The cybersecurity of your front door key

Cybersecurity is one of my main interests, so when I spotted this article by Davey Winder titled “How Hackers Use Sound To Unlock the Secrets of Your Front Door Key”, I was intrigued, not least because smart houses are something of a passion of mine.

The smart lock is the risk in question, and Winder remarks that when he asked 549 security professionals if they would use a smart lock, 400 of them said ‘No’ and “get in the sea.”

What are the smart lock security issues?

Reports suggest that smart locks have a number of vulnerabilities, from snooping via WiFi to smart hub weaknesses. One expert, Craig Young from Tripwire, found that one smart lock could easily be bypassed by a hacker with “a media access control (MAC) address and a smartphone app.” Young himself says that he generally doesn’t advise consumers to use internet-connected locks. “If the risk of strangers finding and opening your lock isn’t enough discouragement,” Young says, “just consider what you will do if you’re locked out because the lock maker got hit with ransomware or simply pushed a bad update.”

Winder poses another question: “what if hackers had figured out a way of unlocking the secrets of your actual, physical, door key just by listening to the sound it makes when being inserted into the lock?”

Hackers show how simple it is to open the door

Thankfully a group of ‘hackers’ at the National University of Singapore have developed an “attack model” they call SpiKey, which determines the key shape that will open any tumbler lock. They say SpiKey “significantly lowers the bar for an attacker,” when compared to a more traditional lock-picking attack. Their methodology is surprisingly simple in that it is a matter of listening for the sound of the key as it moves past tumbler pins when the key is inserted.

The Singapore ‘hackers’ have been using “a simple smartphone to record the sound of the key being inserted, and withdrawn, with a smartphone and then observe the time between each tumbler pin click using their custom key reverse-engineering application,” as reported by Hackster.io. The group’s research paper states, “SpiKey infers the shape of the key, it is inherently robust against anti-picking features in modern locks, and grants multiple entries without leaving any traces.”

Of course, the real world presents other challenges, the biggest one being “that the current attack mode requires the threat actor to be within a few inches of the lock to make that recording,” which means they need to be literally outside your front door.

However, if you already use a smart lock, don’t panic. For the moment, a smart lock that isn’t connected to any network is still doing the job of protecting you and your property.