
House Keys copyable from 200 ft away via camera - nl
http://www.jacobsschool.ucsd.edu/news/news_releases/release.sfe?id=791
======
slapshot
This is perhaps an unintentional demonstration that "insecure against absurdly
complex and specific attacks" does not always mean "insecure."

For a web system that is under attack 24/7 from 255^4 different attack
vectors, you need "secure against even absurdly complex attacks" to be
"secure."

But for my house? Your average thief isn't going to spend the time to take a
high-res photo of my keys. Instead, they're just going to beat me until I give
them my keys (the original "rubber-hose cryptography") or just take a crowbar
to the door. It's just not worth it to use such a complex attack.

(Yes, I can see uses for being able to break in without giving away the fact
of the break-in, and I'd be surprised if the CIA/NSA/etc hadn't already used a
similar technique, but for everyday life it's just a cool theoretical hack
that would make a great plot point in a Neal Stephenson novel.)

~~~
baconface
This still seems like a valid low-tech hacking technique. Simply take photos
of anyone's keys (easy to do if you are planning it out) and run some software.
This seems like a potentially big problem for any facility secured by only
lock and key (schools, homes, safety deposit boxes, PO boxes, cars, storage,
etc.).

~~~
InclinedPlane
Any facility secured by only lock and key is vulnerable to anyone with a
pickgun or a lock pick set and a little skill anyway. Security isn't reliant
on locks, it's reliant on behavior.

~~~
jedbrown
If you make a fake key, then you can walk in with people all around without
looking suspicious. You can even act like the owner whilst in a group of
non-conspirators. Even with a great picking kit, it's going to look different to
anyone looking somewhat closely.

Depending on the level of physical security surrounding the lock itself, this
difference could be as extreme as the difference between knowing the password
and having a great rainbow table. In the former case, you can log in as the
owner without arousing any suspicion. In the latter case, you have to have
some time when nobody is looking (download the hashed password database).

~~~
evilduck
So get a big bright "ABC Locksmithing" shirt printed up and carry a toolbox
while committing crimes. Odds are good nobody will notice you then. Or just
change the lock and come back later for the theft, now that you have a key.

------
brk
How often do people leave their keys out in the open like that? Mine are in my
pocket until I am at the door (actually, most of my doors are RF or keypad, I
use very few metal keys).

This is really nothing new, though, if you have studied locks at all. All the
common keylocks (eg: standard house locks, most vehicles, etc.) have a
fixed/known set of tumblers, and a fixed/known set of pin codes. When I was
more interested in physical lock mechanisms about 18 years ago I had the GM
tumbler height elevations pretty well memorized, plus a good stock of blanks
and templates. I could look at most GM keys, "read" the code (like 5,4,4,3,1)
and then go off and make a key that would work 90% of the time. Same thing for
Ford locks. It was fun to move a friend's vehicle in the high school parking
lot, but the novelty wore off quickly. This article seems to be the same
thing, except rather than having to say something like "cool keychain, can I
see it?", you have to take a high-res pic of their key from 300 feet.

~~~
roel_v
Well, would you notice somebody sitting in a car 100ft away, taking a picture
at the moment you put your key into the lock? A picture of a key on a table is
useless anyway, since you (most likely) don't know what lock it fits with.
With a van with a computer and a small key-making tool in the back, you can
sit somewhere until the residents come home, take a picture and have the key
made by the time the residents go out again and then you can enter without
breaking anything.

Of course the camera can be hidden so that nobody would even see a guy in a
van taking pictures, just a guy eating a sandwich who could push a button to
take the picture unnoticed.

------
jdietrich
British television broadcasters now routinely blur images of keys for this
reason. If you have access to BBC iPlayer, you can see this in action on BBC
Three's "Kids Behind Bars". I have seen a number of locations in London with
frosted glass privacy screens from mid-thigh to chest height, whose only
obvious purpose is to defend against this attack.

If you've ever seen Barry Wels at work, you'll understand that this is
anything but a far-fetched attack. Someone is unlikely to burgle a house using
this technique, but it's a very practical method for determined attackers
against otherwise hardened targets. With the prevalence of master and
sub-master keying systems, the leak of a single key could potentially give access
to dozens or hundreds of locks. Unlike a leak due to loss or theft of a key,
there is no way of knowing of a breach in security until an attack is
attempted. That's just about the worst case scenario.

------
InclinedPlane
House locks pickable from 0ft away via $15 lock pick set. Or, you know, a
crowbar.

A lock keeps out casual thieves, nothing more.

~~~
Homunculiheaded
I was going to say, a weekend studying lock picking (which is definitely a fun
thing to learn) and you can probably pick open a great majority of the houses
out there in very little time... however, even if not practical this research
is pretty interesting.

~~~
seats
Any recommendation on the best way to learn lock picking?

~~~
Homunculiheaded
Sure! I'm very much a novice but: I started with 'Visual Guide to Lockpicking'
[1] although 'MIT Guide to Lock Picking' [2] is very good and also free. After
you get the basic mechanics of locks and lock-picking down you really just
need to practice. Get yourself a set of lock-picks online (also look at your
state laws for lock-picks, in many states only a licensed locksmith can carry
them around so it may be a good idea to keep them at home, and avoid doing
things like leaving them in your car/pocket. I believe some US states make it
outright illegal to possess them, so just be aware).

Some places will sell practice locks with pins removed, but do not buy them,
they are way overpriced and if you really want to understand the mechanics of
locks it will serve you well to bust one open. So go to a hardware store and
pick up an inexpensive but not cheap lock, crack it open and remove some of
the pins (even all but one), add/remove/reorder the pins until you are really
good, and then buy more locks.

Also do keep the law in mind, when I looked it up it's illegal in most if not
all states to pick locks that you do not own if you are not a locksmith
(even with the owner's permission), which can include obviously the locks on
your apartment and locks of friends. You could probably get away with this,
but the hacker interest in learning things like lock-picking is not
universally seen as benevolent, and it would be stupid to get in legal trouble
for a hobby.

[1] <http://www.amazon.com/Visual-Guide-Lock-Picking-Third/dp/0970978863/>

[2] <http://www.lysator.liu.se/mit-guide/mit-guide.html>

------
code_duck
The quote "We built our key duplication software system to show people that
their keys are not inherently secret" is interesting. Do the public and the
authorities have a different attitude when you do this with physical security
vs. electronic? Sometimes people have been threatened or even arrested for
demonstrating vulnerabilities, as we know.

------
pittsburgh
This reminds me of the story from a few years ago when Diebold got itself in
trouble for showing pictures of their voting machine keys online:
<http://www.bradblog.com/?p=4066#more-4066>

This also has me thinking about the "Light Field" story from two days ago.
(<http://www.hackerne.ws/item?id=2681554>) If that technology becomes common,
and camera resolutions continue to improve, I bet you could lift people's
thumbprints from photos of them waving on Flickr. That sucks if you use a
biometric thumb lock like they do in the shared office space I work out of.

Your thumbprint is like a password which you can never change. If your
thumbprint appears in a single photo of you ever, there's no locksmith that
can help you get that JPEG back from Lulzsec! :-)

~~~
JoeAltmaier
Thumbprints are for casual identification, NOT for security. Biometrics are a
hash, and like your garage-door opener, millions of people have the same
thumbprint biometric as you have.

------
Hilyin
This is way more complicated than just bumping the lock.
<http://www.youtube.com/watch?v=7xkkS2p7SuQ>

------
ChuckMcM
Wow. It doesn't help that 'blanks' are standard and the number of pins in the
lock is knowable. It is a nice piece of work, I expect to see it get re-used
on all the cop shows :-)

------
waitwhatwhoa
Great to see UC San Diego research on the front page again :)

A similar technology has been commercialized: <http://dittokey.com/>

Also similar but relatively unrelated:
<http://eclecti.cc/hardware/physical-keygen-duplicating-house-keys-on-a-3d-printer>

These efforts are unaffiliated with the authors but provide a far more
tangible result.

~~~
Ruudjah
Handy. So I only need to make a pic of the key, and then send it to an online
service, wait a day, and go wild in someone's house/company. Which by the way,
won't be covered by insurance because there are no signs of burglary.

------
pasbesoin
2008 -- I thought this was familiar.

I speculate that within another generation or two of fabricators, people will
have something trivially useful to plug the data into -- if they are of a
mind. (Automated lathes and whatnot being pricier and eventually less common.)

~~~
Unseelie
Plastic printers...

they're still pretty expensive, but arguing you're in a fairly high rent
neighborhood with basic security systems (no keypad requirements, but alarms
blare if you force a lock or break a window...Is that even a system on the
market?) Anyhow, if you've a van, that's a good five thousand dollars at
least. Grab a printer, say another 10k...I dunno how many robberies you need
to pay that off, but assuming you intend to make a go of this life of crime,
being a guy with the key helps a lot.

------
hammock
This is old news (2008 or earlier), but still very interesting and I bet a lot
of HN people still haven't seen it yet.

------
tagnu_
An auto retractable design for a key, like one of those usb flash drives might
help.
<http://www.usbmemorysticks.net/wp-content/gallery/sandisk-cruzer-blade-and-slice/sandisk-cruzer-edge.jpg>

By default, the key will be hidden inside its case. When the user wishes to
open the lock, he can just place the key on the keyhole and start inserting
it. :)

------
bugsy
Hrmph. With that sort of house key, it's a lot less trouble just to rake the
lock. You don't need a key at all.

------
jarin
Not that this kind of attack is likely unless you leave your keys sitting out
in public, but it might be a good case for Lockitron if you're paranoid:
<https://lockitron.com>

~~~
trebor
Then guys like LulzSec set up a hack and toggle everyone's locks every 5
seconds. It's safer to roll your own than use a service like this...

~~~
jarin
The answer to potential security vulnerabilities is not to avoid using
technology, it's to improve your security.

------
k33l0r
I wonder if this also works for the Abloy locks which are the most common type
here in Finland: <http://en.m.wikipedia.org/wiki/Disc_tumbler_lock>

~~~
praptak
Not sure about Abloy, but there definitively exist some keys that would
require multiple pics from different sides. One example here:
[http://www.kluczserwis.com.pl/gerda/stars/drzwi_pliki/starsk...](http://www.kluczserwis.com.pl/gerda/stars/drzwi_pliki/starsklucz.jpg)

As opposed to the standard pin tumbler lock where there's a single row of
pins, the pins in this lock surround the key from all sides, therefore the
protrusions on the key are also all around it.

~~~
kiiski
Abloy's (newer) keys look like this
<http://www.abloy.fi/Abloy/FI/Products/Images/SENTOavain2.jpg>

------
baconface
Sounds perfect for a RepRap :D

~~~
ph0rque
<http://www.makerbot.com/blog/2011/06/20/3d-printer-key-duplication-with-nrp/>

------
Arro
Hey UCSD, see this:
[http://en.wikipedia.org/wiki/Wikipedia:Don%27t_stuff_beans_u...](http://en.wikipedia.org/wiki/Wikipedia:Don%27t_stuff_beans_up_your_nose)

I know you're not responsible for other people's actions, but releasing this
story may do more harm than good.

~~~
owenmarshall
Amusingly enough, according to Wikipedia, the concept of full disclosure
(<http://en.wikipedia.org/wiki/Full_disclosure>) originated with locksmiths in
the 1800s.

And even back then, _they got it right_:

> It cannot be too earnestly urged that an acquaintance
> with real facts will, in the end, be better for all parties.

(<http://en.wikipedia.org/wiki/Full_disclosure#History>)

