Duplicating keys from a photograph

Screenshot of Sneakey software that calculates the dimensions of keys in photos for duplicating them.

(Credit: Ben Laxton)

Nowadays you don't need a locksmith or even lock-picking tools to get past a locked door without a key--you can do it using software, a photograph of the key, and a key-cutting machine.

Researchers from the University of California at San Diego have developed software called "Sneakey" that enables anyone to make duplicates of keys without needing a sample key.

At the Association for Computing Machinery's Conference on Computer and Communications Security three weeks ago, the researchers demonstrated the system using photographs from Flickr and photos taken as far away as 200 feet using a high-powered telephoto lens, according to an article in Scientific American.

"There is a five-digit number that represents all of the information in a standard key," said UC San Diego computer science professor Stefan Savage. "You type that code into a key-cutting machine and it makes a perfect replica."

Savage supervised the research conducted by graduate students Kai Wang and Ben Laxton. The software analyzes a photograph of a key and calculates the dimensions of the key's grooves, known as the "bitting." The system works best with keys made from common brands.

Savage said he does not plan on commercializing the technology.

At the Defcon hacker conference in August researchers discussed how they were able to duplicate keys to high-security locks by making a photocopied image of the key and then transferring that image onto a plastic sheet and cutting the shape out.

[karpenterskids]

Wowww...yeah, I'd be scared if they released this commercially.

Any criminal out there could get ahold of it and use it to their advantage...heck, getting photos of someone's house/car keys isn't too hard...I'm sure they'd find a way.

[Spimby]

Interesting concept, but completely impractical. Key bumping accomplishes the same thing for about $1 and doesn't require anything from the original key...not even a photograph.

These types of locks are completely insecure and big money will flow to the lock maker that devises an inexpensive and effective solution to the bumping problem.

[JBSimmons]

The FTC would file suit to prohibit such mechanical copying (without an actual key or code) to duplicate it in software. Key copying is protected by state laws. One must already have a key or key code to get a key made, in the simplest of terms. Let's look where this might take us. What about the 4 sided security keys used in safes? The 4 sided ciruclar twisted key? What about the circular security key used in Kensington locks? As one already knows from going to the hardware store to do it, there are a huge number of blank styles to cut from. Then there's the progression to more complicated keys if it this were commercialized. Somebody is bound to do it sometime. This is certainly a process that deserves a patent. I hope they have done their homework in that area prior to public release.

In most states, locksmiths have to be licensed by the state, and in order to bypass/break a lock, even with the owner present of the lock, be it safe or house, requires 2 pieces of ID and often local law enforcement presence. It's a different situation in getting access to a safe. I have a 4 sided key and a digital combo lock. I can unlock the safe via the digital code, but it's the turn of key that's required to move the bolts holding the door closed. My 4 sided key has a different key code for each side of the key. The more expensive the safe, the better the security layering and types.

Getting a duplicate special key to a safe if you lost yours requires safe S/N, and S/N on a notarized letter to the safe company at the minimum. If you don't have your key S/N (the company knows the key codes if you have the safe S/N), it requires additional legal steps to get into your safe. Law enforcement is concerned that the safe is YOURS. A law enforcement report must be submitted with the notarized letter if a local locksmith is NOT requested and the safe is an expensive one. Often, on expensive safes (> $250), the key is mailed to a certified locksmith or law enforcement or you (depending on state law). Either the locksmith or law enforcement will be present when your safe is opened and before they open it, you have to describe the contents in it in detail to prove you own it. I just went through this nonsense. The more expensive the safe, the more complicated the key, if it is keyed. It does serve a purpose.

I could use my manual bypass unlocker bar, but it requires the disassembly (and possible destruction) and detachment of the digital lock and/or biometric reader to expose the hole to insert the bypass bar to open the door. Some door bolts are motorized and all you need is the security pad code. Mine is higher security and requires a 4 sided key to move the bolts in addition to the security pad moving just the unlock pins. It's less wear and tear on the batteries. A 4 sided key with different key codes for each side is very time consuming for a locksmith to make. Not to mention the costs that may exceed the cost of the safe itself the faster access is required. I don't trust biometric finger slide readers yet.

Software will make it easier to duplicate keys for which an actual key can't be produced, but laws have been put in place to not make this an easy task. That's why this project was closely supervised. The making of a key other than by having an actual physical one to duplicate breaks the law. Software to provide where to make the cuts in a blank without a physical key is not - yet. Physical lock picking requires a state license for most states. Lock picking by software - when I think of that phrase, I think of the RFID cards and the recent cloning of the subway fare cards issue.

A good licensed locksmith can open just about any lock except the high security ones like the 4 sided twisted with 4 different keycodes for each side. I don't know what they do with the circular/keyed Kensington types. And obviously you can forget those keys marked "DO NOT DUPLICATE". stamped on them. The software should have an OCR module to look for any part of on a key as well.

It's digital "situation" would be similar to the keylogger suit filed by the FTC 11/15/2008. The laws for mechanical and physical solutions is already in place. Adding software to do just that is pushing the frontiers a bit. It's an unusual move - taking a picture of a key. This is normally not done, but a novel idea.