Determining Key Shape from Sound

It’s not yet very accurate or practical, but under ideal conditions it is possible to figure out the shape of a house key by listening to it being used.

Listen to Your Key: Towards Acoustics-based Physical Key Inference

Abstract: Physical locks are one of the most prevalent mechanisms for securing objects such as doors. While many of these locks are vulnerable to lock-picking, they are still widely used as lock-picking requires specific training with tailored instruments, and easily raises suspicion. In this paper, we propose SpiKey, a novel attack that significantly lowers the bar for an attacker as opposed to the lock-picking attack, by requiring only the use of a smartphone microphone to infer the shape of victim’s key, namely bittings(or cut depths) which form the secret of a key. When a victim inserts his/her key into the lock, the emitted sound is captured by the attacker’s microphone.SpiKey leverages the time difference between audible clicks to ultimately infer the bitting information, i.e., shape of the physical key. As a proof-of-concept, we provide a simulation, based on real-world recordings, and demonstrate a significant reduction in search spacefrom a pool of more than 330 thousand keys to three candidate keys for the most frequent case.

Scientific American podcast:

The strategy is a long way from being viable in the real world. For one thing, the method relies on the key being inserted at a constant speed. And the audio element also poses challenges like background noise.

Boing Boing post.

EDITED TO ADD (4/14): I seem to have blogged this previously.

Tags: , , , ,

Posted on March 24, 2021 at 6:10 AM16 Comments

Comments

Alan March 24, 2021 6:21 AM

It would probably be more effective to mount a telephoto or fiber optic spy camera to take a photo of the key when it is just about to be inserted into the lock.

Clive Robinson March 24, 2021 6:31 AM

@ Bruce,

Haven’t we had this “key bumps by sound” before about a couple of years ago?

Weather March 24, 2021 8:28 AM

Could you have 5 keys with each key having all cuts the same, like key 3 has 6 cuts all at level 3 ,save having to wait for them to insert the key?

Lazyjack March 24, 2021 8:51 AM

Looking at the Youtube channel of the Lock Picking Lawyer, I don’t think there is any need for high tech attack to physical locks. Most are worthless.

Me March 24, 2021 12:51 PM

@Lazyjack

Yeah, I agree. The only thing I have seen him have trouble with was a Boley lock. I thought about getting one for the house, despite the cost. I decided against it, though, when I realized that the lock was right next to a “door-side” window that would be trivial to break and just unlock the door by reaching through.

The fact that he is able to rake most locks in fewer than 10 seconds just shows that these things are there to keep the honest honest, and not to impede those that really want in.

That said, if we are already looking at “requires cell phone,” I would expect the camera to get you those bits a lot easier than the microphone.

vas pup March 24, 2021 5:54 PM

My nickel: the type of the lock could be discovered looking from outside the door. Then, you just need to generate master key using 3D printer.

I guess we don’t have too many lock types in US, so create several master keys and you in.

Many years ago guys ask me can we do this or that? I told them you could do anything legal and anything illegal if cost benefit analysis in latter(reward versus punishment) is in your favor.

MrC March 24, 2021 7:39 PM

@vas pup:

Most locks aren’t keyed to a “master key.” In a master key system, each pin has two breaks in it such that there are two bittings that will align a break with the sheer line — one for the lock’s specific key and one for the master key. Most locks only have one break in the pins, and so no master key.

Aside relating to master key systems: Many years ago this blog featured a method for deducing the master key from the lock-specific key by creating a series of copies of the lock-specific key each with one tooth at maximum height then filing that tooth down until you found the other height that opened your own lock.

just_me March 25, 2021 1:41 AM

@Lazyjack
I wouldn’t say useless. Most locks are just not good enough for the task. Stopping average guy from randomly opening your locker is often more than enough. Problem starts when you place such lock in a gun safe or other important places. Good old “confidentiality, integrity, and availability” triangle applies to locks as well.

And for the sound key analysis, there is a simple mitigation. Rounded spikes on a key.

Lazyjack March 26, 2021 2:05 AM

@just_me
I was saying that there is no need for fancy high tech attacks involving phones, sound analysis, whatever, when a skilled person can pick practically any lock in second.
These methods make excellent publications and news articles though, but in practice, why bother.

Audio Engineering Society ==equals== A.E.S. March 29, 2021 4:59 PM

SOT

“Semantic meanings cannot be derived from statistical word scan tallies.”

Plaintext:

Mixing security penetration techniques with other genres of cultural activity is maybe ok sometimes in terms of desperate lifesaving toolboxes; but it needs to be well known that turning every activity into an exploit activity weaponizes every such activity into a pawn for WWIII; we prefer to exist and coexist instead of converting the remainder of nonwar tools and materials into war materials. This also needs to be carefully taught to several varieties of AI’s.

Please abstain from utilizing professional and semiprofessional audio devices and techniques within cryptological and noncryptological forms of security.

The suicidal warfare reasons why mixing and matching cultural linguistics ought to be strongly and persistently avoided:

1) this is a similar problem as with utilizing any kind of war technology as if it’s a peacetime technology.

2) this is a similar problem as with utilizing any kind of peacetime technology as if it’s a war technology.

3) Automated systems hunting for military and cryptological and security kinds of inputs and syntax and patterns aren’t always capable (yet) of deconflicting during errors or mistranslations.

4) Some adversarial interlopers and provokers seek to convert peacetime activities and devices into weapons of warfare, including weapons of mass destruction; those are the mistakes that could result in killing every living thing and destroying every system of this Earth world.

As a tit for tat kind of benefit: Some of us within professional audio will avoid using warlike words and terms and symbols and techniques within our peacetime activities of providing music and aesthetic audio for ourselves and others.

The main purposes of music and aesthetics is to help us and others to relax and to recover cognitively from stress.

Mixing security penetration techniques with other genres of cultural activity is maybe ok sometimes in terms of desperate lifesaving toolboxes; but it needs to be well known that turning every activity into an exploit activity weaponizes every such activity into a pawn for WWIII; we prefer to exist and coexist instead of converting the remainder of nonwar tools and materials into war materials. This also needs to be carefully taught to several varieties of AI’s.

Sincerely,

“aeronautical aikido nicknamed”

“Semantic meanings cannot be derived from statistical word scan tallies.”

EOT

just_me March 30, 2021 3:06 AM

@Lazyjack

Lockpicking is not easy. Not when you try to pick a good lock. At lockpickinglawer, they are carefully choosing the locks they are working with. There are many types of locks that are VERY difficult to pick. So much that no one would bother to try non-destructive aproach. Also, lock is lust a part of the system. There is a huge diffrence between picking the lock, even if it takes a few seconds, and using the key. Ability to make a key is much more dangerous. Lockpicking needs some privacy with the lock, making a key works even with many witnesses around you. It’s not even that sofisticated attack, you just need an app. It also creates a worrying tunnel between physical security and smartphone/IoT security.

vas pup March 30, 2021 5:10 PM

Tag – academic papers:

Eye color genetics not so simple, study finds

https://www.sciencedaily.com/releases/2021/03/210311123443.htm
“Researchers have identified 50 new genes for eye color in a study involving the genetic analysis of almost 195,000 people across Europe and Asia.

Co-senior author Dr Manfred Kayser, Erasmus University Medical Center Rotterdam, said:

“This study delivers
===>the genetic knowledge needed to improve eye color prediction from DNA as already applied in anthropological and
===>forensic studies, but with limited accuracy for the non-brown and non-blue eye colors.”

vas pup March 30, 2021 5:20 PM

Reading minds with ultrasound: A less-invasive technique to decode the brain’s intentions

https://www.sciencedaily.com/releases/2021/03/210322143320.htm

“Mapping neural activity to corresponding behaviors is a major goal for neuroscientists developing brain-machine interfaces (BMIs): devices that read and interpret brain activity and ==>transmit instructions to a computer or machine. Though this may seem like science fiction, existing BMIs can, for example, connect a paralyzed person with a robotic arm; the device interprets the person’s neural activity and intentions and moves the robotic arm correspondingly.

A major limitation for the development of BMIs is that the ==>devices require invasive brain surgery to read out neural activity. But now, a collaboration at Caltech has developed a new type of minimally invasive BMI to read out brain activity corresponding to the planning of movement.
===>Using functional ultrasound (fUS) technology, it can accurately map brain activity from precise regions deep within the brain at a resolution of 100 micrometers (the size of a single neuron is approximately 10 micrometers).

The new fUS technology is a major step in creating less invasive, yet still highly capable, BMIs.”

Wow! Does Elon Musk and his neurolink informed?

Huge potential for soldier-weapon interface, lie detection and feeding AI for analysis!

vas pup March 30, 2021 5:28 PM

Hypnosis changes the way our brain processes information
https://www.sciencedaily.com/releases/2021/03/210326122743.htm

“During a normal waking state, information is processed and shared by various parts within our brain to enable flexible responses to external stimuli. Researchers from the University of Turku, Finland, found that during hypnosis the brain shifted to a state where individual brain regions acted more independently of each other.

The finding shows that the brain may function quite differently during hypnosis when compared to a normal waking state. This is interesting because the extent to which hypnosis modifies neural processing has been hotly debated in the field. The new findings also help to better understand which types of changes and mechanisms may explain the experiential and behavioral ===>alterations attributed to hypnosis, such as liability to suggestions.

!!!The study was conducted by tracking how a magnetically-induced electrical current spread throughout the brain during hypnosis and normal waking state. This method has been previously used to measure system-level changes in the brain in various states of consciousness, such as anesthesia, coma, and sleep. This is the first time such a method has been used to assess hypnosis.”

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.