Though lockdown policies have led to a decline in burglaries of homes in some regions of the world, security researchers from the National University of Singapore have discovered that hackers could make a copy of your front door key using only a smartphone.
The security researchers have come up with a new theoretical attack model, named "SpiKey," which they say "significantly lowers the bar for an attacker as opposed to the lock-picking attack."
While many types of physical locks are vulnerable to burglars, they are still widely used by homeowners as lock-picking requires specific training and practice with tailored instruments.
Researchers from the National University of Singapore have found that audio recordings of a key being inserted in a lock provide enough information for a computer to infer the shape of the key.
In order to do so, they have recorded the sound of a key being inserted, and withdrawn, inside a lock with the microphone of a smartphone.
Although researchers note that "it is extremely challenging to extract information from the sound to infer fine-grained bitting depths," "SpiKey" captures and utilizes the time difference between each tumbler pin click to estimate the correct pattern of ridges found on the key.
"As SpiKey infers the shape of the key, it is inherently robust against anti-picking features in modern locks," the research paper states.
Additionally, the security experts say the "SpyKey" system managed to narrow down the correct key from a pool of more than 330,000 potential keys to just three contenders for the most frequent cases.
"SpiKey inherently provides many advantages over lock picking attacks, including lowering attacker effort to enable a layperson to launch an attack without raising suspicion," they added.
Despite these alarming discoveries, this new attack model presents several challenges outside of the lab. One of them is the speed of the key insertion and withdrawal, which needs to be constant in order to correctly infer the inter-ridge distances.
As recording distance can be an issue, researchers are theoretically studying the possibility of installing malware on a targeted homeowner's smartphone or smartwatch to collect click sounds remotely.