping holes.

Thinking about Saflok, electronic would be way to go. If new keys needed to be made, they can be used to disable the prior keys. Just need to go to each lock and insert new key once to rekey them.

Awesome talk dude, one year later

Yoh this is a sick talk, flip bro is smart!

That one dislike has to be knoxbox

Opening the Knox Box should trigger an alarm (if the alarm hasn't already been triggered by fire etc). That way anyone who managed to access the box this way would be setting off the alarm (pretty good deterrent if you are trying to steal/copy building access keys and dont want anyone to know they have been stolen/copied and change those locks out)

Scary - but very cool. Thx!

Now I want to learn more about my Knox Boxes at work.. Didn't know they were using wifi

What is needed is a constantly changing key EG a one time password that has an expiry of long enough to be safe but short enough to be secure.

Awesome. Putting that

Most of those buildings should have a automatic fire-alarm system? just put an electromagnet inside the box to keep it closed unless theres an active firealarm (or power fails)

"this isn't a huge issue" absolute fucking mad lad

The year is 20XX, we are still waiting for the development of a commercial physical public encryption key.

The M3 is a damn good system. They can be picked easily enough by some, but I'm not one of those privileged enough with the skill to successfully attack an M3.

A good electronic version could use an improved variation of ASSA's CLIQ cylinders, where the key already contains a battery, a microchip and an expiry clock. The emergency services version would use strong public key security, with per key serial numbers and the key becoming useless 10 hours after being presented to the duty Sargent at start of shift. The key signing machine at the firehouse would need to get online with the one of 3 state buildings (in Capitol and a spare city) every day or it can't issue after a week of being offline. At a hurricane sized outages, emergency reactivation codes can be distributed to firehouses by military couriers visiting twice a week. Such a lock would also accept a completely unrelated key code that is unique to the owner and sold with the box. Because CLIQ keys include a traditional mechanical key, they can be cut to fit the old/cheap boxes in the city, so the firemen don't need to guess which key to use, and thieves can't see which boxes have the weaker security.

"only firefighters have access to the key" the last time i checked firefighters are people too and people can have bad intentions/ be corrupt. city wide back doors to every commercial building is a bad idea

Thanks

Great talk dude (:

how about the fire department just uses an axe to break down a door when a fire is inside the building. now you can get rid of those keys alltogether.

All security systems fail at some point. ALL of them. Every one. (15 years of banking experience.) "Nothing is fool proof to a sufficiently talented fool" - Stephen Hawking. "Nothing is hacker proof to a sufficiently talented hacker" - Every Hacker Ever

"It cannot be hacked" That's a challenge, not a statement of fact.

It's not the first time someone has thought of this.. The thing is, having a key is not necessary, and having a key doesn't mean that there's not other forms of security. One of the key components of a top notch security system is a pre emptive notifications system. So, take the key from the Knox box.. By the time you have the key in your hand, they know you are there. It's only a matter of how fast they are set up to respond.

maybe I am completely nuts...but why would they not just have a keypad instead of a key? The firefighters would have a special number with a code they have to call and give to an operator, who would then log in what they were opening and give them the code for the locked key at the business/home. The code would only work for say 10 minutes, and then randomize again. Could go even further and have the firefighters have one of those number generator pads used for PC and gaming security (like the WOW locking key) where they have to give the code, that is only good for say 1 minute, to the operator before they would give out the code.

Sponsored by Shapeways™

12:24 somethings up

Is it better to cut the lock in half like shown in the video, or could you cut the lock from 12 o'clock down to the point where it snaps in half? Then you could sandwich putty in between both pieces of the lock for a physical copy.

Iberia, Liberia?.. now should spend his great intelligence on designing a Knox Box that actually IS as close to 100 % safe as possible. Some really good automation I think is what it would take.

Lockpickinglawyer would probably unlock it with his bare hands

Why are intentional backdoors still a thing, WTF

9:35 What happened to the audio?

8:01 they should have used asymmetrical encryption...

9:36 Talking about duplication.

Why not install the box, for code compliance, leave it permanently open, with a message "use your axe on the glass door" or something?

I am surprised more of these aren't tied into alarms of some sort. Given that the only people who need to access these boxes are firefighters (who are presumably only doing it if there is an emergency AND they cant just enter through the door because its open or there is someone there to buzz them in) then there is no reason that opening the Knox Box shouldn't trigger the fire alarm (if it isn't already active via smoke detectors or other systems). Burglars are a lot less likely to do whatever it is they came there to do if there are alarms blaring and they know that the emergency services are on their way.

They could offer a service where they switch out locks like crypto codes were switched on a regular basis during ww2.

How to solve this problem. Connect the nox box to your fire alarm system. If the box is opened, sound the fire alarm and call the fire department. This makes it like pulling the fire alarm to open a fire door to get in a room. A very loud attack.

Oh that reminds me of a joke Knox Knox.......

electronics keys/locks that are open if there is a power failure 'safe off' are not really the solution.... electronic solution may not work altogether in case of fire....

Ahhh the political world of lobbying for contracts which should be outlawed in my opinion. This is how catastrophic failures happen either to save a few bucks or to reward a lobby who contributed much money to their campaigns. That's how we end up with subpar infrastructure and or situations like this. Not to mention Microsofts situation similar to this. Here is real..... THEY WANT IT UNSECURED ONLY TO APPEAR SECURE. THE SAME WITH PCs ETC. THE SAME PPL WHO ARE SUPPOSED TO SERVE US HAVE ONE LEG IN BOTH THE GOOD AND BAD WORLDS. Just like in the medical fields there isn't any profits in creating cures

100% hack proof, guys. Trust me no hacking this box, it is impossible. No way to hack the box!

never understood why they don't just alarm the lock boxes. If it's really the fire department no problem.

How does the owner access the box to place/replace his keys? It did not appear to be a master key system, and if you had your personal key with it then you could have gotten the keyway from that.

While good in theory, any master key based system is inherently flawed. All the "bad guy" needs to do is get that key and they can break in to every building in the city. If you're going to add such an obvious backdoor, you might as well just not have any locks at all.

shapeways like this video

Nine minutes before the audio fucks up. Is that a high score?

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." ~ Richard Saunders

"why are intentional back doors a thing?" first fire escapes are great, and neighborhoods are even designed with multiple exits to emulate the multiple exits of buildings. seccond, firemen can carry firearms to get in nearly anywhere. instead of having keys, one could have a starter pistol which if held right next to a lock would have a similar effect to shooting it. intentional backdoors exist because motive about access is all about time. locks don't exist to keep people out but to cost them time for emergency personel to arrive. fire marshals don't need to be delayed.

Ad for Shapeways?

what about put a dummy key in the box?

Isn't the main problem that once a key gets lost by the fire station the whole system is screwed? The only solution, in my opinion, is that a person who has access to the building has to hand over the key in an emergency. Although this is a slow process that can and will go wrong. I have no other Idea how one could otherwise ensure that one lost Key won't screw up. (The only other way would be an electronic system which can deactivate keys, which would need all the locks to be connected to each other...)

If you're ballsy enough you can actually grab a Medeco key tight in your hand and punch something... like accidentally snatch it while falling and imprint your hand then take a pic of that. Keys have limited numbers of stops and the spin-pins have rather loose tolerances. No need to keep playdoh.

clicked on the video thinking about people who cant hear but still interesting.

Whats with the echoey audio at 10 minutes.

@lockpickinglawyer

wait...you have to install something like that, or you get arrested ? 3:13 What a Shithole...

What if firefighters are thieves?

I mean we could have just bought a medico lock that comes with medeco key with the same key way

In germany such boxes mostly come with tamper alert. We also use city-wide keys that are stored in the fire department. It's far away from perfect, but better than nothing.

this is so funny

Knox like: more chemtrails!

9:25 Com link online.

artificial intelligence 2000 yapanda TDPM (Trans Dermal Pulse Modulation) ... Where keys are programmed into your skin through a dermal transmitter.