All Your Keys Are Belong To KeyDecoder

An illustration of a key sitting on an ID card. The key is light grey and the ID card is a darker grey gradient. The ID card says ID-1 Card 85.60 by 53.98 mm

Physical security is often considered simpler than digital security since safes are heavy and physical keys take more effort to duplicate than those of the digital persuasion. [Maxime Beasse and Quentin Clement] have developed a smartphone app that can duplicate a key from a photo making key copying much easier.

KeyDecoder is an open source Android app that can generate all the necessary bitting info to duplicate a key from just an image. Luckily for the paranoid among us, the image must be taken with the key laying flat without a keyring on an ISO/CEI 7810 ID-1 ID or credit card. A passerby can’t just snap a photo of your keys across the room and go liberate your home furnishings, but it still would be wise to keep a closer eye on your keys now that this particular cat hack is out of the bag.

The project’s GitHub page is awash in warnings that this tool is designed solely for “pentesters and security enthusiasts” to warn their friends and clients about the dangers of leaving their keys exposed. After learning about this tool, we wouldn’t be surprised if some in the audience start rethinking how they carry and store their physical keys from now on.

If you want to see some more hacks to duplicate keys, checkout Copying High Security Keys With OpenSCAD And Light and Methods Of Copying High Security Keys.

55 thoughts on “All Your Keys Are Belong To KeyDecoder

    1. I love LPL because of how he breaks some common assumptions about personal security.

      LPL himself did a demonstration on how to modify a normal Kwikset door lock so it’ll permanently lock if someone tries picking it without knowing about the booby trap. He explained also that he won’t be doing it to his own house because most burglars won’t other trying to pick a lock. If the door’s locked, there’s a glass window next to it.

  1. Good luck using a single photo to replicate the key to a BiLock, a Gerda Titan, an Abloy Protec2 or any number of other high security locks that have complicated bitting. (or bitting in multiple directions)

    1. Obviously this is just meant for simple keys and even more so as a “look sir, all i needed was a quick photo to get in your building, bonus pay for successful non destructive entry please” type ordeal

    2. In my misspent youth, I made copy of the school’s master key by borrowing it and placing it on a piece of photographic paper, then flashing it with light from the enlarger in the school darkroom. Used this as a template when filing a blank.

      I have grown older and wiser since then.

      1. “I have grown older and wiser since then.”

        And now know that a bar of soap in a pocket for physical imprisoning is sufficient, and less likely to rouse suspicion than wandering about with the key and futzing with darkroom equipment for an extended time.

        1. Locksmith here, for simple stuff we can just fit a key via impressioning the lock itself. No need for the key to be present.

          Same can be said for a good chunk of safe deposit box locks. . .

          I have kwikset on my house. And a nice and friendly force multiplier and someone is always home. Locks are just there to keep honest people honest.

          1. Ditto in the quikset.

            Motion detection via pir and dvr begins at 50 yards/100 on pavement. I set up a bash script to pause the Rokus and display cameras when motion is detected outside. All parking is concealed from public via street or air. Someone’s usually home, with multiple loaded force multipliers staged and or carried any time I’m dressed. And we all have state specific legal training and prepaid legal defense insurance should we need to call a coroner to come remove an intruder.

            The most secure brass keys don’t deter unauthorized entry nearly as well as a little lead and living in a US state that values the domicile.

      2. In jr high – (mid ’70s) I just happened to have some keys in my pocket (farm kid here) and while walking by the notebook vending machine, watched my right hand grab a random key from my pocket and put it in the lock. IT OPENED! Surprised the heck out of me! I quickly locked it back up.

        However, I was seen by a teacher and ultimately received three whacks from the Board of Education!

        I too have grown older and wiser since then.

    3. Modern iPhones can just the the key in seconds to 0.5mm accuracy. More than enough to decode any normal key. That combined with a high res photometry at the same time, even high security keys take seconds. Key control is very important, laying the keys on a desk someone can walk up and scan the key.

  2. If an attacker is willing to go through the effort of finding a picture of your keys before breaking in, you never stood a chance in the first place. Resistance time of the highest millitary grade security door: 20 minutes. Regular security door? 3 minutes, and that’s already beyond what most homes have installed. Locks and doors keep honest people honest and cold air out of your home, nothing more.

        1. Things I did in my youth, when sidelineing for a lockout specialist:

          Enter a `secure’ apartment building by removing the door and frame (steel) from the outside, then replaced same. About 15 minutes, no special tools needed. Bars, screwdrivers, and a helper.

          Remove a window and frame then replace. The windows were all inserts. Hardest part was cutting the screws with a hacksaw blade, without damaging the frame of the insert. Modern replacement window inserts are easier. Only two screws for many.

          Enter through unlocked windows

          Unlock windows from the outside. Even today, many window latches are not very good

          open slider doors from the outside. Those bars you drop in the track are not effective, by the way. The best quality doors today are pretty good by comparison

          Open rear sliders windows on truck cabs. Once in a while, a small hole needed to be drilled to directly push the release, but usually just working a wire around the edge of the glass was sufficient. Safer and faster than wedging a door.

          spread door frames with a jack

          I could go on. The purpose of the security isn’t just to keep honest people honest, but to slow down criminals, make them work for it, make them make some noise. Make breaking in more trouble or risk than it is worth.

          1. That sounds like more trouble than just using proper bypass tools.

            Like the under door lever tool, or the latch or bolt tools for Adams Rite, or the thumb turn tool.
            Or a core puller, or the 3/16″ battery powered rotary pick(drill). Hell even airbags to disengage the deadlatch and bypass the latch completely.

            And I say this as a locksmith if I’m damaging stuff other than the lock or cylinder to get into places I’m doing something very wrong. Most of the time you don’t have to damage anything to get in with the right tools.

    1. Except that the bitting of these TSA master keys were known publically long before that.

      Every lock provides the means to decode the key used for unlocking it. Sometimes one might have to get destructive to get the information, but for a master key that can be worth it. Not that the TSA master keys are particularly secure to start with.

      But yes, the report made it easier for Joe average. But look picking enthusiasts didn’t need a picture of the keys.

      To be fair, I wouldn’t be the slightest bit surprised if the bitting info is in a publically available legal document provided by the TSA so that manufacturers of TSA approved travel locks known what to build in the first place. Plenty of other master keys for all sorts of applications are publically documented for anyone to read already.

    1. The key-cutting kiosk at the home improvement store near me already scans keys and has an option to save the data for future use. That’s probably a more reliable backup solution for honest purposes (and also a treasure-trove for hackers with ill purposes)

  3. I deal with Alarm systems and hardly ever a crook is gonna to take the time to 3D print a key. Best bet is to make sure everything is locked, tons of people attend to leave windows unlocked. A Sliding glass door can be accessed by lifting it from the track, even if there is a stick in the track. Best way to secure those doors is a Sliding door pin. Garage doors are easy if it has a electric door opener. Simple fix for that is to put a pool noodle on the door bypass pull cord.

    Crooks don’t care they’re on camera. Most law-enforcement can’t do much if they can’t see the crooks face or markings like tattoos. Also if anything they can just break a window. 80% of crooks go straight to the master suite bedroom. I always recommend people getting a alarm system is to get a glass break sensor in the master and a contact on the bedroom or closet door.

    1. Modern sliding glass doors have latch pins instead of the old hook. They can’t be lifted off the track. Still can just smash it with a rubber band and a broken sparkplug from 20 feet away lol

    1. How about taking a picture of the front door area, printing it life-size, and have an easel hold it up a couple feet in front of the door while you’re working the lock.
      B^)

  4. It seems to me that this isn’t particularly more of a security risk than, say a Lishi Pick/Decoder combo, which requires a modicum of skill (took me about an hour of practice to be able to open most locks without spool pins and about 5 hours to get the hang of spool pins), but once the user learns how to use it, they know.

    This does have the advantage that you can get the key combo without being visible in proximity to the lock doing something suspicious, but that’s a different set of skills. ;-)

  5. ISO/IEC 7810 ID-1: The ID-1 format specifies a size of 85.60 by 53.98 millimeters (3+3⁄8 in × 2+1⁄8 in) and rounded corners with a radius of 2.88–3.48 mm (about 1⁄8 in). It is commonly used for payment cards (ATM cards, credit cards, debit cards, etc.). Today it is also used for driving licenses and personal identity cards in many countries, automated fare collection system cards for public transport, in retail loyalty cards, and even crew member certificates (particularly for aircrew).[1]

    Or you can buy the “ISO/IEC 7810:2019 Identification cards — Physical characteristics” standard in .pdf format for the insanely high price of CHF 61 or $66.45 United States Dollars.[2]

    * References:

    1. ISO/IEC 7810

    https://en.wikipedia.org/wiki/ISO/IEC_7810

    2. ISO/IEC 7810:2019 Identification cards — Physical characteristics

    https://www.iso.org/standard/70483.html

    1. Neat. But it’s too bad the original authors are such time wasting jerks to require an ID card.

      And they’re a little bit late to this game. There was a service I used 10 years ago when I administered corporate office security. It was a mobile-enabled web page with which I could take a photo of a key, without some stupid ID card in the background and it would determine the key type and keying and show me that information immediately. And then I could enter credit card information to order keys and they would show up in the mail a couple days later. It was a great service. Extremely convenient for business. I want to say it was five bucks a key minimum $10

      They said goodbye and went offline right about the time that those key kiosks started showing up at Home Depot on Lowe’s so I imagine one of those companies bought the IP. It’s too bad though. It was handy not having to drive somewhere and the keys just show up on a postcard! Maybe they got in trouble for mailing something as heavy and rigid as a key on postcards or something.

      Point is, this is nothing new. This app is intentionally crippled and it doesn’t even automatically detect the keyings. Looks like you have to manually select them like some sort of trained ape. Yuck.

  6. That Charlie-Four Synthetic stuff we used is pretty efficient at opening locks with extreme security measures… Is a little noisier than a bump key and a 4 lb. hammer… 😁

  7. Very nice idea. The photo is transmitted, with the location, to a thievery corporation. Also, with some luck, they can get personal info, ID cards, o even credit cards numbers. And the not educated User thinks he /she is the clever one.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.