How to break into people's homes with your mobile phone

Filed Under: Featured, Mobile, Security threats

Image of iphone and key imprintHaving a tough time breaking into your neighbor's house?

No worries. There's an app for that!

It's called KeyMe, and it's actually designed to help people who do things like wander outside to get their newspaper in their slippers, only to hear the decisive "click!" of a door locking shut behind them.

For the improperly shod/suddenly locked-door-challenged, the cloud-based "key management program" lets you scan keys from your phone, creating a digital version of your physical key.

Then the app enables you - or maybe a valet? or some random jerk who's managed to photograph your key? - to make a copy of the key from a self-service key-cutting kiosk or a hardware store.

KeyMe's security page assures the burglary-wary that "only you can scan your keys".

KeyMe aims to secure your key by requiring email verification for mobile registration and fingerprint scans for kiosk registration. Also, you need to verify all transactions with a credit card.

It sends a confirmation mail every time there's activity on your account. "This keeps you up to date and prevents any fraudulent activity," it optimistically promises us.

Unfortunately, if you've never used KeyMe, aforementioned random jerk or moral-compass-deficient valet could pretend to be the legitimate key holder.

Notification emails would then simply serve to inform the bad guy himself, more or less, that he's made another copy of that key he used to do nefarious burglar/stalking things with last week.

KeyMe's security page also says that its scanning process is "designed to strictly prevent any use of flyby pictures."

Keys have to be off a keychain to be scanned, placed on a white piece of paper, and taken from 4" away. Furthermore, we require that users scan both sides of the key.

Sounds more secure?

Oh, dang: sorry, it turns out that none of that is guaranteed to actually work.

We know because Wired's Andy Greenberg gave it a go.

Here's what he wrote about those anti-creep precautions after he asked for permission to break into his neighbor's home earlier this week:

It claims keys can only be scanned when removed from the keychain (Not so; I left my neighbor’s on his ring) and must be scanned on both sides against a white background from 4 inches away. None of that posed a problem making my stairwell creep-scans.

KeyMe claims that it's providing accountability and data that's lacking when you make keys in the traditional matter.

But as Greenberg points out, the only way that KeyMe would trace the key copier would be if a target - in this case, his obliging neighbor - had known about KeyMe to begin with.

If his neighbor did know about KeyMe, he could scan his key, send it to KeyMe, and follow the electronic trail to determine who'd copied it.

Unsurprisingly, though, Greenberg's neighbor had never heard of KeyMe:

My neighbor had never heard of KeyMe or any services like it. If his apartment was robbed, he would have no clue that a little-known app had anything to do with it.

KeyMe isn't the only business out there doing this. In the US, its competitors include KeysDuplicated, and there's also the Belgian Keysave.

KeysDuplicated CEO Ali Rahimi sent WIRED a statement saying that "we're not a convenient service for anyone who wants to copy keys surreptitiously."

Its site reasons that thieves have always been able to duplicate keys, by imprinting them on clay or by measuring them with a key gauge, then copying them at a hardware store.

Those methods are easier than using a mobile phone app, Keys Duplicated argues:

A person with nefarious intent is more likely to choose these methods over Keys Duplicated because:

  • A credit card is required to ship the key, so in case of fraud, identity can be traced back. We'll cooperate with law enforcement inquiries in case of fraud (though nothing like that has ever come up).
  • We don't accept flyby pictures of keys. The key pictures must be high quality, and we need pictures of both the front and back. This way, if your keys are lying on the table, a passerby can't take a quick snapshot

Greenberg, in his new-found career as burglar, would argue that clay imprints or key gauges are in fact less convenient tools of the trade:

I have no idea how to do either of those things, and I nonetheless found breaking into my neighbor’s house with a smartphone scan to be pretty idiot-proof.

Of course, on top of all this, since the digital keys are stored in the cloud on somebody else's computer, you're, well, storing your keys on somebody else's computer.

KeyMe says it doesn't store information that could link a key with a location or a lock:

We don't know where you live and we don't want to know.

And as expert lock-pickers told Wired, they've always known that locks are easy to bypass. What's different now is that the public's beginning to learn that, as well.

The upshot: Keep your keys in your purse or your pocket.

Also, take care when you leave keys lying around on bars or the like, lest you get KeyMe'd.

Composite image of key imprint and phone courtesy of Shutterstock.

, , , ,

You might like

5 Responses to How to break into people's homes with your mobile phone

  1. mothew · 438 days ago

    'KeyMe says it doesn't store information that could link a key with a location or a lock'

    But if the images were geotagged, they could at least make a guess ata home location.

  2. AJ · 438 days ago

    Another useless app. It seems to me that if a person locks himself out of his house, then his car keys (and perhaps wallet and phone) are also locked inside.

  3. Freida Gray · 438 days ago

    They don't know where you live & don't want to know?So,how do they ship the key to you & how long will you be locked out before your key copy arrives?

    • Lisa Vaas · 437 days ago

      It's not a question of mailing it. You need to get the digital image to a key-cutting kiosk or a hardware store or the like. I guess that means you need a robe with pockets and never leave home without your phone, or some sort of access to the internet!

  4. Andrew Ludgate · 438 days ago

    "A credit card is required to ship the key, so in case of fraud, identity can be traced back. We'll cooperate with law enforcement inquiries in case of fraud (though nothing like that has ever come up)."

    Funny thing; these days, when you think of fraud, what are the first two words that come to mind?

    Credit Card.

    So unless the key is only shipped to the address on file for the credit card (which would indeed be about the best security they could hope for), a credit card isn't very much security.

    Along with this, this system gives no indication that the company is bonded, so they're collecting key images and bitting information with no evidence of locksmith registration or anything else. Normally, locksmiths and lockmakers are the only one with the bitting details; if you get a key duplicated, nobody knows anything about your key other than what blank you cut for the duplication.

    I do appreciate the bitting section of their app though; if they could store the bitting details on your phone and make the lookup anonymous, that would make duplication and lock repair easier for those with the equipment while not really making it any easier for malicious actors.

    Reminds me of something else I saw this weekend: door lock replacements that use bluetooth, so that if your phone moves in proximity to the door, it unlocks.

    Now, your phone is even more valuable, as it usually contains your home address, and now can also be the key to your door.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.