40

The workplace has a physical access key stored in a fire department lockbox (sometimes called a Knox Box). How is it possible to mitigate the risk that the Knox Box gets picked, or that an unauthorized key may exist?

What could the local fire department ask for to remove that key?

Limit
jth
  • 6
    You do not say which jurisdiction you are in. There are some in which it is permitted to give access to that box only when a fire alarm is active. Also, always assume that someone malicious has access to the key of that box when thinking of any solution – PlasmaHH Apr 18 '18 at 06:54
  • @PlasmaHH Beyond the possession of the key to unlock it, these boxes do not provide a mechanism to limit or restrict access. Jurisdiction is largely irrelevant -- I know some "require" keys, but for a sensitive security operation, that may expose a critical vulnerability. Hence my question of how others have dealt with this situation. – jth Apr 18 '18 at 15:57
  • The implication here was that others dealt with this situation by implementing boxes that, in addition to the key, require an active fire alarm to be opened, given the jurisdiction allowed for this – PlasmaHH Apr 18 '18 at 16:09
  • Wouldn't the lack of physical presence or continuous monitoring giving a would-be lock picker the leisure to reach and play with the Knox Box suggest that this operation is not *that* sensitive? – Relaxed Apr 19 '18 at 00:08

3 Answers

72

To be clear: a Knox Box is a lock box that holds keys for emergency personnel. If the fire department needs to get inside your building while it is locked, the fire crew will have a key to unlock your Knox Box and retrieve your building's key.

There are a couple of ways to mitigate this risk. The easiest IMO is security cameras that watch your doors. If someone unlocks the Knox Box and uses your key, the camera will pick them up and you can respond appropriately.

What I often see, either to automate this or in conjunction with it, is the Knox Box hooked up to an alarm system. When it's unlocked, the alarm goes off, alerting your security company that someone has obtained access to the key. If it's a true emergency and responders are on scene, this will not have any impact. If it's not an emergency and it's a burglar, the police will now be notified to respond.

Most Knox Boxes I've seen have a hookup to wire them into a security system. Here is a link to a fire department recommending this approach.

IconDaemon
freehunter
  • 10
    Just to add on to this: Knox Boxes are made pretty tamper-proof, and typically emergency service personnel cannot immediately access the keys to a Knox Box. They have to contact the dispatcher, who sends a signal to a box inside of the apparatus on site that has the Knox keys in it. – ford prefect Apr 17 '18 at 21:13
  • The camera is only useful if you have someone constantly monitoring it, and being on site to respond. So not really specific to these boxes either, since it's an equally good measure against someone breaking in the front door – PlasmaHH Apr 18 '18 at 06:51
  • 4
    @fordprefect Citation please - I believe your comment is incorrect. I have never heard of such a mechanism, and the research I've done indicates these boxes aren't electronically connected or controlled in any way. (Unless the box is wired into the security system, but that's a detective measure, not an access restriction or control.) – jth Apr 18 '18 at 15:51
  • 1
    @jth I used to be a firefighter and it was part of our training... It isn't that the box itself has to be opened via signal from dispatch. The box is opened by a key that could only be accessed via a signal from dispatch. I don't know if this is standard for all Knox Boxes but it was definitely true for our district. – ford prefect Apr 18 '18 at 16:01
  • 3
    Backing up @fordprefect. Note that this is regarding Knox _keys_, not the boxes attached to buildings. We had a Knox key on ambulances I worked on. The Knox key was stored in a safe in the ambulance. When we needed to access the key, we called dispatch on the radio and they sent a short DTMF sequence over the radio which was picked up by the safe and allowed it to be opened. There was also a numeric keypad on the safe, presumably for servicing, but we weren't given the combination. – Ben Apr 18 '18 at 17:15
  • @Ben fordprefect Thanks for that, I had no idea that was part of it. Definitely not universal, but that's a great question for meeting with the municipality. – jth Apr 18 '18 at 21:05
  • @PlasmaHH that's the case for most monitoring devices. Typically these systems are used to help the post-mortem more than they are used to actively interfere in malicious actions. Stuff like having evidence for law enforcement, tracking down paths someone took (both digital forensics and physical) or figuring out why the computer didn't do what it was supposed to. – Nzall Apr 19 '18 at 12:11
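
The alarm hookup described in the answer above can be triaged automatically by correlating box openings with the fire alarm state. The following is an added example, not part of the original answer or comments; it assumes the box's tamper contact and the fire panel report into one event log, and the event names and the 15-minute grace period are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, event name). The event names are
# assumptions for this example, not output of any real alarm panel.
SAMPLE_EVENTS = [
    ("2018-04-17T02:10:00", "knox_tamper_open"),    # no fire alarm: suspicious
    ("2018-04-17T02:12:30", "knox_tamper_closed"),
    ("2018-04-18T14:00:00", "fire_alarm_on"),
    ("2018-04-18T14:06:00", "knox_tamper_open"),    # responders on scene
    ("2018-04-18T14:40:00", "fire_alarm_reset"),
    ("2018-04-18T14:45:00", "knox_tamper_open"),    # key returned after reset
    ("2018-04-18T18:00:00", "knox_tamper_open"),    # long after reset: suspicious
]


def classify_box_openings(events, grace=timedelta(minutes=15)):
    """Return [(timestamp, verdict)] for every box opening.

    verdict is "expected" when a fire alarm is active, or was reset no more
    than `grace` ago (crew returning the key); otherwise it is "alert".
    """
    alarm_active = False
    last_reset = None
    results = []
    # Same-format ISO timestamps sort chronologically as plain strings.
    for stamp, name in sorted(events):
        when = datetime.fromisoformat(stamp)
        if name == "fire_alarm_on":
            alarm_active = True
        elif name == "fire_alarm_reset":
            alarm_active = False
            last_reset = when
        elif name == "knox_tamper_open":
            recent = last_reset is not None and when - last_reset <= grace
            verdict = "expected" if alarm_active or recent else "alert"
            results.append((stamp, verdict))
    return results


if __name__ == "__main__":
    for stamp, verdict in classify_box_openings(SAMPLE_EVENTS):
        print(stamp, verdict)
```

Openings classified as "expected" are still worth keeping in the log, since a key used during a genuine alarm is the one case a camera or guard is least likely to question.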
11

The purpose of that lockbox is to permit emergency services to enter your building without damaging it -- the fire department is quite capable of taking an axe to your front door if needed. Someone intent on breaking in doesn't typically care about incidental damage caused, and in fact you might prefer them using a crowbar to open the box and get the key, rather than use that same crowbar to open your door directly.

Mark
  • 19
    A burglar would have a much easier time defeating a typical commercial entry door than defeating a Knox box. – supercat Apr 17 '18 at 19:50
  • 1
    Based on what experience? I know several adept lockpickers that could work faster on a single lock at eye-level than five doors with four different keys at waist level...I'm concerned more about someone that could enter without leaving a wake of destruction than someone willing to drive a truck through a door. – jth Apr 17 '18 at 22:18
  • 2
    There are often legal requirements to have a box; the fire department doesn't want to have to axe every door, especially if you also have security doors. Plus, there's often lift keys and similar in there. – SomeoneSomewhereSupportsMonica Apr 18 '18 at 06:14
  • 1
    @supercat the burglars who raided a company near us just bought the key to the box on some black market – PlasmaHH Apr 18 '18 at 06:55
  • 4
    @SomeoneSomewhere `the fire department doesn't want to have to axe every door,` Citation needed. In my city (located in Spain) I've both seen and heard of many instances of our fire department axing doors and those little removable pillars at the entrance of pedestrian zones, having the keys for both readily available at the truck. They said it was "faster" (which it wasn't, they took a good while with the pillar). If we had one of those Knox Boxes I'm pretty sure they'd axe the box, pick up the key and then axe the door. – xDaizu Apr 18 '18 at 07:33
  • 1
    This post doesn't answer the question. Consider reviewing https://security.stackexchange.com/help/how-to-answer - specifically, *"Read the question carefully. What, specifically, is the question asking for? Make sure your answer provides that – or a viable alternative. The answer can be “don’t do that”, but it should also include “try this instead”."* – Adam Davis Apr 18 '18 at 14:23
  • 2
    This is what the fire department told us when we said we didn't want to give them a master key with access to our server room, they said they didn't care, but if they needed to get in to fight a fire, they were going in with or without a key. We opted not to give them the key since at least if they break the door down, we *know* someone's been in the room. – Johnny Apr 19 '18 at 04:45
1

You need a Harry Potter solution to protect the Philosopher's Stone only from bad people! Maybe a riddle involving hundreds of fake keys with the real one in there somewhere? Or a system that requires two or three people to be present to activate a mechanism that gives access to the key.

Anyway, essentially you have to allow the fire department's key to obtain access to your building, but not allow anyone in the fire department to use the key when they're not supposed to, nor allow anyone who has a black market copy to use it.

I like the alarm idea. When the box is opened, it triggers the security alarm.

How about this: make a tube that connects to the top of the box and goes up inside the building. At the top of the tube is a set of real keys held in place by an electromagnet. When the fire alarm is activated, it releases the magnet and drops the keys down. The automatic fire doors work the same way.

You could also have an intercom system at the box, where someone could convince you to activate a remote control that drops the keys down into the box. Or you could have a code pad that releases the keys, and make the fire department call you to get the code from you.

Alex Cannon
  • Cute ideas, but not realistic, especially since the fire department can break through whatever they need to in a worst-case event. The rest of the time, the space protected is generally going to be occupied (or why protect it like this at all?) – jth Apr 19 '18 at 13:44