A lock is reliable only insofar as it cannot be defeated by an intruder. Computer technology makes things easier, alas, including for those who hate doors they cannot open (and no, we are not talking about cats). Thanks to 3D printers, copying keys has become much easier. Of course, to print them, you need at least one decent image of the original.
Researchers in Singapore recently published a paper demonstrating SpiKey, a door lock attack that doesn’t require a picture. You simply use your smartphone to record the clicks of the key being inserted into the keyhole.
How the clicks reveal the key
The attack works on pin tumbler locks, the most common type in use today. The mechanism is based on a cylinder that must be turned to lock or open the door. This cylinder houses several pins, which consist of two parts of different lengths and are held in place by springs.
When there is no key in the keyhole, the pins fill the cylinder entirely, and their outer part prevents the cylinder from turning. A suitably shaped key moves the pins so that the boundary between the two parts coincides with the edge of the cylinder; as a result, nothing prevents it from turning. The main secret of a key is the depth of its grooves (pits), which determine the pins’ fit.
When you insert a key into the lock, the pins move based on the shape of the key: They rise when a ridge (the protrusion located between the grooves) passes under them, and then fall again. When the pins fall, they click.
By measuring the time between clicks, scientists were able to determine the distance between the ridges on the key. This method, of course, does not reveal the main variable: how deep the grooves on the key are. But it does provide some idea of the shape of the key. By exploiting this approach, researchers were able to find key variants that corresponded to the original key.
Why the SpiKey attack is dangerous
An attacker cannot use the SpiKey attack to create a detailed portrait of an original key. However, here is another useful fact: Keys aren’t truly random. By combining data on the distance between the ridges and knowledge of the requirements for keys for six-pin locks manufactured by Schlage, the researchers were able to narrow the range of possible keys from 330,000 to just a few. An attacker who wants to copy a key can print just five variants on a 3D printer and try each of them. One of the keys will almost certainly defeat the lock.
Don’t panic
Like most attacks developed in a lab, SpiKey has its drawbacks, and burglars are unlikely to put it into practice anytime soon.
First of all, to perpetrate a successful attack, you need to know the make of the lock. Different manufacturers have different requirements for keys, and for an attacker to craft an effective across-the-board approach would be much more difficult. Also worth noting, not all locks are of the pin-tumbler type; several alternative types are also very popular.
Second, if two or more pins in the lock click at the same time, the attack will not work. That is, even if the lock is the right type, there is no guarantee that a matching key for a certain lock can be found. Researchers have found that more than half of Schlage locks are vulnerable, but the proportion will be different for other manufacturers.
Third, the experiment also assumed that the key’s insertion into the lock occurs at a fixed speed and without any pauses. Although possible, that scenario is unlikely in the real world.
How to protect your home (and other places) from burglary
The SpiKey attack represents a development that could help burglars and other dishonest people in the long run. Here’s what you can do to protect yourself from this attack:
- Use several locks, preferably of different types. Even if a would-be intruder can create a key for one of them, the others will probably stop the culprit;
- Add other types of security. The market is currently full of alarms and other security systems to suit all tastes, from quite simple to very elaborate;
- Protect your devices so that intruders cannot hijack your microphone or camera functions.