They did not take a recording of an actual key in an actual lock and determine the shape of the key. Instead they simulated the sound of a key in a lock, and determined the shape of the key from that simulated sound. And the simulation assumed that the speed that the key moves at is fixed as it enters the lock, at 1 inch per second.
So this article is false. It wouldn't have been that hard to read the paper, and say what they actually did. It bothers me that articles like this don't, and instead run with an exaggeration.
EDIT: As far as I can tell from the paper, at least. What on earth is a "simulation, based on real-world recordings"? I don't see anything about an actual recording in section 4.
FYI it was very little effort. You can do it too! I followed two links to the paper, looked for "how did they test this thing" (because I was skeptical about that bit), then skimmed the three paragraphs in section 4 "Feasibility Study". I'm hoping that people that care more than I do will read more.
There is seldom need for praise, that's what makes the praise mean something. Some stranger took the time to thank a person for doing something. Huge high five, probably felt good for both of them. I don't think we should discourage positive human interaction.
All throughout the paper they state they used a phone mic.
They have a section on the filtering they needed on the real world audio to extract the information they needed.
The conclusion even states “We evaluate SpiKey with a proof-of-concept simulation, based on real-world acoustic data, and demonstrate that SpiKey can reduce the search space from a pool of more than 330 thousand keys to just three candidate keys for the most frequent case.”
Section 4 definitely starts with an actual audio recording. But it ends with Figure 7, which shows the relationship between all possible keys and their simulated sounds. The simulation was "based on real-world acoustic data", but figure 7 is not a property of a single actual recording, it is a property of all simulated recordings.
You could still be right. I've been reading again, and I'm having a hard time telling apart statements about how their tool works in general, vs. statements of a particular test of it.
If they actually tested this thing end-to-end, I would expect to be able to answer (i) how many actual key recordings did they test it on?, and (ii) did it work? Was the actual key found among the 3 (or however many) candidates?
At some point, it may be possible to leverage this, but I agree: at present, it's a purely theoretical compromise, and you'd be better served by either picking the lock -- which might be as simple as just raking some pins -- or by re-creating the key from an image[1].
The image attack offers way more opportunities there, as you just need to be able to see the key (as opposed to the hypothetical sound attack, which requires that you capture the sound of the lock being unlocked).
As an aside, If you're keen to learn more about locks and security, I suggest having a look at LockPickingLawyer on YouTube[2].
What they are saying is to find their target keys, they physically modelled 330,424 candidate keys, generated an acoustic simulation and then ran the acoustic simulation of clicks though the tool described in sections 3.1 to 3.6. They used the insertion speed of 1 inch per second for this physical simulation of candidate keys.
Then they compared the output of the tool on all the candidates to the output from the original real recording to see which ones lined up the best.
Thanks for looking deeper, I was hoping someone would. You're right about the purpose of the simulation.
What I'm confused about is, I would expect them to say that they ran that recording through SpiKey, and it output 3 (or however many) candidates, and the actual key was (or wasn't) one of the three. But instead, that bit.ly link is provided for "better understanding", and the rest of the section it's in is about the tool in general, rather than a specific test of it.
Was it one actual recording they tested, you think? Do they say whether the actual key was among the candidates?
Is anyone else feeling tired of these security posts that have scary titles but literally no real world impact?
Ok, maybe you can copy a key from sound but getting a clean recording and then going home and producing a new key and getting it correct is 100000x harder than just sticking 2 metal sticks in the lock and opening it in 15 seconds.
To us these posts might provide some light entertainment, but then they get shared around by people who don't know better and next thing you know people are installing sound proof booths on the front of doors or telling us locks are insecure because they just found out about this trick.
> *Is anyone else feeling tired of these security posts that have scary titles but literally no real world impact?*
Researchers, regardless of the discipline, often work at the edge of what's possible, not what's practical. Decade after decade, we have consumed news about researchers finding ways to cure cancer, immunize against HIV, break encryption with quantum computing, etc. It will be a couple more decades before any of these endeavours come to fruition. Just remember how long researchers have been working on quantum computers and how much longer they need to work to create something even remotely useful.
Science news hints how the world might look like half a century or a century in the future, not next year. For that, you need to read corporate announcements.
A thoughtful comment. Much of the research carried out now is a part of the immediate future, only in the research field. For example, suppose we develop a way to encode information as states of electron spin. This opens huge avenues for quantum computing, although only at the level of labs. To bring a user product onto the market, that is a whole different story and a complicated deal of various factors and fields, independent of research. It makes sense that it takes decades or even half a century to roll out considerable paradigm shifts.
That's fair. I just get the vibe that these articles are less about sharing research and more about drumming up fear to get more eyes on their post/organisation.
Most American locks just aren’t that secure; even I can pick a Masterlock #3 in a few minutes, and I’m a total novice at lock picking. A little bit of practice and there’s a good chance you could pick most front doors in a few minutes.
The simple reality is that if you’re going to get robbed, chances are the robber is going to use a pry bar to ruin the door jamb or break your window. Locks are about keeping honest citizens honest.
I've heard that, and I get it, but I don't think that's actually it. Locks are about making it too inconvenient or risky to be worth stealing or breaking into. I guess some people might all of a sudden steal something if given the chance but would never do so otherwise, but usually, it's people who are already willing to steal if the difficulty and stakes are low enough.
I agree that "locks keep honest people honest" is a nice but bogus sentiment. Bike locks are a clear counterexample. While a cheap cable lock will keep honest people honest, your bike will soon get stolen. A Kryptonite-style lock is kind of the minimum. But even those need constant upgrades as bad guys figure out how to pick them or freeze them with canned air. Thus, the goal of a lock is to make it not worth the effort for a thief, not to keep honest people honest.
That and to provide evidence of forcible entry for insurance companies to pay out. It's easier to cut the lock off than to learn to pick most locks, so the victim can easily prove the theft.
I don't know if this is actually true, but I've heard that it's partly about taking away plausible deniability (for people caught on another person's property). If you had to break something/pick a lock/climb through a window, it's hard to argue that you had no malicious intent and were merely trying to pay a visit, or that it was dark and you were a little bit drunk and you opened your neighbour's front door by mistake.
That reminds me of the time growing up that we actually had someone astonishingly drunk who ended up falling asleep in our unlocked minivan because he completely screwed up navigating home and apparently we had the same type of van he did. Mom was not at all amused at the time, but the more I think about the implementation of car locks (most share key cuts), the more I find the entire thing somewhat amusing in hindsight.
I think the saying "locks keep honest people out" means that locks are there to keep out the overzealous Girl Scout selling cookies, that annoying friend who comes over when you don't text him back, and your neighbor who heard a noise and wants to make sure everything is ok.
It also deters some dishonest people. A while ago my suburb was hit by a drug addict who moved in and would steal change/iPods from unlocked cars and tools from unlocked sheds. He never touched anything that was locked because the extra risk and effort wasn't worth it.
No, locks are about making forcible entry easier than covert entry, so that your insurance company pays out. The primary function of the lock is tamper evidence. The secondary function is deterrence (easier to get into an unlocked place than a locked one). Actually preventing entry isn't the point for any but the strongest locks, and even then they only serve to delay entry.
I don't think most people buy locks for that reason, they buy them because they think the lock is secure enough so that only serious criminals will do anything, and then they hope those criminals don't show up.
Besides, a lot of locks are so easy to pick that you might as well do it instead of making a lot of noise forcing it open.
Dimple locks are exceedingly common here in Japan, and German padlocks (Abus, etc.) are generally considered what you want to buy if you're actually trying to secure something.
The thing is, those locks are more expensive to produce, both in terms of metallurgy and skilled labor. Germany has done a solid job of ensuring that it retains local experience in both areas, through a combination of tariffs, a robust skilled-trade education system, and consumer preference for domestic goods.
American consumers, on the other hand, tend to be very price-sensitive, and Master locks are cheap.
That's not to say that there aren't some rock-solid American locks, but Germany and Japan tend to be the leaders here (and for the same reason)
Most countries/regions tend to "standardize" almost all common locks to one type, which all the local locksmiths learn to work with and sell, and which all the people in that area learn to operate. The actual level of security or cost of the lock type seems to be insignificant, it's all just network effects.
The most common locks in America are all of the pin-tumbler type, which essentially provides "security theater"-level protection. They are very easy to pick with very little skill or specialized tools required, and most of them can even be bumped in 5 seconds. [1] When people got concerned about the security of pin-tumbler locks, American lock manufacturers generally did not move to more secure lock types (or, if some did, they were probably outcompeted by other companies); they just added various extra "security features" on top of the fundamentally broken mechanism. Some of those "security features" are able to stop a curious 12-year-old who spent 4 hours learning lockpicking on YouTube; none of them will actually do much to deter a professional. On the positive side, pin-tumbler locks are really cheap and easy to use.
My native Finland has mostly standardized on Abloy's (now part of Assa Abloy) disc-detainer style locks. [2] They are somewhat more expensive than pin-tumbler style locks, but are dramatically more secure. This is because they typically have many orders of magnitude larger key spaces, and are designed in such a way that it is very hard to get feedback by manipulating the lock. They, too, can be picked, but this generally requires hard-to-acquire specialized tools, a very high skill level and a lot more time than weaker locks. They are hard enough to pick that if you lock yourself out, and don't have the coding of the lock stored somewhere, you basically cannot hire a locksmith to pick the lock for you -- you just have to break into your house some other way.
Why have Abloy locks not been a runaway success in America, replacing all the insecure locks? It turns out that the security of a lock really does not matter. Almost all American home locks are comically weak, yet almost no criminals ever pick or bump locks. So the additional security doesn't actually buy you much, if anything. However, Abloy locks have real disadvantages. For one, they require much more fine machining, which makes them more expensive. On top of that, they are somewhat more complex to use, as the locks have no internal springs (which is part of what makes them secure), so the lock has some persistent state or "memory". If the lock has last been normally locked or unlocked, you can just insert the key, turn, and pull it out. However, if I insert the key fully, and then extract it slightly, turn a little, and then fully pull it out, you can only insert the key up to that same point, and you then have to turn it straight before you can insert it further. If I do this individually to every disc with different rotations, it's going to take you a while. This can happen on its own for, say, a padlock on a container that jostles as it's being transported. Everyone in Finland learns how to open a scrambled Abloy lock with the key right about at the time they get their first key, and most of us probably don't actually think of this as a skill, but do you want to try selling these locks to people who were not just taught how this works by their parents?
So why did Finland standardize on such an expensive, idiosyncratic lock type? It was invented by a Finnish company, their manufacture was domestic, and there were periods when Finland was really starved for foreign currency. It's all network effects from there.
But yeah, every now and then there is a news story or a paper on how you can open an American door lock by 3D-printing a key or by sound or by whatever exotic method. These stories are always stupid because you can already open the lock by gently tapping it, so why waste your time with the tech?
It's the only major type of lock I haven't been able to pick within a reasonable timeframe.
Normally once you learn how to pick a certain model of lock, another lock of the same model will fall within 10 min, broadly speaking, and most cheap locks in just seconds.
A disc detainer lock's design just prevents you from freely accessing each of the discs except with specialized tools, and there's no feedback from any spring, so there's no "touch" or "feeling" you can learn.
That leaves brute-forcing all "combinations" from the innermost to the outermost disc as the only way to pick it.
In an 8-disc, 4-"angle" lock like the one I have to practice on, that means 4096 combinations. With a very optimistic 1 sec per combination, on average you need 34 minutes per lock.
At that point it's less suspicious to use a drill or an angle grinder to open what you want to open.
The birthday problem isn't applicable here, because you're trying to match a specific combination rather than looking for any matching pair. So the average number of attempts needed is indeed 4096/2.
This is the same as the difference between a preimage (specific input) attack and a collision (any pair of inputs) attack on a hash algorithm[1].
> The most common locks in America are all of the pin-tumbler type, which essentially provides "security theater"-level protection. They are very easy to pick with very little skill or specialized tools required, and most of them can be even be bumped in 5 seconds.
Original Abloy was incredibly easy to pick. I remember seeing a weird-looking generic Abloy opener in 1957 when a locksmith opened our door in about 5 seconds. Then Abloy changed the tensioning disk from front to back. And nowadays the tensioning disk is some random disk. But still no problem for Lock-Picking Lawyer or some other YouTube star.
> going home and producing a new key and getting it correct is 100000x harder
Once you get the bitting and know what key it is, this is really not hard at all, provided you have the right tools. There are handheld tools for this stuff [0], so you can do this pretty quickly in a parking lot, in theory.
Yes, these tools are relatively expensive and you probably don't need to worry about your bike getting stolen that way.
Probably also not about someone breaking into your home like this, they'll just smash a window or something.
But if the attack described here gets to the point where you have an app that outputs the bitting code then I believe this is a legitimate attack that should worry (some) companies. This could let you go from access to a building with a 'visitor' badge to getting easy permanent access.
If you care about security, for starters you don't use pin-tumbler locks. They are pretty much useless as far as stopping a determined attacker is concerned.
I feel sure this technology will have a real world impact. Maybe not on your front door, but many valuable secrets and resources lie behind physical locks. As with 0-days, the owners of the technology (say a three-letter agency) may not want to use it so widely they raise awareness.
With more research the designers can certainly overcome the problems other commenters have posted here regarding noise, or more challenging lock design. Lock makers could build effective countermeasures. But there are so many locks that never will be upgraded.
Yeah, basically all pin based locks suffer from the same problem. Once you tension the cylinder the pins don't reset anymore so just poking all pins to the correct height will open the lock. Of course there are locks with varying difficulty but the most effective locks mostly involve making it hard to put conventional lock picking tools into them.
It's not just that picking a lock is going to be simpler. It's that to use the audio exploit a person needs to know enough about locks to select the correct blank. And setting up a camera to take a picture of the key is likely to be at least as easy as setting up audio recording equipment.
It seems like the risk on this one is pretty high, assuming the SpiKey software is available. Say you have a job where you need to be let in and out of a locked area by someone who is trusted with a key. The only thing you need now is a smartphone and to be standing not too far from the person putting the key in the lock and you have access!
If the area is so highly secure that this is a real threat then you should be using NFC tokens and a fingerprint/code scanner. The chance that someone will steal your token and clone your fingerprint before you notice and deactivate the token is nonexistent. And if all that is still not enough security then you need to combine that with a security guard at the door.
Key and lock security is for low security situations where it just has to be more secure than the window.
Even the blog article at the bottom made the more insightful point that just a picture of a key is enough to make a duplicate. It seems a much easier thing to do considering you just need a microcamera pointing sideways at the lock entry.
This paper demonstrates the principle. You start with the easier cases, then introduce the complexities. You don't have to wait until you've licked every problem to publish. And when you eventually do solve the problem in the presence of noise and varying insertion speed, you may not publish.
In which case you need to check out the lockpickinglawyer. Sure, not everyone has that level of skill but it is conceivable to self learn and be competent to a point where lock picking is practical.
However, picking a lock still requires a short period of being unobserved. This may not be the case in, for example, an office building. Taking out a key and unlocking the door is an absolutely normal act and few people would notice. It even adds an air of legitimacy: that person has a key, they’re likely allowed in there.
This seems to work on only the most basic of locks, and doesn't seem to address "security pins" or false pins (pins that, if you move them, will seize the keyway), which will cause false sets, clicks, partial keyway turns, etc.
They can be really nasty for an experienced lockpicker to navigate, and will make all the same sounds and feel of picking a real pin. Most semi-advanced locks will have one or more of these anti-picking countermeasures in place.
As it is, it would be far faster to actually pick this lock instead of trying to reproduce the key.
> This seems to work on only the most basic of locks, and doesn't seem to address "security pins" or false pins (pins that, if you move them, will seize the keyway), which will cause false sets, clicks, partial keyway turns, etc.
I don't see why either of those are relevant.
A key in normal operation won't interact with false pins, and security pins (I assume you're talking about spools/mushrooms) act like normal pins to a key.
You would get a different sound from the different types of security pins, but even then, not that many, and as you say, as it's the legit key being recorded, security pins won't do anything other than act like a normal pin in operation.
At least have an excuse for leaving the house with the radio blaring out now - security.
> You would get a different sound from the different types of security pins
I'm not sure that's true... it may be true, but it hasn't been looked into. Also, 99% of security pins are driver pins, which aren't the pins actually making the clicking sound against the ridges. Since there is a set of pins (key pins) between the ridges and the security pins, that could also "dull" whatever difference the security pins make to the sound.
In the same vein, though, great locks can also use different springs for each set of pins, which also may affect the sound.
If I had a known security-pin lock at hand, I'd check it out, as I have a few contact microphones that are perfect to delve into something like this. Certainly with a spectrogram and zooming in after doing a high quality recording, you'd soon see what sticks out. Of course you would really need a lock in which you have each type of security pin and a normal pin, and change that one pin and compare several unlockings. I'd be surprised if there isn't some distinguishing aspect due to shape changes in the pin altering how it responds to vibration. Yes, the springs will have some influence; a small scratch in the pin barrel would have a small nuanced effect that, with the right measuring, would show up.
I'll put it on my winter project list, more so as it may open up the possibility of not even needing a working key and just inducing some sympathetic harmonic with the pin types to induce resonance that can be measured. Could be a fun winter this year.
I think his point is that if the method only defeats basic locks, there's no point because basic locks can be reliably picked with $20 of tools and a few hours of YouTube tutorials and practicing.
That's fair, of course, but the method is still interesting and novel, and may even have security implications if it can be evolved to target locks containing features beyond the basics.
> basic locks can be reliably picked with $20 of tools and a few hours of YouTube tutorials and practicing.
Not without spending time at the lock, performing an activity that is obviously criminal to any witness, and having to repeat that every time you want access to those premises.
And, also: a neophyte lock picker will likely leave evidence, like scratches. If you have a key that works, you can open the lock without any traces of picking activity.
I mean, not everyone lives in a city. Someone could spend hours picking the lock on my front door at night and no one would even see them.
Plus, in the majority of break-ins, does knowing how they got in matter? If someone broke into my house and stole my valuables, does the fact that they picked the lock make all that much of a difference? I mean, I'd almost be relieved they did that as opposed to something more destructive.
(For the record, I have security cameras, please don't pick my locks)
And sitting next to the doorknob holding your microphone while someone walks in is totally legit. You aren't going to get a clean recording while hiding behind the fence.
I have an esp32 board with a MEMS microphone embedded in it that's about the size of a quarter, and can be powered for hours with a watch battery. So yeah, I can get a clean recording while hiding behind a fence... I just won't be holding the microphone.
> we can 3D-print the keys for the inferred bitting codes, one of which will unlock the door,” says Ramesh.
If you 2D-print me a piece of paper with a few copies of the key image in actual size, I will cut that shape into a blank in about 15 minutes with a file.
You don't need to be a professional locksmith to file down a key, come on.
Anecdotally, it happened to me once that someone forgot to leave the (only) key to a site laboratory, I had him "transmit" via fax the key, then after rummaging in a closet full of old keys I found one that had enough material, filed it down with the high-tech tools I had available (the file of a Leatherman multi-tool) and opened the lock, I cannot see how the same cannot be easily done with a 2-D print of the profile of a "virtually generated" key instead of the fax.
This reminds me of a story in Hugo Cornwall's The Hacker's Handbook. He mentions that MI6 had figured out that each striker makes a slightly different sound when it hits the paper, so they'd started bugging printers.
In retrospect, somebody really should have thought of this three decades ago. Props to the person that did, though.
Check out the "lock picking lawyer" on YouTube if you haven't already. The ease with which he opens a wide variety of locks is pretty impressive. An amateur lock picker can tackle a large percentage of locks with a few days of practice.
Not only that, it works for extremely simple tumbler locks. This is a very cool PoC but nothing that a couple hours of picking and the right tools won’t get you. Specifically, a decoder will get you the bitting to make your own key.
A couple hours of standing at the actual door, picking is not comparable to surreptitiously snapping a few seconds of audio and doing all the work elsewhere, then showing up with four or five possible keys, one of which works.
That’s fair enough if the concept worked in the real world. When I looked over the Singapore data on this, I saw locks used were filing cabinet grade or slightly better. I look forward to seeing this working on a modern tumbler with spool pins and outside the lab, I’ll be really impressed.
Spool pins have a cutaway midsection that seizes up if the lock is being picked, i.e. someone is applying rotational pressure while trying to move the pins. That doesn't seem relevant to the audio technique, which just records the clicks from a correct key. In that situation, the spool pins move more or less just like flat pins. While there are outside-of-lab challenges with real door locks, that's probably not one of them.
Not surprising. Lock-Picking Lawyer or some other YouTube star has shown you can easily duplicate keys from a photograph. When they are hanging from the keyring of a security guard, for example. A larger variety of keys too, including rotating disk type keys.
Would be interesting to see how well their approach coped with the trivial countermeasure of playing competing recordings of (different) key sounds at the same time.
Admittedly computers can now easily split parallel conversations apart fairly effectively (e.g. the cocktail party problem), but in this case, with the individual noises being very similar in character, it would make it harder to get the timing between genuine signals, which seems like it would make the attack much less likely to recreate an accurate key replica.
This reminds me of a paper from a while ago that used the sound of a person typing to get their password: "acoustic keyboard emanations". It seems to be a more convincing paper than the OP.
I can see how an attacker could potentially use this to break into a server or other secure room for the purposes of hacking into systems that have physical locks as security measures
Back in the day, folks demonstrated that a photosensor on that blinky light on your ethernet port was actually the ethernet data, and could be decoded.
I knew when they said they could infer my password based on the sounds of the keystrokes that the concept of "secret" in the physical world was in for some changes. It got really, really bad when I heard of research that could eavesdrop on sounds based off a laser on a window pane or lightbulb.
Physical (and digital) security in our world is truly laughable. When will people wake up and start investing the amount of time, money, and attention real security deserves?
I picked my neighbor's front door when he wasn't home, opened his garage, and returned his weed eater to him in about 5 minutes. It was the easiest thing in the world. And yet I'm sure he sleeps soundly at night thinking his locks offer protection.
This truly basic stuff needs to be instilled in children in elementary school: At least 50% (maybe even more like 70%) of all resources (time, money, etc) should be devoted to security whenever you are building something (house, computer program, etc.). It's not enough to try and "wear all the hats" if you are working at a startup. You need to have security experts on payroll from day 1 if you want any hope of creating a secure product, keeping your assets safe from your own employees (re: Twitter), etc.
There is a certain point where you have to compromise and say the cost of a security breach will be less than the cost of devoting more resources to security.
I could spend hundreds of thousands on building my house with redundant locks, security cameras, steel-reinforced bullet proof doors and windows, OR I can sleep soundly knowing that if my house is robbed I can make an insurance claim and replace all my stuff. If someone wanted to actually steal my stuff or kill me, well they could just wait outside my house and do it then.
Same with high tech, I could build the most secure system on the planet but a guy with a knife to my throat is gonna get all the security keys.
What I was going to say, is that with many people now working on company projects remotely, the potential financial damage isn't just loss of the resident's belongings.