Key-cloning app lets you (or a stranger) copy your key with a photo

It”s Friday, mere hours away from a well-deserved weekend. In that spirit, let”s take a break from topics such as ransomware and encryption keys, and take a look at the old-fashioned kind of keys. Namely at KeyMe, an app + service that allows you to duplicate physical keys by just photographing them.

Despite being marketed as an answer to frustrating lockouts, KeyMe actually makes it ridiculously easy to steal someone”s house keys. It works like this:

With the free app for iOS and Android, users scan a key and send it to KeyMe to have a new one created and mailed to them. The service can save you a trip to the locksmith and let you customize your key with cool designs.

Users must place the key on a white sheet of paper and shoot it from both sides. On request, KeyMe uses the scans to create an exact duplicate which they mail to you, or anyone else making the request. They even do car keys.

“Avoid repeat trips to the locksmith,” reads the company”s website. “Traditional locksmiths manually trace your keys. Our patented technology digitally scans your key and creates a perfect duplicate aligned to factory specifications, guaranteed to work. Your key, only more accurate.”

The service is simple to conduct because of a thing called key bitting, which refers to how the “teeth” on a key are cut and arranged to lift individual pins to a correct height, at which point the lock is opened. The bitting tells a locksmith how to cut a key to make an additional copy.

Each manufacturer offers its own key bitting with unique properties so as to create a wide variety of possible combinations, ensuring that no other key (or at least not many other keys) can open the same lock.

The company says it offers “the most secure way to copy keys,” claiming it does not store information linking your key with a certain lock or location, and that it deletes mailing access once the order has been shipped. Nothing wrong with that.

But even though all transactions are verified with a credit card and email confirmation, that doesn”t prevent a complete stranger from creating their own account, scanning a key that doesn”t belong to them and requesting a copy be sent to their address. Are we missing something?

We can”t help but recall the Washington Post”s blunder in 2015 when the publication, aided by a similarly heedless TSA staffer, posted a close-up of the entire spread of TSA master keys, which allowed lock-pickers to copy the “teeth” pattern and devise their own duplicates.