In a spectacular failure of a “back door” designed to give law enforcement exclusive access to private places, hackers have made the “master keys” for Transportation Security Administration-recognized luggage locks available to anyone with a 3D printer.
The TSA-recognized luggage locks were a much-vaunted solution to a post-9/11 conundrum: how to let people lock their luggage, on the one hand, but let the TSA inspect it without resorting to bolt cutters, on the other.
When the locks were first introduced in 2003, TSA official Ken Lauterstein described them as part of the agency’s efforts to develop “practical solutions that contribute toward our goal of providing world-class security and world-class customer service.”
Now that they’ve been hacked, however, TSA says it doesn’t really care one way or another.
“The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security,” wrote TSA spokesperson Mike England in an email to The Intercept.
“These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime,” England wrote.
“Carried and checked bags are subject to the TSA’s electronic screening and manual inspection. In addition, the reported availability of keys to unauthorized persons causes no loss of physical security to bags while they are under TSA control. In fact, the vast majority of bags are not locked when checked in prior to flight.”
In other words: not our problem.
How the Keys Were Hacked
Last month, security enthusiasts and members of a lockpicking forum on Reddit began circulating a nearly year-old Washington Post story about “the secret life of baggage,” and how the TSA handles and inspects airport luggage.
What no one had previously noticed was that the article included close-up photos of the “master keys” to TSA-approved luggage locks — which it turns out, are really easy to copy, as long as you can see the pattern of the teeth and have access to a 3D printer.
The photos were removed from the Post’s website, but not before privacy devotees spread the images far and wide.
Then, according to his self-published timeline, Shahab Shawn Sheikhzadeh, a system administrator and lockpicker, obtained an official-looking document with even more detailed imagery. Sheikhzadeh told The Intercept that anonymous hackers inspired by the Washington Post photos found a 2008 “Guide to Travel Sentry Passkeys” posted on Travel Sentry’s website.
Travel Sentry is the organization responsible for generating and enforcing security guidelines for TSA-approved locks, working with both the government and private manufacturers to guarantee its standards are being met. It does not sell or manufacture locks itself.
Steven Knuchel, a hacker/security researcher who goes by Xylitol or Xyl2k, used the detailed images obtained from the Travel Sentry website to create the kind of files that 3D printers use to produce models.
Since the files were first published, several people have demonstrated that they work, using inexpensive 3D printing plastic called PLA.
TSA’s nonchalant response to the proliferation of master keys is at odds with how the agency has historically advertised the approved locks.
“There’s a difference in how TSA talks about the locks to travelers and the statement they made,” said Chris Soghoian, chief technologist for the American Civil Liberties Union, after hearing the TSA’s statement to The Intercept.
Over the years, TSA has published various blog posts trumpeting the power of the locks to prevent all theft, writing, for instance, that the locks “will prevent anyone from removing items out of your … bags.”
Soghoian described that post as an example of TSA “lying to consumers” in a tweet. “There’s nothing in that blog post about ‘peace of mind’” being the reason for the locks, Soghoian told The Intercept.
Security experts, by comparison, have long recognized that TSA locks do not fully protect your belongings. University of Pennsylvania computer science professor Matt Blaze told Wired that he sometimes picks his own TSA-recognized lock to save time looking for the actual key, because it’s faster.
Chris McGoey, a security consultant specializing in travel safety, told the Intercept that “there are several ways of opening TSA locks short of having a 3D printer.” He explained that “TSA locks on luggage is only one step above having no lock at all especially on soft-sided luggage with zippers.”
The Problem With Backdoors
Although the actual impact remains unclear, the hacking of the master keys is a powerful example of the problem with creating government backdoors to bypass security, physically or digitally.
Most security experts and computer scientists believe backdoors for law enforcement inevitably make systems less secure, and easier for bad actors to break into.
Nicholas Weaver, a computer security researcher at Berkeley, wrote on the Lawfare blog about the TSA locks and how they are “similar in spirit to what [FBI] Director [James] Comey desires for encrypted phones.”
Comey has recently been trying to convince technology companies to design some sort of special way for his agents to access encrypted communications on digital devices. But companies including Apple and Google have resisted this pressure, insisting that developing backdoors will only weaken security that they have worked hard to improve for the sake of average customers around the world.
“In theory, only the Transportation Security Agency or other screeners should be able to open a TSA lock using one of their master keys,” Weaver wrote. “All others, notably baggage handlers and hotel staff, should be unable to surreptitiously open these locks. … Unfortunately for everyone, a TSA agent and the Washington Post revealed the secret. … The TSA backdoor has failed.”
Xylitol, the GitHub user who published the blueprint of the keys, said that was his point. “This is actually the perfect example for why we shouldn’t trust a government with secret backdoor keys (or any kind of other backdoors),” he wrote in an email to The Intercept. “Security with backdoor[s] is not security and inevitably exposes everyone.”
Soghoian tweeted a congratulations to the Post and TSA “for proving the stupidity of key escrow,” the arrangement in which keys needed to decrypt communications are held in escrow to be accessed by a third party if necessary. End-to-end encryption, which the FBI and the Justice Department have continually urged against, only allows for the sender and the recipient of a message to hold onto keys to decrypt the message.
Clarification: An earlier version of this story incorrectly reported that hackers had broken into Travel Sentry’s internal website.
Caption: Master TSA keys for various TSA-approved locks.