Schneier on Security
A blog covering security and security technology.
« Lance Armstrong Accused of Doping |
| A U.S. National Firewall »
September 7, 2005
Shoulder Surfing Keys
Here's a criminal who "stole" keys, the physical metal ones, by examining images of them being used:
He surreptitiously videotaped letter carriers as they opened the boxes, zooming in on their keys. Lau used those images to calculate measurements for the grooves in the keys and created brass duplicates.
"The FBI is not aware of anything else like this," bureau spokeswoman Jerri Williams said.
Technology causes security imbalances. Sometimes those imbalances favor the defender, and sometimes they favor the attacker. What we have here is a new application of a technology by an attacker.
Posted on September 7, 2005 at 11:35 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This is really a hi-tech spin on an old thing.
Guards in prisons keep keys in their pockets because the convicts look at the keys and memorize what they look like so that that can make a copy
Interesting. I don't think you can memorize the exact key, but you can memorize enough to significantly reduce the keyspace. Assume four pins in the lock, and you figure out one of three set positions: high, low, medium.
That would make it pretty easy to brute-force the lock.
And if you can do better....
Remember that some inmates are self-taught master locksmiths. I can't speak for locksmiths, but I've know engineers who can look at a work piece and say that it's 5, 10 or 20 thou' out, just by eye. Certainly when I'm hacking pieces of wood about when making guitars I can see a 1/64" out by eye.
The human eye is very good at seeing proportion in familiar things. If one of the dimensions is fixed, say the length of a key, then it's surprisingly easy to judge the other dimensions by assessing proportion.
This is just the sort of story I love - it justifies my rewriting of site access-policies which forbid people bringing camera-equipped cellphones on to my sites.
I noted this concern a few days ago when, in an advertisement, I noticed what looked like an unlikely cut on a larger-than-life-sized photograph of a car key. Assuming no discernable connection to an identifiable car, it would have been a non-issue, but that may well have been too big an assumption, and I think the ad people were thinking of it too.
However that may be, it caused me to realize that merely getting an image of a physical key, close to scale in the dimension of the notches, is all that is necessary to copy it. From the movies and TV, we've learned to be wary of the possibility of thieves making clay impressions of keys, but this is much faster and doesn't require the attacker to possess or even touch the key, nor even to get close enough to arouse suspicion.
On a previous comment: it occurs to me that prisons are probably a really good source of practical knowledge of what a determined attacker can do with few resources except time...
>>it justifies my rewriting of site access-policies which forbid people bringing camera-equipped cellphones on to my sites
The reality is that majority of people will eventually have camera phones, keychains and jewelry. Rather than authoritarian rules (than only serve to antagonize*), one needs to concentrate on better housekeeping.
[BTW have you seen the resolution of cell phones? Maybe good enough for thumbnail]
*I have observed that IT people often tend to treat humans as just another machine to be controlled with arbitrary and niggling restrictions. Human nature rebels at that and any real security involves working with, rather than against human nature.
"it justifies my rewriting of site access-policies which forbid people bringing camera-equipped cellphones on to my sites"
I agree with jayh. A better approach might be some basic background checks (e.g. illegal aliens with outstanding warrants probably shouldn't be given access privileges), or even camera surveillance of locks, both of which the story admits helped crack the case.
"a new application of a technology by an attacker"
Sounds like the cameras were used in conjunction with GPS tracking and perhaps even a database to manage photos and the associated data. It isn't clear if the photo album was digital, but it all sounds very methodically planned and executed.
..."The reality is that majority of people will eventually have camera phones, keychains and jewelry"....
But if they're mandatorily surrendered on entrance to the facility, and returned on exit - the matter is moot. Perimeter management is the first, basic component of any security-model. It doesn't exclude defence-in-depth. Reminding people that any unauthorised devices will be subjected to a 'Makita Format' if discovered within controlled areas tends to be quite effective. I've not yet had to destroy a laptop or camera or iPod but the day will surely come.
"I've not yet had to destroy a laptop or camera or iPod but the day will surely come."
And the day will surely come when cameras, recorders, PC's, wireless internet and other electronics are built into the human body and wired directly to optical / auditory nerves. Are you going to "Makita format" into someone's head? I doubt it.
When a guard takes out a key to open a cell/door/whatever the cons look at it and memorize the ridges on it, as they have lots of free time and nothing better to do. After they've seen it enough times, they make one out of whatever they can. They might not be exact copies but they're good enought to open whatever was locked.
I used to work at Joliet prison in Illinois. You would be amazed what prisioners can do.
"I've not yet had to destroy a laptop or camera or iPod but the day will surely come."
Detective controls are not perfect, but preventative controls for cameras are almost worse. They are needles in the haystack today...
Moreover, your approach only works if you are absolutely certain about every violation, or have the authority to enforce zero-tolerance due to the risks. Otherwise it only takes one mistake such as formatting an innocent's laptop (mistakes DO happen) to completely undermine the foundation of your security and therefore lose authority.
Note that the FBI are not advocating for a ban on all video cameras, and other technology used in this case. Detective controls cought the criminal, and I am sure there will be advisories/alerts for lock-box companies to help prevent this type of risk going forward.
In January 1995 three prisoners escaped from Parkhurst prison using a key they made.
News reports (that I cannot now find) after they were recaptured days later said they made the copy after
having sight of a key they said one of the prison officers had the habit of waving in front of them.
Column 32 contains a description but does not cover how they made the key.
Interestingly they made a master key and used it on several doors. This suggests that they had tested it undetected
on those doors previously (or risked failure at the time of the escape attempt). Maybe such testing could be prevented by:
- internal alarm or observation systems covering places prisoners should not go
(or audit records in the lock which may be hard to do only mechanically)
- preventing access to the locks of doors prisoners use (such as a second lock to secure the door in
an open position with the main lock covered)
Consideration of master keys and changes to locks also enters into this situation.
Seems like the easiest way to defend against this would be to create keys with collapsable metal sheaths, which retract as you press them into the lock. That would prevent this attack without changing the basic technology. It could be defeated with an X-ray scan, but so could the lock without the key present.
The basic shortcomings of key-and-lock tech would still be there, of course, but this could go a long way. Keys and locks will be with us for many more years, so why not make some small changes like this?
The ability to copy keys easily is the reason why car manufacturers have gone to great lenghts to change how keys are made. The biggest improvement that would prvent this easy copying, that should be moved to residential use, is what is essentially two factor authentication. Many cars have this now, I think Honda was one of the first when they had a rash of breakins to Accords. Back in 1998, I purchased an Accord, and it had a typical key, and a also had an electronic key embedded as well. You needed to have both in order to start the car. Just simply copying the metal would not help you.
Making keys from an image is not new, but it wasn't widely known or done either. Locksmiths can generate a key from a fax or photocopy of the original key.
If you know the different depths that are available for a type of key, it's much easier to read better than high/medium/low. It doesn't take a lot of practice to get to where you can discern the different possible levels on your average housekey.
I find the evolution of keys in the last 15 years to be quite interesting.
Using car keys as an example, the Japanese car I bought in 1992 had the expected metal key that operated the doors and trunk. I could have added aftermarket a wireless remote alarm and key fob but chose not it.
The German car I bought in 1995 had the first generation of keys with an integrated microchip. The key was powered by induction via a ring-antenna around the ingnition lock. Each attempt to start the vehicle interrogated the chip which responded with a serial number and a rolling code. If it all matched, the car started and a new code was assigned (I'm not about the assignment mechanism though). The physical lock was very hard to pick with irregular grooves in the metal and the tumbler merely spinning in the lock if the wrong key was used. I added an aftermarket wireless alarm with a key fob for the insurance discount and convenience of remote lock/unlock.
Many of today's cars have an evolution of what I had in '95; a lot integrate the remote fob with the physical key. Some cars have "keyless" operation that no longer depend on any physical property of the key itself.
What strikes me as interesting is this: In 1992 you could theoretically duplicate the key by visual inspection alone.
In 1995 you could duplicate the key by visual inspection of the key and, with the right equipment, inspecting the transmission between key and car. To be sure the communication was very low power, but then you can pick up an unamplified wi-fi signal from 100+ miles away.
Today, in some vehicles you now only need observe the communication between the vehicle and key. Visual observation of the physical key is no longer required. Instead of observing two factors you need only observe one.
I hope the system in today's $100,000 luxury cars are more secure than a Speed-Pass. But how can I know? Manufacturers aren't releasing any details that I've seen and I doubt purchasers of these cars are asking any questions. After being told their keys use of possible codes who'd be worried?
ooops...looks like a bit from my last sentence got sanitized out...
should read "After being told their keys use *insert large number* of codes, who'd be worried?"
"But if they're mandatorily surrendered on entrance to the facility, and returned on exit - the matter is moot. Perimeter management is the first, basic component of any security-model."
Sure, but as is so often asked here, does the benefit outweigh the cost?
I would think that banning legitimate and ubiquitous technology only suceeds in penalising the innocent users of that technology. Someone with criminal intent will not be afraid of a 'Makita Format', as to them the potential benefit outweighs the risk.
Similarly it would seem that banning portible media devices and cameras to prevent security breaches is a somewhat hacky fix.
If internal security procedures are so poor that a camera or media device in the hands of an innocent visitor can capture sensitive information, then someone intent on subverting the process will simply find a differrent way around the restriction.
( Like looking with their eyes and listening with there ears. Or simply attempting to aquire the sensitive information through a different point of access.
Such patch work efforts tend to lead to a false sense of security on the part of the protected. (The parallels to government reactions to terrorist incidents are quite pertinent. It's a bit like saying " Oh, we use terrorist watchlists on our borders so we must be safe from domestic terrorism". It contributes to the protected _feeling_ as though something is being done to make them more secure, while costing enormous amounts of money, inconveniencing enormous quantities of people, demonstrating potential for false positives and in the end providing only nominal effective security.)
jayh says, "BTW have you seen the resolution of cell phones? Maybe good enough for thumbnail."
Indeed, a very, very detailed picture of a thumbnail. Current cameras in phones here in Japan are 2 megapixels, with (finally!) relatively decent lenses and autofocus.
Chris: "I hope the system in today's $100,000 luxury cars are more secure than a Speed-Pass. But how can I know? Manufacturers aren't releasing any details that I've seen and I doubt purchasers of these cars are asking any questions. After being told their keys use of possible codes who'd be worried?"
For the chips (at least) BMW use, go to http://www.semiconductors.philips.com/markets/... and look for the PCF7936AS. The actual encryption system used is confidential, and hidden in a password protected PDF file that you need to submit a form to gain access to. Fancy doing a bit of pro bono analysis for us, Bruce? :-)
This technique was also shown in German television, I think it was on RTL about 1998.
They filmed the key hanging inside a glass door over ~30 meters, printed a magnification, went to a locksmith and presented the puzzled owner a copy of his keys...
"I don't think you can memorize the exact key, but you can memorize enough to significantly reduce the keyspace."
Locks often have an additionally reduced keyspace - there are 7-9 possible cut depths, and many patterns aren't allowed as they would be too steep for the pins or too weak (e.g. ascending and descending lines). And if it's no high-security lock, there are tolerances of a few 1/10mm, so your key doesn't have to fit exactly, you can wiggle and shake a bit. And if you're a bit familiar with locks, you could easily practice to associate keys with the cut depths, and all you need then is a blank key and a cutting machine or a file...
The article, and Bruce's post, suggest that the real issue here is the future security of physical keys. It's obvious that "unpickable" locks are pretty useless if you can shoulder surf the key, so it's time to hide the keys.
One idea would be to use tubular keys, as in my old Kryptonite lock, but with the notches on the inside. I don't know if these exist, but they should be virtually impossible to shoulder surf. (The other kind would be difficult to duplicate without being able to see all the way around it.) Of course, it'd also have to be proofed against the BIC pen (or toilet paper roll) attack.
I also seem to recall magnetic keys: physically uniform objects set with a specific magnetic pattern which moved the pins/tumblers of a lock. It satisfies the anti-shoulder surfing criterion (barring pocket SQUIDs), but I don't know how hard to pick the lock would be.
Plainly, this is an issue that needs to be addressed, though adding other layers of security (such as an access log) should certainly be persued. Apropos of Bruce's post on the theft of the keys to the Sydney (??) subway, those thieves might've just as easily done the same as the alleged postal thief, and no one might be the wiser that unauthorised people have access to subway trains.
just what kind of sites do you manage? you propose to assure that visitors surrender all cameras - how? just frisking them, or full body-cavity searches? then you propose to "makita format" all unauthorized cameras found within your perimeter. just who are these visitors intruding upon your hallowed space? are they your customers? your employees? colleagues and associates in your enterprise? in each case, there is a relationship between the visitor and your company which is valuable to the company. this relationship is with a human who is coming to visit you. humans are funny things. they have a concept known variously as "respect" or "dignity", it is no less real for being unquantifiable, and if this concept degrades during the course of a relationship, it is frequently fatal to the relationship with consequent loss of value to the other relator. my own perception of dignity and respect would necessitate that i knuckle-sandwich format the dental bridgework of anybody proposing to makita format my cellphone.
You're right, but these Locks have other security downsides... the tubular locks were never really pick-proof, some magnetic locks are readable and they are sensible to heat (non-magnetic materials -> plastics).
Dimple-key locks would be my favourites against this attack, especially when manufactured with very high precision. And if you choose one with multiple rows of pins (see BKS Janus or Kaba quattro) just one picture (=one side of the key = max 2 rows) wouldnt be enough...
Typical keys in Switzerland (and some regions in Germany) look uniform from a distance, since hole depths contain the combination:
The actual variation is in the placement of drill points and their depths on two surfaces. My apartment keys show even less externally visible difference than the above key does. One could only locate the drill points based on a picture, but still need proper depths. With sixteen holes, finding the correct depth combination may not be trivial.
Medeco keys also rotate the pin, so a photo won't have whether the pin rotates one way, the other, or not at all. I should be surprised that we use 100+ year old lock/key mechanisms when there are better schemes out there.
When I was in grad school, many of the graduate students had master keys that could be made from the sub-master we were commonly issued. The original key was made by a graduate student who had managed to borrow a master, and stopped by a photocopier before he returned it. The lovely thing was that the sub-master in question could be made into a master with one glob of solder.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.