The only surprising thing here is that the master keys didn't leak sooner. This is a close physical analogue to why it's a very bad idea to mandate backdoors in encryption software. Hopefully the UK[1] and other governments will learn something from this, though I won't hold my breath.
Even more surprising thing is that you'd need some leak to pick this tiny lock. What protection mechanisms does it have that you can't reverse engineer within a day or so?
Probably Wired is more inclined to create some FUD around the fact that now this is freely accessible 'for anyone with 3D printer'.
For most TSA approved locks (the 3-digit combination locks) you can pick the rotating wheels to deduce the combo much more reliably than picking the keyhole, and you leave no trace.
I guess what I'm saying is that most TSA approved locks were already quite vulnerable to anybody who really wanted to pick them with or without a 3D printer.
Well AFAIK, each lock is unique, and while it's easy to pick each individual lock, it's harder to guess or derive from a few of those locks the master key that'll actually open them all.
That's generally not true. For example: you could buy a few copies of the same lock and take them apart. Unless there's something Really Funky going on, you can use the master oracle method as well (start with your working key, and change one pin at a time to derive the master key, as most locks with a master can be opened with all the pins set to the normal key and any one pin set to the master keying.
I'd say what this "leak" really did was (a) show the world that real security is hard to think about, and (b) make it easier for normal folks who don't know about how locks work to impress their friends with their ninja secret agent tools.
Really, this is all just a parable for the big fight over encryption. Do you really want to trust a government agency with any kind of control over how we lock down our stuff? Newp, nope, and noooope.
The real problem with these locks isn't the key, to be honest. The vast majority of TSA approved locks use a three digit combo, and I've yet to find a three digit combo lock that doesn't have a glaring weakness that lets you deduce the correct combo with a sheet of printer paper and sensitive fingers.
There's a small number of TSA approved locks that don't use the three digit combo. Those are a bit tougher to crack.
Oh, come on. You don't need a 3D printer for this. All you need is a piece of sheet metal and a CNC milling machine (or heck, even a manual milling machine and some skill at using it), that every moderately equipped machine shop has on hand.
You can't prevent people from having tools that can be used to manufacture things, and no one is seriously going to try.
Goodness, you don't need a milling machine, you can probably do this work with a dremel, or for that matter a file... You know, like locksmiths made keys decades ago.
Actually, 3d printer is a tool that's currently cheaper and more widely available than milling machines - the whole point of this is "hey, of course anyone with access to CNC or the skill to operate a manual milling machine could do it, but that's only a small niche, but now every idiot with access to a 3d printer can do it".
People and shops that are below the range of a moderately equipped machine shop can do 3d printing; a 3d printer that can make such a key from hard plastic costs less as a cheap manual milling machine that can make a similar key from metal and requires less skill to operate.
That would restrict it to locksmith basically (professional or hobbyist), as opposed to anyone that can find out how to run a 3D printer. Being a locksmith isn't scalable, using a 3D printer is.
No, if you can make a 3D printed model of it, you can CNC mill it. Sure, a CNC milling machine is a bit more expensive than the cheapest 3D printers, but anyone who wants can find a machine shop nearby that will mill something for them, or just send it off to some place online like eMachineShop to get it done.
and actually, it's not even that much more expensive. You can get a CNC Sherline mill for something like a $1500. Sure - the work area is small, they're mainly aimed at e.g. model builders, but it's big enough for something like this, and they're real honest to goodness CNC precision machine centers.
I fully expect we'll see some attempt at regulation at some point because the answer to "you wouldn't download a car, would you?" is actually an emphatic yes. That is to say, when the ability to turn information into product becomes easy and decentralized it will absolutely threaten any illusion governments have of control through standardization. Regulations are the clear path, for better or worse...
Why do you think they didn't leak sooner? It's trivial to reverse-engineer the master keys with a few example locks. Also, whenever I see an article about black-market tor sites that lists examples of available contraband, "sets of TSA / (city) master keys" are frequent fliers.
This is anecdotal but it gets me thinking. Sometimes in the late 90s I stopped putting locks on my luggage. Locks were once or twice removed previously - and once the customs put a note saying they had done it. I was travelling to Europe, the east of Africa and various Caribbean countries. Nothing was stolen - but the key thing was me not storing anything too expensive in there. Generally all my expensive objects are delicate and will be transferred in my hand luggage.
Perhaps it's safety in numbers. Perhaps it's a kind of camouflage and not signalling anything of worth. Perhaps it's because the level of risk of theft is incredibly low.
Custom agents in Australia at least have a kind jack-tool that they shove in the side of the zip, and it opens it. They can then go through the bag and just rerun the zippers over it and it zips it back up. Doesn't matter if they are locked or not.
I'll ad to this not to use a designer or even fake designer luggage for your check on. Use a beat up piece of crap so the luggage handlers don't wonder what is in it.
It isn't unrealistic at this point though to put a camera and a battery into luggage and just have it record the entire trip.
Instead I put an easily breakable cable tie on the zips as a tamper evident seal. The one time I've had a bag come back with it missing has been the time the TSA decided to inspect my bags.
vs a lock, which somebody can open and re-lock and I'd be none the wiser.
The tsa checks my snowboard bag every trip, both directions. Sucks for them, as it's full to the gills of sweaty sopping wet gear on the way home and I usually have to have someone sit on it to get it to zip up.
As a joke I would put those notes they leave when they inspect your bag in there. I was up to 22 of them when one stickler agent throw them all away except the new one. I was sad. It was fun to imagine them opening that bag every time I flew.
It is really easy to open a cable tie unharmed, and lock it again with that same tie. Just push the "lock" down with a sharp object.
Besides that the TSA has cable ties too. It's not like you can't buy them off the shelve. In your example case the TSA clearly didn't bother spending the time to make it not look like they opened your bag, but it isn't a very reliable way to see if they opened your bag.
Make sure to fix the zippers in place. Otherwise it is very easy to still open the bag by just prying open the zippers and closing them again by moving the tied-together zippers.
The chain always breaks by the weakest link. Considering that you can very easily open the zipper with a ballpoint pen (https://www.youtube.com/watch?v=wpIJVWXsBBI), and close it again as if it was never open, that the secret of the lock was revealed is irrelevant.
I just find it unbelievable that people were naive enough to believe that they can forever protect a master key that is distributed to thousands of people. You only need 1 rouge TSA employee, with a photographic memory and this whole system falls apart.
The locks aren't designed to be flawless. Even a shitty bolt cutter could take them down in 1 second. They are placed on canvas or plastic bags that can be cut open with a pocket knife. Or you could spend 20 minutes trying all 1000 combinations.
It's really just to prevent impulse theft from baggage handlers, bell hops, cab drivers, etc. Even after the leak, these are essentially just as effective as they've always been.
This kind of remind me of Israel. I traveled and worked with folks there a few times.
When go to/from/thru the airport, if I was with Hebrew speaking Jewish co-workers, everything would get thru in a few seconds.
There was one time I (Asian) was with Indian co-workers without the company issue security letter, we were search for 3 hours at the airport. Both of our laptop were completely disassembled and Xray multiple times. We were questioned for a long time separately by multiple people.
They must have our previous trip history base on passport record, etc. But ...
Anyway, later I asked a Jewish co-worker about is there any law in Israel about anti-discrimination base on race, color of skin, language spoken, etc. He said we always / must discriminated base on those info!
A different way for thinking compare the "official PC" view of US.
Israel doesn't have the Politically Correct police dominating their country because they only use Political Correctness to dominate other countries. https://www.youtube.com/watch?v=MFE0qAiofMQ
Not even an employee. I have a great memory for specific sorts of things—sequences of digits, for example—and I can easily remember the tooth pattern on a key after a good look. There are probably a great many people like me out there, some with ill intent.
Nice find, I'm not surprised. These "security researchers" on twitter are just playing into the whole security theater. A TSA lock offers no meaningful security. It's not physically secure, tamper evident nor prevent loss. It's not even a requirement for flying, it's a convenience feature so your bag doesn't open in transit and the TSA doesn't have to cut so many locks open.
Good thing no one in the govt is proposing the same thing for crypto.
As a side note, and plz don't flamen as this is a system hack, the only realy way to keep the TSA out of your bags and stealing stuff is to put a firearm in there. Even a starter pistol works. TSA can't handle fire ars so it's checked by local cops and then locked up with whatever locks you want. Tho you may not want to do this going to NYC.
Does this work with realistic airsoft guns? I could imagine this being an interesting hack without having to purchase and own an actual firearm for those of us who would rather avoid that.
Also, what is the screening process like with the cops? Does it take significantly longer? Is it shorter? Do they question why you are bringing it? Would it be a valid response to say "to make sure people with real security training are checking my luggage vs. the TSA?"
The process is "it's just business and it's your right". I felt self conscious the first time I did it as an adult, moving some guns from my mom's house to Washington. However no one gave a damn, I was expecting a "oh sh*t" from the checking agent but she didn't even blink.
It's about the same as checking skiis, you go over to the oversized bags area and you have to wait for a cop to walk over, takes maybe 3-10 minutes extra over a normal checkin. However you can I think go to the special lane by asking the person who is filtering around telling folks which lanes to use when checking in.
The valid reason to have a gun is "Murican". I feel weird saying this but 'it's a constitutional right'. I get more shit for bringing water into TSA than checking a gun onto a plane.
That really only applies if the user has some degree of skill with picking simple locks. Experieced locksport enthusiasts could probably pick it quickly, but for the vast majority of people a key would be easier.
I promise you that for the most commonly used TSA approved locks, this is not true. Many models consist of 2-3 pins and can be open in 1 second by jamming anything that fits into the the channel and wiggling.
Well it matters as a real-life not-too-technical example of why governments' desire to require a similar "master key" concept in cryptography is a really bad idea.
So we can say "remember what happened with the TSA master keys?". And even if they argue that nothing real bad happened because of this breach, we can say "well yes, because the locks weren't very secure to begin with, so it really was a pretty bad idea from the start".
BTW, about the locks not being secure, isn't that the case for almost every lock? Like, don't locks become real expensive very quickly once they start approaching some basic notions of actual security that would keep at least an amateur lockpick at bay? (including securing the stuff around the lock, like zippers, cloth, etc)
> The whole thing neatly illustrates one of the main problems with backdoors, whether in cryptographic systems or physical systems: they're fragile. [0]
The principle of the classical mechanical key is falling in pieces as well. Take some pictures of any key and one can make a double of it.
The idea of such a master key is incredibly stupid. It could also have been reversed engineered with an autopsy of a lock. The people who come up with such idea don't merit the trust and responsibility given to then.
Most RFID systems are similarly vulnerable. All HID iClass systems (supposedly smart-card based) use the same cryptographic key, which you can dump out of the memory of any reader if you are so inclined. The ID numbers of badges are printed on them, and this is usually enough to program a new badge as a clone or do some SDR trickery to imitate it.
But let's not forget that tailgating will get you past pretty much anything that isn't a turnstile. Turnstiles are really only in elevator lobbies, so if you can find a legitimate reason to be in some other part of the building you can just follow a legitimate user through any door, no matter how secure its locking mechanism. And failing that, almost no one properly authenticates cleaning staff or contractors.
it's really hard to believe the statistics about ever growing IQs, when you see what imbeciles lead the world. someone actually thought it would be a good idea if one key could open all luggage, and then gave that key to thousands of low paid TSA workers. did the US outsource most of its government work to a pack of baboons? this 3D printing, Washington Post's "carelessness", it's all irrelevant. this looks like 2+2=4, and i'm betting many experts would agree.
Yes. There was a recent thread where this process is explained. I'll try to find it, but basically:
You have one lock, and one key (not the master) for that lock, and a bunch of blanks.
You take the first blank. You cut a key that is identical to your key, except you vary the depth of a single cut. You repeat this until this new key works in your lock. That gives you the master key cut depth of one part of the key. You repeat this process forthe rest of the positions. You end up with a master key.
Slightly different process. The TSA keys aren't "master keys" in the normal locksmithing sense; they typically go into a separate lock that's only used for that key. For instance, the lock pictured in the article is normally used as a combination lock, not a key lock.
>I'd love to hand them out at airports to travelers as a demonstration of how terrible the TSA is.
I can almost guarantee you that you'll face criminal charges if you try to pull this off. Don't fuck with the TSA at the airport. Hand these out at a transit center or shuttle terminal near the airport so you aren't doing this within the TSA's jurisdiction, unless you're a fan of cavity searches.
You don't even really need to send off for it. You can cut a temporary key from an empty 2L bottle and a paper printout, and once you get it just right, you can duplicate that plastic key onto a metal blank at the hardware store.
An app certainly adds a bit of convenience, but it also takes out most of the fun.
Physical key locks gives people the feeling of security but its not so false it´s security! People think locks keep their things safe but they don´t except from amateurs.
Lock effectiveness is specified in time - how long your lock will prevent penetration. Just like a firedoor. Every door will burn, just some doors take longer than others.
I honestly feel like the risk of non-TSA people breaking into my luggage and stealing stuff is lower than the TSA stealing stuff while they go through my luggage (as has been proven many times that they do this).
So it seems the real threat I need to protect my luggage and belongings against is the TSA, yet the law is mandating that if I travel with luggage, they need to be able to open it.
Politicians are going to "solve" this by declaring it illegal and setting mandatory prison terms.
Are people forgetting TSA is entirely for security theater only and serves no real purpose?
What happened to all the protests at airports only a few years ago, amazing how everyone just caved in and the media moved on to the next squirrel. Then again we did the same for the NSA which is a far bigger problem.
Honestly I doubt it will become a big deal outside of the tech community. Most people realize luggage locks aren't really there to protect against a determined adversary, or a person with a ballpoint pen https://youtu.be/wpIJVWXsBBI?t=1m10s
What I've always found surprising is the arrogance that America (and maybe some Americans too, to an extent) displays in this context. In this day and age how is it right that a single country can mandate a requirement on every piece of luggage that passes through their airports? It might be a security concern, but there definitely are better ways to deal with this - all other 'first world' countries in the world do.
I'm pretty sure if India, China or any non-Western country did this, everyone would be up in arms about misuse, infringement of rights, etc. And yet when the TSA acts so stupidly (a photo shown to the public) and with multiple incidents of abuse of power from the TSA's side, the public opinion is still that the TSA is competent and well-intentioned.
I would call it hubris if they show capability, but this is downright arrogance.
I'm surprised no one is suing the government over this. Or is it like a EULA when you enter the United States that you agree not to press charges on such incompetence?
So what happens now? I have Samsonite luggage with what looks like more advanced TSA lock, 007.
The keys are not equal, some keys will be more difficult to print, like 006 for example. Or is it the same?
What can I do to disable the lock easily without compromising function of my luggage and without voiding the warranty?
What about legal aspect of you purchasing the luggage expecting certain lock security. And later you find out that anybody can produce a key to open your luggage? can I contact manufacturer of my luggage and ask them to replace the lock because it is compromised now?
The luggage was compromised when you purchased it. Heck, they even advertise it as a "feature." Here's a quote from Samsonite's website:
> TSA Lock - provides additional peace of mind when checking belongings, but can still be easily accessed by TSA agents in the event the case needs to be searched.
So compromised by design. So nothing has really changed, it was compromised then, it is compromised now. In either case most luggage can be opened with a ballpoint pen, by just force separating the zipper.
I myself won't waste money on a TSA lock. I want to discourage casual criminals, and I want to know if my bag was accessed, so I just purchase inexpensive zip-ties[0] in unusual colors (i.e. not white, typically orange, black, or green) and just zip tie up the bag, the TSA can cut it, but at least I'd know if they had. It is not "secure" but at least I cannot pretend it is. TSA locks can be opened without leaving any traces.
PS - Although even with a zip tie someone can open the zipper. I just assume that laziness will win out, and they'll just cut the zip tie instead.
I've done it on tens of flights, nothing bad happened yet. I've had my bag searched twice in all that time, and one of those two times I knew exactly WHY (there was a piece of camera equipment that may have looked odd under x ray, a "Giottos Rocket Blaster," they did unzip the inner-camera case, and leave a leaflet in the bag).
I do recommend if people zip tie they cut off the excess/tail so it cannot get caught in any machinery.
I've seen a lot of international frequent fliers who zip tie when they have to check bags.
TSA locks by design can be opened by anyone with a master key. Normal luggage with soft walls and a zipper will always be easy to open without touching the lock. You could get a hard case with a normal padlock that has to be cut. Then you would know that whoever opened the case had bolt cutters at least.
I've never feared other passengers getting into my luggage. I have always feared the baggage handlers doing the robbing and they have the keys so no worries.
It seems likely that the uploader had the master keys in his private possession for a long time, but only decided to upload the pictures due to the keys being leaked anyway.
You don't need any lock-picking skill. Physically bruteforcing through 1000 combinations really doesn't take that long. I did it once for my aunt (who forgot her combo) in a matter of minutes.
Good. Burn the drapes of the security theater. Maybe when people realize that actual safety isn't the same as bending over for the TSA we'll be in a better spot.
The photos weren't really leaked. They were purposefully, proudly, and affirmatively held up by a senior TSA official so a news reporter could photograph them.
While these locks are so easily defeated that this really doesn't make anyone significantly less safe, it does demonstrate that the TSA knows absolutely nothing about security.
I'm not sure if it tells us anything about what the TSA knows about security. It was already pretty apparent they didn't know much there. Even just looking at the locks, the master keys would have been pretty easy to reverse engineer from the locks themselves, which of course are sold all over the place.
What's interesting to me is that this shows they don't even know about pretend security. Releasing these pictures doesn't impact real security much, but it does impact the impression of security they try to give to the average idiot.
I am curious if the TSA even uses these keys? I am sure 90% of the time these TSA approved locks are attached to luggage with zippers.
For some reason I have a hunch that TSA agents probably just part the zipper with a bic pen, do whatever inspection is necessary, and re-seal the bag. Seems a bit quicker than fumbling around for the right key.
I read in another article about this topic that guards in (US) prisons wear a cloth casing/cover over the end of their keys, only to take out the security-sensitive part when they actually use them.
[1] https://www.techdirt.com/articles/20150702/00134231524/david...