The next time you’re grabbing a drink with your friends you might not want to set your keys down on the table, lest they get copied right under your nose. A group of computer scientists at UC San Diego have developed software, called Sneakey, that can copy keys using digital images. This is actually old news, as they published their key duplication software system back in 2008 in the Association for Computing Machinery Digital Library. But we only came across their mischievous little invention just now. And not only is the technology really cool, but if you hadn’t heard about it yet, we thought you might want to know it’s out there.
In one demonstration they duplicated a key using an image captured on a cell phone camera. In another demonstration, with the help of a telephoto lens they were able to duplicate keys sitting on a café table almost 200 feet away. Given all the odd angles they attempted to duplicate every key on the ring (see above image). Incredibly, all of the copies worked when tested out on the relevant locks.
James Bond would be jealous.
The duplication process starts with key normalization. To calibrate measurements they first take a picture of a reference key that is the same brand and type as the target key. Points are established that are the same for both keys, such as the key ring holes and the length. This enables a pixel/mm ratio to be calculated. After a digital image of the target is taken, the user specifies points along the target that correspond to the points on the reference. In addition, the cut distances and depths of the target's teeth are marked. The program then uses a common 2D homographic algorithm to map the 2D planes of the target to those of the reference and calculates the cut positions and cut depths. This mapping allows the key thieves to determine the necessary measurements for the teeth even if the key in view is at an odd angle, as they will most likely be. The teeth measurements–or “bitting code”–on the keys is then fed into a key cutter and, just like that, your home is no longer secure.
The technology behind Sneakey is not new or sophisticated. Pretty much everyone has at least a cell phone camera and the computer code, according to the UCSD scientists, wasn’t all that difficult to write. They didn’t release the code to the public (it wasn’t included in the paper), but they acknowledge that anyone with a basic knowledge of Matlab, a code-writing program used by scientists to create computational algorithms, could come up with their own versions of Sneakey. Dr. Stefan Savage, who led the project, emphasizes a need for people to consider keys visually-sensitive information. “If you go onto a photo-sharing site such as Flickr,” he told UCSD Jacobs School of Engineering News, “you will find many photos of people’s keys that can be used easily to make duplicates. While people generally blur out the numbers on their credit cards and driver’s licenses before putting those photos online, they don’t realize that they should take the same precautions with their keys.”
In fact, using photos to copy keys is an old trick used by locksmiths and lock vendors. But without a program like Sneakey, the key-makers would require high-resolution photos and copying of the keys by hand.
So how does one protect him or herself from key fraud? You might’ve guessed: unless you’re using them, keep them in your pocket.
But companies are already trying to stay ahead of the curve by making keys more sophisticated. Cars were made harder to steal in 1995 when BMW became the first automaker to install radio frequency identification (RFID) immobilizer chips into their keys. The chip sends an encrypted radio signal to a transponder in the car–each car has its own unique signal–that enables the engine to be started. If the key isn’t in the car’s vicinity, as when thieves try to start the car, the engine doesn’t start.
At least that was the idea. It wasn’t long before carjackers got tech-savvy and realized that all you had to do was pop the hood and yank a fuse from the engine’s power relay center. Boom, you’re in.
I’m not aware of any similar technologies that are being developed for house locks, but I’m guessing we’ll see them at some point if only due to the fact that, as RFID-type technologies become the standard for our car keys, we’re going to want them for our house keys too. And it’s probably a matter of time before we hear the first reports of houses being broken into with no signs of forced entry. That may sound a little paranoid, but I generally assume if someone can, they will.
Let me try and add to your paranoia by pointing out that X-ray scanners in use at airports and government buildings have ample resolution to decode keys with Sneakey. And with digital photo taking and sharing becoming ever more ubiquitous (when was the last time you added to your stack of dusty photo albums?), the chances that your keys are going to turn up online are ever increasing. You might want to check that picture for shiny, jingly objects before you 'tag' it up. The authors actually went on Flickr and grabbed several hundred pictures of keys with sufficient resolution for Sneakey to copy. The authors assure us, however: “...we did not do so as we could not find an ethical way to validate our copies.”
Aside from Sneakey being a pretty awesome technological party trick, it illustrates yet another intersection between technology and safety. As stated in the paper, “The security of any system invariably changes over time as technological advances challenge the system’s implicit assumptions.” The assumption here being to copy a key you need to actually touch it.
Well, I'm just going to assume from now on that I can't trust anyone. Especially people with telephoto lenses.