Schneier on Security
A blog covering security and security technology.
October 1, 2009
Reproducing Keys from Photographs
Reproducing keys from distant and angled photographs:
The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private --- that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the ever-increasing capabilities and prevalence of digital imaging technologies present a fundamental challenge to this privacy assumption. Using modest imaging equipment and standard computer vision algorithms, we demonstrate the effectiveness of physical key teleduplication --- extracting a key's complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates. We describe our prototype system, Sneakey, and evaluate its effectiveness, in both laboratory and real-world settings, using the most popular residential key types in the U.S.
Those of you who carry your keys on a ring dangling from a belt loop, take note.
Posted on October 1, 2009 at 2:09 PM
• 24 Comments
It's just a matter of time until someone installs key detection code in the software used to control 'security' X-ray machines.
This threat is old news. I remember guys doing this in high school, with me working on the software [for recreational purposes only]. Gave persistent access to covert hangout spots, like apartment clubhouses. Cops thought they were the fastest lockpickers around, till they found out they just duped the keys. This new process is MUCH of an improvement.
There is a catch though: the older manual decoding after close-up pictures was actually quite easy. And the kids didn't mind spending many hours for little cash because they had no bills and got street creds out of it. So, nothing changes, and we are no more or less safe from the threat.
A thought: I guess hiding your key is no longer security through obscurity. Now that visual techniques made the press, the risk is real and a little higher. Is keeping keys concealed whenever possible now an actual countermeasure? Moreover, is it worthwhile if you have a cheap lock? ;)
If it weren't possible to pick most locks in under a minute this news would actually be concerning.
Opportunity for a metal key sleeve business, Sleekey, that presents faux projections and grooves - security by obfuscation.
Let's hope this rattles the UK into discussions of removing the street cameras as a matter of national security.
"Let's hope this rattles the UK into discussions of removing the street cameras as a matter of national security."
More likely they'll use it as an excuse not to release footage to the public in future...
Way old news. Many years ago, I worked in a close security prison. We were supposed to keep our keys in pockets (as opposed to belt key clips) because inmates had managed to duplicate keys from repetitive viewing -- no photos -- just watched the keys very closely.
I'm pretty sure that the average CCTV security camera doesn't take usable pictures of your keys. Most of them barely take usable pictures of human faces.
No, if you're going to knee-jerk ban anything because of this, it should be digital cameras over N megapixels. Where N is picked out of the air with no justification possible nor offered.
It should be noted that this does not work for some keys.
For instance keys that are three dimensional.
If you think about the common bike lock even very close up it is difficult to see more than 1/3 of the cuts.
Likewise some keys use pits of varying size and depth which would be very difficult to photograph with any accuracy.
As for the bog standard 5 lever mortice lock keys they are so easy to memorise I was hand cutting them (FB1/FB2/FB3) with needle files when I was not even a teenager.
Likewise with padlock keys, not that most of those had any real security anyway.
@Clive Robinson: Good point. It seems most bike locks have better security than the locks most people have on their houses. Amusing.
A typical cylindrical key, which I assume is what you mean by a bike lock, would simply require several photographs taken from different angles. So you've increased the cost of the attack by maybe 4.
Cylindrical keyed bike locks have had their own problems - http://www.wired.com/culture/lifestyle/news/2004/...
I know someone who works in a prison who says there are inmates who can memorise and duplicate typical Yale keys just from a single view. (Which doesn't contradict Carl, the keys used inside a prison might be harder and take repeated viewing.)
I still have 3 dogs ;)
I have 3 steaks. Every system has a weakness.
Time to add electronic chips to keys a la cars?
On the other hand as long as it takes me to get in my house when I HAVE the keys... (1 deadbolt and 1 nightlatch per door, 6 keys of similar style on the keyring in addition to 4-5 other obfuscating keys on the ring [plus 4 or 5 more that could in no way be a match] - similar to guessing which rotors were installed in a naval Enigma).
The first time I worked in a facility that had computerised badge-slide locks on the doors I was frequently (npi) able to convince it to unlock by keying a ~5W 2m handheld xvr with 'rubber-duck' antenna on ~147 MHz. It worked often enough that I would always try that before digging the card out of my wallet (this was back before people wore ID cards at work).
I assume there was a solenoid in the latch which had a long enough wire (since the wire ran from the reader-box to the wall, then back across the door to the latch) running to it that adequate power was induced to fake a logic-level transition and the designer assumed that any voltage on the wire was produced by the card reader. Kind of like early garage-door openers that assumed ANY transmitter on its frequency was its own.
I have a couple like that and as far as I can work out there are only about 4 different pit depths and they're drilled with a cone drill so the hole diameter directly translates to depth and is pretty easy to measure from the photo.
> Those of you who carry your keys on a ring dangling from a belt loop, take note.
It's on: Schneier vs. Schneider (from One Day At A Time).
Didn't Wired cover this a year ago? Which, given that it's Wired, would imply it had been done long before that.
I thought the news before was that it could be automated, and so had figured the news now is that the range has increased and they can use a wider range of photos (wider range of angles supported).
@c-x, and D :
I still have 3 dogs ;)
I have 3 steaks. Every system has a weakness.
I've taught my dogs to only take food from myself or my wife. . .
This is the standard type of key for rented and owned homes in Switzerland. Kaba and Keso typically provide many locks and I would dare to suggest make this compromise more difficult to execute....perhaps that's why many a Swiss geek sports his keys on a belt clip?
And I'll take the dog challenge one level higher - my dogs are vegetarian! ;-) (actually one of the dogs is hugely suspicious of food given to him both in where he gets the food, what's around him and who is giving the food; I would not be cruel enough to make a dog a veggie!)
In 2007 keys to Diebold voting machines were made from a photo of a key on their Web site.
The 'hanging chad' debacle in the US pales in comparison to the thought of voter fraud en masse with those devices.