New security concern: Malware that can copy all the physical keys on your keychain!
I hope that you have been following along with the Cadre Information Security series of blogs on the topics of mobile devices and social engineering. We have produced articles and corrective advice on how mobile devices can capture what you type on your keyboard by the sound of the keys tapping; how the Bluetooth service in your phone or tablet can allow burglars to case your home or business; and the interesting “spray attacks” that can grab screenshots of your phone and disappear without a trace, or even duplicate your entire smartphone, including your multifactor authentication, without touching your phone or even being in the same country.
In this article we are going to explore another new security concern that has just come to light. Researchers at the National University of Singapore (NUS) have published a paper demonstrating how smartphone malware can copy the physical keys you use for your home, business or any place you have a physical lock that uses a standard key (1).
A standard lock has a series of pins and a tumbler that line up when the key is inserted, which allows the lock to be opened. The pins are “programmed” by their size and shape and match your key. When you look at your key you will see ridges and troughs. The shape of these troughs is made to match the location and size of the pins in the lock when the key is cut by the manufacturer or locksmith. Some locks only have a few pins, some have many. Only a key with the exact correct cuts should be able to rotate the tumbler and open the lock.
If you watch people picking locks on TV shows you might think all you need is 10 spare seconds of your time and a paperclip to easily open any lock, even one to a jail cell. If you have that kind of talent, please forward your resume to me and to the Society of American Magicians (founded by Harry Houdini). If those TV scenes were realistic portrayals of how vulnerable locks are, why would we even bother installing them? Thanks to a friend at work, a number of years ago I took up the hobby of learning to lock pick, and I can tell you that even highly experienced lock pickers can’t make it work like you see on TV.
At this point I hope you are sitting down because reality is about to get worse than fiction. The SpiKey malware demonstrator developed by NUS researchers can make opening locks even easier than TV lock picking. The malware uses the microphone on a compromised phone to listen to a victim inserting a key into a lock, analyzes the tumbler sounds, and can produce instructions almost instantly on how to cut a key to fit that lock.
The ramifications of this demonstration are limited only by your imagination (and ethics). While SpiKey was demonstrated as malware it could also be used as a purposefully installed app with a long-distance microphone. If SpiKey were to hear someone open multiple doors in a hallway or the same building, for instance, it could be used to produce a MASTER KEY for the building.
The app compares the tumbler/pin sounds it hears to a library of more than 330 thousand key designs and even with an incomplete audio scan, it can produce just 3 or 4 candidate keys, one of which will likely open the lock. Since the candidate keys only need to be used once in most scenarios, they could be rapidly 3D printed, cut with a CNC machine or, if it uses a common lock, just filed down from a hardware store blank with a hand file.
How can we defend ourselves from lock-picking malware?
That is a good question! As professionals analyze this new threat, I suspect a number of mitigations may become best practices. In the short term we need to do what we already should be doing and that is making sure that ANY mobile device malware is mitigated through BOTH MDM systems (Mobile Device Management) and good Security Awareness programs. Security Awareness programs need to go beyond canned videos and should be based on the science of adult learning while using scenarios applicable to your organization.
The amount of effort needed to reduce the risk from this kind of malware depends on what kinds of physical assets you are protecting. A good risk analysis updated regularly with an internal or hired Trusted Advisor should provide a means to mitigate this situation.
What about digital locks?
While digital locks should not be hackable with SpiKey malware, we know from many recent successful break-ins and verified hacks that many consumer-level and even industrial controls have faults (2). Therefore, we once again fall back on good risk analyses, control design and mitigation through education of users and consumers.
What can I do to protect myself?
The good news is that you are already doing it! Education is (pun intended) the key. Understanding how to keep your own mobile devices, and those of your employees and your family, free of malware and how to avoid Social Engineering attacks should reduce your chances of being a victim of these hacks to almost zero.
Lastly, keep doing what you are doing now: educate yourself and others by reading articles like the ones in this series and sharing them with those who can benefit from them.
1. Acoustics-based Physical Key Inference, National University of Singapore https://www.comp.nus.edu.sg/~junhan/papers/SpiKey_HotMobile20_CamReady.pdf
2. “Hackers are getting really good at hacking Ring cameras and the results are terrifying” https://mashable.com/article/ring-cameras-easily-hacked-and-its-terrifying/