Schneier on Security
A blog covering security and security technology.
« iPhone Iris Scanning Technology |
| Ars Technica on Liabilities and Computer Security »
July 26, 2011
Duplicating Physical Keys from Photographs (Sneakey)
In this demonstration, researchers photographed keys from 200 feet away and then made working copies. From the paper:
The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private -- that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the ever-increasing capabilities and prevalence of digital imaging technologies present a fundamental challenge to this privacy assumption. Using modest imaging equipment and standard computer vision algorithms, we demonstrate the effectiveness of physical key teleduplication -- extracting a key's complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates. We describe our prototype system, Sneakey, and evaluate its effectiveness, in both laboratory and real-world settings, using the most popular residential key types in the U.S.
The design of common keys actually makes this process easier. There are only ten possible positions for each pin, any single key uses only half of those positions, and the positions of adjacent pins are deliberately set far apart.
EDITED TO ADD (7/26): I seem to have written about this in 2009. Apologies.
Posted on July 26, 2011 at 1:28 PM
• 33 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Lisa did this in a recent Simpsons episode. So it's at least that well known
Interesting but frankly I've seen cooler things. I've attended a demonstration of a laser 3D scanner and a Rapid Prototyping printer scanning and printing Abloy Protec Elite and Ruby Exclusive (Custom Blank) keys which were used in the corresponding locks. It was expensive, slow and fragile but it was a good proof of concept and seeing their prevalence in high security environments, it looked like a cost-effective attack if one could gain temporary access to a key, especially when key control policy doesn't always consider key copying scenarios for technologies like Abloy. I don't see why you couldn't gain the coordinate data of complex keys, like Abloy, by using imaging techniques used here, although you'd need more images.
Just how long do you need to be in posession of a key to snap a hi-rec pic with your iPhone, 'droid, or any other cell phone with a decent quality camera? Easy enough to snap a pic, print it, trace it onto a blank. I like the concept of imaging at a distance though, with no need to physically posess the key at all.
I'm surprised people haven't found more ways to embed passwords into keys, so that you have to have both.
I guess you can already do that by having a PIN pad or something along with your card key, but it doesn't seem widely used.
There are plenty of obvious ways to combine "something you have" with "something you know" though and lock makers should really try to keep up with the times.
3D printers are going to make key copying a lot easier and they're already pretty easy to make.
I've seen several locksmiths do this from sight. It's good stuff, the security a key offers is only as good as the knowledge and effort required to duplicate. That's why so many of the locking systems restrict who they sell re-keying equipment to.
Now, with 3D printers (thanks Florent), and image analysis, and other fun tricks, the barrier is a lot smaller.
Last time I had a key cut at the hardware store the resulting duplicate didn't open the door. The keys looked the same to me, but there was a subtle difference in the way one point curved that made all the difference to opening the lock.
If only Bruce had stamped "Do Not Duplicate" on that original post...
It sounds like security by obscurity would be userful when it comes to physical keys - keep them in your pocket so people can't photograph them.
We used to do this in high school. Both trace or a 35mm (digicams weren't common yet). Even used modeling clay and made impressions.
Another security flaw in most locks (and sometimes higher-end locks) are standard pin sizes. There may be 5-7 pins, but there also may only be 5-7 standardized depths. I generally can look at a Schlage key and have a good idea of the numbering is and cut it from that.
As a result, all of my keys are offsets, non-standard depths.
This story is getting older than me :)
It has been well known by prison warders for well over 100 years that some prisoners could cut a key just from a single chance viewing...
When I was in my early teens I cut copies of the so called FB keys (Fire Brigade keys) and one or two other keys by memory with needle files.
I also taught myself to impression various locks including those Kaba locks (the ones with the variable sized holes drilled into the flat faces of the key blank). After having taught myself to pick locks of various types.
As far as I'm aware making a key from a photograph goes back well over 100 years, apparently at a Victoorian era fair a well known lock manufacture announced an unpickable lock and a cash prize inside a box the lock protected. As part of the publicity they alowed the press of the day to photograph the lock and by chance the real key... The rest they say is history.
But a cautionary note, some people made the very very costly mistake of beliving that the solution to "security by obscurity" of mechanical keys in prison was to replace the locks with electronic ones with finger print readers.
Within a few days the prisoners were moving quite happily through them. It happened in a Scotish Prison and I remember posting a link to the page on this blog several years ago.
I know Bruce is getting on a bit (but he's still younger than me ;)
But this is not the first time he has re-posted a story...
Perhaps he needs a holiday somewhere nice, to relax (I'm sure most of us would benifit from a vacation or two).
Or perhaps the scary thought, are we actually running out of original security stories, like we appear to have run out of crypto stories...
Oh whilst I remember anyone claiming to have made an "unpickable" mechanical lock is not telling the truth.
All mechanical locks are pickable the reason is simple physics of materials which give rise to "bind" in various forms. The simplest cause being the different coefficients of expansion of different metals.
So all mechanical locks including new high security high precision locks have "slop" built in for reliability.
And where there is "slop" there is "wriggle room" to "feel out" or "impression" the various parts of the lock.
And as has been seen the lock industry knows but denies this, and when they get it pointed out to them that their latest high security lock they sell to Governments for very large sums of money is fallable they first go into denial then lie then get quite aggressive with lawyers and all the other "protectionism" practices we used to see (and still do) in the software industry.
"If only Bruce had stamped "Do Not Duplicate" on that original post.."
The effect would be the same as stamping that on a key: Only honest locksmiths/bloggers would honor it. The dishonest would ignore it just as they ignore "No Trespassing signs.
Hmmm... is Bruce honest? Guess we'll have to read his book to find out!
(j/k - taking your cute gag and running with it.;)
What is a little duplicating errors and Duplicity, amoung those in the business?
I have found that a touch of roll-on white-out over the Do Not Duplicate stamp works wonders in getting the key duplicated by the minimum wage employee working the laser cutter at the big box store.
It's not that professionals can defeat locks; we know that. It's that dumb criminals can with nominal effort and limited resources and ingenuity.
No need to apologize, Bruce. Always useful to be reminded of important facts.
And I never read this before. Not everyone here has been reading your blog daily for years.
And like Clive says, it's inevitable that the same security issues will arise again and again. Even the exact same stories.
I wonder how long it will be until someone can point a laser from a hundred feet at an electronic keypad after someone has keyed it and read the heat signature of the fingers on the code keys to decode the key. An update of the usual "coat the pads with a substance" method.
Reminds me of episode 12 of season one of the TV show "Leverage". Nate Ford and his team of thieves had to steal Michaelangelo's "David" statue from a a vault which had a thumbprint reader on the entrance. Parker, the hot female thief on the team, took some dark eye shadow, a handkerchief, a makeup brush, and got the owner's fingerprint off the fingerprint reader itself to bypass that.
The vault had steel walls, a floor laser grid, infrared heat detection, and vibration detection on the statue.
She beat the heat sensor with some ice from the bar, some aluminum foil from the buffet table, and some gum from hacker associate Hardison to make a holder for the ice to stick onto the heat sensor to mask their body heat.
She gymnastically tumbled over the laser grid, then used more aluminum foil to make two trays, one behind her and one in front of her, to reflect the lasers back onto themselves (which admittedly made little sense.) Pushing the tray in front of her to move the laser grid back got her next to the statue.
Then she had Hardison use his radio frequency hacking - done from his smart phone inside the vault (wonder how he got a signal) - to set off the car alarms in the parking lot. When Parker removed the statue, the vibration alarm went off, but the guards saw the car headlights flashing in the parking lot and assumed it was an earthquake tremor and ignored it. This was the least believable part.
The whole thing was not quite believable, but it was clever, especially as she thought up the whole method of defeating top security in five minutes with just the stuff available at a party. It fictionally illustrated how high tech security devices MIGHT be able to be defeated by very low-tech means.
And ya gotta love Parker!
Johnny Long's "No Tech Hacking" book details the methods of dumpster diving, tailgating, shoulder surfing, lock bumping, social engineering to get into a building, Google hacking, P2P hacking, "people watching", kiosk hacking, vehicle surveillance, and - with relevance to Bruce's post - "badge surveillance" - observing security badges on people with an eye to reproducing them.
The latter is the same concept as viewing keys from a distance with intent to reproduce and uses optics and printers in the same way.
--Off Topic --
Stuxnet clones may target critical US systems, DHS warns
What part of "blockback" don't these morons get?
The US and Israel put this thing together to attack Iran's PERFECTLY LEGAL nuclear energy program (with the Pentagon now declaring such attacks on US would be an "act of war"), infect systems all over the world in the process, then worry about how the US will get hit by the same thing.
@Richard Steven Hack, why do they even need to worry about around, no damage would be done to any freinds of there country.
NOS towards MAD, path 1)free land, 2)after a year they can trade.
a) there's considerable asymmetry in the attack - Stuxnet used (IIRC) three zero-days and a stolen driver signing cert. All of which would have to be replaced for the attack to work again. Could Iran do this? (And if they could, why would they need anything from Stuxnet?)
b) continuing the asymmetry - Stuxnet propagated because there were a small number of people circulating between a large number of sites. Might not be true where most of the setups are old and stable.
c) this is a beat-up PR story for funding.
It's been done in at least one very-high-profile diamond theft, although in this case the made-from-a-photo key didn't turn out to be necessary since the security people left the original hanging where the thieves could grab it.
Jay: I'm not necessarily talking specifically about the actual Stuxnet malware. The same principles used in Stuxnet can be applied in similar malware. Stuxnet is just the example.
"All of which would have to be replaced for the attack to work again."
Depends on the target. Maybe none of that would have to be done again.
And who says Iran is necessarily the opponent? Could be China, or anyone else with a grievance against the US. That list is really long and getting longer by the day.
Regarding propagation, apparently Stuxnet was not intended to propagate. That was an accident, possibly because the original dissemination didn't hit the Natanz target. If you're targeting a specific facility, propagation is not what you want.
Finally, I do agree with you that it's mostly a propaganda piece for funding. But it's still stunningly obviously a case of blowback - or will be once such an attack occurs.
And if Iran is attacked militarily, I would certainly expect them to do something similar against US nuclear facilities.
In fact, if you want to go "conspiracy theory", with the recent DoD demand to make a "cyberattack" an "act of war" mandating a military retaliation against the aggressor, it's possible that this piece is setting up the public for some fake cyberwar attack - alleged to be from Iran in supposed retaliation for Stuxnet - which would then be used as justification for military action against Iran. A "cyber Gulf of Tonkin" incident...or the cyber equivalent of "The Northwoods Documents".
It's not different from all these accusations that "Iran is supplying the Taliban" and "Iran is supplying insurgents in Iraq". Neither accusation has much in the way of evidence to support them but could be used as justification for initiating military action against Iran.
An "Iranian cyber-attack" would be relatively easy to fake - especially if all the IP addresses come straight from Iran - which to any one with a brain (which means almost no one in the general population) would be a dead giveaway that it was a setup. I'm quite sure US intelligence agencies - or even more deviously, Israel's Mossad - could launch a "false flag" cyberattack against the US from Iranian cyberspace.
Who knows? Maybe Stuxnet was intended to do sufficient damage to the Iranian nuclear energy program as to provoke Iran into doing something stupid and setting them up for a US military response. In that case, of course, it failed - so far.
After all, since both Israel and the US KNOW that Iran does not have a nuclear weapons program, a real motivation for sabotaging their legit nuclear energy program is lacking unless there was a hidden agenda.
All of this is (or appears to be) based on the fact that hardware keys are effectively digital rather than analog, with just a few signal levels (depth of cut) and known coding constraints. How much security could you gain back (as Alex suggests above) by going to an essentially continuous (within the physical constraints) set of depths for key cuts?
Of course, if you did that, you'd need a whole new set of coding systems and maybe new key-cutting equipment. Thus showing that with physical as well as binary locks it's the PKI or equivalent that gets you...
Man, I wish the hardware stores could duplicate keys reliably. I'd say one in 10 keys I get made don't work (or work with some fiddling).
If I really *need* a key, I'll get three, since it's cheaper to have extra keys than to make a trip back to the store to have one recut.
3d printers are starting to get a bad rap. I saw recently where there has already been a copyright infringement suit against some "3d design repository", where someone claimed their design got posted without authority, and violated their copyright. (copyright on 3d?) Now we're starting to see 3d printers mentioned as a "security breach tool". How soon before we start seeing legislation limiting 3d printers? The cat is already out of the bag, so I don't see what we have commonly today being controlled. But I can see a chilling effect on developing the technology further. In some ways, the 3d printer democratizes the physical world in the same way the internet did the information world. I'm sure that there are many TPTB that aren't very fond of that, and they're in a position to propose/purchase legislation.
In Joe Haldeman's "The Forever Peace" one of the plot elements was the "nano forge", basically an ultimate 3d printer. The government set off a nuke in the nano forge lab, calling it an "accident" highlighting how dangerous the technology was. Thereafter all nano forges were government operated under very tight controls. The cat was shoved back into the bag.
@ Richard Steven Hack,
"he US KNOW that Iran does not have a nuclear weapons program, a real motivation for sabotaging their legit nuclear energy program is lacking unless there was a hidden agenda"
Well we have mentioned this before and my personal belief is the control of energy both short term and long term. As well as those with interests in short term profitering fro "war supply" which has branched out very nicely into "anti-terrorist / security supply" (as George Orwell indicated you need an enemy, any enemy, even one you invent, to keep the populous in a state of obediant fear and thus oppression).
Also as discussed before, with StuxNet I still feel in my bones that it was actually aimed at North Korea. The US has been trying ever since the Korean war (which most people only know of through M*A*S*H) to forment trouble and sofar North Korea has not bitten.
However a number of things have come together that quite frankly scare me. Firstly the US offered an energy deal with NK in return for cessation of coontinued nuclear development. NK complied but the US renaged on the deal so NK restarted at an enhanced rate it's nuclear development program. NK has the advantage of sitting on just about as much uranium as they are going to need for the next few centuries. The current NK leader is getting towards the end of his life and knows it and is quite clearly tired of US behaviour. SK has got the most lunitic war hawk leader they have had since they have been a seperate nation. And he is quite deliberatly formenting trouble with NK with a lot of US help. NK have made it abundently clear that they have assumed the US was behind StuxNet and that it was deliberatly targeted at NK. This view is actually supported by the places StuxNet was actually found.
Unless cooler heads prevail I can see the US having a re-run of the Vietnam War but this time initialy by proxy. If they do China will almost certainly get involved, which will almost inevitably bring Taiwan under attack, and Japan is then likley to get involved as well as NK have delivery systems that will go that far.
Due to the location and routing of subsea data cables much of the communications load will inevitably fall on Australia who will almost certainly become the target of "cyber-warfare" if not some limited form of conventional warfare.
With respect to that SK claims and continues with US assistance to claim that it is suffering "cyber-attacks" from NK. However there is little evidence to say who is behind the attacks, and a number of people have been droping hints it's not NK but another party. Some say China and others think it's more likely a false flag attack by interested parties in the US/SK.
What ever the truth of the matter is it will not take much of a spark to set the tinder burning, the question is then if people will fan the flames or pour water on it. If they fan there is more than enough cord wood stacked up to start a forest fire which will get out of hand to become a fire storm of epic proportions.
Clive: Agree with you on the history and status of the Korean situation. It's the US that created the reason for NK's nuclear weapons status.
DoD war games show the US taking 50,000 US casualties in the first ninety days of a war there. At the very least, the 27,000 troops we have in country will be in trouble immediately. This is why the US is moving them south of Seoul instead of leaving them up on the Armistice line.
Obama as much as Bush seems interested in deteriorating the situation further with unnecessarily provocative "war games" in the vicinity in concert with SK.
Obama never met a war he didn't like, contrary to the notion that he is being led around by the military. His actions indicate otherwise. He is controlled by the Crown and Pritzker families, who are heavily invested in General Dynamics.
As for Stuxnet being aimed at North Korea, I can't buy it, since the majority infection was in Iran - as far as we know, anyway. Also, Israel was partly behind Stuxnet, almost certainly, and Israel has actually been doing business with North Korea. They want to sell NK the technology for their "Wall" so that NK has help restraining their defectors into China, among other things.
And Israel has little interest in attacking North Korea since North Korea isn't Muslim - even if NK has been helping countries like Pakistan and Iran. It wouldn't be efficient to try to sabotage NK's nuclear facilities upstream compared to directly sabotaging Iran's.
I should add that I suppose it doesn't have to be "either-or". If the US participated in the Stuxnet build, they might have expected to use it against NK as well as Iran for their part.
The wait is on for entrepreneurs to broker a deal with the researchers and then have some government agency fork out mucho dinero for something that already exists.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.