2013-08-05

Co.Labs

The One Thing We All Thought Un-Hackable Has Just Been Hacked

That’s right--your house keys. You know, those real-life metal objects that never go out of your sight? Coders can compromise them too, as demonstrated by MIT engineers. But paradoxically, this experiment could help us get our sense of security back. Here’s how.



It's not just digital smart home objects anymore: With a little bit of clever coding, every physical key you own can actually be copied without your knowledge. In fact, one of the world’s most secure keys became little more than a speed bump to a duo of hackers who are barely out of their teens.

At the Def Con hackers conference this past weekend, students at the Massachusetts Institute of Technology previewed code they wrote–-and which they plan to release–-that allows anyone to scan and 3-D print high-security lock keys.

To be sure, this isn’t the first time someone has been able to 3-D print working keys. We previously told you about Outbox’s software that lets the company scan a picture of your mailbox key and reproduce it for their “reverse mailmen” to be able to access your mailbox. But those are just mailbox keys--they’re about as secure as a 13-year-old with braces.

But the MIT kids--David Lawrence, 20, and Eric Van Albert, 21--have successfully duplicated high-tech keys to a Schlage Primus lock, arguably the most secure lock people have invented. As Andy Greenberg writes for Forbes:

Schlage’s Primus models are advertised for use in high-security applications: The company’s marketing materials include references to the locks’ use in government facilities, healthcare settings, and detention centers. That security stems in part from Primus’s unique model, which includes two tracks of teeth–one on the top of the key and another on the side, each of which correspond to a separate set of pins in the lock. Even Marc Weber Tobias, one of the world’s most well-known lockpicking experts, has written that he uses Primus locks in his home and for secure evidence storage in his legal practice.

Think about that for a second. Thanks to simple software and 3-D printing, the most secure physical key in the world can soon be copied without problem by anyone with access to that key. And if the most secure key in the world can be copied by simple code, how easy will it be to copy the keys to your house, office, car, or safe? Very.

But you may say, “Well, I’m not going to be dumb enough to give someone my key to scan,” to which I would say: It doesn’t matter. With this software you don’t need the physical key to scan. A picture will do. As one of the hackers, David Lawrence, told Forbes:

All you need is a friend that works there, or to take a picture of their key, or even a picture of the key hanging off their belt. Pirating keys is becoming like pirating movies. Someone still has to get the information in the first place, but then everyone can get a copy...Our message is that you can do this for any high-security key. It didn’t take that much work. In the future there will be models available online for almost any kind of key you’re looking for.

Now, before the world freaks out and we go back to securing our homes with moats and drawbridges, I’d like to point out that the wonderful thing about software is that, though it can cause problems (which, in this case, it very definitely is a problem), it is also often the solution to those problems as well.

We all know software has enabled us to make our once tangible things intangible (DVDs became streaming video, CDs became MP3s, physical books became e-books). And though most of the things I’ve just listed are recreational objects, that doesn’t mean software is limited to just creating digital things of stuff that keeps us entertained.

The time and technology is now ripe for software to make the physical key–and keyhole–obsolete.

“But how would I get in my house without a key?” my friend asked me when I told him I was writing this story.

“Your phone, of course.”

Using your phone as the key to your home or office isn’t some fanciful far-in-the-future tech. Two companies–-Lockitron and Kwikset–-offer brilliant solutions to turn your old-fashioned locks from a device that requires physical key access to a device that requires only software key access. These solutions work via near-field communications, such as Bluetooth and Wi-Fi, that are built into your phone and use bank-level security encryption to make door locks levels of magnitude more secure. Throw an added layer of biometrics support–-as the next iPhone is rumored to contain–-into the mix and a software key could offer more security redundancies than even the most advanced physical key, which, as the hackers from MIT have proven, don’t hold up so well in the digital age.

Software and 3-D printing created this problem and only software will solve it. After all, if your door doesn’t have a keyhole, it doesn’t matter how many 3-D-printed keys a thief has-–it’s not opening.

[Image: Flickr user Lindsey Turner]




Add New Comment

14 Comments

  • Albert Folch

    Software locks are vulnerable to hackers and viruses if they are online and require electricity (what would happen in New York during another power outage?). The proposed solution is not new -- hotels have been using it for ages, except they use a card instead of a phone. Some people here have suggested a low-tech solution to protect the key from being imaged with a plastic hoodie, but that does not protect the key from being copied when its owner is not nearby. I think a smarter solution would be to design a key with rotating gears or knobs, which create a certain shape of the teeth based on a combination of movements known only to its owner. This solution does not require any electricity and is based on an unbreakable code because the shape is only activated inside the lock, so it can't be photographed (the user would have to hide the motions that activate the knobs/gears if he or she was suspecting any surveillance).

  • Patrick Breshon

    yeah break it off in the keyhole.... why would you be stupid enough to LEAVE THE KEY IN THE KEYHOLE WHERE ANYONE COULD REMOVE IT AND MAKE WORKING COPIES (and yes I have done just that numerous times... you moron)

  • healingshoes

    lol.
    just get a 30 dollar keypad lock.
    I can't believe people still use old school keyhole tumbler locks.
    most keypads do have a keyhole and a key but you just leave it at home, OR break the key off in the lock. voila. no hole. lol.

  • J_Lillz5

    People have been coming up with ways to copy keys for as long as people have been making locks.

  • qvoraw

    Ah.... bank-level security encryption.   I feel safer already.   Biometrics.   Yep.   If it can be stored digitally, seems it is a vulnerability waiting for the proper exploiter.   Of course, when the batteries go on that fancy electronic lock, whatcha going to do?   Hmmm... one does ponder.

  • BlaBla

    Software to get into my house?  And software can't be hacked, can it?  Nope, not at all.

    Easier to envision:  My phone died - I can't get in the door!  The power's out - I can't get in the door!  The battery back up to the door died and the power is out and the cell phone is dead and  while I charged it up again after 10 minutes, the cell tower is out and I have no coverage!

    I could go on for about 20 or so more minutes, but I think I got my point across.

  • not_commenting

    Am I missing something here?  I don't think physical keys are obsolete.

    Can't you just put something like a sword's sheath on your keys to hide the details?  A simple piece of plastic that would cost very little to make.  You could remove the sheath, use your key, and then re-sheath the key.  The opportunity for a photo of the key would be greatly minimized. Or maybe since we spend so much money on iPad and phone cases anyways, we could add further a sturdy case or "lock" for your sheathed keys.  The case could incorporate something high tech like a fingerprint scanner (ala Apple upcoming iPhone?) or even a low tech briefcase combination lock to protect your keys from plain view.  The defences are limitless, in fact now that I think about it, the sheath could just be part of the key and retracts with the key inserted into the keyhole.  For the majority of us this could be more than enough to restore the physical key's current integrity.  

    Seems like a very high tech problem that can be circumvented with quite a low tech approach of just covering the details of the key?  Digital locks need electricity to operate, same with the smartphones to open the digital lock and that makes me feel less secure about it.  I don't want to have to charge up my phone in order to get home.  Even cars with keyless entry still have a physical key backup.  Cars....maybe just add a key immobilizer to our door locks.... 

  • Ibrar

    Really? Are we actually evangelising the use of a purely digital lock over a physical one?

  • nathan burley

    Really? Are we actually evangelising the use of a purely digital lock over a physical one? I agree that apparently the physical key is no longer a mechanism by which things can be secured, but it would seem that anything digital these days is far less secure; If companies like Sony and Microsoft, with their incredible security expenditure cannot provide seamless security for networks like Playstation and Xbox then it seems pretty unlikely that a digital NFC based security key won't be compromised at some point too. For example, since most smart phones are currently without any kind of virus protection at all, what's to stop a rather determined hacked from sending you a virus via email, bluetooth, text or heck most ironically, NFC, and then robbing your key?
     

  • hill

    Interesting that another article on this site details how easy it is for hackers to siphon information off your smart phone using devices and software readily available. So how is Smartphone as Key any better?

  • Le_Post_Monkey

    The problem I see with both solutions you've posted here is that they still use a physical key as a last resort.  So one could go through all the expense of installing either of these and still be at the mercy of a lock pick.

    I haven't been able to determine if the Kwikset allows you to disable the physical key altogether, but if it can, that's the one for me.