Duplicating your keys without your knowledge
Some clever computer scientists at UC San Diego (UCSD) have developed a software that can perform key duplication with just a picture of the key -- taken from up to 200 feet. One of the researchers said 'we built our key duplication software system to show people that their keys are not inherently secret.' He added that on sites like Flickr, you can find many photos of people's keys that can be used to easily make duplicates. Apparently, some people are blurring 'numbers on their credit cards and driver's licenses before putting those photos on-line,' but not their keys. This software project is quite interesting, but don't be too afraid. I don't think that many of you put a photo of their keys online -- with their addresses. But read more...
As said the researchers, you can see above "a graphical depiction of the main steps in our algorithm for decoding a key from its image. First, the user provides point locations on the target key with a reference key as a guide. Next, the system warps the target image into the pose of the reference key and overlays markings of where the bite codes are to be found. Finally, the user specifies where the cut falls along each line and the bit depths are decoded by the system into a bitting code." (Credit: UCSD)
This research project has been driven by graduate students Benjamin Laxton and Kai Wang under the supervision of computer science professor Stefan Savage, a computer science professorfrom UC San Diego's Jacobs School of Engineering.
In fact, it's not really research, it's spying. "In one demonstration of the new software system, the computer scientists took pictures of common residential house keys with a cell phone camera, fed the image into their software which then produced the information needed to create identical copies. In another example, they used a five inch telephoto lens to capture images from the roof of a campus building and duplicate keys sitting on a café table about 200 feet away." Wow!
So how does this software work? "The keys used in the most common residential locks in the United States have a series of 5 or 6 cuts, spaced out at regular intervals. The computer scientists created a program in MatLab that can process photos of keys from nearly any angle and measure the depth of each cut. String together the depth of each cut and you have a key's bitting code, which together with basic information on the brand and type of key you have, is what you need to make a duplicate key. The chief challenge for the software system, called 'Sneakey,' is to adjust for a wide range of different angles and distances between the camera and the key being captured. To do so, the researchers relied on a classic computer vision technique for normalizing an object's orientation and size in three dimensions by matching control points from a reference image to equivalent points in the target image."
And are some details about the software. "'The program is simple. You have to click on the photo to tell it where the top of the key is, and a few other control points. From here, it normalizes the key's size and position. Since each pixel then corresponds to a set distance, it can accurately guess the height of each of the key cuts,' explained Laxton. The researchers have not released their code to the public, but they acknowledge that it would not be terribly difficult for someone with basic knowledge of MatLab and computer vision techniques to build a similar system."
This research work is being presented today at the ACM Computer and Communications Security Conference (CCS 2008) held in in Alexandria, Virginia in the "Device Security" session. The title of the presentation is "Reconsidering Physical Key Secrecy: Teleduplication via Optical Decoding." Here is a link to this technical paper (PDF format, 9 pages, 3.41 MB), from which the above picture has been extracted.
Here is the text of the abstract. "The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private -- that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the everincreasing capabilities and prevalence of digital imaging technologies present a fundamental challenge to this privacy assumption. Using modest imaging equipment and standard computer vision algorithms, we demonstrate the effectiveness of physical key teleduplication -- extracting a key’s complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates. We describe our prototype system, Sneakey, and evaluate its effectiveness, in both laboratory and real-world settings, using the most popular residential key types in the U.S."
And here is an excerpt from the conclusion. "The security of any system invariably changes over time as technological advances challenge the system’s implicit assumptions. In this paper we have identified just such an inflection point. The increasing resolution of commodity imaging sensors coupled with existing computer vision techniques has made it entirely feasible to duplicate someone’s keys without ever touching them — perhaps without even being able to see them with the unaided eye. What’s more, imaging has become pervasive to the point where surveillance cameras do not even produce notice. X-ray scanners, used routinely on entry to airports and government buildings, have sufficient resolution to decode keys in the same manner as well. [...] Given this situation, the obvious question is "what to do?." An obvious answer is "Leave your keys in your pocket." However, keys must ultimately be used -- and used at known locations.
And this is the key -- no punt intended. If you have a picture of a key, how do you know the address of the owner? So I think this technique of key duplication is more an exercise than a real threat. It's also limited because the vast majority of us don't show their keys in public places.
Sources: UC San Diego Jacobs School of Engineering news release, October 29, 2008; and various websites
You'll find related stories by following the links below.