We’re used to hearing about hackers accessing our phones, but a new study shows how they could potentially use their phones to access our homes.
The findings come from researchers at the Department of Computer Science at the National University of Singapore. They demonstrate how the attack works by recording the sound of a key being inserted into a lock. The audio is then checked for the time difference between clicks, which is used to map out the size and shape of a key. This allows a hacker to create an accurate physical copy on a 3D printer.
The attack, dubbed SpiKey, was able to use the sounds to narrow down a database of 300,000 keys to just three.
“Physical locks are one of the most prevalent mechanisms for securing objects such as doors. While many of these locks are vulnerable to lock-picking, they are still widely used as lock-picking requires specific training with tailored instruments and easily raises suspicions,” wrote the researchers.
“[SpiKey] significantly lowers the bar for an attacker by requiring only the use of a smartphone microphone to infer the shape of the victim’s key, namely bittings (or cut depths), which form the secret of the key.”
Before you start singing aloud every time you lock or unlock your front door to cover the clicks, there are a few factors to consider, the main one being that the speed of key insertion must remain constant throughout for the attack to work. An attacker must also have knowledge of the type of key and lock that’s used, which would require a physical examination of the latter’s exterior. Moreover, the microphone needs to be close enough to pick up the clicking sounds while dealing with noise interference from other sources, so watch out for any suspicious characters nearby holding a phone when opening your door.
The researchers suggest that the attack could evolve to using malware installed on a victim’s phone or smartwatch to record key sounds. It could also leverage long-distance microphones or door sensors with mics to capture the sounds better and without raising suspicion.
As interesting as SpiKey is, on the list of ‘smartphone-related things to worry about,’ it’s probably about as concerning as Facebook allegedly recording your conversations for targeted ads—not very.