If you are smart, you wouldn’t hand your house key over to a stranger for a few minutes, right? But every time you use your key to unlock your door, you are probably broadcasting everything an attacker needs to make their own copy. Turns out it’s all in the sound of the key going into the lock.
Researchers in Singapore reported that analyzing metallic clicks as the key slides past the pins gives them the data they need to 3D print a working key. The journal published research is behind a paywall, but there is a copy on co-author [Soundarya Ramesh’s] website which outlines the algorithm used to decode the clicks of key teeth on lock pins into usable data.
The attack didn’t require special hardware. The team used audio capture from common smartphones. While pushing your phone close to the lock while the victim inserts a key might be problematic, it isn’t hard to imagine a hacked phone or smart doorbell picking up the audio for an attacker. Long-range mikes or hidden bugs are also possible.
There are practical concerns, of course. Some keys have a plateau that causes some clicks to skip, so the algorithm has to deal with that. It sounds like the final result be a small number of key possibilities and not just converge on one single key, but even if you had to carry three or four keys with you to get in, it is still a very viable vulnerability.
The next step is to find a suitable defense. We’ve heard that softening the pins might reduce the click, but we wondered if it would be as well to put something in that deliberately makes loud clicks as you insert the key to mask the softer clicks of the pins.
While a sound recording is good, sometimes a picture is even better. Of course, if you want to go old school, you can 3D print your lockpicks.
Hacking
Great use of acoustics, but it was hard to judge whether it would really work (did acoustics every result in 3D printed keys? How much acoustic data was recorded? Mostly it seems to be simulation).
All of these home security stories are interesting to a point, but when you couch them in terms of potential attacks it makes me giggle a bit. The entire actual purpose for a lock on the front door is to force the burglar to kick the door in to gain entry thereby showing evidence to the police and insurance company that an effort was made to keep him out.
No, that’s just silly. The entire actual purpose for a lock on the front door is to keep law abiding citizens from walking in on you when you’re “busy”. The police don’t care if the door was locked, “breaking the plane” of the door is sufficient for the crime of burglary and the insurance company only cares about what stuff is gone and how well you kept records.
Most burglars don’t kick the door in. Again, just silly.
I thought the only folks that would actually kick a door in, were the cops.
Locks keep honest people out, guns keep burglars out or get them out (of the house or the world, their choice.)
This research is as another tool in our toolbox. It’s by no means perfect but it’s something new and clever.
It’s the physical equivalent of your keyboard leaking your password as you type.
In the simulations they’ve had 56% success and reduced the key to1 to 15 candidates.
While in practice it shouldn’t matter much if you get 100 to 1000 key candidates as there are other techniques for reducing the numbers further.
I’m excited it’s published as this is the closest thing to SCA we have in physical security.
Me and my friends are looking for other channels we can use to attack locks.
While many will not be practical it furthers our knowledge in this narrow field.
SCA?
Society of Creative Anachronism?
Secret Confusing Acronym
Perfect
Side Channel Attack
Hmmm! wouldn’t tapping lock as you turned key create interferance sound?
The sound is recorded during insertion, not rotation, and tapping probably creates a very different sound which could easily be rejected. In the talk she states how the sound of all pins except the first is removed, but these sounds still contain information, as the tapping wouldn’t correlate to each individual pin. Also, there would be information about the varying insertion speed.
This clearly shows the attack is possible, and probably feasibly in the real world with a little more research.
“The sound is recorded during insertion, not rotation”
That is LITERALLY “what she said.” I agree that this is interesting and fun for the researchers, but “in the real world” wouldn’t it be faster and simpler to just pick the lock? This is similar to using liquid nitrogen to freeze a rose so you can break it instead of just throwing it in the trash.
Faster and quicker? Fast tap with a 3lb engineering sledge.
Dude, it’s not a measuring contest. Put that thing away.
Door locks are so easy to pick, I don’t know why anyone would resort to this method.
https://www.youtube.com/c/lockpickinglawyer/videos
Easy to pick is a relative term anyway – If you have the feel and practice you can make it look trivially easy. If not on the same lock you might get there in the end… Or just put your foot through the door as its easier.
So a ranged passive method to get the correct key would be a useful shortcut for nefarious deed doers. Letting any of them or their stooges just open the door without requiring that skill. That said seems like there are easier ways – telephoto lens of the key before its inserted along with some knowledge of the lock type should let you get exactly the right key every time for instance.
Depends on the door lock. I live in Finland and nearly every lock is a high security ASSA or Abloy lock. Many doors also have very high security lever locks for periods when the occupant is away for an extended period of time. Easier to break in than manipulate the lock to be honest.
Lets not kid ourselves here, LPL is a very talented picker, but without some time with the lock to practise he’s not picking even a medium security lock very quickly. Low security stuff you’d just rake anyway, which requires little skill.
If only it were possible to buy locks to practice with….
Some locks are easy and some are hard. I made a key to fit my VW bus in 15 minutes on the first try after watching a locksmith do it. I later tried the same process with a house door lock. Much harder!
I did pick standard door locks as a teenager, but it’s a lot harder than it looks in the movies. But if a thief can work on the lock unobserved for 15 minutes, they can get in. However, most doors are so badly mounted that a single kick and they are inside and have closed the door before anyone can look outside.
A neighbor was burglarized in that manner 2 blocks from the north Dallas PD station in a condo with an alarm system. The inside door trim was on the other side of the room.
15 minutes? You had access to the bus. Why didn’t you just ask the locksmith for the key?
If it takes you 15 minutes to get through a front door, that career path is not for you.
Again with the kicking and I’m sorry your neighbor faked a break-in.
I wonder if they could predict the key shape of the lock by just racking the pins with a pick?
This is where it gets interesting. The different length pins should differ somehow in their sound. Just thinking what effect possible security pins or master pins would have. Sounds like a project for someone.
Reminds me of the MIT students that used acoustics to hack the sound the roulette ball made in Vegas hitting the wheel to win millions.
Reminds me of the fact that that didn’t happen.
All these comments about attacks on residences. Please. I agree with other posters, if a burglar wanted in your house, bypassing a lock is the LAST thing they would try. Windows, pet door, unlocked doors, they will try anything else before moving on finding easier pickings.
Where this has me worried is in a commercial setting. Large masterkey systems where, with enough data (key bittings), you can decode the entire matrix and go make yourself a top-level master. Technology is trying to stay ahead of such things with dual-credential keys and even full electronic systems, but those are exponentially more expensive than good ol’ fashioned locks and keys.
Office buildings, apartments, plants/factories, schools, universities, hospitals, I can go on. Narrowing down tens of thousands of possibilities to a key-ring’s worth? To gain access to an entire building’s worth of goodies? Frightening from a security standpoint.
Credentials: Locksmith for +10 years serving large commercial and institutional properties.