A True “Holy Shit” Moment: Researchers Can Duplicate Keys from a Simple Sound Recording

in GEEKZ6 months ago (edited)

It’s been quite some time since I last had a “Holy Shit” moment in tech. Of course, unless you’re a total luddite — which according to @tarazkp I think everyone is — your tech “Whoa!” senses have most likely dulled in recent decades. After all we’ve been treated with some awesome stuff but most of it arguably rather “Cool” than a true “Holy Shit” moment.

VR? Maybe the most “Whoa!” of all in recent years, only to be dumbed down because the alpha in you — and Wii Sports nerd — wanted to start your VR experience with snowboarding. Rather than thinking “Whoa!” you ended up with your head in a bucket. AR? Cool, but the applications for a long time felt rather “Meh”. Until IKEA came to the iPhone with its AR app. It’s always IKEA, isn’t it?

FaceID? Cool but an evolution, not a novelty. Although got to admit it’s pretty darn fast. TouchID? Dude, Windows has had finger print scanners for decades! Maybe not decades but at least an eternity.


The iPad? It was a cool drinks coaster although it took several iterations before you didn’t have to worry anymore about your drinks sliding of your coaster.

Which takes me back to my last “Holy Shit” moment.

A Holy Shit moment is when you first discover a new idea that drastically and forever changes your perspective. You know when you’re having these moments because you stop, you stare at the new idea or thought with your mouth half open, and you say – out loud – “Holy shit”.
Holy Shit Moments, Michael Lopp.

It was more a decade ago and TechCrunch was still the obvious news site for every internet nerd. Ars Technica relegated to second spot because it required more attention while Michael Arrington over at TC brought us solid and fast paced internet apps coverage. Not to mention Duncan Riley’s occasional regular blunders. TechCrunch was also the hottest location in town for tech gossip Beta invites for upcoming launches. After more than a year of hype initially having been introduced at a TechCrunch event in 2008 and the awesome teaser video from 2009, Dropbox finally opened its doors and TechCrunch was were to get your invite.

Within minutes after the beta launch was announced I had installed the app on my desktop and iPhone. I ended up being user ID 1280. “HOLY SHIT” I saw my phone’s files arrive on my desktop. When I installed Dropbox on my laptop again: “Damn, that shit REALLY works!”

While the seamless syncing technology is ubiquitous in 2020, and many even don’t realize it runs on their device, back then Dropbox was true innovation and simplification. No need anymore to connect your phone with a cable, to use USB sticks or anything like that. Whispernet was a reality for the personal user and all your files. For weeks I would “Holy Shit” my fellow nerds and Luddite friends alike with Dropbox — all while accumulating free storage space which suffices me to this day.

Maybe it was the computer nerd in me who found Dropbox that awesome but it was also the last “Holy Shit” moment I had.

Until recently.

Truth to be told my recent “Holy Shit” moment isn’t a 100% genuine “Holy Shit” moment because I haven’t experienced it personally. When it comes to “Holy Shit” moments, the experience is primordial yet I will make an exception this time because ever since reading about it the thought kept me busy.

In recent years many some of us have switched their door locks to more modern “smart” locks. Connected locks. The beauty of this novel tech is that your door can open automatically as you near it. Of course, because batteries or brown outs, you still need a safety solution which is often a small key you’ve stuffed somewhere very deeply in your wallet. When in need you will realize how much storage deep space there actually is in your wallet. Or be the dork who thought it wouldn’t happen to them.

While my lights are connected and there’s several connected cams in my crib, I never went ahead yet and replaced my lock with a connected one. Internet of Things (IoT) security issues are too big a concern for me to make that switch, although I may reconsider that position now.

Researchers Can Duplicate Keys by Hearing the Sound They Make in the Lock

That’s right, you read that correctly: Researchers can now duplicate door keys by hearing the sound they make when you open the lock.

And they even don’t need a super sophisticated and sensitive microphone for it. A simple recording with a smartphone will do. Just need to get it close enough to the lock to record the sound and attackers can duplicate your key soon after, with a 3D printer even.

Given that the profile of the key is publicly available for commonly used [pin-tumbler lock] keys, we can 3D-print the keys for the inferred bitting codes, one of which will unlock the door.”
— Soundarya Ramesh.

The key to this are the sounds a key produces as it slides through the lock and the lock’s pins tumble in the ridges of the key. That sound can then be deciphered with signal processing software. “SpiKey” software will subsequently return up to 3 most likely key designs. Narrowing the difficulty for attackers down from around 330,000 options to only 3.


Soundarya Ramesh and her team at NUS (National University of Singapore) focused on the common pin-tumbler locks which most homes uses across the world. The research was first presented in spring this year during HotMobile2020 in Austin, TX before large parts of the world would enter lockdown due to the Corona virus (embedded below - 15 minutes video).

Once the Communications Blog of the ACM wrote about Ramesh’s research the topic received widespread coverage in the tech world.

Next time you move home you may want to make sure your front door doesn’t come with a common pin-tumbler lock. And if your front door still uses one of those — like mine does — maybe now’s the time to consider a connected “smart lock”.

And, don’t worry, I’ve since managed to raise my lower chin again and the initial “WTF!?” of this “Holy Shit” moment has dissipated.

Leadpic photo via Unsplash.

Join the Geekz community for all things comics, sci-fi, fantasy, pop-culture, and other random geekery. Great comments are rewarded with @misterengagement #ENGAGE tokens


Wow, way to make everyone paranoid, haha! How many households have microphones turned on all the time for phones, Siri, Alexa, Google Home, etc?

If someone (or something) is always listening 24/7, that makes this scary indeed.

Hmmm I even didn't think of those. But that's probably because I resisted those so far, I don't need that level of privacy intrusion. Although I do have a Droid (with no Lineage OS) and use an older iPad as Home kit hub.


Thank you for your engagement on this post, you have recieved ENGAGE tokens.

That is amazing....!

So basically a thief would need to hide a microphone somewhere near your lock and wait for you to use your key... I wonder if this will lead to an increase of people talking over them unlocking the door. Pretty amazing though, and it totally makes sense, you'd expect the pins to make different sounds as they slide into place.

Well they still need the software and, according to a sound specialist from Cambridge, would need to get the microphone within 5 to 10 centimeters but yeah that’s it.

Luckily pin-tumbler locks are ever less common in modern new builds.

Oh... that's really close.

I don't know how small microphones can get, but I'm sure some thieves could get real sneaky.

A prime risk would be contractors installing locks on new estates and condos.


Thank you for your engagement on this post, you have recieved ENGAGE tokens.

Oh yeah Twittered it.

I suppose you could just talk over the key. Though, unlike online security holes, it is harder to automate the exploitation, so you there needs to be someone who wants to specifically break into your house.