The End of Security Based on Mechanical Security

There are lots of interesting security models in the lock manufacturing industry, and most of them are based on complicated machining of either keys or pins or both.  This, along with patent protections, prevents illicit key blank production. Somebody could study a key blank and make a production run of them but it would be prohibitively expensive and the lock manufacturer purposely releases blanks that are machined differently before the bitting of the key is even a factor.

A new era has dawned.  Now people can replicate a high security key with nothing more than a high resolution picture.  I have offered the service of replicating keys by photograph already, but I am talking about 3D copying a very complicated object for $5 if they have an image of the object that allows them to make relatively precise measurements.  Pictures in a newspaper of a key could mean unlocked doors. If the would-be copier has physical access to the key then it is a much easier problem to solve.

The answer to this problem lies in more factors of authentication.  This will probably take the form of physical and electronic challenge and response.  That is, not only will the key probably have to move some pins into the correct configuration but there will also probably be an encrypted electronic communication between the lock and the key, similar to modern cars.  This will be a stepping stone to using your phone as a key and then some other wearable object or implant if I had to guess.

The point of all of this is that you can’t let your keys fall into the wrong hands if the key protects something really valuable, even for a few minutes. If the key is just to your garden shed then the risks are minimal. If the key is to your collection of gold and diamond jewelry that is publicized, you need to make sure that your stuff is secure.

Making sure that you have good security is more than just having an expensive lock. It also means knowing who has the key, making sure that there is accountability for who has the key, and also making sure that not only the lock but the entire building around the lock is secure. If you are securing something really valuable this may mean a fiberglass door and doorframe, reinforced windows and grates, an alarm system, etc. Modern technologies complicate this further, requiring that those with the key do not let it out of their sight for even a few minutes. They also cannot display the key in public where it might be photographed.

The alternative is to switch to expensive electronic access solutions.  I can provide electronic security, but there are caveats: it is not without its own vulnerabilities. A combination on a lock can be watched from afar. A fingerprint can be duplicated. An iris scan can be duped through methods that can be seen in horror movies. I don’t recommend locks that use biometric security because a fingerprint or iris, once compromised, cannot be revoked (not to mention that with such requirements there is a great incentive to remove an eye or a finger for bypass of the lock, see horror movies). For the truly paranoid the answer is in careful key control and keeping current with lock technologies (and their vulnerabilities). Knowing is half the battle (-G.I. Joe).

Duplicating a key is much harder if you have to duplicate not only the physical form of the key but also spoof the electronic portion.  This cannot be deduced from a high resolution picture. To replicate such a key would require complicated challenge and response spoofs. If such a method of authentication became common, well-meaning staff of higher education would most likely develop methods of circumventing it, just as WEP was compromised. These people are not to be blamed. Even as they publicize these vulnerabilities, people in the former USSR are developing the same exploits at the same speed because they have more to gain than university researchers making less than $40,000 a year. They should be lauded for publicizing these weaknesses because publication forces the manufacturer to update their product. In this modern era those with expensive property cannot rest on their laurels and trust the last generation of security products and its vulnerabilities, because criminals are now researching exploits as quickly as products are manufactured.
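The two-factor key described above (mechanical bitting plus an electronic challenge and response) can be sketched as follows. This is an added example, not code from the author or from any lock product; the class names, the HMAC-SHA256 construction and the sample bitting are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

class ElectronicKey:
    """Hypothetical key: cut depths plus a secret held in its chip."""
    def __init__(self, bitting, secret):
        self.bitting = bitting      # visible in a photograph
        self._secret = secret       # never visible, never transmitted

    def respond(self, challenge):
        if self._secret is None:    # a photo-derived copy has no chip secret
            return b""
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Lock:
    """Hypothetical lock: opens only if both factors check out."""
    def __init__(self, bitting, secret):
        self._bitting, self._secret = bitting, secret
        self._pending = None        # outstanding challenge, single use

    def challenge(self):
        self._pending = secrets.token_bytes(16)   # fresh nonce per attempt
        return self._pending

    def open(self, bitting, response):
        nonce, self._pending = self._pending, None   # consume the nonce
        if nonce is None:
            return False
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        mechanical_ok = hmac.compare_digest(bytes(bitting), bytes(self._bitting))
        electronic_ok = hmac.compare_digest(response, expected)
        return mechanical_ok and electronic_ok

def demo():
    secret = secrets.token_bytes(32)
    bitting = (3, 5, 2, 6, 4)                     # constructed sample cut depths
    lock = Lock(bitting, secret)
    real = ElectronicKey(bitting, secret)
    copy = ElectronicKey(bitting, None)           # correct cuts, no chip secret

    first_response = real.respond(lock.challenge())
    genuine = lock.open(real.bitting, first_response)
    photo_copy = lock.open(copy.bitting, copy.respond(lock.challenge()))
    lock.challenge()                              # new nonce: old response is stale
    replay = lock.open(bitting, first_response)
    return genuine, photo_copy, replay

if __name__ == "__main__":
    print(demo())
```

The key with the right cuts but no chip secret is rejected, and so is a recorded response from an earlier opening, because the lock issues a fresh random challenge each time and accepts each one only once.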

I cannot say what the future holds for security. In the near term I can only offer the prediction of a mechanical key with an electronic component, or a completely electronic component. Either way it is a very interesting time to be in the security industry because it is the first time in history that physical security on its own is in some cases no longer enough.

Published by

Bjørn Madsen

I am the Seattle locksmith you've been looking for. High Quality work at a reasonable price delivered in a timely fashion.