A recent Twitter exchange I was involved with provided a great example of why effective key control policies must now contain provisions related to social media. Let me explain.

The original tweet.

Back in December, @dontlook retweeted a post by a member of the U.S. Air Force. The original tweet contained a photograph of the service member's ID badge and his key. Using the information on the badge, it was not hard to narrow down where he was stationed: a public health building at a Royal Air Force installation. Further work by @nite0wl identified the key blank and the pinning system of the key pictured, a system readily available from multiple aftermarket vendors. He was also able to decode the key to two possible bittings by eye, without the decoding apps or programs that are available and without further analysis such as comparing pixels or taking actual measurements. He provided me with the bittings he decoded and I cut the keys for comparison.

Let me stress this: this was nothing more than a proof of concept. We could have produced an accurate duplicate key with complete certainty, but that was not the point of the exercise. The point was to show that individuals, locksmiths or not, can use photographs and information shared on social media platforms to compromise a key system.
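To make the decoding step concrete, here is an added example of why a photograph yields a short list of candidate bittings rather than one certain answer. It is not the method or the data used in the case study above, and the key specification in it is hypothetical (it is not any real manufacturer's depth and space numbers); the pixel measurements are constructed. A feature of known size in the same photo, here the uncut blade height, fixes the scale; each cut height is then matched against the nominal height for every depth number within a measurement tolerance, and the Cartesian product of the per-cut candidates, filtered by a maximum adjacent cut specification (MACS), is the set of keys worth cutting.

```python
"""Decode a pin-tumbler key bitting from cut heights measured on a photograph.

Added illustration, not code from the case study. The KeySpec values below are
HYPOTHETICAL and do not describe any real key system. All lengths are integer
thousandths of an inch (mils) so that tolerance comparisons are exact.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple


@dataclass(frozen=True)
class KeySpec:
    """Hypothetical depth/space specification (constructed for this example)."""
    blade_height: int     # height of the uncut blade, mils
    depth_increment: int  # material removed per depth step, mils
    depth_count: int      # depths are numbered 0 .. depth_count-1 (0 = no cut)
    macs: int             # maximum adjacent cut specification (depth steps)
    tolerance: int        # accepted measurement error, mils


# Hypothetical spec: 10 depths, 15 mil steps, +/- 8 mil measurement error.
SPEC = KeySpec(blade_height=335, depth_increment=15, depth_count=10,
               macs=7, tolerance=8)


def px_to_mils(px: int, ref_px: int, ref_mils: int) -> int:
    """Scale a pixel measurement using a reference feature of known length.

    The uncut blade height measured in the same photo (ref_px) against its
    known real-world height (ref_mils) gives the pixels-per-mil scale.
    """
    return round(px * ref_mils / ref_px)


def height_for_depth(spec: KeySpec, depth: int) -> int:
    """Nominal remaining blade height at a given depth number."""
    return spec.blade_height - depth * spec.depth_increment


def candidate_depths(spec: KeySpec, measured_height: int) -> List[int]:
    """Every depth number whose nominal height lies within tolerance.

    A measurement that falls near the midpoint between two depths returns
    both, which is exactly how a photo decodes to "two possibilities".
    """
    return [d for d in range(spec.depth_count)
            if abs(height_for_depth(spec, d) - measured_height) <= spec.tolerance]


def within_macs(spec: KeySpec, bitting: Tuple[int, ...]) -> bool:
    """Reject bittings the factory could not have cut: adjacent depths may
    differ by at most spec.macs steps."""
    return all(abs(a - b) <= spec.macs for a, b in zip(bitting, bitting[1:]))


def decode_bitting(spec: KeySpec, cut_px: List[int],
                   blade_px: int) -> List[Tuple[int, ...]]:
    """Return every plausible bitting, bow to tip, for the measured cuts.

    cut_px   - remaining blade height at each cut position, in pixels
    blade_px - height of the uncut blade in the same photo, in pixels
    """
    heights = [px_to_mils(px, blade_px, spec.blade_height) for px in cut_px]
    per_cut = [candidate_depths(spec, h) for h in heights]
    if any(not c for c in per_cut):
        # A cut matched no depth: wrong spec, wrong reference, or bad measurement.
        return []
    return [b for b in product(*per_cut) if within_macs(spec, b)]


if __name__ == "__main__":
    # Constructed measurements: uncut blade is 670 px tall, five cuts measured.
    # The third cut (564 px -> 282 mils) sits between depths 3 and 4.
    for bitting in decode_bitting(SPEC, [610, 520, 564, 490, 402], 670):
        print("candidate bitting:", "".join(map(str, bitting)))
```

With the constructed measurements above the decoder returns two candidate bittings, 25369 and 25469, differing only in the ambiguous third cut; cutting both and trying them is exactly the "two possibilities" approach in the case study. Tightening `tolerance` by measuring more carefully, or identifying a wrong guess at the spec, is what collapses the list to one key.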

Social Media and Key Control Policies

Your institution's or employer's key control policy should prohibit sharing information related to the key system on social media and should specify corrective actions for when such information is posted. An effective key control policy in 2018 prohibits photographs of the keys it governs and of the locks or cylinders, since a photograph of a cylinder can reveal the keyway. If the policy also governs an access control system, it should likewise prohibit photographs of credentials such as cards or fobs, of card readers, and of other hardware belonging to that system. More generally, information unique to your physical security systems, such as key bittings or badge types, should not be available to anyone with an Internet connection. This applies even to keys and cylinders with patent protection and restricted distribution channels: those add a layer of security, but they do not make you invulnerable.

When such a compromise is discovered, the corrective action should be all reasonable efforts to restore security to the areas left vulnerable. This may include loss of privileges, fines and fees, rekeying the affected locks and issuing new keys, and so on.

This entire premise may seem far-fetched, but it is not. I know firsthand of a loss of security that occurred because of a key control policy that was lacking. Unfortunately, a sexual assault occurred because of it. Legal and civil ramifications aside, I wouldn't want that on my conscience, and I wouldn't want my lack of foresight to result in a tragic experience for others. Make sure that your key control policy is up to date to protect your institution, your employer, the individuals that use it, and yourself.

Special thanks to @nite0wl and @dontlook for their participation in this case study.