
Acoustic Side-Channel Attacks on Pin Tumbler Locks
Introduction
Security and safety are fundamental to daily human life, with physical locks serving as one of the oldest and most trusted means of protection. While traditional attacks such as lock picking require specialized skills and tools, emerging research has revealed new vulnerabilities that exploit the very mechanics of lock and key systems. This white paper, drawing on the work of Ramesh et al. (2020), details how the acoustic signatures generated during key insertion can be leveraged to reconstruct key profiles, posing a novel threat to physical security.
Understanding Pin Tumbler Locks
A pin tumbler lock operates through a series of spring-loaded pin stacks, each consisting of a key pin and a driver pin. These pins are housed within vertical chambers that span both the lock’s housing and its rotating plug. The shear line—the boundary between the plug and housing—must be unobstructed for the plug to rotate and unlock. Figure 1 shows how a pin tumbler lock operates with an inserted key.

A physical key is engineered with a unique sequence of ridges and notches, known as bittings. When the correct key is inserted, each ridge elevates its corresponding key pin so that the gap between the key pin and driver pin aligns precisely at the shear line. This simultaneous alignment across all pin stacks allows the lock to open. An incorrect key fails to achieve this alignment, preventing the plug from turning and ensuring security.
Acoustic Signatures During Key Insertion
As a key is inserted into a pin tumbler lock, its ridges interact with the pins, producing a series of audible clicks. Each click corresponds to a pin dropping into a new position as it traverses the slopes between bitting depths. These acoustic events are not random; they encode structural information about the key.
By recording the insertion process using a standard microphone—such as those found on smartphones—and applying a high-pass filter (targeting frequencies above 15 kHz), researchers can extract a click time series from the audio data. Using change point detection algorithms, the precise timing of each click can be identified, allowing for the measurement of inter-click intervals. These intervals are directly related to the distances between key ridges. Figure 2 shows this process.

Reconstructing Key Profiles from Audio Data
Although there is no direct one-to-one mapping between inter-ridge distances and bitting depths, a strong correlation exists. Each ridge forms between two adjacent bitting depths, and the horizontal spacing reflects the difference between those depths. By analyzing the sequence of inter-click intervals and applying known constraints from key design—such as Maximum Adjacent Cut Specification (MACS) and standard bit spacing—the search space for possible key codes can be dramatically reduced.
The process involves:
- Extracting the inter-bitting sequence from the audio.
- Applying key design constraints to filter out invalid key codes.
- Deterministically reconstructing possible key codes based on observed ridge spacing and initial bitting pairs.
- Discarding candidates that violate MACS or contain invalid bitting values, leaving a small set of likely key codes.
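To put numbers on this reduction from a defender's side, the following added example (not code from Ramesh et al. or from this paper) counts how many key codes pass the MACS filter and how many remain once the magnitude of every adjacent depth difference is known. The lock parameters in the demo (6 pins, 10 depths, MACS 7), the sample observation, and the leakage model in which each inter-click interval reveals exactly |d[i] - d[i+1]| are simplifying assumptions.

```python
# Added example: key-space accounting under constructed lock parameters.
# Assumed leakage model: each inter-click interval reveals |d[i] - d[i+1]| exactly.
from math import log2


def macs_keyspace(pins, depths, macs):
    """Count key codes (depths 0..depths-1) whose adjacent cuts differ by <= macs."""
    counts = [1] * depths  # counts[d] = valid prefixes ending at depth d
    for _ in range(pins - 1):
        counts = [
            sum(counts[p] for p in range(depths) if abs(p - d) <= macs)
            for d in range(depths)
        ]
    return sum(counts)


def residual_keyspace(abs_diffs, depths, macs):
    """Count codes consistent with the observed adjacent-difference magnitudes."""
    if any(x < 0 or x > macs for x in abs_diffs):
        return 0  # observation is impossible under MACS, so no code matches
    counts = [1] * depths
    for x in abs_diffs:
        nxt = [0] * depths
        for d in range(depths):
            for step in {x, -x}:  # the sign of each difference is not observed
                p = d - step      # depth of the previous cut
                if 0 <= p < depths:
                    nxt[d] += counts[p]
        counts = nxt
    return sum(counts)


def leakage_bits(abs_diffs, depths, macs):
    """Bits of key entropy removed by the observation, relative to the MACS key space."""
    full = macs_keyspace(len(abs_diffs) + 1, depths, macs)
    left = residual_keyspace(abs_diffs, depths, macs)
    if left == 0:
        raise ValueError("observation is inconsistent with the lock constraints")
    return log2(full / left)


if __name__ == "__main__":
    PINS, DEPTHS, MACS = 6, 10, 7      # constructed parameters, not from the paper
    observed = [3, 1, 0, 4, 2]         # constructed sample observation
    print("all codes:      ", DEPTHS ** PINS)
    print("MACS-valid:     ", macs_keyspace(PINS, DEPTHS, MACS))
    print("after leakage:  ", residual_keyspace(observed, DEPTHS, MACS))
    print("bits leaked:    ", round(leakage_bits(observed, DEPTHS, MACS), 2))
```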
Addressing Overlapping Acoustic Events
In practice, a typical lock contains six pins, each capable of interacting with multiple ridges. This results in a complex click stream with overlapping events. To resolve this, the analysis focuses on isolating clicks generated by a single pin—often the first pin—by identifying the inter-pin time offset (the delay between adjacent pins interacting with the same ridge). This simplification enables more accurate reconstruction of the key’s profile.
The system further refines its analysis by:
- Calculating the key insertion speed.
- Detecting and compensating for missing ridges, such as plateaus formed by adjacent bitting depths.
- Averaging ridge positions observed during both insertion and withdrawal to ensure data integrity.
Finally, an overlap filter ensures that the number of detected clicks matches the expected pattern for a given lock configuration (e.g., 21 clicks for a 6-pin lock). If the pattern does not match, the attack is aborted to prevent false positives.
Conclusion
This white paper highlights a significant and previously underappreciated vulnerability in traditional pin tumbler locks: the potential for acoustic side-channel attacks to compromise key security. As physical security continues to evolve, awareness of such novel attack vectors is essential for both manufacturers and users. The findings underscore the need for ongoing innovation in lock design and the adoption of countermeasures to mitigate emerging threats.