Security researchers have given a whole new meaning to “picking a lock,” demonstrating that they can use audio and signal-processing technology to listen to the sounds a key makes when it opens a lock and then 3D-print a duplicate from a recording.
The attack, called SpiKey, leverages any basic recording technology—such as the one found on any smartphone—and pairs it with signal processing software that can listen to the time difference between audible clicks of a key to determine its particular shape. That shape can then be transformed to a computer model that can be 3D-printed.
A team at the National University of Singapore developed the attack, which is the brainchild of Soundarya Ramesh, a first-year Ph.D. student in computer science at the university.
SpiKey “significantly lowers the bar for an attacker” who wants to break into someone’s house or anything else protected by a physical lock, she and her fellow researchers wrote in an abstract for a paper (PDF) on the research. The team presented the work in early March at the 21st International Workshop on Mobile Computing Systems and Applications (HotMobile 2020) in Texas.
“While many of these locks are vulnerable to lock-picking, they are still widely used as lock-picking requires specific training with tailored instruments, and easily raises suspicion,” researchers wrote.
SpiKey creates a more surreptitious alternative to this traditional technique and works in three basic steps.
In the first step, an attacker who is physically close to someone opening his or her door records the sound with a smartphone microphone. SpiKey then filters the recording using signal-processing technology and detects the timing of the clicks.
The technology then uses the click timestamps to compute what researchers call “adjacent inter-ridge distances,” or how the physical ridges are placed on the part of the key inserted into the lock, given the constant insertion speed.
Those computed distances are then used to infer the relative differences between the bitting depths of the key, which is basically how deeply they are cut into the key shaft, or if they flatten out.
SpiKey then uses all of this information to “ultimately obtain a small subset of candidate keys that includes the victim’s keycode,” researchers wrote.
The paper outlines each step of the technology in depth and also provides scenarios for how SpiKey can handle locks that have multiple pins or keys that have missing ridges, which add complexity to the attack.
Perhaps recognizing that the details of the attack seem abstract and that the attack itself seems an unlikely proposition, the team posted a corresponding spectrogram of a key-insertion recording online so people can listen for themselves to the audio SpiKey uses to create a duplicate key.
To prove that SpiKey works, the team developed a simulation, based on real-world recordings, in which SpiKey was able to narrow down a field of 330,000 potential keys to a lock to “three candidate keys for the most frequent case,” researchers wrote. Given this potential success rate, people may want to think twice before they open their front door if there is a nosy neighbor in the vicinity.