120

My friend just posted a picture of her key to instagram and it occurred to me that with such a high res photo, the dimensions of the key could easily be worked out. Therefore the key could be duplicated. What's to stop someone malicious from abusing this?

Gilles 'SO- stop being evil'
personjerry
  • 87
    "What's to stop someone malicious from abusing this": Do not post a picture of your key to Instagram. Related: http://www.telegraph.co.uk/news/newstopics/howaboutthat/3375872/Software-can-clone-keys-from-single-photo.html – Jukka Suomela May 18 '14 at 21:22
  • 54
    What stops someone from creating a key the old-school way with a blank key and a file, just like locksmiths have done for centuries? – Philipp May 18 '14 at 23:46
  • 5
    Also, I would dare to say that any lock which has a key which can be recreated from a photo can be picked anyway. Picking most purely-mechanical locks is surprisingly easy when you have the right tools and know how to use them. – Philipp May 18 '14 at 23:50
  • 16
    Just to add to this. Most of the more common house locks (at least in the US) have standard dimensions for the patterns on the keys. This means that your picture doesn't need to be very accurate to recreate. You just need to know what dimension it is closest to. http://www.labpins.com/images/kwikset_bitting.jpg – David Houde May 19 '14 at 00:23
  • 7
    @Philipp: I like odd machinery. For fun I bought a key cutting machine on Craigslist for fifty bucks, and it came with a few hundred key blanks. Simple key cutting machines are cheap; you don't need fancy equipment like 3d printers to make keys, and you don't need primitive equipment like files either. – Eric Lippert May 19 '14 at 03:07
  • 15
    Summarizing and agreeing with everyone else's answers: The problem is the photo of the key, not which of multiple possible approaches could be taken to produce a key from the photo. DON'T DO THAT. – keshlam May 19 '14 at 03:37
  • 1
    @EricLippert different manufacturers require different side grooves but those can be gotten from either the lock you are trying to break or from the key you are trying to copy – ratchet freak May 19 '14 at 08:03
  • @Philipp And [bump keys](http://en.wikipedia.org/wiki/Lock_bumping) make "the right tools" incredibly cheap and easy to acquire and "knowing how to use them" a non-issue. – Doval May 19 '14 at 11:35
  • 2
    Why would you 3D print when you can simply cut the shape in a plastic card: http://www.wired.com/2008/08/medeco-locks-cr/ Also see this presentation at Defcon 16 (2008): http://youtu.be/iOIRZnafgQk?t=1h15m30s – alecail May 19 '14 at 13:56
  • 3
    [Already been done.](http://boingboing.net/2007/01/25/diebold-voting-machi.html) – Tim S. May 19 '14 at 14:16
  • Even without a 3d-printer, such a photo could be used as a template to file a key... a 3d-printer just makes the job a bit easier. IMHO making prototypes for keys and locks are just such things 3d-printing would be perfect for. Who is to stop illegal use of keys you print? The police hopefully! It's not the printing of keys that is the problem, but using it to gain illegal access. – Baard Kopperud May 19 '14 at 14:36
  • http://vision.ucsd.edu/~blaxton/sneakey.html is another example – exussum May 19 '14 at 16:33
  • *"What's to stop someone from 3D print cloning a key?"* Stop using mechanical keys. – Adam Davis May 20 '14 at 15:13
  • 3
    There's a reason [Jeff Atwood pixelates his keys on his utility belt photos](http://blog.codinghorror.com/updating-your-utility-belt/). – mikołak May 21 '14 at 06:38
  • 1
    A key lock, in one sense, is just a combination lock and the hills and valleys in the key are the combination. If someone has a reference to that combination and knows what lock it goes to, then they can manufacture a key by various means. – TecBrat May 22 '14 at 10:33
  • 1
    In China, some secure keys have a magnet in the key and its place can't be seen, while the lock will identify the position of the magnet. – Zhuo.M May 23 '14 at 07:07
  • I could cut the key from a blank based on the picture by hand. – Kaz May 25 '14 at 18:08
  • 1
    This doesn't seem to have anything at all to do with IT security. – psusi May 25 '14 at 23:09
  • Well, my keys do not just have "teeth" but also little holes bored in all kinds of places, and a magnetic coding (several small rare-earth magnets placed somewhere inside). I'd like to believe that _this_ will prevent someone from 3D printing the key (at least, a functional copy) – Damon May 26 '14 at 18:48
  • psusi - but this site is for Information Security, not just IT Security. This is definitely on-topic here. – Rory Alsop Jun 05 '14 at 10:12

11 Answers

130

The simple answer is: nothing.

This has already been done for many years, with keys being cast or created from blanks using hand drawn copies, photographs, remembered shapes etc all being successfully used, both by locksmiths and criminals.

A 3D printed key will do just as well, if strong enough, or it could be used to cast a key if necessary, or as pointed out by @EkriirkE - you could use a torque bar to turn the barrel.

You should not ever post pictures of keys to a public site, unless it is for something unimportant.

Rory Alsop
  • 55
    This is not just a problem since 3d printing. Recreating a key from a photo is something every locksmith can do the old-school way with a blank-key and a metal file. – Philipp May 18 '14 at 23:48
  • 3
    Strength really isn't an issue as you can just use a torque bar to turn the barrel, having the 3d printed – EkriirkE May 19 '14 at 06:05
  • Updated to incorporate EkriirkE's comment, and to clarify for Philipp that I had already included the alternative ways to create keys. – Rory Alsop May 19 '14 at 10:56
  • 13
    I once had a locksmith re-tool a key by putting a blank in the lock and torquing it enough to get an impression on it, and then filing it accordingly. Obviously, a photograph just makes it that much easier. The only limitation I can think of with the 3d printer would be resolution, but that might not even be an issue now. – TecBrat May 19 '14 at 14:03
  • IMHO, stuff like making keys (and locks) is exactly such things 3d-printing would be perfect for. – Baard Kopperud May 19 '14 at 14:33
  • 11
    A notable example is [the time Diebold posted a photo of the key that opens their voting machines](http://spiralbound.net/blog/2007/01/25/diebold-voting-machine-key-copied-from-photo/) (although 3D-printing wasn't involved; just some blank keys and a file). – cjm May 20 '14 at 06:02
  • I don't understand how that would work @TecBrat. (The standard type of) locks do not have a hole shaped like the key that the key 'turns into'. They use pins which are moved up and down by the key to the right set of heights. How would an impression of the correct key be left on the blank? –  May 22 '14 at 10:20
  • I have no idea, but I watched him do it. He put in his blank, twisted it left and right a few times, then filed it some, put it back in... until it worked. (This was the door of an old Dodge Omni) – TecBrat May 22 '14 at 10:27
  • Oh ok @TecBrat. It doesn't chime with what I know about standard house keys, but I know nothing about car locks. –  May 22 '14 at 14:23
  • 5
    @jwg: Actually manipulation based impressioning works just fine with standard pin locks. The important concept is that trying to twist the key while the pins are not aligned with the shear line causes torque on the pin (a.k.a. binding). That torque can make the pin rub against the "top" of the key, leaving a small mark. If the pin is right at the shear line, it does not bind, but twists slightly out of place, much like when you turn a key that fits except to a lesser degree because the other pins are not yet aligned, and therefore leaves no mark. Once all pins stop leaving marks, the key works. – Kevin Cathcart May 22 '14 at 19:57
  • For the most part, keys & locks are not meaningful barriers to even a casual attacker. At best it means the amateur attacker leaves evidence they accessed what was locked, and if someone is watching they might suspect the attacker lacks a key. Unless we are talking about an unusually high security key... – Yakk May 26 '14 at 20:22
  • Maybe it was her public key? ^^ – Mark Mar 14 '17 at 13:18
89

As the guys previously said, nothing!

Even more, I've been working on such a project myself at the university! (albeit I don't say this as an official target, of course)

I am trying to duplicate a key from a single photo, with some assumptions to make it a realistic problem such as having a coin of a known size next to it for size calibration and rotation, almost symmetry between the two sides of the key etc.

My target is to automate the whole process, i.e. you take a single photo and an app will detect the outline of the key and the grooves inside it (which is a really difficult problem since it's a reflective field) then construct a 3D model ready to be printed.

I have uploaded some videos of my progress if you're interested to know how things went so far :)

Extracting a key from photo

Rendering a key

Rendering of a key with its grooves!

This is the outcome 3D printed key in lock

There have been a couple of research projects about this in the States and Thailand, but: 1) the States': you take a photo and point out the points of interest 2) Thailand's: a reconstruction from a video-stream of the key. Meaning that none is absolutely automatic, but they're still good nonetheless.

I have also found an app for iDevices in which you can take a photo of the key and send it to a company which will then duplicate it and send it back. I have always laughed at this and said: yeah, the mailman will knock on your door and if you're not home he'll simply enter the house, put the key and leave with everything else.

geo1302
  • 7
    In regards to your project: There's a relatively small number of keyways in play - you might try matching the non-milled area of the photographs against the known types of blanks. If you can match it using the proportions, you could avoid needing an object in frame for sizing comparison. Once you know what blank is needed, your image processing can focus on figuring out the cut for the key in question (there's usually only a few possible depths for each position), then model that ideal key and print it. – Michael Kohne May 19 '14 at 20:42
  • I don't get why this isn't the top rated answer. You provide even a working example, this is really great work! – Tokk May 25 '14 at 13:25
  • Someone can go one step further and automate the process of getting the photo. Now everyone has a good reason to be cautious about the drones around when they are returning home... – user23013 Jun 19 '16 at 02:10
43

Absolutely nothing.

On one occasion, a convicted killer in Australia actually duplicated a master key of his own prison cell just by looking at the physical keys carried by the guards.

He successfully escaped from prison and was on the run for 12 days before being captured.

So if a prisoner with only raw metal and a good memory can copy a key, I think that an actual photograph and a 3d printer would work flawlessly.

Every single day when "locking up my house" before leaving for work, I chuckle at how pointlessly stupid the whole practice of "keeping things under lock and key" is in this day and age of technological expanse.

darkAsPitch
  • 1
    Agreed that most locks are just security theatre! However, you might want to check out what the Italians often do with locks, it is eye opening. – Julian Knight May 19 '14 at 13:18
  • 12
    @JulianKnight don't leave me hanging like that! – darkAsPitch May 19 '14 at 23:02
  • 4
    I chuckle at how ridiculously easy it is to knock a door in. I'm not exactly a big guy, but I locked my keys in the house once and it only took one strong hit to open the door. Sure, I had to fix the door casing but seriously, if I'm a burglar, what does that matter? – NotMe May 20 '14 at 00:22
  • @ChrisLively: get a stronger door. It's not that hard to construct doors that nobody is ever going to get through without tools. Also, sounds like this was a noisy endeavor, which wouldn't be ideal to a burglar. – Eamon Nerbonne May 20 '14 at 14:05
  • 2
    @EamonNerbonne: Actually, it wasn't any more noise than someone hitting a nail with a hammer. I seriously doubt anyone heard it much less was bothered enough to look out a window. The concept of home security for us regular people is a joke. The only reason to bother with making a copy of a key is if you are trying to not let them know that anyone was there. – NotMe May 20 '14 at 14:12
  • 4
    @islandlubber64, sorry about that! Try [this article from the Privacy Surgeon Blog](http://www.privacysurgeon.org/blog/incision/what-the-italians-can-teach-us-about-home-security/) for some interesting thoughts. – Julian Knight May 21 '14 at 07:20
  • I know someone who works in a prison, and he once said he knew several prisoners capable of making a working copy of a key from having seen it across a room. – armb May 22 '14 at 15:02
  • It wasn't "just" by looking at the physical keys carried by the guards. The guy used Blu Tack to get a more accurate impression. As per that same article "Heiss filed a rough copy from a piece of metal, smothered it in Blu Tack and put it gently into a cell door to get a more accurate impression. It took him more than three months." Three months is actually a long time for lock-picking. – Stephan Branczyk May 26 '14 at 20:54
41

Here's some academic research on stealing keys from afar with a hi-resolution camera:

System demo

Our SNEAKEY system correctly decoded the keys shown in the above image that was taken from the rooftop of a four floor building. The inlay shows the image that was used for decoding while the background provides a context for the extreme distances that our system can operate from. In this case the image was taken from 195 feet. This demonstration shows that a motivated attacker can covertly steal a victim's keys without fear of detection.

rath
jfoo
33

As other answers say, nothing prevents them...

however...

As a locksmith I can tell you that some locks have tolerances that are measured in the thousandths of inches (tens or hundreds of micrometres), and getting a perfect match isn't always a guarantee.

What would actually stop someone? The fact that picking a lock is easier, and quicker (in most cases) than making a key from an image or 3D scan, even if I have precise measurements.

Regardless of the tolerances, a skilled locksmith can pick a lock in less time and with more certainty than making a key from a photograph, or even a 3D scan. If the lock has crappy tolerances, it is most likely not a very secure location, and anyone wishing to gain entry is going to kick the door in to minimize the amount of time they are on scene. They aren't going to bother with picking the lock or trying to 3D print a key.

The exception is high-security locks, like Medeco. These are virtually unpickable and are usually in secure locations, but you'd need a very specific set of photographs, a high-res 3D scan, or some other means of finding not only the keyway (shape of the key shaft) and depths of the cuts, but the angles of each cut as well. Simply "jiggling" a wrongly cut Medeco key won't get you anywhere.

Many thieves would just as soon "break in" meaning use force to enter without a key. It's a surer bet, quicker than opening with a legitimate key or picks, and they aren't trying to hide their tracks anyway.

David Wilkins
  • 1
    This. Most locks are hackable. The main thing they do is add enough difficulty to keep honest people and half-hearted criminals out. Someone determined to get in will find/use the weak link in your security, which might not be the lock at all. It might be the door itself, an open window, the fact that the security staff is a bit too "helpful" sometimes...etc. – cHao May 22 '14 at 16:43
  • 5
    Adding to cHao's comment: a real eye-opener for some of my friends was a real history, where the burglars instead of picking the locks, destroying the door, or breaking the window - simply made a window-sized hole in the outer wall of the building. They did it in the middle of the day when house owners were in work, and they were dressed as construction workers so none of the neighbours paid attention. – quetzalcoatl May 25 '14 at 00:21
  • 1
    I think something you bypass, yet is relevant, is when someone picks a lock, it is *very* apparent under forensic study. Needless to say, so is kicking the door in. If someone *doesn't want to leave any traces*, using such a method as described by the OP could produce a key which would not leave any relevant forensics behind. Just a thought. – Pᴀᴜʟsᴛᴇʀ2 Feb 25 '16 at 11:51
27

This guy shows how he 3D printed a key from a simple photo:

http://3dprintboard.com/showthread.php?3397-I-3D-printed-my-house-key-from-a-photo

From the site:

Hello, I'm new here. I recently bought a replicator 2 and was trying to come up with some interesting things to print after I got tired of making jewelry and toys... I thought it would be cool to see if the resolution would allow me to make a working house key from a picture I took. After finally getting the cross section measured out correctly the tooth pattern was easy. I think I'm going to try a car key next but I'm a bit worried the PLA won't be strong enough. We'll see. Here is a video of me making, and using it.
http://youtu.be/tKY3S1-EKZE

Xander
Bob
9

Nothing, but using a 3D printer for this is usually overkill. All you need is a camera phone, a printer, a Dremel, and of course a blank key:

https://www.youtube.com/watch?v=qpDJC4vK7O0

The 3D printing option might be more attractive for some of the nasty "do not copy" keys commercial landlords, universities, etc. like to use (where blanks are not readily available, or where cutting on the inside of the key would also be needed to make a working copy).

8

What's to stop someone from 3D print cloning a key?

  • People without TV/Youtube: nothing at all (as pointed out in other answers/comments).
  • People with TV/Youtube: Cost...

Why waste money and effort, when your average basic bump key set is cheaper, re-usable and works for 80% of the locks? Just hope the target has expensive locks, then it works even better (this is a must see video).

Once you understand this principle, we can understand the 'big guns': the (lock-)pick-gun, as used by law enforcement.

  • Downside: a little bit more expensive and can't pick 360 degree round dimple locks,
  • upside: fits even more average locks because you don't need to pick the right bumpkey from your set.

In the context of printing a key, think of a 2-sided, one-way-fit (non-identical halves) dimple key:

Although these can be bumped too, sets are more rare and printing them from one photo wouldn't work since 4-sided and round models exist as well.

So the real problem/question at hand is:

  • a lock is intended as a time-consuming puzzle (the key is an instant solution).
  • yet in reality the vast majority of locks can be opened just as fast as with a key (without 007 hair-pin 'art').
  • as such we don't need to worry about printing a key (that type of lock already provided 0% time-delay/security); instead we need to worry about creating a lock that once again fulfills its purpose of taking up time of an unauthorized person (something that clearly both law-enforcement and criminals won't like, what a contradiction haha.)
GitaarLAB
7

What's to stop it? Honor, a sense of morality, knowing the difference between right and wrong, respect for other people, and their property, and when that fails, a .357 Magnum and a bad attitude usually suffices. Locks were invented to keep honest people honest. The locks most people use in everyday life are considered "privacy locks," i.e., if someone wanted in you couldn't stop them, and they won't need any "fancy-smancy" 3D printer.

Los2000
2

The best way to stop this from happening (aside from not giving someone key-schematics via an Instagram pic) is to have a key/lock solution with atypical features:

  1. Electronics inside the key that are mandatory - e.g. some car keys have a chip in them, such that the car needs both the physical key and the electronics to start.

  2. The lock requires the key to be a special material that isn't 3D printer friendly. Perhaps the lock requires the key to have specific electric conductivity, strength, light refractivity... just thinking off the top of my head here!

Basically some interactivity that can't be replicated with your standard 3D printer.

andrewb
  • 1
    Just to add to the top of your head: here in the UK we're soon going to start putting fluorescent micro-particles into our coins, http://www.currency-news.com/best-new-coin-innovation-2013-finalist-02. You'd think the same would in principle work for keys, provided that the detector is small enough to add to the lock. – Steve Jessop May 22 '14 at 18:35
  • 2
    How about designing a key with a sliding cover which would slide up the shaft of the key (and over the head) as the key was inserted into a lock? That shouldn't be hard, and it would seem to pretty well defend against these sorts of tricks. – supercat May 23 '14 at 02:19
2

Nothing at all, but a better question is how much does it really matter. Most (effectively all) consumer locks are useless. They can easily be bumped, picked or bypassed entirely (go through a window). Primarily, locks keep honest people honest, but don't do much for preventing criminals from being criminals.

If it was actually a photo of a key for an actual secure, multi-direction lock, then it might be more of a problem, though extracting the exact dimensions for such a key from a picture might be slightly non-trivial as it would involve having to make some guesses about shape and size since the photo is 2d and angles may vary.

Overall, I personally wouldn't be too worried if a picture of my key was posted somewhere. I wouldn't intentionally do it, but the chance of someone specifically finding the photo and using it to break in is pretty minimal. Posting when you are going to be on vacation is a FAR bigger security risk and most people don't think anything of that either.

AJ Henderson