October 31, 2008 5:51 AM PDT

Duplicating keys via distant digital images

by Candace Lombardi

Beware of flashing your keys in public.

Computer scientists at the University of California at San Diego have developed software that can make a duplicate of a key from just a distant photo of it using technology available to almost anyone.

Referred to as Sneakey, the system is capable of "teleduplication--extracting a key's complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates," according to Sneakey's Web site.

Part of the project's mission is to make people realize that traditional keys are not really as safe as they might think. Relatively modest technology is now capable of the imaging and computer vision algorithms necessary to duplicate an image precisely, according to the group.

To illustrate the point, they photographed a set of keys they casually placed on the table at a cafe from about 195 feet away using a telephoto lens. From that image (shown), they were able to extract enough data to duplicate the keys on the ring perfectly.

The group was able to duplicate keys from a set photographed at about 195 feet away.

(Credit: University of California at San Diego)

It gets worse. The group's software was also capable of extracting enough visual data to make a duplicate key from an image taken by a cell phone camera.

Not only that, but the keys photographed do not even have to be in profile. Sneakey's software can determine a key's bitting code--its series of unique cuts--from nearly any angle.

Stefan Savage, the computer science professor at UC San Diego's Jacobs School of Engineering who led the project, presented his group's work Thursday at the ACM Conference on Communications and Computer Security in Alexandria, Va.

"There are experts who have been able to copy keys by hand from high-resolution photographs for some time. However, we argue that the threat has turned a corner--cheap image sensors have made digital cameras pervasive and basic computer vision techniques can automatically extract a key's information without requiring any expertise," Savage said in a statement.

While the group is not planning to publicly release the code, it inferred in the project statement that anyone with a basic competence in MatLab, a technical computing language and environment from MathWorks, would be able to duplicate its efforts.

Candace Lombardi is a journalist who divides her time between the U.S. and the U.K. Whether it's cars, robots, personal gadgets, or industrial machines, she enjoys examining the moving parts that keep our world rotating. Email her at CandaceLombardi@gmail.com. She is a member of the CNET Blog Network and is not a current employee of CNET.
by reidme314 October 31, 2008 6:25 AM PDT
Ironically, if you go to the MatLab site, the first bullet point in their description of the software is "Introduction and Key Features".
by alegr October 31, 2008 9:16 AM PDT
That's almost like a Russian joke: a "Seks for dummies" book. First chapter title: "Введение" (Introduction, but sounds for Russians the same as "introitus").
by cyberDJ-2038765336053745013836 October 31, 2008 7:25 AM PDT
Candace...

What about car keys? They aren't cut the same way residential keys are.
Can this SneaKey dupe those?

This technology proves that residential/commercial locks need to catch up with the automotive locks.
by The_Computer_Man October 31, 2008 11:15 AM PDT
Usually car keys are also "chipped" which is why you have to go to the dealer to get one made and they are often quite expensive. Actually duplicating the key is only half of the puzzle, the other half is matching the chip so I would have to say that there is little threat there. Though that's just my 2 cents worth.
by Lerianis October 31, 2008 12:07 PM PDT
Don't believe it, The_Computer_Man. There have ALREADY been cases of Hondas that have those chips embedded in their keys being damaged so that the chip doesn't work and it still works in the engine. Let's face facts: would you REALLY want to have an easily damaged chip and leave your customer on the side of the road? I don't think so.
There have also been verified reports of criminals being able to duplicate the chips and stealing cars that way.
by Syndrical.One October 31, 2008 7:28 AM PDT
This is no good at all.
Why would you develop something like this?

"There are experts who have been able to copy keys by hand from high-resolution photographs for some time."

That doesn't matter!
With this software they're enabling the everyday hoodlum with the ability to almost break into anyone's home.

No good at all.
by mouserider October 31, 2008 9:12 AM PDT
I believe the point of the research was to show that with the technology we have today, it can be quite easily done and the lock industry needs to start waking up to the smell of this new coffee.

There have been several articles that have reported the alleged reluctance of traditional lock-and-bolt manufacturers to adopt and adapt to the equivalent of "Zero-day" exercises.

To their defense, it is much easier to patch a few million copies of software than it is to replace a few million physical locks but the question remains... Is ignorance bliss?
by Lerianis October 31, 2008 12:08 PM PDT
The best kind of lock is one with a physical and electronic component, like they have in cars today. However, those cars ALSO have to have a way to disable that electronic component or override it so that if the chip in the key gets damaged, the person in question can still drive their car.
by nutso101 October 31, 2008 7:50 AM PDT
To avoid the problem of keys, we should just use thumb print readers instead!
by t26l October 31, 2008 10:52 AM PDT
Imagine the number of kids dying to break the thumb reader as a prank. Boom! You no longer have access to your house.
by Lerianis October 31, 2008 12:09 PM PDT
t26l.... I've NEVER seen a kid that would do that as a prank, all my life. I've never even seen the kid who will stick a metal pin in the door, jam it, and you can't get into your home.... too easy to get caught.
by rdrr_s October 31, 2008 8:05 AM PDT
"While the group is not planning to publicly release the code, it inferred in the project statement that anyone with a basic competence in MatLab, a technical computing language and environment from MathWorks, would be able to duplicate its efforts."

Inferring is something that you do. Implying is something that they do. Just because it is CNet, doesn't mean it doesn't matter.
by tek-ed October 31, 2008 8:59 AM PDT
Uh...this is a moot point...So what if you can duplicate someone's keys? This isn't necessary.
Here, do yourself a favor (or not) and google the term "bump key" and prepare to be totally depressed. This technique has been around for well over 50 years and it has been held as a secret as best as it can with the web and all...but recently it has made headlines...
Keys are no longer the security factor we have accepted for years (centuries?)
With no more than a blank key anyone can purchase at *ANY* hardware store and a triangle file, I can make a key that will open *ANY* keyed lock! *ANY* (unless you spend the money for one of those "bumpkey resistant" locks....but they go for almost a thousand dollars...
So yeah...someone makes a picture of a key, then uses some kind of cad-cam software to machine the key using thousands of dollars of equipment to do so, or spend $1.98 for a key blank and another 2 bucks for a file (or if you give the key maker a healthy tip, you may be able to convince the keymaker to make a key that is all "9s"...look it up)
Ha...this is really funny...technology making it harder to do something....
Ed
web/gadget guru
by mouserider October 31, 2008 9:15 AM PDT
You are totally right but here's one possible reason for doing this versus using a bumpkey...

If you're caught with a bumpkey, there will be questions, but if you're caught with a real key, who's to say you shouldn't be in the room?
by TV James October 31, 2008 9:26 AM PDT
We're just lucky that this is being exposed first by a research lab. Because you know if it's being researched in public, it's being researched in private as well.

@tek-ed - Yeah, the technology required costs thousands of dollars now, but as the price of 3D printers drop, this will become easier and easier.
by tek-ed October 31, 2008 10:04 AM PDT
@TV James
Sure...the barrier to entry for duplicating keys from remote distances will become less of a deterrent as the associated costs go down...But then there's the skill with MatLab and the "competence of a technical programming language" that most snatch-and-grab criminals will not want to spend time learning. Yet, anyone can go online and for $9 get a set of the most popular (Kwikset, Schlage, Master, etc.) or for $30 get a bumpkey for almost every type of lock. And at that price, it's cheap to use the key then throw it away afterwards...no need to "get caught" with the bumpkey. Average criminals (the kind we all want to protect ourselves from) do not use technology to circumvent security systems. Their technique is get in quick, take what you can and get out. And most is *NOT* premeditated. Most robberies are crimes of convenience. There is little planning and most likely a brick or other hard projectile is involved.
So, this means that there is a very real possibility of a criminal using a bumpkey to gain entry to your home/car/office as opposed to some nerd on a covert reconnaissance mission to photograph your keys without your knowledge and then spend the time and money to make a perfect copy...nah...only in movies...too inconvenient and too costly in man and money.
And as for electronic keypad or bio fingerprint locks...The ones available to the public always have a key over-ride. Meaning that there is always a key in case the electronic mechanism fails. An affordable lock is made by Black and Decker and resold by Kwikset (about $190 on the street) it's quite nice with an auto lock feature (the system will automatically lock the deadbolt after a programmed period of time has elapsed). But as you can see from this site, it clearly has a keyed lock on it. Making this convenient, but not secure:
http://www.bestkeylesslocks.com/smartscan-biolock-video.html
I suppose you can superglue a keyblank into the lock and break the key off inside the lock to prevent picking and bumpkeys...but you had better have an alternate means of entry...in case the electronic lock fails for whatever reason!
And hey, don't even get me started on home alarm systems!
Ed
web/gadget guru
by inachu October 31, 2008 9:40 AM PDT
Also for those who own cars or trucks with pass code entry then should know they all have a default admin pass code lest you forget and that is out in the wild as well.
by t26l October 31, 2008 11:01 AM PDT
The really funny part of passcode car entry systems. Most (all I have come across, which admittedly isn't a huge number) do not reset on a bad passcode. Press the buttons randomly and sooner or later you will get the right sequence, as it will not reset after the expected # of keypresses.

Max time to bypass a passcode system (so far): 10 seconds. Sometimes you get the doors first, sometimes the truck. Either way, you're in.

Bet that extra $500 for those passcode buttons aren't sounding so cool anymore, eh?
by calix8 October 31, 2008 9:48 AM PDT
Ironically, this is totally superfluous. Google "key bumping" to see why. Which do you think a thief is more likely to do -- photo your key, run the software, cut the key -- or simply bump your lock?
by mfisher911 October 31, 2008 2:12 PM PDT
Hopefully Lowe's licenses this software, as they have failed on two occasions to duplicate the key that I've personally handed them.
by manualfunky November 1, 2008 6:32 PM PDT
funny how websites always advertise way for people to do stuff they should be doing... nice work guys.. why don't you put up pictures of key site around the world that a carefully placed bomb would have the most impact? oh wait... Australian newspapers already did that a few years ago...
by askj113 November 1, 2008 11:33 PM PDT
A) You're somehow trying to link cnet to some unrelated occurrence and
B) By reporting on this, people realize how easy it is for their locks to be picked. If someone is tech-skilled enough to do this, I doubt if they're going to find out from a mainstream technews site
by Fil0403 November 2, 2008 2:30 AM PST
@ askj113:

A) You're somehow trying to excuse CNET from related occurrence and
B) by reporting on this, anyone gets to know that it is possible to make duplicates of keys from low-resolution photos, fact. If someone is tech-skilled enough to do this, you bet they get to know it from somewhere and that somewhere may very well be CNET.

P. S.: That does not mean I do not think people should be aware of it, because I do.
by Fil0403 November 2, 2008 2:32 AM PST
Yeah, it's really easy: you just have to get a photo from several angles of the same key (if not, then make the experiment with a different picture than the one shown here, which obviously has the same key from many different angles), know Matlab, and have a key-making machine. I'm scared. Couldn't be easier.
About Planetary Gear

In a software-driven world, it's easy to forget about the nuts and bolts. Whether it's cars, robots, personal gadgetry or industrial machines, Candace Lombardi examines the moving parts that keep our world rotating in her blog, Planetary Gear. A journalist who divides her time between the US and the UK, Lombardi has written for the sites of The New York Times, CNET, USA Today, MSN, ZDNet, Silicon.com and Gamespot. Email her at CandaceLombardi@gmail.com. She is a member of the CNET Blog Network and is not a current employee of CNET.