Most people know they should not attach anything to their key chains that could be tied to their identity. If your house keys are lost, you certainly don't want the finder to know where you live. But what if a thief could make a copy of your home, office or car keys using nothing more than a picture posted to the photo-sharing Web site Flickr or a social networking site such as Facebook?



Sounds far-fetched, but a team of researchers at the University of California, San Diego, proved it can be done. Using their Sneakey system, comprising a camera, some custom-developed software and a key-cutting machine, the researchers duplicated keys from images pulled off of the Web and photographs of keys taken from as far away as 200 feet (61 meters) using a high-powered telephoto lens.



"There is a five-digit number that represents all of the information in a standard key," says U.C. San Diego computer science professor Stefan Savage, who supervised the research conducted by computer science graduate student Kai Wang and Ben Laxton, a former computer science grad student at the school who now works as a computer scientist for Fair Isaac Corporation, a software company based in Minneapolis. Savage presented their findings last month at the Association for Computing Memory's Conference on Computer and Communications Security in Alexandria, Va. "You type that code into a key-cutting machine and it makes a perfect replica," he says.



During the presentation, Savage visited the Flickr.com Web site and found images of keys to prove just how easy they are to find. "Some people take pictures of all the things in their pockets," he says. (One quick search found a photo entitled, "What's in my bag," a photo that included a set of keys.) The irony: whereas most people will blur items in these photographs that might identify private information, "the keys are there in their full glory," Savage says. "It's a secret that you show in public." This is why, he adds, a lot of high-value items, such as luxury cars, have changed their mode of entry from keys to wireless electronic devices.



Laxton developed software with Wang's help that could analyze a photograph or image of a key and determine the dimensions of its peaks, valleys and plateaus. Sneakey was most effective if the key to be copied was made from a common brand such as Black & Decker's Kwikset or Ingersoll Rand's Schlage. That way, the researchers could find the proper key blank, map the copied key's dimensions to the blank, and grind out a duplicate. If the key was made from a type that the researchers could not obtain, they were less likely to be able to make a usable copy. The software was able to calculate a key's dimensions, also known as its "bitting code".



A locksmith can replicate keys using a trained eye to determine the measurement of the cuts without the aid of software, but Sneakey would make this skill available to the rest of us. Laxton says he is considering tweaking the software so that it can copy more complex keys, but Savage says he has no interest in commercializing the key-duplication technology. "We made the point that we were interested in making," he says. "Relatively few organizations would have a legitimate interest in this." Still, he adds, Sneakey "gets us to think about the impact that computer security has on physical security."