When I broke into my neighbor’s home earlier this week, I didn’t use any cat burglar skills. I don’t know how to pick locks. I’m not even sure how to use a crowbar. It turns out all anyone needs to invade a friend’s apartment is an off switch for their conscience and an iPhone.
This was done politely: I even warned him the day before. My neighbor lives on the second floor of a Brooklyn walk-up, so when I came to his front door he tossed me a pair of keys rather than walk down the stairs to let me in. I opened the door, climbed the stairs, and handed his keys back to him. We chatted about our weekends. I drank a glass of water. Then I let him know that I would be back soon to gain unauthorized access to his home.
Less than an hour later, I owned a key to his front door.
What I didn’t tell my neighbor was that I spent about 30 seconds in the stairwell scanning his keys with software that would let me reproduce them with no specialized skills whatsoever. The iPhone app I used wasn’t intended for anything so nefarious: KeyMe was designed to let anyone photograph their keys and upload them to the company’s servers. From there, they can be 3-D printed and mail-ordered in a variety of novelty shapes, from a bottle opener to Kanye West’s head. Or they can be cut from blanks at one of KeyMe’s five kiosks in the New York City area.
PARKING VALETS SUDDENLY REQUIRE A LUDICROUS LEVEL OF TRUST.
I copied my neighbor’s keys at a KeyMe kiosk about a mile from his house, inside a Rite Aid drugstore. After logging in on a fingerprint scanner and choosing my neighbor’s keys from all the keys I’d uploaded, I watched on the machine’s screen as a grandfatherly cartoon figure with a white mustache and spectacles cut them. Seconds later the keys dropped into a box at the front of the kiosk, still warm to the touch. The next morning I let myself into my neighbor’s apartment and interrupted him reading a book about the German battleship Bismarck.
Services like KeyMe, along with competitors like KeysDuplicated and the Belgian Keysave, promise to forever solve the problem of lockouts and lost keys using clever combinations of smartphone scans, automated key-cutting machines and 3D-printing. Like a “forgot my password” function for physical security, they let you upload your coded chunks of metal to the cloud, where you can access and duplicate them, or even email them to a friend staying at your place.
New York-based KeyMe reassures users on its website that “only you can scan your keys” and its “scanning process is designed to strictly prevent any use of flyby pictures.” It claims keys can only be scanned when removed from the keychain (Not so; I left my neighbor’s on his ring) and must be scanned on both sides against a white background from 4 inches away. None of that posed a problem making my stairwell creep-scans.Such services also enable jerks like me to steal your keys any time they get a moment alone with them. Leave your ring of cut-brass secrets unattended on your desk at work, at a bar table while you buy another round, or in a hotel room, and any stranger—or friend—can upload your keys to their online collection. The trick is far easier than having them copied at a hardware store. KeyMe says it will even duplicate keys marked “do not duplicate,” including some high-security keys sold by Medeco, Mul-T-lock and Schlage. Parking valets suddenly require a ludicrous level of trust: KeyMe already allows some car keys to be scanned and mail-ordered; KeysDuplicated says that feature is on the way.
KeysDuplicated, based in San Francisco, doesn’t make any claims about requiring close-ups for its keyshots. But its CEO Ali Rahimi wrote in a statement to WIRED that “we’re not a convenient service for anyone who wants to copy keys
surreptitiously.” The company’s site argues thieves have always been able to measure keys with a key gauge or imprint them in clay to create duplicates. But I have no idea how to do either of those things, and I nonetheless found breaking into my neighbor’s house with a smartphone scan to be pretty idiot-proof.
When I spoke with KeyMe founder and CEO Greg Marsh, he offered another argument: Digitally reproducing keys is safer than other methods because it leaves a digital trail with KeyMe’s account information, credit card records, and its kiosk fingerprint scanners. “We have all this accountability and data that doesn’t exist when you make keys with traditional methods,” Marsh says. “If a key was found to be used maliciously, we have a clear path to find out who was responsible.”
So if I had actually entered my neighbor’s apartment while he was gone and burgled the place without him knowing, how would that accountability have helped? Marsh says that if my neighbor reported the theft and suspected KeyMe was involved, he could scan his keys into KeyMe and discover who had previously copied them. Marsh hedged that by saying the company would be very cautious about handing user data to the police, but the company “would be very enthusiastic about helping any way we could.”
Even if KeyMe did help the cops, Marsh’s logic is somewhat flawed. My neighbor had never heard of KeyMe or any services like it. If his apartment was robbed, he would have no clue that a little-known app had anything to do with it. “Most of the country has no idea what KeyMe is, and that will hopefully change soon,” says Marsh. “We’re working really hard to build awareness.”
Keep It in Your Pants
Wishful thinking aside, Marsh’s best piece of advice is, “People need to be prudent with where they have their keys and store them, similar to a password.”
That paranoid approach has long been common sense among the lockpicking crowd. “If you lose sight of your keys for the better part of 20 seconds, you should consider them lost,” says Jos Weyers, a Dutch lockpicking guru and security consultant. “If you find them later, consider them a souvenir.”
At the HOPE hacker conference last weekend, Weyers gave a presentation on the insecurity of showing photos of keys on television or allowing them to be photographed. He pointed to examples like the New York Post‘s foolish decision to publish pictures of New York elevator and subway gate keys in a story discussing the danger of letting those keys proliferate. (The Post‘s photo was soon taken down, but not before it spread across the web.) In another slip-up, a local newscast showed a close-up of a “universal gas pump key” that could be used to plant credit-card stealing hardware in the pump station.
“IT ONLY TAKES SECONDS TO DUPLICATE A KEY. WE LOCK NERDS ALREADY KNEW THAT.”
In any of those cases, a skilled lock hacker could recreate the key from the photos alone, using increasingly accessible tools like 3D printers, milling machines, or laser cutters. One group of researchers created a project called Sneakey in 2009 that showed they could reproduce keys photographed from nearly 200 feet away and at an angle. In other words, simply leaving your keys hanging from your belt presents a security problem, not to mention letting someone get ahold of them.
That means apps like KeyMe and KeysDuplicated haven’t exactly created the requirement that our physical keys be kept as secret as our digital ones. But they have democratized the security threat: Now even a lockpicking noob like me can demonstrate the danger of letting keys leave their owner’s control.
In a way, says Weyers, that’s a good thing. “The effect of services like KeyMe will be positive: People are now starting to understand that it only take a couple of seconds to duplicate a key,” he says. “We lock nerds already knew that. Now the normal public is catching on.”