Copying a Key by Listening to It in Action

Researchers are using recordings of keys being used in locks to create copies.

Once they have a key-insertion audio file, SpiKey’s inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock’s pins [and you can hear those filtered clicks online here]. These clicks are vital to the inference analysis: the time between them allows the SpiKey software to compute the key’s inter-ridge distances and what locksmiths call the “bitting depth” of those ridges: basically, how deeply they cut into the key shaft, or where they plateau out. If a key is inserted at a nonconstant speed, the analysis can be ruined, but the software can compensate for small speed variations.

The result of all this is that SpiKey software outputs the three most likely key designs that will fit the lock used in the audio file, reducing the potential search space from 330,000 keys to just three. “Given that the profile of the key is publicly available for commonly used [pin-tumbler lock] keys, we can 3D-print the keys for the inferred bitting codes, one of which will unlock the door,” says Ramesh.

Posted on August 20, 2020 at 6:22 AM35 Comments


Mr. H August 20, 2020 6:36 AM

My mama always said (and this is not from ‘Forrest Gump’),
“You only lock because of the good, honest folks. You can’t lock anything away from those wanting it real bad.” Mama knows best.

Petre Peter August 20, 2020 6:42 AM

Moving to digital locks is not the solution here. Just remember what happened to Onity.

Jose Sardinas August 20, 2020 7:08 AM

Are European style keys (side pins) some sort of deterrant/hardening? I don’t think so, but just asking. Definitely going digital is not a solution, I agree.

Clive Robinson August 20, 2020 9:05 AM

@ ALL,

With regards “SpiKey” it was presented at this years “HotMobile”[1][2] conferance.

Whilst I’ve been aware of how to do this for quite some time as have quite a few other engineers, we tended not to talk about it as the only defence is reengineering all the pin and tumbler locks out there, and the methods to avoid the attack of seperating the pins from the keyway whilst the key is inserted or withdrawn (yes the attack works both ways) are nearly all patented or very expensive to implement.

There is actually nothing new in the individual steps as I discuss below, nor in pulling them all together and assembling them into a neat little attack. However putting them together in an application and writing it all up in an accademic paper is as far as I’m aware a first.

However both the paper[1] and the presentation[2] assume a certain base level of information / knowledge that many may not be actually aware of in the right way. So to get a grip on how spikey does what it is doing you need to know some basic facts in the right way, that do not come out very well in either the paper or the presentation.


Firstly unlike lock picking you are not “enumerating the lock” you are infact “enumerating the key”…

I know that once you understand what is going on it will sound obvious when you say it. But most lock pickers would be starting in the wrong mind set as they usually “enumerate the lock” as they do not have access to the key.

Put more simply “This is a key present attack” and “The lock is the tool that enumerates the key to produce a time based serial attack vector of a two dimensional path”.

To see why knowing this is important to get SpiKey to work you have to understand that you need to pick the correct degenerate or base model to start from (and when to switch back and forth between both).

Thus a “one ridge key, six pin lock” model will enumerate the distance between the lock pins and give you very little information other than the key insertion or removal speed and acceleration[3]. Thus you need to start with “multiple ridge key one pin lock” model which gives you a crudly aproximate ridge to ridge time function based on the time between the lock pin clicks[4].

However the ridge to ridge time function is “one dimensional” where as the ridge to ridge positions fall in one of a number of “path” positions on a physical grid that is two dimensional. Thus you need some way to get two dimensional “path” information out of the one dimensional time intervals.

To do this you need atleast two pieces of information. Firstly an initial known start direction and secondly a time to hight function. The first piece of information is known from the lock design that is the pin is rising not dropping as the key is inserted (obviously dropping on removal). The second piece of information is the angle of the key cutting wheel that gives the slope angle. Whilst almost anyone who has seen a key being cut will have seen the cutting wheel has an angle on it, it’s doibtfull they will have realised it’s significance or even conciously remembered that the cutting wheel for these types of keys was angled. So for easy imagining assume it’s 45degrees which gives a simple linear relationship with rise or fall of the key cut thus the pin ofset position with time.

However even knowing this, all you actually get is a “change in path” not an absolute position of the key profile. That is you do not give the actual cut depths (bittings) only the “relative” relationship to each other. Obvioulsly if you can imagine a “cut line” on a piece of paper over which you overlay a transparancy with the grid pattern you can see that it can only fit in a smaller range than the total number of cut hights. Also there are other practical bitting rules that reduce the number of possibilities further and both the paper[1] and presentation[2] give slightly different asspects on this problem.

But the real model is “multiple key ridges and six lock pins” this is going to give the base timing you want from the lead pin in the lock plus five other delayed thus partial copies from the five following pins. Thus you get six clicks from the first pin five from the second, four from the third and so on giving you twenty one clicks in total. How do you clean out the fifteen unwanted clicks to get just the desired six clicks from the first pin. Well it’s a trick known to many engineers that have to deal with multiple echos in ranging systems like radar and from imperfections in transmission lines. The trick is to realise that if you overlay all five delayed click sequences from the five unwanted pins you can do a simple time based subtraction. That is you take the 21 click spectrum work out the delay on the first click, then using that delay subtract the one click delayed sequence from the undelayed sequence and you end up with six clicks of increasing uncertainty in time which you can apply a well known signal processing technique to, to clean up.

But the fundemental idea that is not stated in either the paper or the presentation is one I’ve mentioned several times before on this blog. Which is converting a parallel system of information into a serial system of information[4]. This is a very fundemental EmSec or TEMPEST attack technique and it can be very very powerful and it’s very easy for an inexperienced designer to get wrong. And as with analysing the signals from a “loop unrolled” AES encryption algorithm takes the analysis required from the M^N down to just N steps of M individual measurments. Thus from 2^128 to 128×2 in the case of AES. Or in the case of a six pin lock from 10^6 or 1million potentially diferent keys down to just six measurments and interpretation to find the relative key cut depths.

Thus you can see from this that it must be possible to design a lock where this attack will not work because there is no serialisation process.

And yes there are indeed locks out there where this attack will not work. These have been designed with stopping the “serialisation” of “pin raking”, as well as “Newtonian Phisics” issues that “pick guns”, or “lock bumping” exploit. Thus the key has to be fully inserted into the lock “key way” before it can be pushed up against the locking pins.

[1] The paper :

[2] The presentation :

[3] The key instantanious velocity is needed to get precice key cut depth information, but a simple average of key click timings can give you a first aproximation. Then an iterative process will give you a more precise set of measurments. Any one who has written software to decode the data on mag stripe key or credit cards from an inductive “swipe sensor” will know this because you have to alow for “read head bump” causing changes in velocity as the leading edge of the plastic card hits the read head.

[4] It’s essential to understand that the first pin in the lock whilst measuring the distance between key ridges as a time function is also “serialising” what is a physical two dimensional model. If the serialisation does not happen then this type of attack can not work.

Clive Robinson August 20, 2020 9:17 AM

@ Jose Sardinas, Nik,

Sorry but they will still fail if there is a serialisation process and you can detect it in some way.

Thus Karba keys with their indentations are vulnerable as the key is pushed into the key way, and like as not many magnetic pin systems as well.

As I said above what you are doing is using the lock to enumerate the key pattern be it hight of ridges, depth of pits or direction of magnetic attraction. As long as the “serial measurment” can clearly be distinquished in some way then it’s game over.

Most pin and tumbler locks are thus vulnerable because due to not just cost reduction but increased reliability they “serialize” in some way.

There are locks out there where the key has to be fully inserted into the keyway before it is presented to the tumbler pins, but they are few and expensive.

If I remember correctly @SpaceLifeForm had found one that did this that was not very expensive.

Lusoman August 20, 2020 11:08 AM

The key for my 2002 Honda CRV didn’t have peaks and valleys – it was a smoothly curved ridge on both sides. Not sure if this would be better able to resist these attacks.

Clive Robinson August 20, 2020 11:40 AM

@ TimH,

Don’t think this approach will work for two-sided keys/locks such as Ingersoll sc71

As the Mul-T-Lock key is inserted into the Cylinder and removed on the video,

You can clearly hear the serialisation by the pins in the tumbler cylinder enumerating the key….

This video which is “Not Suitable For Work” due to guy having a “potty mouth”,

Not only shows a ten leaver SC71 getting picked very quickly but also a partial view of the leavers. The lock it’s self has one heck of a lot of “slop” in it which usually aids in picking, but even so it was a fast pick.

What the guy indicates is that the levers are offset with respect to each other which is why he puts the torsion bar in at the top of the cylinder. This may well mean that the serial clicks are alternating between the top leavers and the bottom leavers.

If that is the case then the lock would be just as proportiantely susceptable to the SpiKey attack as is a normal six pin cylinder lock…

Either way both types of cylinder are serial not parallel presentation to the pins/leavers which means the locks leak information about the key…

On another note people appear to think that the opener on the inside is some how more secure than those you have to turn.

Sorry to disilution you boys and girls it’s actuall a serious design flaw. Back in the 1970’s and 1980’s I used to know locksmiths who worked for utility suppliers, they all had a little secret which was, you lifted the letter box flap and pushed a dentists “in your mouth” mirror through and they looked to see what type of latch opener was on the back of the door. They hated those that had to be rotated because that ment they had to pick or drill the lock both of which were slow compared to shoving a stiff bit of electrical “twin and earth” through the letter box and using it to “hook” the latch leaver in some cases or as in this ingersol just use it as a wedge to get the latch leaver to go back far enough to pull the latch back for the door to open.

It’s why people in the know do one of three things,

1, Don’t have a leaver operated latch.
2, Don’t have a letter box slot in the door
3, put a metal “draft excluder” raised plate over the letter box slot, which only alows things to go downwards towards the floor.

I do one and two with the latch actually operated as a dead bolt operated by a specialised security key that I dont leave in the latch mechanism. I also have a couple of non standard mortice locks, that I lock but don’t leave the key in either.

My door is not a normal UK door, which is why I could not put a letter box slot in it even if I wanted to. It’s imported from a southern european country where the police are shall we say “lazy” thus might not respond to an alarm etc for a day or two (much as they are now doing in the UK). It has a hidden high strength high cutting temprature frame and plate in the door which has solid oak front and rear and locking bolts that go into the frame from all edges of the door oh and a full length security hinge. The 90degree porch makes the use of battering rams also ineffective. So whilst not impossible to get through, it would take quite some time. Which is why a sledge hammer through the wall might be a lot faster and quieter 😉

Do I need that level of security not that I’m aware of, but it was fun putting it in place and realy discorages “cold callers” and those nuisance leafleters etc.

Technotron August 20, 2020 12:17 PM

Easy solution. Play audio of random key clicks or other similar metallic sounds on your phone, while opening your door lock

Clive Robinson August 20, 2020 12:50 PM

@ Technotron,

Play audio of random key clicks or other similar metallic sounds on your phone, while opening your door lock

Sorry to shoot you down that will not work over time, for exactly the same reason you never use an OTP more than once or many other encryption systems where you can get “messages in depth.

So how to attack it,

If I hide a pin hole camera and microphone up above your door then I can make a recording every time you put the key in, and use the video to synchronize the audio recordings.

I also use the video to then just stretch or compress each recording by the velocity factor I get from the video of the key insertion time[1].

Then I average those audio tracks.

It will take maybe 16 recordings tops to pull the real signal from the random signal…

In essence it’s little diferent to a “Differential Power Analysis”(DPA) attack from the end of the last century.

Students in EU Uni’s doing computer security at undergraduate level were taught how to do the syncing of DPA recordings and averaging out the required signal from the noise to recover DES, AES and other crypto keys. That was a fifth of a century ago how much improvment has been potentially made in that time?

Sherman Jay August 20, 2020 2:55 PM

It seems to me that this so exotic a technique that it will VERY seldom be encountered in ‘real life’ (whatever that is now).

Also, I think that if we are going to be ‘cautious’ about this, it would be easy to develop a habit of:
1) using your other hand to cover the key hand when the key is inserted into the lock so no visual record could be made.

2) inserting the key part way (engaging a couple of pins), immediately pulling it out part way and then immediately inserting it fully. Then turn it and unlock the lock. Thus, providing a false ‘acoustic signature’. If we are even more ‘cautious’ we could repeat the partial insertion a few times. I think this would make any audio recording unusable

If anyone can think of a reason why this would not work I would be glad to hear it.

Also, decades ago I developed (and used) a rotary switch combination lock where only the shafts and pointer knobs extended through the wall and on the inside, only one of the 8 positions would close the circuit to the next switch. Thus, only if all 6 rotary switches were set to the correct position would the circuit be closed and a pushbutton (momentary on) could be pressed that would actuate a solenoid lock on the door. All the other positions on each rotary switch were wired to a latching relay that set off an alarm if the pushbutton were pushed.

echo August 20, 2020 3:23 PM

I had the vague idea years ago when I was much younger so it’s been interesting to learn that it is actually possible. (Yes I took locks apart and made key impressions and glue fingerprints too when I was young.) Whatever the attack it still swivels around skill, detection, and laziness. It’s kinda funny seeing Clive stay quiet because “theoretical threat” and people getting antsy when I asked for a particular thing to be taken down. To explain: when you havea node of interest which gets word of mouth traction it can bubble up. When it passes a critical threshold it can attract attention and also copycats. See also road rage, suicide, planes flying into skyscrapers, drones, stealth aircraft, and detecting planets orbitting distant stars. And of course when it gets on Youtube with its dodgy algorithm or some collegeage bigmouth wantingto earn a gold star mouths off on Slashdot and the desperate for a page click media bandwagon it may be pushed to the top of the stack thus amplifying the problem. If I can put two and two together so can somebody else.

While people with the “take a perfect sphere and roll it in a perfect straight line” view will sweat bullets in reality locks are broadly speaking still as secure as they always have been in the overwhelming majority of cases. A group can be as clever as the cleverest person in the group but no smarter than the average” still applies with the usual stack of bellcurves.

I suspect tier one adversaries would already know this so the science and risk analysis has already been done. I would also expect in the UK at least the Home Office to consult with security services and police and potentially make the case for seizure of patents for both security and human rights reasons. Other mitigations may be available to as they are to prevent counterfeiting. But by and large I would only expect a minority may need to change their locks and surrounding security practice while for the majority it would be business as usual.

None of the locks on any of my doors are susceptable to this attack and there are other security gotchas when considered “in the round” unless it’s a tier one adversary in which case all they need to do is ring the doorbell. Can the firebrigade and cops and SAS get in? Well, duh.

There is a lot of milage in “not being worth it” and “too much bother”.

All my jewellery is costume jewellery off Ebay. Good luck retiring on the proceeds from that.

Clive Robinson August 20, 2020 4:48 PM

@ echo, ALL,

in reality locks are broadly speaking still as secure as they always have been in the overwhelming majority of cases.

That is because a lock is not a security device as most ICT Sec people understand security.

Under real tangible object physical world objectives security is about ensuring physical objects stay in a designated space under the direction of a designatef person. Any attacker has to come to the physical object and make real physical effort to move it in a realitively short period of time

For instance I do not need a lock to protect your car when you’ve put it in the garage, all I need to do is brick the doors and any windows up to stop ingress and egress. In many respects and cases it may not be practical.

The actual purpurse of a physical lock security wise is two fold,

1, Not to be the low hanging fruit.
2, To delay an attack untill others have time to get there.

The fact that they also take temptation away from honest people is just a bonus.

But many physical locks are not about security, the are about other things such as privacy and safety.

A locked window may stop entry but it does not stop prying eyes, hanging a curtain on the inside of the window does that, and the lock on the window need be nothing more than a simple physical latch provided it can not be accessed from the outside. For normal privacy that will remain a sufficient deterent for many years if not centuries to come.

Likewise a lock used for safety purposes needs to be little more than the latch does for privacy. There is a standing joke in UK construction industry that the security of plant equipment is not the ignition lock that can be operated with a bent nail, but the fact it takes quite some time to operate plant equipment without arousing suspicion. Oh and the eight foot high fences just stood up in concreat blocks that any drunk with half a brain knows how to lift out of the blocks…

In the intangible world of non physical information objects security is a lot lot different. Firstly to steal an information object generaly requires no physical presence by the attacker and mostly the next to zero cost to the attacker of duplicating the information object means they only realy have to avoid detection of the copying and transmission processes as the actual information object never actually needs to be moved.

Thus in the iCT Sec industry the information objects are what are locked bot some container as with physical objects.

There are other differences but it makes the point that physical security and information security in the main require not just different skills but majorly different practices because the attacks you are dealing with in ICT Sec for information objects are very much different to physical objects. Thus the skill set differs extensively as well.

K August 20, 2020 4:59 PM

All of this is very interesting, but ultimately pointless when you remember that bump-keys are a thing. The day I learned about them was the day I realized that lock-picking skills are purely for the enjoyment as an art.
If you’re not familiar, bump-keys can be hand cut (with a file) from a standard blank to work with any lock for which that blank is designed. With a couple taps of a screwdriver handle, the lock is unlocked with no signs of mistreatment. This can be misconstrued as the attacker having the original key (or a copy) for the lock.

I’m also reminded of this:

echo August 20, 2020 6:26 PM


That is because a lock is not a security device as most ICT Sec people understand security.

I can tell whan I got you because you either copy what I say and rewrite it or shift the goalposts and flannel.

Thus in the iCT Sec industry the information objects are what are locked bot some container as with physical objects.

There are other differences but it makes the point that physical security and information security in the main require not just different skills but majorly different practices because the attacks you are dealing with in ICT Sec for information objects are very much different to physical objects. Thus the skill set differs extensively as well.

Sometimes a lock is just a lock. There’s no need to make it more complicated than it is. Sometimes a “less than last word in security” lock or system is a security strategy too because it attracts less attention or lowers their guard.

Good luck finding any information I want to hide if you even know what type of information it is. Personally, I’ve found giving it away is harder. Following on another property of information is knowing what to do with it or the information conflicting with an agenda. So even if someone is staring right at it the information may as well be a null byte. Now if you’re telling me these “army of one” ICT sec experts have what it takes then no because that’s another set of skills. So we’re back to the stack of bellcurves again. Information really can be as a slippery as a greased piglet.

Okay, so the “duck and roll” brigade get past all the layers and don’t just steal it but destroy the information. Go right ahead. I can use that too.

Security is more than hardware and more than hardware and information systems and the thing I want to protect and how and why are different. You’re simply not going to find it in a pile of lockpicks or firewalls.

echo August 21, 2020 12:57 AM

The Bowley lock has a slightly different mechanism which may make it a lot harder or possible impossible to realistically attack with this method. The reason is the key has only a couple of milimeters rake against the pins.
Bowley Lock Company Inc
Here is an computer generated animation of the Bowley Lock and Key in action.

Rober August 21, 2020 1:42 AM

To pop an even bigger bubble in Technotron’s comment all you need to copy all keys sold at a box store and most sold by locksmiths is just a photograph of the key. I suspect the surveillance equipment required to capture a picture if the key is much easier to set up than a miniature microphone.

SpaceLifeForm August 21, 2020 3:26 AM

@ Clive


Will reduce this attack.

Insertion and removal will create it’s own noise.

Especially if key cuts never match, even nearly. Which they should not, as that can result is a key that is easier to physically break. Inside the lock. Been there, done that.

The attacker would find it easier to just get a high-res pic of key.

In most cases of physical security locks, it’s all about making it expensive for the attacker. Or, at least, as a deterrent.

echo August 21, 2020 4:00 AM


Now people are thinking about different lock designs a Banham lock with sliders is similar-ish in principle to a Bilock. There’s other lock designs too with various bumps and holes and sliders which are somewhere in between a Banham and a Bilock so have different audio profiles too.

And locks with magnetic pins… Oops!

There’s plenty of locks not vulnerable or not easily vulnerable to photographs but this is straying away from the audio attack. The other thing is what a lock gains in one way may be lost in another way so you still need to test the lock as a system as a whole.

People may also be assuming a single microshone or a long range microphone but there is also a scheme with multiple microphones able to isolate sound at a given location across a noisy room.

Phaete August 21, 2020 12:04 PM

Is anywhere mentioned how different strength springs within the same lock affect it?
I assume the click timing would be off due to different accel/speed with which the pins react, or is that negligible?

Clive Robinson August 21, 2020 12:59 PM

@ echo,

The Bowley lock has a slightly different mechanism which may make it a lot harder or possible impossible to realistically attack with this method.

You can see it being stripped down in this video,

However the video maker has missed some important points, why I’m not entirely certain.

First off and most importantly as far as this thread is concerned you can see that the design of the Bowley lock is such that the bittings on the key are effectively presented in parallel, thus it does not serialize the bitting pattern acoustically or otherwise. Thus there is not realy an opportunity for an acoustic or other side channel to be formed. Which you can also hear when the lock is operated you just get a single click not multiple clicks.

The tear down in the first half of the video shows why this is the case. That is the locking cylinder that pulls back the latch or dead bolt and has the pin “cut line” –thus bottom half of the pins– has the key rotated against the pins not raked along them. This occures because within the locking cylinder there is a rotating sleeve that has a lug on the back of it. This lug is in a position that enables it to engage the pin holding locking cylinder so it can rotate if the pins fall flush along the cut line. Inside of the rotating sleeve cylinder but fixed to the lock body is a simple uncoded warding cylinder[1].

Thus although you could make a torque shim to get to the hole in the pin cylinder which the sleeve lug locates in you could still not get a pin tool in that you could use on the pins individually.

Importantly whilst the lock uses conventional brass pins the key is made from a high grade steel, thus to “impression a key” would require you to come up with your own soft alloy key, or do as I used to do, use “engineers blue” or similar. However Bowley have reduced the pin cut depths from around 15-20 thousandths of a millimeter to around 4-9 thousandths which means you need very very fine abrading tool control. Lets say you were using needle files a full stroke length would normally take off 10-20 thousandths of a millimeter with a brass key deppending on how heavy handed you were…

So how about “bumping the lock” you would first need to make a bump key, well whilst it looks like it might be done as the second half of the video trys to demonstrate, you have to remember that the actual available key way movment is about the width of a pin, which makes bumping improbable.

But to make bumping even less likely atleast two of the pin sets are of the “antibumping”, “antiraking” type, also it appears that diferent springs are used on other pins further reducing the chance of either.

However what the video author missed is that Bowley have one “zero set” cut pin in each and every lock. Whilst this reduces the number of key combinations available quite a lot it does make “bumping” via a bump key or “vibrating” via a pick gun beyond the capabilities of most human beings[2].

The question is of course is Bowley going to “up their game” they made a “trade off” between the number of key combinations and an anti-bumping zero set cut pin. They’ve two basic choices to get the key combinations up, increase the number of pins, add coded warding. Or they could do both. Adding coded warding does not reduce the reliabiliry of a lock very much however adding extra pins does.

Whilst they are at it they might want to reconsider how they do the lug and pit mechanism to engage rotation in the latch/bolt operating cylinder in such a way that it can not be used from the lock key way.

Why do this, well the simplest attack might be to just drill the face of the lock body just infront of where that easy to slide out pin spring retaining plate is. Push the plate out to get rid of the springs, then blow the pins out using compressed air insert a wrench and turn the now unlocked latch operating pin cylinder.

[1] It’s quite similar to a design I came up with way back last century when working at Unique. However unlike this design where the warding is just an uncoded barier, I had a not so obvious way to actually make warding coded to the equivalent of eight extra pins. But the Managing Director who had taken over when I joined the company did not see the value in it for various reasons so he stopped the patent application… Unique nolonger realy exists but unless the various companies that took it over have thrown away the paperwork then the design and pattent application are sitting in another file cabinate appart from the copies I’ve got tucked away.

[2] You could in theory to over come human failings come up with a set of bump-keys where for each pin position you had a cut out for a zero set pin, likewise for the vibrating needles in a pick gun. But that would just multiply how long you would have to try by the number of bump-keys / needles, which dramatically increases the time a “response team” has to stop you on average…

Clive Robinson August 21, 2020 1:05 PM

@ Phaete,

I assume the click timing would be off due to different accel/speed with which the pins react, or is that negligible?

Not as much as you might hope.

The actual click occures as the pin comes off the top of the ridge. Thus time wise it will always happen in relation to the key position thus velocity. A stronger spring might make the sound louder and the key fractionaly harder to push in but those timings stay pretty much the same, and it’s the timings that are being measured.

Clive Robinson August 21, 2020 1:08 PM

@ SpaceLifeForm,

Photographing the key 😉

The idea that so suprised our host @Bruce when I first posted it is another form of side channel attack against the key not the lock.

It’s a point that confuses many lockpickers.

k15 August 21, 2020 4:29 PM

Should photos of keys be considered verboten and subject to reporting and takedown, online?

1&1~=Umm August 21, 2020 4:54 PM


“Should photos of keys be considered verboten”

That ship sailed long ago, over half a century ago. Kind of in reverse order,

You’ve had the TSA put up a photograph on their website of all the TSA master lugage keys…

Likewise Law Enforcment Agencies with photos of the make, model and sometimes keys of handcuffs they use.

Then there are those people walking along with their keys just hanging off their belt in full view of the public and well within range of a good telephoto lense or one of those high power street CCTV units.

Oh and don’t forget the many others doing similar with security keys hanging in ‘break glass’ units near doors in case of emergancies or hanging up on a key board or in an open ‘key locker’ behind the security desk in full public view.

Modern mobile phone cameras are up beyond 14mega pixels these days at ten to twenty feet that’s more than good enough to photograph a key to use to cut a key from.

The cat left the bag long enough ago to have been the ancester of almost every cat you now see 😉

lurker August 21, 2020 7:38 PM

In China I have seen frequently, and used once, a key whose profile was an irregular orthogonal set of four keys. It was used in a door lock with the cylinder inside a round knob. The key ridges were slightly bevelled, all on the side towards wich it was rotated. Key entry was smooth and soundless, indicating probably the type where the pin assembly is parallel to the key slot. At the time I thought it was just to get 4 times the number of pins, massively increasing the number of combinations; but assuming somebody can devise a method of raking such pins, there’s the problem of doing four rows simultaneously…

Clive Robinson August 22, 2020 4:51 AM

@ lurker,

In China I have seen frequently, and used once, a key whose profile was an irregular orthogonal set of four keys.

Are you refering to the Chinese copy of the cruciform / Zeiss lock?

There was a variation of these locks used at Colditz Castle and most of the Countries that had officers imprisoned there had learnt how to pick them.

I used to know a man Dominic Bruce who knew how to pick them having had first hand experience there.

echo August 22, 2020 6:08 AM

I knew cruciform locks were tickling some of my neurons. Of course, Colditz… I wasn’t going to reread the whole book just to check.

The Girda series is a variant of “cruciform lock” and has a bit of a reputation. It’s actually a round keyhole not a cruciform but close enough. Where picking fails it is engineered to defeat most of the usual brute force attacks.

As impressive as the best lockpickers are and lock retailers having a few good points on their side too I personally find I’m tired of the whole topic. Yes it’s true mostlocks aren’t what they are cracked up to be but then yes it is equally true when you have a lock on your workbench for a few days then it will give up at some point. I’m not actually that impressed by custom lockpicking tools either. It’s the first thing I would do.

Personally, I think it is a lot more difficult navigating systems where jobtitles set traps and mark their own homework.

myliit August 22, 2020 12:37 PM

I wonder if graphite powder or wd-40 might be indicated for this OP challenge? For front doors? For car keys? For mailbox keys?

Clive Robinson August 22, 2020 1:01 PM

@ echo,

I personally find I’m tired of the whole topic. Yes it’s true mostlocks aren’t what they are cracked up to be but then yes it is equally true when you have a lock on your workbench for a few days then it will give up at some point.

Just look on “lockpicking” as a sport, which is the way most of those involved look at it.

My interest in the more popular sports such as football (soccer), angling (fishing) and the likes of all track sports is shall we say minimal at best and zero or less for most (tennis for instance is the pits lower than hell from my point of view). Even when I was actively involved in competative sports such as sailing, archery, target shooting (rifle), cycling and rugby I did not actually take interest in the performance of other competitors unless there was a tactical advantage to do so, which for most sports I was involved with there was not. As for armchair / sports bar supporting I’ve yet to actually do so and at my more advanced age, I’m probably unlikely to ever do so now…

So yes I can understand why people might not be fans of the sport of “lockpicking”, but there are other good reasons to have an interest in it, not the least of which is the technical side to the likes of engineering.

Engineering in most disciplines assumes “the random fault model” as the way to assess the quality of an engineering solution. Whilst this produces moderately “conservative” designs they are fairly usless against an active and directed attacker. Thus it’s this that pushes the design not just of mechanics but materials way in advance of ordinary engineering, and in some respects is the “bleeding edge” in technology development that was once the case with the race for the moon in the 1960’s. Where technological need superseds the dreer capatilist model that is realy a race for the bottom that we are currently forced into.

Thus if a sport gives people valuable life skills and insights then whilst I might not participate the way they do, I would certainly encorage others to do so whole heartedly.

Singular Nodals August 22, 2020 1:39 PM

My take: I record the sound of the key, then add a complement to the lock mechanism that results in a constant featureless total so all the observer gets is a level hum.

echo August 23, 2020 3:57 AM


Just look on “lockpicking” as a sport, which is the way most of those involved look at it.

Yeah. By chance this was one of the next youtubes I watched. I spent most of my time observing the personalities more than paying attention to their lockpicking talk.

As for sorts I have a tennis dress if I need to be somewhere and look like I belong. Formula 1 was never the same after James Hunt expired. Snooker has got too serious. I’m “in” with the local rugby club management and players although they’re a bit bawdy for me and their club meetings ban women which is irritating. I’m fine with yachts if they’re 50 feet plus and the drinks are free. I have a badminton kit for fun to go with the picnic blanket and Trangia not that this is much use at the moment.

I don’t talk about the engineering which interests me althought it goes into maths and materials and structures and can and sometimes does involve security it’s nothing anyone on here wants to listen to. I have books on this too but they’re usually out of print. The only security book I have is full of the usual “duck and roll” bravado and not much which is technical. But yeah I guess I’m in “competition” but there’s a lot of toxicity about too which is best avoided and something I watched another expert talking about. Womens issues innit. Yes I’d like to work with space age materials but have to make do with what I have. A CNC machine would be handy but a bread knife and a lot of finishing work gets me in the ballpark. Basically it’s a money game and some of the top end bespoke work is actually very very good. This week someone called my work “impressive” but in all honesty it’s because everyone elses work is so crap but then I studied the work of the masters and know how good good can get and this is the standard I aspire to. I don’t think anyone cares but me. I think at the end of the day speaking for myself its about self-satisfaction.

j.c. August 23, 2020 12:52 PM

reducing the potential search space from 330,000 keys to just three

I’m trying to guess how that figure is arrived at.


Say seven tumblers (the exponent) with seven possible positions each (the base), with some excluded as “weak keys” — roughly that order of magnitude in any event.

There could only be any borderline uncertainty at all as to the positions of at most three out of the seven tumblers, and even that is stretching it because that leaves at least 23=8 possibilities, not three, unless 5 out of the 8 keys are excluded as above.

So the positions of at least four out of seven tumblers would have to be nailed down exactly by this algorithm to leave three possibilities.

I am not terribly knowledgeable about locksmithing, but I know “doctors” use a stethoscopes and X-ray imagery to crack safes. They call it a black-bag job. Anesthetic gas for the occupants of the house while they complete the job.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.