Buongiorno Enrico, un amico mi aveva segnalato la notizia e avevo deciso di ignorarla, ma a questo punto :-) Enrico Nardelli <nardelli@mat.uniroma2.it> writes: [...]

https://cacm.acm.org/news/246744-picking-locks-with-audio-technology/fulltex...

Aggiungo che (come citato nell'articolo) si tratta di un POC (proof of concept) di attacco verso le serrature "semplici", quelle di tipo https://en.wikipedia.org/wiki/Pin_tumbler_lock; forse per altre più sofisticate questo attacco non è realizzabile? Ecco i cinque vettori di attacco per acquisire l'audio dell'inserimento della chiave, giudicate voi: --8<---------------cut here---------------start------------->8--- Acquiring the Audio Their first task was to work out how to surreptitiously acquire the audio from a key insertion, and the researchers suggest no less than five ways of going about it. First, in a walk-by attack, a spy simply walks behind somebody just as they unlock a door or locker, holding their phone out to furtively record the sound of the key going into the lock. So far, though, they have only done this with the phone an unrealistic 10cm (nearly four inches) from the lock. "We are still working on making this attack realizable," says Ramesh. Their second method takes another tack entirely: install malware on a victim's smartphone (or smartwatch) so it records and transmits key insertion audio via an Internet or 4G backchannel. Such viruses are already known in the wild. Third, they believe an attacker might hack a product like a domestic Internet of Things (IoT) device that contains a microphone, like a video doorbell, which is next to the lock, and acquire audio over the air. Again, this is a known attack vector. The fourth trick might involve long-distance microphones, the NUS team suggest, while a fifth might involve installing hidden microphones in a corridor of a set of target offices; over time, they suggest, attackers could quietly harvest door key audio for multiple offices. Once they have a key-insertion audio file, SpiKey's inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock's pins [and you can hear those filtered clicks online here]. These clicks are vital to the inference analysis: the time between them allows the SpiKey software to compute the key's inter-ridge distances and what locksmiths call the "bitting depth" of those ridges: basically, how deeply they cut into the key shaft, or where they plateau out. If a key is inserted at a nonconstant speed, the analysis can be ruined, but the software can compensate for small speed variations. The result of all this is that SpiKey software outputs the three most likely key designs that will fit the lock used in the audio file, reducing the potential search space from 330,000 keys to just three. "Given that the profile of the key is publicly available for commonly used [pin-tumbler lock] keys, we can 3D-print the keys for the inferred bitting codes, one of which will unlock the door," says Ramesh. What can be done about the risk this poses to homes, offices, and even your gym locker? Apart from inserting the key in the lock very quietly and slowly, as alluded to earlier, Ramesh suggests the key ridges that generate the clicks could be "smoothed out so that they are not pointed anymore" to reduce the chance of an acoustic attack. --8<---------------cut here---------------end--------------->8--- Ipotesi: e se mentre inseriamo la chiave picchiettassimo sulla porta o sullo sportello per generare sufficiente rumore da mascherare quello prodotto dal meccanismo di apertura? Qualche azienda potrebbe persino vendere un generatore di vibrazioni "a contatto" fatto apposta, no? :-D [...] Saluti, Giovanni -- Giovanni Biscuolo