For most people, keys are simple yet magical objects: They grant access to places you belong and keep you out of places you don’t. But did you know that anyone could easily make a copy of a key from a simple picture? Suddenly, something as ordinary as a key becomes a security risk. Through the eyes of a penetration tester, keys represent more than just access; they are vulnerabilities waiting to be exploited.
In today’s blog, we will explain how a malicious actor could physically intrude into one of your offices undetected, and how you should protect yourself against this unexpected attack vector. The same process could also be used by one of our Ethical Hacking security experts during a physical assessment. More details on this towards the end of the article.
Step 1: OSINT
The first step is to find a picture of a key. A malicious actor would typically look for pictures on the company website and on social media, like Facebook, Twitter, LinkedIn or even YouTube. As we have seen numerous times in the past, people love to post pictures of their keys when they just signed a lease or a mortgage. Keys can also often be found in the background or attached to a belt or a lanyard. Finding pictures like this is, unfortunately, very easy.
In this example, the business’s front door key was shown in B-roll footage at the opening of a news report in which they were interviewed.
Figure 1. News report clip showing a key being inserted into a lock.
Step 2: Decoding
Once a picture of a key is found, the second step is to identify and decode the key. Decoding a key means measuring the depth of each “valley” (the cuts made into the key blade) at each cut position, then converting each measurement into a depth number using the depth and spacing chart for that key type. The resulting sequence of depth numbers is the bitting code. A typical key has 5 or 6 cut positions, so the bitting code has 5 or 6 digits.
Figure 2. Key Close-up Clearly Showcasing 5 Positions.
In this example, the key is an SC1 from Schlage, which is a very common key in North America. Once we have found the measurement chart for SC1 keys, we can start decoding the key. We could also have used one of the several tools found online to help us with the decoding process.
Figure 3. SC1 Key with Decoding Chart Overlayed.
Using the chart, we can decode the key, from bow to tip (right to left in this picture), which yields the code 6-5-4-1-4.
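The decoding step above is mechanical enough to script. The following is an added example written for this article, not the author’s tool and not one of the online decoders mentioned: it takes the remaining blade height at each cut position as measured in pixels on a photo, uses the known blade width as the scale reference, snaps each measurement to the nearest standard depth, and checks the result against the maximum adjacent cut specification (MACS). The Schlage figures it uses (0.343 in blade width, 0.335 in root depth, 0.015 in increments, depths 0 to 9, MACS 7) are the commonly published classic SC1 specifications and are an assumption here; verify them against the chart you actually work from. The pixel measurements are constructed to illustrate the 6-5-4-1-4 key from the article.

```python
"""Decode a pin-tumbler key's bitting code from measurements taken off a photo.

Added example; not part of the original post. The Schlage SC1 constants are
the commonly published classic specifications and are an ASSUMPTION here.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class KeySpec:
    name: str
    blade_width_in: float   # full blade height, used as the photo's scale reference
    root_depth_in: float    # remaining blade height at depth number 0
    increment_in: float     # height removed per depth step
    depth_count: int        # depth numbers run 0 .. depth_count-1
    positions: int          # number of cuts, read from bow to tip
    macs: int               # maximum allowed difference between adjacent cuts


# Assumed classic Schlage SC1 specification (check against your own chart).
SC1 = KeySpec("Schlage SC1", blade_width_in=0.343, root_depth_in=0.335,
              increment_in=0.015, depth_count=10, positions=5, macs=7)


def depth_table(spec: KeySpec) -> list[float]:
    """Remaining blade height in inches for each depth number (0 is shallowest)."""
    return [round(spec.root_depth_in - n * spec.increment_in, 3)
            for n in range(spec.depth_count)]


def pixels_to_inches(px: float, blade_width_px: float, spec: KeySpec) -> float:
    """Scale a pixel measurement using the blade width seen in the same photo."""
    return px * spec.blade_width_in / blade_width_px


def candidate_depths(height_in: float, spec: KeySpec,
                     ambiguity_fraction: float) -> list[int]:
    """Snap a measured height to the standard depths.

    Returns one depth number when the measurement is clearly closest to it, and
    the two neighbouring depth numbers when it lies near the boundary between
    them (photo measurements are noisy; a real attacker simply cuts both).
    Raises ValueError when the height is outside the key's depth range.
    """
    table = depth_table(spec)
    ranked = sorted(range(len(table)), key=lambda i: abs(table[i] - height_in))
    best, second = ranked[0], ranked[1]
    err = abs(table[best] - height_in)
    if err > spec.increment_in / 2 + 1e-9:
        raise ValueError(f"{height_in:.3f} in is outside the {spec.name} depth range")
    if err > spec.increment_in * ambiguity_fraction:
        return sorted([best, second])
    return [best]


def violates_macs(code, spec: KeySpec) -> bool:
    """True if any two adjacent cuts differ by more than the spec's MACS."""
    return any(abs(a - b) > spec.macs for a, b in zip(code, code[1:]))


def decode(heights_px, blade_width_px: float, spec: KeySpec = SC1,
           ambiguity_fraction: float = 0.35) -> list[str]:
    """Return every MACS-valid bitting code consistent with the measurements.

    heights_px lists the remaining blade height at each cut position, already
    ordered bow to tip (reverse the list first if the photo shows the tip on
    the left, as in the article's Figure 3).
    """
    if len(heights_px) != spec.positions:
        raise ValueError(f"{spec.name} has {spec.positions} positions, got {len(heights_px)}")
    per_position = [
        candidate_depths(pixels_to_inches(px, blade_width_px, spec), spec, ambiguity_fraction)
        for px in heights_px
    ]
    return ["-".join(str(d) for d in combo)
            for combo in itertools.product(*per_position)
            if not violates_macs(combo, spec)]


if __name__ == "__main__":
    # Constructed measurements: a blade 686 px high (0.0005 in per pixel) and
    # remaining heights that correspond to the article's 6-5-4-1-4 key.
    print(decode([490, 520, 550, 640, 550], 686))
    # Same key, but the last cut measured halfway between depth 4 and depth 5.
    print(decode([490, 520, 550, 640, 536], 686))
```

When a position is ambiguous the decoder returns every plausible code rather than guessing, which is also how the attack plays out in practice: a handful of cheap blanks covers the uncertainty. The MACS check prunes combinations that no factory-cut key would have.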
Step 3: Cutting
Once the bitting code is obtained, we can cut the key. We could do it ourselves with a key blank, a file and a caliper. We could also try to 3D print the key ourselves by using one of the several key generator tools. Or, we could simply walk into a locksmith shop and ask them to produce the key instead.
In our example, this is what we decided to do, as it is the simplest and most reliable method. So, we went to visit our local locksmith and left with a freshly cut key ready to be used!
Figure 4. Snazzy New Key!
Step 4: Intruding
Once the new key has been cut, the fourth and last step is to use the key! Our malicious actor is now ready to intrude into the office at a moment’s notice. And since the malicious actor has the key, who will question their presence?
In our example, we tried the newly cut key in the presence of the business owner, which successfully demonstrated this attack vector.
Figure 5. Video clip successfully demonstrating the working key.
Conclusion
You now understand how easy it is to make a copy of a key. If there is one thing you should remember from this blog post: Do not share pictures of keys online! After all, keys are like passwords: They should never be shared with anyone. And if a key has appeared in a photo or on video, assume its bitting code is public and treat that lock as compromised.
Are you worried now that you know how easy it is to copy a key? Our Ethical Hacking team can help you evaluate the physical security posture of your business. Whether you have a store, an office or a warehouse, in one or more locations, our team can help you draw a detailed picture of your current situation and make recommendations that will allow you to improve your security posture. Contact us today!
Author: Patricia Gagnon-Renaud