The idea behind KeyMe is very cool: A kiosk that lets you scan, copy, and store a digital version of the keys you use to unlock your house, office, and car. If you lose your keys, you just stop by the nearest KeyMe kiosk and print a new one. No locksmith necessary.
KeyMe recently secured a new round of funding according to Venture Beat, and plans to add 3,500 more kiosks to the small batch of already existing ones that can be found at places like Lowe’s and 7-Eleven.
With countless instances of user data being exposed online via server exploits and hacks, though, the biggest question is, is this safe?
KeyMe requires a fingerprint to retrieve keys, via either their mobile phone app or at their kiosk. They have pretty specific requirements for sending in photos of keys to make sure people aren’t snapping pics of your keys as they walk by and sending those in. If you have an account, they’ll also notify you any time there’s activity on your account.
KeyMe says they don’t store information linking a stored key with a physical location, and that they delete mailing addresses once a key is shipped. The only information linked to your key is your username and password.
There’s a lot of cool stuff going on here – it’s incredibly convenient and could theoretically keep you from spending tons of money on things like a locksmith for your home or heading to your car dealership for a FOB key.
But there are some huge loopholes in their plan that make me wary of not only using the service but the service even existing in the first place.
First, username information is stored with keys. I don’t know about you, but I don’t usually make a new email address for every single login. I have a few, sure, but most users are going to use the same login information they use for everything else when they setup these accounts. Thanks to that, linking a username to a real name and a real name to and address is likely to be trivial for a determined party.
And then there’s the analog loophole.
To submit a key via their app, you have to photograph your key from both sides, on a sheet of white paper, from 4″ away. That keeps people from, as I mentioned before, taking flyby shots. That doesn’t, however, stop someone from popping keys off the keychain and taking a quick shot of it against a piece of paper while someone’s in the bathroom.
There’s also the question of what KeyMe does with deleted user data. Some sites delete data, others simply mark it as deleted and make it “inaccessible,” which doesn’t matter much in the instance of a data breach. The company claims that their system allows a data trail to accompany any key copy, so that if someone copies your key and breaks into your house, you could scan your key and see if it matches any recently scanned keys, suggesting that they keep data around. But what if I suddenly get nervous about having my keys online and want to delete them? Neither option really answers both questions.
The app can do some cool stuff – you can share keys between users – handy for households with multiple roommates or travel situations. You can order a key from the app. Many keys are available in different paint jobs, which could ease sorting through them when you’re trying to get in your front door.
But some of the security holes the very concept presents makes it a dangerous idea. It’s far too easy right now to get a hold of someone’s keys and scan then in, and there’s really nothing KeyMe can do to protect your keys from simply being scanned.
KeyMe is nothing new – they’ve been around for a few years now. But with this new funding, they’re set to explode from less than two hundred locations to more than 3,500 thanks to “explosive retailer demand.” Access to the kiosks will be that much simpler and faster. Even their FAQ says that “KeyMe should only be used for keys that you have the full rights to duplicate.”
Surreptitious key duplication isn’t new to KeyMe – thieves have been doing it for years. But this method is all but idiot-proof, and incredibly convenient in a way previous methods have never been, as Wired demonstrated during the company’s infancy back in 2014.
With email, you can protect yourself simply by staying offline, if you want to go nuclear. You can can set a unique password and change it whenever. The server can notify you when someone logs in. But most doors aren’t smart these days and have no way to notify you if your door has been unlocked without your permission.
Even if there’s never a data breach, there’s enough here to raise both eyebrows.