This is perhaps an unintentional demonstration that "insecure against absurdly complex and specific attacks" does not always mean "insecure."
For a web system that is under attack 24/7 from 255^4 different attack vectors, you need "secure against even absurdly complex attacks" to be "secure."
But for my house? Your average thief isn't going to spend the time to take a high-res photo of my keys. Instead, they're just going to beat me until I give them my keys (the original "rubber-hose cryptography") or just take a crowbar to the door. It's just not worth it to use such a complex attack.
(Yes, I can see uses for being able to break in without giving away the fact of the break-in, and I'd be surprised if the CIA/NSA/etc hadn't already used a similar technique, but for everyday life it's just a cool theoretical hack that would make a great plot point in a Neal Stephenson novel.)
This still seems like a valid low-tech hacking technique. Simply take photos of anyone's keys (easy to do if you are planning it out) and run some software. This seems like a potentially big problem for any facility secured by only lock and key (schools, homes, safety deposit boxes, PO boxes, cars, storage, etc.).
If it was an iPhone app (anybody?) then it's really not so far-fetched. It would be easier and cheaper ($1?) than risking exposure to the homeowner and possible identification.
Maybe there's a hugely male, and young populace here, but I'd like to point out that theft isn't always the intent of home invaders, and that in a lot of cases, the really scary people want to get in without alerting you to it.
This is information I'd want my sister to be aware of, as I can easily see how I'd use it to hypothetically abuse someone.
How often do people leave their keys out in the open like that? Mine are in my pocket until I am at the door (actually, most of my doors are RF or keypad, I use very few metal keys).
This is really nothing new, though, if you have studied locks at all. All the common keylocks (e.g.: standard house locks, most vehicles, etc.) have a fixed/known set of tumblers, and a fixed/known set of pin codes. When I was more interested in physical lock mechanisms about 18 years ago I had the GM tumbler height elevations pretty well memorized, plus a good stock of blanks and templates. I could look at most GM keys, "read" the code (like 5,4,4,3,1) and then go off and make a key that would work 90% of the time. Same thing for Ford locks. It was fun to move a friend's vehicle in the high school parking lot, but the novelty wore off quickly. This article seems to be the same thing, except rather than having to say something like "cool keychain, can I see it?", you have to take a high-res pic of their key from 300 feet.
Well, would you notice somebody sitting in a car 100ft away, taking a picture at the moment you put your key into the lock? A picture of a key on a table is useless anyway, since you (most likely) don't know what lock it fits with. With a van with a computer and a small key-making tool in the back, you can sit somewhere until the residents come home, take a picture and have the key made by the time the residents go out again and then you can enter without breaking anything.
Of course the camera can be hidden so that nobody would even see a guy in a van taking pictures, just a guy eating a sandwich who could push a button to take the picture unnoticed.
British television broadcasters now routinely blur images of keys for this reason. If you have access to BBC iPlayer, you can see this in action on BBC Three's "Kids Behind Bars". I have seen a number of locations in London with frosted glass privacy screens from mid-thigh to chest height, whose only obvious purpose is to defend against this attack.
If you've ever seen Barry Wels at work, you'll understand that this is anything but a far-fetched attack. Someone is unlikely to burgle a house using this technique, but it's a very practical method for determined attackers against otherwise hardened targets. With the prevalence of master and sub-master keying systems, the leak of a single key could potentially give access to dozens or hundreds of locks. Unlike a leak due to loss or theft of a key, there is no way of knowing of a breach in security until an attack is attempted. That's just about the worst case scenario.
I was going to say, a weekend studying lock picking (which is definitely a fun thing to learn) and you can probably pick open a great majority of the houses out there in very little time...
However, even if not practical, this research is pretty interesting.
The quote "We built our key duplication software system to show people that their keys are not inherently secret" is interesting. Do the public and the authorities have a different attitude when you do this with physical security vs. electronic? Sometimes people have been threatened or even arrested for demonstrating vulnerabilities, as we know.
This reminds me of the story from a few years ago when Diebold got itself in trouble for showing pictures of their voting machine keys online: http://www.bradblog.com/?p=4066#more-4066
This also has me thinking about the "Light Field" story from two days ago. ( http://www.hackerne.ws/item?id=2681554 ) If that technology becomes common, and camera resolutions continue to improve, I bet you could lift people's thumbprints from photos of them waving on Flickr. That sucks if you use a biometric thumb lock like they do in the shared office space I work out of.
Your thumbprint is like a password which you can never change. If your thumbprint appears in a single photo of you ever, there's no locksmith that can help you get that JPEG back from Lulzsec! :-)
Thumbprints are for casual identification, NOT for security. Biometrics are a hash, and like your garage-door opener, millions of people have the same thumbprint biometric as you have.
Wow. It doesn't help that 'blanks' are standard and the number of pins in the lock is knowable. It is a nice piece of work, I expect to see it get re-used on all the cop shows :-)
Handy. So I only need to make a pic of the key, and then send it to an online service, wait a day, and go wild in someone's house/company. Which by the way, won't be covered by insurance because there are no signs of burglary.
I speculate that within another generation or two of fabricators, people will have something trivially useful to plug the data into -- if they are of a mind. (Automated lathes and whatnot being pricier and eventually less common.)
They're still pretty expensive, but arguing you're in a fairly high rent neighborhood with basic security systems (no keypad requirements, but alarms blare if you force a lock or break a window...Is that even a system on the market?) Anyhow, if you've a van, that's a good five thousand dollars at least. Grab a printer, say another 10k...I dunno how many robberies you need to pay that off, but assuming you intend to make a go of this life of crime, being a guy with the key helps a lot.
By default, the key will be hidden inside its case. When the user wishes to open the lock, he can just place the key on the keyhole and start inserting it. :)
Not that this kind of attack is likely unless you leave your keys sitting out in public, but it might be a good case for Lockitron if you're paranoid: https://lockitron.com
As opposed to the standard pin tumbler lock where there's a single row of pins, the pins in this lock surround the key from all sides, therefore the protrusions on the key are also all around it.
[+] [-] slapshot|14 years ago|reply
[+] [-] wlievens|14 years ago|reply
http://imgs.xkcd.com/comics/security.png
Yes, they'll just bean you until you give the key.
[+] [-] baconface|14 years ago|reply
[+] [-] pvarangot|14 years ago|reply
[+] [-] JoeAltmaier|14 years ago|reply
[+] [-] Unseelie|14 years ago|reply
[+] [-] ltamake|14 years ago|reply
[+] [-] brk|14 years ago|reply
[+] [-] roel_v|14 years ago|reply
[+] [-] jdietrich|14 years ago|reply
[+] [-] InclinedPlane|14 years ago|reply
A lock keeps out casual thieves, nothing more.
[+] [-] Homunculiheaded|14 years ago|reply
[+] [-] JoeAltmaier|14 years ago|reply
[+] [-] kmfrk|14 years ago|reply
Get a good lock and a sturdy door frame. It's usually about making it difficult for burglars, not impossible.
[+] [-] code_duck|14 years ago|reply
[+] [-] pittsburgh|14 years ago|reply
[+] [-] JoeAltmaier|14 years ago|reply
[+] [-] nodata|14 years ago|reply
But how do you not show something online? If it can be seen, it can be photographed. If it can be photographed, anyone can put it online.
[+] [-] Hilyin|14 years ago|reply
[+] [-] ChuckMcM|14 years ago|reply
[+] [-] waitwhatwhoa|14 years ago|reply
A similar technology has been commercialized: http://dittokey.com/
Also similar but relatively unrelated: http://eclecti.cc/hardware/physical-keygen-duplicating-house...
These efforts are unaffiliated with the authors but provide a far more tangible result.
[+] [-] Ruudjah|14 years ago|reply
[+] [-] pasbesoin|14 years ago|reply
[+] [-] Unseelie|14 years ago|reply
[+] [-] hammock|14 years ago|reply
[+] [-] tagnu_|14 years ago|reply
[+] [-] bugsy|14 years ago|reply
[+] [-] jarin|14 years ago|reply
[+] [-] trebor|14 years ago|reply
[+] [-] k33l0r|14 years ago|reply
[+] [-] praptak|14 years ago|reply
[+] [-] baconface|14 years ago|reply
[+] [-] ph0rque|14 years ago|reply
[+] [-] Arro|14 years ago|reply
I know you're not responsible for other people's actions, but releasing this story may do more harm than good.
[+] [-] owenmarshall|14 years ago|reply
And even back then, they got it right:
(http://en.wikipedia.org/wiki/Full_disclosure#History)