How to break into people’s homes with your mobile phone

library
crime | hacking | security

Having a tough time breaking into your neighbor’s house?

No worries. There’s an app for that!

It’s called KeyMe, and it’s actually designed to help people who do things like wander outside to get their newspaper in their slippers, only to hear the decisive “click!” of a door locking shut behind them.

For the improperly shod/suddenly locked-door-challenged, the cloud-based “key management program” lets you scan keys from your phone, creating a digital version of your physical key.

Then the app enables you – or maybe a valet? or some random jerk who’s managed to photograph your key? – to make a copy of the key from a self-service key-cutting kiosk or a hardware store.

KeyMe’s security page assures the burglary-wary that “only you can scan your keys”.

KeyMe aims to secure your key by requiring email verification for mobile registration and fingerprint scans for kiosk registration. Also, you need to verify all transactions with a credit card.

It sends a confirmation mail every time there’s activity on your account. “This keeps you up to date and prevents any fraudulent activity,” it optimistically promises us.

Unfortunately, if you’ve never used KeyMe, aforementioned random jerk or moral-compass-deficient valet could pretend to be the legitimate key holder.

Notification emails would then simply serve to inform the bad guy himself, more or less, that he’s made another copy of that key he used to do nefarious burglar/stalking things with last week.

KeyMe’s security page also says that its scanning process is “designed to strictly prevent any use of flyby pictures.”

Keys have to be off a keychain to be scanned, placed on a white piece of paper, and taken from 4″ away. Furthermore, we require that users scan both sides of the key.

Sounds more secure?

Oh, dang: sorry, it turns out that none of that is guaranteed to actually work.

We know because Wired’s Andy Greenberg gave it a go.

Here’s what he wrote about those anti-creep precautions after he asked for permission to break into his neighbor’s home earlier this week:

It claims keys can only be scanned when removed from the keychain (Not so; I left my neighbor’s on his ring) and must be scanned on both sides against a white background from 4 inches away. None of that posed a problem making my stairwell creep-scans.

KeyMe claims that it’s providing accountability and data that’s lacking when you make keys in the traditional matter.

But as Greenberg points out, the only way that KeyMe would trace the key copier would be if a target – in this case, his obliging neighbor – had known about KeyMe to begin with.

If his neighbor did know about KeyMe, he could scan his key, send it to KeyMe, and follow the electronic trail to determine who’d copied it.

Unsurprisingly, though, Greenberg’s neighbor had never heard of KeyMe:

My neighbor had never heard of KeyMe or any services like it. If his apartment was robbed, he would have no clue that a little-known app had anything to do with it.

KeyMe isn’t the only business out there doing this. In the US, its competitors include KeysDuplicated, and there’s also the Belgian Keysave.

KeysDuplicated CEO Ali Rahimi sent WIRED a statement saying that “we’re not a convenient service for anyone who wants to copy keys surreptitiously.”

Its site reasons that thieves have always been able to duplicate keys, by imprinting them on clay or by measuring them with a key gauge, then copying them at a hardware store.

Those methods are easier than using a mobile phone app, Keys Duplicated argues:

A person with nefarious intent is more likely to choose these methods over Keys Duplicated because:

A credit card is required to ship the key, so in case of fraud, identity can be traced back. We’ll cooperate with law enforcement inquiries in case of fraud (though nothing like that has ever come up).

We don’t accept flyby pictures of keys. The key pictures must be high quality, and we need pictures of both the front and back. This way, if your keys are lying on the table, a passerby can’t take a quick snapshot

Greenberg, in his new-found career as burglar, would argue that clay imprints or key gauges are in fact less convenient tools of the trade:

I have no idea how to do either of those things, and I nonetheless found breaking into my neighbor’s house with a smartphone scan to be pretty idiot-proof.

Of course, on top of all this, since the digital keys are stored ~~in the cloud~~ on somebody else’s computer, you’re, well, storing your keys on somebody else’s computer.

KeyMe says it doesn’t store information that could link a key with a location or a lock:

We don’t know where you live and we don’t want to know.

And as expert lock-pickers told Wired, they’ve always known that locks are easy to bypass. What’s different now is that the public’s beginning to learn that, as well.

The upshot: Keep your keys in your purse or your pocket.

Also, take care when you leave keys lying around on bars or the like, lest you get KeyMe’d.