
Listen to Your Key: Towards Acoustics-based Physical Key Inference - vo2maxer
https://www.comp.nus.edu.sg/~junhan/papers/SpiKey_HotMobile20_CamReady.pdf
======
justinpombrio
I was a little skeptical, so I followed the link trail to the actual paper:
[https://www.comp.nus.edu.sg/~junhan/papers/SpiKey_HotMobile2...](https://www.comp.nus.edu.sg/~junhan/papers/SpiKey_HotMobile20_CamReady.pdf)

They did not take a recording of an actual key in an actual lock and determine
the shape of the key. Instead they simulated the sound of a key in a lock, and
determined the shape of the key from that simulated sound. And the simulation
assumed that the speed that the key moves at is fixed as it enters the lock,
at 1 inch per second.

So this article is false. It wouldn't have been that hard to read the paper,
and say what they actually did. It bothers me that articles like this don't,
and instead run with an exaggeration.

EDIT: As far as I can tell from the paper, at least. What on earth is a
"simulation, based on real-world recordings"? I don't see anything about an
actual recording in section 4.

~~~
wmichelin
People like you are what keep me coming back to sites like this. Thank you for
actually reading the paper and discussing reality with us.

~~~
justinpombrio
Aww, thank you.

FYI it was very little effort. You can do it too! I followed two links to the
paper, looked for "how did they test this thing" (because I was skeptical
about that bit), then skimmed the three paragraphs in section 4 "Feasibility
Study". I'm hoping that people that care more than I do will read more.

~~~
anjanb
Thanks very much for the encouragement.

------
Polylactic_acid
Is anyone else feeling tired of these security posts that have scary
titles but literally no real world impact?

Ok, maybe you can copy a key from sound but getting a clean recording and then
going home and producing a new key and getting it correct is 100000x harder
than just sticking 2 metal sticks in the lock and opening it in 15 seconds.

To us these posts might provide some light entertainment but then they get
shared around by people who don't know better and next thing you
know people are installing sound proof booths on the front of doors or telling
us locks are insecure because they just found out about this trick.

~~~
efficax
It seems like the risk on this one is pretty high, assuming the SpiKey
software is available. Say you have a job where you need to be let in and out
of a locked area by someone who is trusted with a key. The only thing you need
now is a smartphone and to be standing not too far from the person putting the
key in the lock and you have access!

~~~
pishpash
"If a key is inserted at a nonconstant speed, the analysis can be ruined, but
the software can compensate for small speed variations."

(That and noise.) Can we say academic project?

~~~
hughw
This paper demonstrates the principle. You start with the easier cases, then
introduce the complexities. You don't have to wait until you've licked every
problem to publish. And when you eventually do solve the problem in the
presence of noise and varying insertion speed, you may not publish.
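
To make the point about insertion speed concrete, here is a toy model of the feasibility-study assumption discussed in this subthread (added example, not code from the paper or from any commenter): ridge positions are recovered from click times only because the speed is taken as a fixed 1 inch per second, and a slowdown mid-insertion shifts every later inferred ridge. The ridge positions, speed profiles and tolerance are constructed for illustration and are not real key geometry.

```python
"""Toy model: click time -> ridge position under a constant-speed assumption.
Positions are inches from the key tip; speeds are inches per second.
All values below are constructed for illustration (assumption), not measured."""

ASSUMED_SPEED = 1.0  # the fixed insertion speed the feasibility study assumes

# Constructed ridge positions along the blade (assumption, not real key geometry).
RIDGES = [0.20, 0.35, 0.55, 0.70, 0.90]


def click_times(ridges, speed_profile):
    """Time at which each ridge passes a fixed reference point on the lock.
    speed_profile is piecewise constant: [(end_position, speed), ...]."""
    times = []
    for r in ridges:
        t, start = 0.0, 0.0
        for end, v in speed_profile:
            seg_end = min(r, end)
            if seg_end > start:
                t += (seg_end - start) / v  # time spent crossing this segment
                start = seg_end
            if start >= r:
                break
        times.append(t)
    return times


def infer_ridges(times, assumed_speed=ASSUMED_SPEED):
    """Inference step: with a fixed speed, position is just speed * time."""
    return [assumed_speed * t for t in times]


def max_position_error(true_ridges, inferred):
    return max(abs(a - b) for a, b in zip(true_ridges, inferred))


def spacing_tolerance(ridges):
    """Half the smallest ridge-to-ridge gap: a larger error puts a ridge in the
    wrong slot, so the inferred pattern no longer matches the real one."""
    return min(b - a for a, b in zip(ridges, ridges[1:])) / 2


def inference_holds(true_ridges, inferred, tolerance):
    """True when every inferred ridge lies within tolerance of the real one."""
    return max_position_error(true_ridges, inferred) <= tolerance


if __name__ == "__main__":
    constant = [(10.0, 1.0)]                 # exactly the assumed 1 in/s
    slowdown = [(0.5, 1.0), (10.0, 0.5)]     # halves speed after half an inch
    wobble = [(0.5, 1.0), (10.0, 0.95)]      # small variation, within tolerance
    tol = spacing_tolerance(RIDGES)
    for name, profile in [("constant", constant), ("slowdown", slowdown), ("wobble", wobble)]:
        inferred = infer_ridges(click_times(RIDGES, profile))
        print(name, round(max_position_error(RIDGES, inferred), 3), inference_holds(RIDGES, inferred, tol))
```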

------
Alupis
This seems to work on only the most basic of locks, and doesn't seem to
address "Security Pins" or false pins (pins if you move, will seize the
keyway), which will cause false sets, clicks, partial keyway turns, etc.

They can be really nasty for an experienced lockpicker to navigate, and will
make all the same sounds and feel of picking a real pin. Most semi-advanced
locks will have one or more of these anti-picking countermeasures in place.

As it is, it would be far faster to actually pick this lock instead of trying
to reproduce the key.

~~~
nordsieck
> This seems to work on only the most basic of locks, and doesn't seem to
> address "Security Pins" or false pins (pins if you move, will seize the
> keyway), which will cause false sets, clicks, partial keyway turns, etc.

I don't see why either of those are relevant.

A key in normal operation won't interact with false pins, and security pins (I
assume you're talking about spools/mushrooms) act like normal pins to a key.

~~~
Zenst
You would get a different sound from the different types of security pins, but
even then - not that many and as you say, as it's the legit key being recorded
- security pins won't do anything other than act like a normal pin in operation.

At least have an excuse for leaving the house with the radio blaring out now -
security.

~~~
bszupnick
> You would get a different sound from the different types of security pins

I'm not sure that's true...it _may_ be true, but it hasn't been looked into.
Also 99% of security pins are in the driver pins which aren't the actual pins
that are making the clicking sound against the ridges. Since there is a set of
pins (key pins) between the ridges and the security pins that could also
"dull" the difference security pins change the sound.

In the same vein, though, great locks can also use different springs for each
set of pins which also _may_ affect the sound.

~~~
Zenst
If I had a known security pin lock at hand, I'd check it out as I have a few
contact microphones that are perfect to delve into something like this.
Certainly with spectrogram and zoom in after doing high quality recording and
soon see what sticks out. Of course would really need a lock in which you have
each type of security pin and a normal pin and change that one pin and compare
several unlockings. I'd be surprised if there isn't some distinguishing
aspect due to shape changes in the pin altering how it responds to vibration.
Yes the springs will have some influence, a small scratch in the pin barrel
would have a small nuanced effect that, with the right measuring, would show
up. I'll put it on my winter project list, more so as it may open up the
possibility of not even needing a working key and just inducing some
sympathetic harmonic with the pin types to induce resonance that can be
measured. Could be a fun winter this year.

------
kazinator
> _we can 3D-print the keys for the inferred bitting codes, one of which will
> unlock the door,” says Ramesh._

If you 2D-print me a piece of paper with a few copies of the key image in
actual size, I will cut that shape into a blank in about 15 minutes with a
file.

~~~
ThePadawan
I think a point of that method is to demonstrate that it can be done by an
amateur.

If you have a skilled professional at hand that can file a blank, you might as
well assume you have a skilled lockpicker at hand.

~~~
jaclaz
You don't need to be a professional locksmith to file down a key, come on.

Anecdotally, it happened to me once that someone forgot to leave the (only)
key to a site laboratory, I had him "transmit" via fax the key, then after
rummaging in a closet full of old keys I found one that had enough material,
filed it down with the high-tech tools I had available (the file of a
Leatherman multi-tool) and opened the lock, I cannot see how the same cannot
be easily done with a 2-D print of the profile of a "virtually generated" key
instead of the fax.

------
flir
This reminds of a story in Hugo Cornwall's The Hacker's Handbook. He mentions
that MI6 had figured out that each striker makes a slightly different sound
when it hits the paper, so they'd started bugging printers.

In retrospect, somebody really should have thought of this three decades ago.
Props to the person that did, though.

------
neckardt
This recent thread covers the same research:
[https://news.ycombinator.com/item?id=24172385](https://news.ycombinator.com/item?id=24172385)

------
anonu
Check out the "lock picking lawyer" on YouTube if you haven't already. The
ease with which he opens a wide variety of locks is pretty impressive. An
amateur lock picker can tackle a large percentage of locks with a few days of
practice.

[https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ](https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ)

------
userbinator
It seems their method works for pin tumbler locks, which are the most common
and also one of the easiest to pick.

I wonder if it would work on something like this, which has no springs:
[https://en.wikipedia.org/wiki/Disc_tumbler_lock](https://en.wikipedia.org/wiki/Disc_tumbler_lock)

~~~
SV_BubbleTime
Not only that it works for extremely simple tumbler locks. This is a very cool
PoC but nothing that a couple hours of picking and the right tools won’t get
you. Specifically a decoder will get you the bitting to make your own key.

~~~
kazinator
A couple hours of standing at the actual door, picking is not comparable to
surreptitiously snapping a few seconds of audio and doing all the work
elsewhere, then showing up with four or five possible keys, one of which
works.

~~~
SV_BubbleTime
That’s fair enough if the concept worked in the real world. When I looked over
the Singapore data on this, I saw locks used were filing cabinet grade or
slightly better. I look forward to seeing this working on a modern tumbler
with spool pins and outside the lab, I’ll be really impressed.

~~~
kazinator
Spool pins have a cutaway midsection that seizes up if the lock is being
picked: i.e. someone is applying rotational pressure while trying to move the
pins. That doesn't seem relevant to the audio technique which just
records the clicks from a correct key. In that situation, the spool pins move
more or less just like flat pins. While there are outside-of-lab challenges
with real door locks, that's probably not one of them.

------
timonoko
Not surprising. Lock-Picking Lawyer or some other Youtube star has shown you
can easily duplicate keys from a photograph. When they are hanging from a
keyring of a security guard for example. Larger variety of keys too, including
rotating disk type keys.

~~~
CydeWeys
It's been known you can duplicate keys from photographs for decades (way
pre-YouTube). This was standard spy stuff during the Cold War.

~~~
timonoko
Except they did not have HD-cameras readily available. This case was some
random street shot with a phone.

~~~
CydeWeys
You're vastly underestimating how high resolution film is.

------
timonoko
You do not need a key, dammit. You could analyse the sounds the pins make,
when scraped with a pick. Longer pins resonate with lower frequency.

~~~
pishpash
Why even scrape with a pick, at that point, just bang the lock and get the
impulse response.

------
hodgesrm
If "Q" does not roll this out in the next Bond film I'm going to be _really_
disappointed.

------
openasocket
Made me think of
[https://en.wikipedia.org/wiki/Hearing_the_shape_of_a_drum](https://en.wikipedia.org/wiki/Hearing_the_shape_of_a_drum),
not sure if the mathematics is related or not

------
nmstoker
Would be interesting to see how well their approach coped with the trivial
countermeasure of playing competing recordings of (different) key sounds at
the same time.

Admittedly computers can now easily split parallel conversations apart fairly
effectively (eg cocktail party problem) but in this case with the individual
noises being very similar in character it would make it harder to get the
timing between genuine signals, which seems like it would make the attack much
less likely to recreate an accurate key replica.

------
ppod
This reminds me of a paper from a while ago that used the sound of a person
typing to get their password. "acoustic keyboard emanations". It seems to be a
more convincing paper than the OP

[https://www.cs.cornell.edu/~shmat/courses/cs6431/zhuang.pdf](https://www.cs.cornell.edu/~shmat/courses/cs6431/zhuang.pdf)

------
JoeAltmaier
Would be significant, if locks were important. Witness the Lock Picking
Lawyer:
[https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ](https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ)

Most locks can be picked (by an expert) in under 60 seconds anyway. Without
having to make a key.

------
elchief
Now do it with a laser microphone on a window!

------
aussieguy1234
I can see how an attacker could potentially use this to break into a server or
other secure room for the purposes of hacking into systems that have physical
locks as security measures

------
NiceWayToDoIT
Nice.

This reminded me that once I have theorized that it would be possible to
extract computer password from the sound of the key strokes on your keyboard.

Simple phone or PC mic listening could take it all...

------
JoeAltmaier
Back in the day, folks demonstrated that a photosensor on that blinky light on
your ethernet port was actually the ethernet data, and could be decoded.

------
czbond
This has to be the most unexpected thing I've heard of in a while.

~~~
mdaniel
I knew when they said they could infer my password based on the sounds of the
keystrokes that the concept of "secret" in the physical world was in for some
changes. It got really, really bad when I heard of research that could
eavesdrop on sounds based off a laser on a window pane or lightbulb

~~~
touringa
Don't forget old mate 'hard drive as a microphone'! One of my favourites.

[https://andrewkwong.org/docs/Kwong-HDDphone-IEEE-SP-2019.pdf](https://andrewkwong.org/docs/Kwong-HDDphone-IEEE-SP-2019.pdf)

------
umvi
Physical (and digital) security in our world is truly laughable. When will
people wake up and start investing the amount of time, money, and attention
real security deserves?

I picked my neighbor's front door when he wasn't home, opened his garage, and
returned his weed eater to him in about 5 minutes. It was the easiest thing in
the world. And yet I'm sure he sleeps soundly at night thinking his locks
offer protection.

This truly basic stuff needs to be instilled in children in elementary school:
At _least_ 50% (maybe even more like 70%) of _all_ resources (time, money,
etc) should be devoted to security whenever you are building something (house,
computer program, etc.). It's not enough to try and "wear all the hats" if you
are working at a startup. You need to have security experts on payroll from
day 1 if you want any hope of creating a secure product, keeping your assets
safe from your own employees (re: Twitter), etc.

~~~
tornato7
There is a certain point where you have to compromise and say the cost of a
security breach will be less than the cost of devoting more resources to
security.

I could spend hundreds of thousands on building my house with redundant locks,
security cameras, steel-reinforced bullet proof doors and windows, OR I can
sleep soundly knowing that if my house is robbed I can make an insurance claim
and replace all my stuff. If someone wanted to actually steal my stuff or kill
me, well they could just wait outside my house and do it then.

Same with high tech, I could build the most secure system on the planet but a
guy with a knife to my throat is gonna get all the security keys.

~~~
thimkerbell
Conjuring up unnecessarily violent imagery makes readers with something to say
less willing to step up and say it.

~~~
thimkerbell
What I was going to say, is that with many people now working on company
projects remotely, the potential financial damage isn't just loss of the
resident's belongings.

