We’ve all seen that moment on TV where someone surreptitiously gets hold of another character’s keys, presses one into a bit of putty, puts the keys back where they belong and heads off to make a copy. Whether it’s in a cop show or one of those 80’s private investigator dramas, the old pressed key trick is a familiar trope. The approach, it turns out, is dated. Copying a metal key has become much easier.
Today, all an adversary needs is a decent photo to make a working duplicate. Unfortunately, photos of important keys have a way of showing up in news stories. People can take those photos, make copies and use them to everyone’s detriment. Fortunately, a bunch of new startups have come along that offer alternatives to metal keys.
We should know better than to publish photos of real keys. In 2008, UC-San Diego researchers showed that keys could be reproduced from pictures, even grainy ones. For their experiment, the researchers used a shot at a distance and enlarged it.
The research team, led by Prof. Benjamin Laxton, wrote in its conclusion, “The increasing resolution of commodity imaging sensors coupled with existing computer vision techniques has made it entirely feasible to duplicate someone’s keys without ever touching them—perhaps without even being able to see them with the unaided eye.”
So it might not be such a great idea to carry keys on a belt or even to leave them out on a desk or table that might be visible from a window. And it’s also not a great idea for reporters to show high quality images of real keys in stories about consumer security vulnerabilities. With the help of multiple security experts and hackers on Twitter, the Observer was able to turn up three stories that both included clear photos of keys and all identified which locks they open. Since all three cover master keys, they opened a lot of locks.
In the screenshots shown below, the key cuts have been smudged in order to not repeat the mistake of the outlets that originally shared them. The photos appeared unaltered in each original report.
One Gas Pump Key Lets Thieves Steal Your ID
NBC Bay Area, November 2012
In a story about credit card skimmers installed into gas pumps, NBC Bay Area explains that the master key system that makes the credit card panel on most gas pumps accessible has been long compromised scammers. In an effort to advocate for consumers, the reporter complains that many gas station owners have knowingly not bothered to replace the locks, while simultaneously making it easy for many more adversaries to exploit the pumps’ weak security.
While an unaltered version of the image above sits on the screen for easy screencapping, the reporter, Vicky Nguyen, explains that it is the very key that opens the credit card panel of pumps across the country, saying, “This universal gas pump key is making it even easier for thieves to install these skimmers.”
She goes on, brandishing the key, and says, “That’s right, one key opens the majority of gas station pumps. Like this one, in San Jose…” then she proceeds to open three pumps at three different gas stations. The key is shown twice in the video, first at 1:12 and at a slightly different angle at 1:51.
Ms. Nguyen was not available yesterday for comment.
The secret life of baggage: Where does your luggage go at the airport?
The Washington Post, November 2014.
This story showed a photo of the Transportation Security Administration’s luggage master keys, for opening all TSA-approved baggage for inspection. Anyone with a copy of such keys could open much of the world’s locked bags. The present version of the story does not include a photo of the keys, but Wired reports the photo was removed after security concerns of posting it became clear. The photos are still up in an online reprint of the story on the website of The Everett Herald.
An AP travel writer has also posted a photo of the keys via Twitter.
Since then, files for reproducing the TSA’s master keys have been available on Github for anyone that would like to reproduce them, as Wired previously reported. Or, a person can just do it by hand, like so:
“I don’t know much about the photos that accompany my stories,” the story’s writer, transportation reporter Ashley Halsey, wrote the Observer in an email.
The TSA was not available for comment on whether or not the master keys have been updated.
The $8 key that can open New York City to terrorists
New York Post, September 2015.
This story reports on a New Jersey lock company that was selling copies of the key that emergency personnel around the city carry to get into elevators and construction sites. It reported that the key shown is the same key for sale. Since publishing the photo, malicious actors with a bit of know-how wouldn’t even need the paper trail of ordering from Ebay to get the key. They could just make it at home.
The story’s author, Susan Edelman, was not available for comment yesterday.
A keyless world
Electronic entry systems work without keys, as we know them. While these systems no doubt introduce new vulnerabilities, at least those haven’t been known to everyone on the internet since 2008.
(In fact, the general insecurity of master key systems has been known since at least 2003)
Several startups have entered the cloud-connected, mobile-enabled hardware space. Kisi and Kiwi are two German startups making major inroads in the New York tech scene and the City of Berlin, respectively, as the Observer previously reported. There’s also Lockitron and Proxce (for hotels).
Which one takes the best approach to keeping what’s been bolted truly secure? We’ll open that question up for you once we’ve locked down an answer.