Duplicating your keys without your knowledge

Duplicating your keys without your knowledge

Summary: Some clever computer scientists at UC San Diego (UCSD) have developed a software that can perform key duplication with just a picture of the key -- taken from up to 200 feet. One of the researchers said 'we built our key duplication software system to show people that their keys are not inherently secret.' He added that on sites like Flickr, you can find many photos of people's keys that can be used to easily make duplicates. Apparently, some people are blurring 'numbers on their credit cards and driver's licenses before putting those photos on-line,' but not their keys. This software project is quite interesting, but don't be too afraid. I don't think that many of you put a photo of their keys online -- with their addresses. But read more...

SHARE:

Some clever computer scientists at UC San Diego (UCSD) have developed a software that can perform key duplication with just a picture of the key -- taken from up to 200 feet. One of the researchers said 'we built our key duplication software system to show people that their keys are not inherently secret.' He added that on sites like Flickr, you can find many photos of people's keys that can be used to easily make duplicates. Apparently, some people are blurring 'numbers on their credit cards and driver's licenses before putting those photos on-line,' but not their keys. This software project is quite interesting, but don't be too afraid. I don't think that many of you put a photo of their keys online -- with their addresses. But read more...

Silicon core of an optical fiber

As said the researchers, you can see above "a graphical depiction of the main steps in our algorithm for decoding a key from its image. First, the user provides point locations on the target key with a reference key as a guide. Next, the system warps the target image into the pose of the reference key and overlays markings of where the bite codes are to be found. Finally, the user specifies where the cut falls along each line and the bit depths are decoded by the system into a bitting code." (Credit: UCSD)

This research project has been driven by graduate students Benjamin Laxton and Kai Wang under the supervision of computer science professor Stefan Savage, a computer science professorfrom UC San Diego's Jacobs School of Engineering.

In fact, it's not really research, it's spying. "In one demonstration of the new software system, the computer scientists took pictures of common residential house keys with a cell phone camera, fed the image into their software which then produced the information needed to create identical copies. In another example, they used a five inch telephoto lens to capture images from the roof of a campus building and duplicate keys sitting on a café table about 200 feet away." Wow!

So how does this software work? "The keys used in the most common residential locks in the United States have a series of 5 or 6 cuts, spaced out at regular intervals. The computer scientists created a program in MatLab that can process photos of keys from nearly any angle and measure the depth of each cut. String together the depth of each cut and you have a key's bitting code, which together with basic information on the brand and type of key you have, is what you need to make a duplicate key. The chief challenge for the software system, called 'Sneakey,' is to adjust for a wide range of different angles and distances between the camera and the key being captured. To do so, the researchers relied on a classic computer vision technique for normalizing an object's orientation and size in three dimensions by matching control points from a reference image to equivalent points in the target image."

And are some details about the software. "'The program is simple. You have to click on the photo to tell it where the top of the key is, and a few other control points. From here, it normalizes the key's size and position. Since each pixel then corresponds to a set distance, it can accurately guess the height of each of the key cuts,' explained Laxton. The researchers have not released their code to the public, but they acknowledge that it would not be terribly difficult for someone with basic knowledge of MatLab and computer vision techniques to build a similar system."

This research work is being presented today at the ACM Computer and Communications Security Conference (CCS 2008) held in in Alexandria, Virginia in the "Device Security" session. The title of the presentation is "Reconsidering Physical Key Secrecy: Teleduplication via Optical Decoding." Here is a link to this technical paper (PDF format, 9 pages, 3.41 MB), from which the above picture has been extracted.

Here is the text of the abstract. "The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private -- that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the everincreasing capabilities and prevalence of digital imaging technologies present a fundamental challenge to this privacy assumption. Using modest imaging equipment and standard computer vision algorithms, we demonstrate the effectiveness of physical key teleduplication -- extracting a key’s complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates. We describe our prototype system, Sneakey, and evaluate its effectiveness, in both laboratory and real-world settings, using the most popular residential key types in the U.S."

And here is an excerpt from the conclusion. "The security of any system invariably changes over time as technological advances challenge the system’s implicit assumptions. In this paper we have identified just such an inflection point. The increasing resolution of commodity imaging sensors coupled with existing computer vision techniques has made it entirely feasible to duplicate someone’s keys without ever touching them — perhaps without even being able to see them with the unaided eye. What’s more, imaging has become pervasive to the point where surveillance cameras do not even produce notice. X-ray scanners, used routinely on entry to airports and government buildings, have sufficient resolution to decode keys in the same manner as well. [...] Given this situation, the obvious question is "what to do?." An obvious answer is "Leave your keys in your pocket." However, keys must ultimately be used -- and used at known locations.

And this is the key -- no punt intended. If you have a picture of a key, how do you know the address of the owner? So I think this technique of key duplication is more an exercise than a real threat. It's also limited because the vast majority of us don't show their keys in public places.

Sources: UC San Diego Jacobs School of Engineering news release, October 29, 2008; and various websites

You'll find related stories by following the links below.

Topics: CXO, Banking, Data Management, Enterprise Software, Hardware, Software, IT Employment

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • So why on earth...

    ...would ANYONE put pictures of their keys online?

    And pictures of their driver's licenses and credit cards?

    Seems like Darwinism at its best!
    IT_Guy_z
    • They're not

      but lots of people drop their key chains on the table, like they did at the cafe mentioned in the article.

      Duplicate the keys, follow the person to find where they live or what they drive, and presto! instant victim.

      And you can buy key blanks for just about everything at your local hardware store.
      Dr_Zinj
  • And nothing amazing here

    As people could have been duplicating keys from a photo without any special software.
    As long as you know the length of the standard points. the rest is easy with simple math and a caliper.

    I will guess most everyone reading this has that same style key in their pocket, so measuring those points is easy

    Now, how do you actually [i]make[/i] the duplicate key?
    GuidingLight
    • make it? you don't have to really...

      go to any key cutting place, and you could A) give them a template showing the data needed, B) give them the bit data... and then explain how you only had the 1 key, and you lost it... if they ask, you could lie about why you have the data but not the key...
      shryko
    • How to make...

      You need to buy a bit key cutting machine. Only a locksmith would be able to cut a key from data, most other key cutting machines only duplicate. This is more of an "academic exercise" as if the serious minded individual wanted access, they could just pick the lock or knock the door in with much less effort.
      fastboxster
  • Try it with a Medeco

    Then I'll say you have something. Beating a quickset or $7 deadbolt is nothing to publish. Its called a bump key, look it up.
    Rottman3D@...
  • RE: Duplicating your keys without your knowledge

    I agree with Rottman3D If you can figure out all the angles of a Medeco key without a extremely sharp/high quality image I would be impressed. Anyway there are much bigger problems than this such as one Schlage and one Kwikset bump key will open >90% of the residential locks in North America. And this technique takes almost no skill unlike picking locks.
    Security Ace