A computer scientist at the National University of Singapore claims to have demonstrated that recording the sound of a key being inserted into a lock can be sufficient to make working replica keys.
In March 2020, Soundarya Ramesh, a third-year PhD candidate at the National University of Singapore, published a paper [PDF] co-authored by security researcher Harini Ramprasad and Professor Jun Han on the topic of "acoustics-based physical key inference".
"Since March, we have heard back from a security company that was interested in converting our research into a product, and also an amateur lockpicker who wanted to improve upon our initial idea," Ramesh told The Register.
The paper presents "SpiKey, a novel attack that utilizes a smartphone microphone to capture the sound of key insertion/withdrawal to infer the shape of the key, i.e., cut depths (referred to as bittings) that form the 'secret' of the key, solely by the captured acoustic signal."
The software uses the time differences between the clicks produced as the key's ridges push past the lock's pins to infer the distances between those ridges, and hence the cut depths. The theory is that a replica could then be manufactured, for example with a 3D printer.
The researchers explained that the method generally yields several "candidate keys" rather than a single one that fits the pattern, but that for the particular six-pin key type analysed, "SpiKey guarantees reducing more than 94 per cent of keys to less than 10 candidate keys", with three candidates being "the most frequent case".
There are several mitigating factors. Some types of key create "overlapping clicks" that are hard to analyse, so only around 56 per cent of keys are vulnerable. In addition, the software assumes a constant speed of key insertion, which is not the case in the real world, though by recording multiple insertions this might be overcome. Future work might include "other approaches of collecting click sounds such as installing malware on a victim's smartphone or smartwatch, or from door sensors that contain microphones," said the researchers.
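As an added illustration (not code from the paper or from the researchers), the toy model below shows the chain of reasoning described above: click instants are turned into inter-ridge distances under a constant-speed assumption, every quantised ridge layout within an error budget is kept as a candidate key, a recording whose clicks overlap is rejected rather than guessed at, and several recordings made at different speeds are intersected to shrink the candidate set. The key geometry (six ridges on a 2 mm grid, a 1.2 mm error budget), the sample click times, and the assumption that the insertion speed of each recording has been estimated separately are all constructed for this illustration and are not taken from the paper.

```python
"""Toy model of inferring a key's ridge layout from click timing.

Constructed illustration for this article. It is not SpiKey's code, and the
geometry below is a deliberate simplification, not the paper's model.
"""
from itertools import product

# Hypothetical geometry (assumptions, not from the paper):
# - a key blade has RIDGES ridges; adjacent ridges are separated by an
#   integer number of grid units between MIN_GAP and MAX_GAP (inclusive)
# - the insertion speed is constant during one insertion
# - two clicks closer than MIN_SEPARATION seconds overlap in the recording
#   and cannot be told apart
RIDGES = 6
MIN_GAP, MAX_GAP = 1, 4       # grid units between adjacent ridges
UNIT_MM = 2.0                 # one grid unit, in millimetres
MIN_SEPARATION = 0.004        # seconds

TRUE_GAPS = (2, 3, 1, 4, 2)   # the "secret" of the constructed key


def click_times(gaps, speed_mm_s, t0=0.0):
    """Forward model: click instants for a key with the given ridge gaps
    inserted at a constant speed. Used only to construct sample data."""
    times, t = [t0], t0
    for g in gaps:
        t += g * UNIT_MM / speed_mm_s
        times.append(t)
    return times


def overlapping(times):
    """True if any two consecutive clicks are too close to resolve."""
    return any(b - a < MIN_SEPARATION for a, b in zip(times, times[1:]))


def infer_gaps_mm(times, speed_mm_s):
    """Inter-click intervals -> inter-ridge distances, assuming constant speed."""
    return [(b - a) * speed_mm_s for a, b in zip(times, times[1:])]


def candidates(times, speed_mm_s, tol_mm=1.2):
    """Every ridge layout (tuple of gaps in grid units) whose geometry is
    within tol_mm of the inferred distances. tol_mm is an assumed error
    budget for timing jitter and speed estimation."""
    if overlapping(times):
        return set()          # cannot segment the signal: refuse to guess
    per_gap = []
    for d in infer_gaps_mm(times, speed_mm_s):
        ok = [g for g in range(MIN_GAP, MAX_GAP + 1)
              if abs(g * UNIT_MM - d) <= tol_mm]
        per_gap.append(ok)
    # One ambiguous interval doubles the candidate set; two quadruple it.
    return set(product(*per_gap))


def combine(recordings, tol_mm=1.2):
    """Intersect the candidate sets of several recordings of the same key.
    Each recording is (click_times, estimated_speed_mm_s). Speed may differ
    between insertions; constancy is only assumed within one insertion."""
    result = None
    for times, speed in recordings:
        c = candidates(times, speed, tol_mm)
        if not c:             # overlapping clicks: this recording is unusable
            continue
        result = c if result is None else result & c
    return result if result is not None else set()


# Constructed recordings of TRUE_GAPS with timing jitter (seconds).
# Recording 1 at ~100 mm/s: the second interval lands halfway between
# 4 mm and 6 mm, so gaps 2 and 3 both survive for that ridge.
SAMPLE_REC1 = [0.0, 0.041, 0.091, 0.112, 0.191, 0.230]
# Recording 2 at ~200 mm/s: here the fourth interval is the ambiguous one.
SAMPLE_REC2 = [0.0, 0.021, 0.052, 0.062, 0.097, 0.116]
# Recording 3 is a fast insertion whose 2 mm gap produces overlapping clicks.
SAMPLE_REC3 = click_times(TRUE_GAPS, 600.0)


if __name__ == "__main__":
    print("recording 1:", sorted(candidates(SAMPLE_REC1, 100.0)))
    print("recording 2:", sorted(candidates(SAMPLE_REC2, 200.0)))
    print("recording 3 overlapping:", overlapping(SAMPLE_REC3))
    print("combined:", combine([(SAMPLE_REC1, 100.0),
                                (SAMPLE_REC2, 200.0),
                                (SAMPLE_REC3, 600.0)]))
```

Each recording on its own leaves two candidate keys, which is the kind of residual ambiguity the researchers describe; intersecting two recordings taken at different speeds leaves only the true layout, while the fast recording is discarded because its clicks cannot be separated.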
How close does the microphone have to be to the lock for this to work? "Currently, we are investigating short distances at about 10cm from the lock for scenarios such as smart doorbells where an attack seems plausible," Ramesh told us. "At a farther distance, the attack should be feasible with a parabolic microphone, although we've yet to confirm this."
Is it not easier just to pick a lock with traditional tools – alarmingly easy for an expert to accomplish? "We wanted to explore the possibility of a novel attack on physical lock-key systems that can remove human expertise out of the equation, while also keeping the attack completely surreptitious," Ramesh said. "Lock picking, although quite effective on various lock types, still requires meddling with locks and human expertise. Further, lock picking also leaves traces on the lock's interior that can be identified by forensic experts."
While the research is largely theoretical, it is a reminder that sensors combined with software can overturn assumptions about physical security.
If a physical lock can be cracked with a microphone, are digital locks, such as those operated by cloud-controlled security systems, more secure? Ramesh has little patience with the idea. "There is no reason to believe that digital locks provide better security given the number of cyber attacks we witness. While attacks on physical locks require the attacker to be present, digital attacks allow for remote attacks as well, which is quite horrifying. Inspired by the two-factor authentication of the digital world, maybe a combination of both physical and digital locks for our doors can be a safe way forward."
The purpose of the research? "We hope that our work inspires other security researchers and professionals to pay more attention to the security of our door locks," said Ramesh. ®