Home
Internet
Internet Features
Hacking the Real World: How Your Keys Are as Unsafe as Your Password

Hacking the Real World: How Your Keys Are as Unsafe as Your Password

By Gopal Sathe | Updated: 19 January 2015 12:12 IST

The next time someone tells you that they were hacked, they might not be talking about their Facebook or email accounts. The line between real and virtual is getting thinner as smartphones open up our keys and fingerprints hackers. Getting hacked could mean someone breaking into your house or driving off with your car, instead of just hijacking your Twitter profile.

At a cybersecurity convention in Hamburg last month, a German hacking group demonstrated how it could duplicate fingerprints from afar. The group - called Chaos Computer Club - used news photographs to recreate the thumbprint of the German Minister of Defence Ursula von Der Leyen, which was allegedly used to trick Apple's TouchID technology.

For consumers, fingerprints are not typically used much - we're much more reliant on passwords and PINs for security. Fingerprint scanners get used more in government and corporate security. We don't even use too many devices that can check our fingerprints right now, but the iPhone 5s and later iPhones, along with some Android devices including the Samsung Galaxy S5 include fingerprint scanners. On an iPhone, you use the fingerprint scanner to unlock the phone, and to authorise payments to the App Store. If Apple Pay catches on, then the importance of securing your fingerprints can only grow.

Su Gim Goh, Security Advisor for F-secure believes that the intersection of the digital and the real world is inevitable, and that we are accelerating towards a future where you'll want to check that your fingers aren't showing in your Facebook photos.

"People don't understand how quickly security is moving," says Goh. "We're going to see a lot of new problems that no one has ever thought of before."

With everyone you meet carrying around a powerful computer in their pockets that comes with a high quality camera and an always-on Internet connection, the world is already thoroughly interconnected, and Goh says that we are going to see the interconnectedness of devices increase very rapidly over the next couple of years. The only reason, he says, that this has not been a major concern already is because connected household devices are not in widespread use yet, and not due to any technological barriers to hacking.

(Also see: The Internet of Insecure Things)

But as the German hackers prove, it's not just our devices that are at risk. Scanned photographs make fingerprints an insecure measure - biometrics like these are used to verify government documents like the Aadhaar, and could well see widespread adoption in payment systems.

Copying a fingerprint from a bunch of newspaper photographs is tricky, but a much easier hack is duplicating a key from a couple of close up photographs. Anyone who can get a minute alone with your keys - maybe you left them lying around on your desk, or maybe you asked a colleague to grab a file left in your car - can make a copy, using a simple app called KeyMe. In case you're not an iPhone user, you could turn to the Keys Duplicated website for the same service.

Copying a key has always been easy, points out Dr Bijay Panda, a Washington based security consultant.

"You can make an impression using a wax blank, or modelling clay, and any blacksmith can make a copy from that," says Panda.

The difference is that clicking a few pictures on your phone is even simpler. You don't have to acquire a blank, drive to a blacksmith or do anything at all. Just click two pictures with your phone, press a few buttons, and wait for the key to arrive in the mail.

"The barrier to entry gets significantly lower - if you have physical access to the keys and a credit card with which to pay, you don't need anything else at all," says Panda.

We asked Panda how easy it is to make a copy using this system - he told us that he tried out Keys Duplicated, and it took him just half a minute to take pictures of the front and back of a key that met the requirements of the site.

"The good news is that the picture needs to be taken at a flat angle, and it needs to be pretty clear," says Panda, "so if you're worried about a Facebook photo where the keys are dangling in your hands, you can stop worrying."

But he cautions that the technology is only going to improve, and says that people need to be more aware of their behaviour online.

"Right now, I see people who get a new car proudly holding up the keys in selfies they upload," says Panda. "This is now as risky as putting up pictures of your credit card on Instagram. And you know what? Lots of younger people in particular do that too."

According to the Keys Duplicated team, the company can copy "most standard house keys, leaving aside high security patented keys." There's a simple set of requirements for photos to make the duplicates, and that's all the company needs, aside from your email ID and credit card information. A replacement key can be sent as soon as you've paid, and takes only 2-5 days to reach customers.

There are some security precautions in place, according to the Keys Duplicated team: "The key pictures must be high quality, and we need pictures of both the front and back. This way, if your keys are lying on the table, a passerby can't take a quick snapshot."

The company also does not store shipping information - instead, "shipping information is redacted from our system a few days after we ship your key. That way, no one (including us) can associate your key with your address. Other information [such as your email ID and credit card details] about your order is stored under bank-grade cryptography."

Keys Duplicated keeps the credit card information related to the keys it makes, and if one of them was used to break into your house, the company would share this information with the authorities. But that would only work if you even knew about the service. Of course Keys Duplicated isn't the only company in this space - which means you'd have to cross check with several companies to see if someone copied your key.

Despite these concerns, researchers like Goh believe that the average consumer doesn't have to worry about being hacked using these methods right now.

"You can also be worried that someone could hack an app that unlocks your Bluetooth enabled door soon," says Goh, "but more than that, the real issue is that the consumers don't take their security seriously."

"There are thousands of computers with VNCs set up that don't have a password, or use the default passwords," he adds. "A couple of months ago, other researchers found that thousands of VNCs on the Internet were fully accessible. They found around 30,000 without any password, and there would be a lot more with the default passwords."

What Goh points out is correct - people consistently choose convenience over security, as has been demonstrated by the use of default passwords or weak passwords used for multiple accounts. We've gotten used to the idea that our digital world is inherently insecure. But in the real world at least, physical security like a key used to be a reasonable deterrent. This is another thing that might well have changed irrevocably, thanks to the smartphone revolution.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.