26 AUGUST 2020
The sound of a key sliding into a lock could be enough information to potentially create a copy of that key and open the lock – that’s the conclusion of researchers who’ve been investigating “acoustics-based physical key inference”.
It makes sense, if you think about it: the clicks and clacks of a key pushed into a pin tumbler lock actually reveal the mechanism within, if you can slow down, isolate, and analyse the sounds with enough accuracy.
Pulling off a trick like this would need a lot of work and equipment, and would probably end up being more hassle than learning how to pick the lock in the traditional way – but it’s an intriguing and unusual security loophole to ponder.
“Our research group leverages information from the physical environment that is seemingly of no utility, to either develop better applications or compromise existing ones,” computer scientist Soundarya Ramesh from the National University of Singapore told Communications of the ACM.
“So, we began to wonder if we can utilise the sound produced during key insertion, which has no utility of its own, to compromise physical lock security.”
Keys engage pin tumbler locking mechanisms by using bittings (fixed points) to push up a series of pins to varying degrees, so that the pins are all correctly aligned and the lock can turn. As the ridges of the key shift the pins up and down, it creates a series of clicking sounds.
By mapping these audible clicks, the shape of the key can be inferred, the team has demonstrated in their proof-of-concept simulation. The click timings reveal the distances between the bittings, then an additional algorithm uses these distances plus the limitations of the key design – the fixed angles of the key ridges – to narrow down the number of possibilities.
The team’s system is called SpiKey, and while it’s not perfectly accurate, it produces a number of candidate keys that can be tried. In rare cases there can be as many as 15 candidate keys, but the most frequent end result is having three candidate keys, one of which will work.
The maths is a bit complicated, but of the 586,584 possible key combinations for a 6-pin lock, around 56 percent (330,424) are vulnerable to a SpiKey attack, according to the team’s calculations and models. Of those 330,424 possibilities, 94 percent of combinations can be reduced to fewer than 10 candidate keys.
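To make the candidate-reduction idea concrete, here is an added toy simulation (not the researchers’ code or model) of why click timings narrow a key down to a set of candidates rather than a single key: at a steady insertion speed, each click’s time reveals how much the depth changes between neighbouring bittings, but not whether it goes up or down, so every sign combination that stays within the allowed depth range and the maximum adjacent cut rule survives. The pitch, ramp, depth count and MACS values are constructed assumptions, not the paper’s figures.

```python
"""Toy model of SpiKey-style candidate-key inference from click timings.

Hypothetical geometry (constructed, not from the paper): bittings sit PITCH mm
apart along the blade, and the ramp between two neighbouring bittings extends
RAMP mm per unit of depth change, so the click for pin i is heard
RAMP*|d_i - d_{i-1}| mm after the bitting's nominal position. Depths range
over 0..DEPTHS-1 and neighbours may differ by at most MACS.
"""
from itertools import product

DEPTHS = 10      # number of cut depths per pin (assumed)
MACS = 7         # maximum adjacent cut specification (assumed)
PITCH = 4.0      # mm between bitting centres (assumed)
RAMP = 0.5       # mm of ramp length per unit of depth change (assumed)


def click_times(depths, speed_mm_s):
    """Simulate clicks at constant insertion speed; t=0 is first-pin contact."""
    times = []
    for i in range(1, len(depths)):
        x = i * PITCH + RAMP * abs(depths[i] - depths[i - 1])
        times.append(x / speed_mm_s)
    return times


def step_magnitudes(times, speed_mm_s):
    """Invert click_times: timing yields only |d_i - d_{i-1}|, not its sign."""
    return [round((t * speed_mm_s - i * PITCH) / RAMP)
            for i, t in enumerate(times, start=1)]


def candidate_keys(times, speed_mm_s):
    """Enumerate every valid key whose simulated clicks match the timings."""
    mags = step_magnitudes(times, speed_mm_s)
    if any(m > MACS for m in mags):      # no legal key can produce this
        return []
    signs = [(-m, m) if m else (0,) for m in mags]
    candidates = []
    for first in range(DEPTHS):          # first bitting is unconstrained
        for steps in product(*signs):    # each later step may go up or down
            key = [first]
            for s in steps:
                key.append(key[-1] + s)
            if all(0 <= d < DEPTHS for d in key):
                candidates.append(tuple(key))
    return sorted(candidates)


if __name__ == "__main__":
    true_key = (3, 5, 5, 2, 6, 4)        # constructed example bitting
    timings = click_times(true_key, 20.0)  # stands in for a real recording
    cands = candidate_keys(timings, 20.0)
    print(len(cands), "candidates; true key included:", true_key in cands)
```

Because this model discards the direction of each depth change, its candidate sets are larger than the paper reports; it is meant to show the shape of the reduction, not to reproduce the team’s numbers.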
Pushing their idea further, the researchers point out that making a sound recording of a door being opened can be done without attracting as much attention or suspicion as actually trying to pick the lock. Once the key is made, unlocking the door is quick, and can be done as often as needed.
It’s an impressive trick, though there are limitations to mention: the original key must be inserted into the lock at a steady speed so that the key bittings can be worked out, for example. It also only works with pin tumbler locks, which are just one type of lock, albeit a ubiquitous one.
The researchers also point out that when using a smartphone to record the audio of the unlocking process, the phone needs to be pretty close to the lock – which, uh, is likely to attract suspicion. Hidden microphones or hacking someone’s phone or other gadget to make the recording are alternative possibilities, the team notes.
While the hack is rather complicated in its current form, it is at least plausible – and it’s the ingenuity of security researchers who try to anticipate possible vulnerabilities that ultimately can make us all safer. (Or give potential thieves new ideas.)
“SpiKey inherently provides many advantages over lock-picking attacks, including lowering attacker effort to enable a layperson to launch an attack without raising suspicion,” conclude the researchers in their paper.
The research has yet to be peer-reviewed but has been presented at the International Workshop on Mobile Computing Systems and Applications (HotMobile 2020) in Texas.
You can read a paper on the work here.