In a spectacular failure of a “back door” designed to give law enforcement exclusive access to private places, hackers have made the “master keys” for Transportation Security Administration-recognized luggage locks available to anyone with a 3D printer.
The TSA-recognized luggage locks were a much-vaunted solution to a post-9/11 conundrum: how to let people lock their luggage, on the one hand, but let the TSA inspect it without resorting to bolt cutters, on the other.
When the locks were first introduced in 2003, TSA official Ken Lauterstein described them as part of the agency’s efforts to develop “practical solutions that contribute toward our goal of providing world-class security and world-class customer service.”
Now that they’ve been hacked, however, TSA says it doesn’t really care one way or another.
“The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security,” wrote TSA spokesperson Mike England in an email to The Intercept.
“These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime,” England wrote.
“Carried and checked bags are subject to the TSA’s electronic screening and manual inspection. In addition, the reported availability of keys to unauthorized persons causes no loss of physical security to bags while they are under TSA control. In fact, the vast majority of bags are not locked when checked in prior to flight.”
In other words: not our problem.
How the Keys Were Hacked
Last month, security enthusiasts and members of a lockpicking forum on Reddit began circulating a nearly year-old Washington Post story about “the secret life of baggage,” and how the TSA handles and inspects airport luggage.
What no one had previously noticed was that the article included close-up photos of the “master keys” to TSA-approved luggage locks — which, it turns out, are really easy to copy, as long as you can see the pattern of the teeth and have access to a 3D printer.
The photos were removed from the Post’s website, but not before privacy devotees spread the images far and wide.
Then, according to his self-published timeline, Shahab Shawn Sheikhzadeh, a system administrator and lockpicker, obtained an official-looking document with even more detailed imagery. Sheikhzadeh told The Intercept that anonymous hackers inspired by the Washington Post photos found a 2008 “Guide to Travel Sentry Passkeys” posted on Travel Sentry’s website.
Travel Sentry is the organization responsible for generating and enforcing security guidelines for TSA-approved locks, working with both the government and private manufacturers to guarantee its standards are being met. It does not sell or manufacture locks itself.
Steven Knuchel, a hacker/security researcher who goes by Xylitol or Xyl2k, used the detailed images obtained from the Travel Sentry website to create the kind of files that 3D printers use to produce models.
Since the files were first published, several people have demonstrated that they work, using inexpensive 3D printing plastic called PLA.
The geniuses @TSA require us to use luggage locks for which they have master keys. Now we all have those keys. pic.twitter.com/cdT487Elxj
— J0hnny Xm4s (@J0hnnyXm4s) September 10, 2015
TSA’s Response
TSA’s nonchalant response to the proliferation of master keys is at odds with how the agency has historically advertised the approved locks.
“There’s a difference in how TSA talks about the locks to travelers and the statement they made,” said Chris Soghoian, chief technologist for the American Civil Liberties Union, after hearing the TSA’s statement to The Intercept.
Over the years, TSA has published various blog posts trumpeting the power of the locks to prevent all theft, writing, for instance, that the locks “will prevent anyone from removing items out of your … bags.”
Soghoian described that post as an example of TSA “lying to consumers” in a tweet. “There’s nothing in that blog post about ‘peace of mind’” being the reason for the locks, Soghoian told The Intercept.
Security experts, by comparison, have long recognized that TSA locks do not fully protect your belongings. University of Pennsylvania computer science professor Matt Blaze told Wired that he sometimes picks his own TSA-recognized lock to save time looking for the actual key, because it’s faster.
Chris McGoey, a security consultant specializing in travel safety, told The Intercept that “there are several ways of opening TSA locks short of having a 3D printer.” He explained that “TSA locks on luggage is only one step above having no lock at all especially on soft-sided luggage with zippers.”
The Problem With Backdoors
Although the actual impact remains unclear, the hacking of the master keys is a powerful example of the problem with creating government backdoors to bypass security, physically or digitally.
Most security experts and computer scientists believe backdoors for law enforcement inevitably make systems less secure, and easier for bad actors to break into.
Nicholas Weaver, a computer security researcher at Berkeley, wrote on the Lawfare blog about the TSA locks and how they are “similar in spirit to what [FBI] Director [James] Comey desires for encrypted phones.”
Comey has recently been trying to convince technology companies to design some sort of special way for his agents to access encrypted communications on digital devices. But companies including Apple and Google have resisted this pressure, insisting that developing backdoors will only weaken security that they have worked hard to improve for the sake of average customers around the world.
“In theory, only the Transportation Security Agency or other screeners should be able to open a TSA lock using one of their master keys,” Weaver wrote. “All others, notably baggage handlers and hotel staff, should be unable to surreptitiously open these locks. … Unfortunately for everyone, a TSA agent and the Washington Post revealed the secret. … The TSA backdoor has failed.”
Xylitol, the GitHub user who published the blueprint of the keys, said that was his point. “This is actually the perfect example for why we shouldn’t trust a government with secret backdoor keys (or any kind of other backdoors),” he wrote in an email to The Intercept. “Security with backdoor[s] is not security and inevitably exposes everyone.”
Soghoian tweeted a congratulations to the Post and TSA “for proving the stupidity of key escrow,” the arrangement in which keys needed to decrypt communications are held in escrow to be accessed by a third party if necessary. End-to-end encryption, which the FBI and the Justice Department have continually urged against, allows only the sender and the recipient of a message to hold the keys needed to decrypt it.
Clarification: An earlier version of this story incorrectly reported that hackers had broken into Travel Sentry’s internal website.
Caption: Master TSA keys for various TSA-approved locks.
At SOME point, Americans will HAVE to take their lives back from the government. Either that, or we’re DONE. This is the last shot. There AREN’T any more elections. If we don’t get this one right, we’ll need a revolution to rid ourselves of the takers and the users and the invaders.
Why should the TSA care about the locks being hacked?
I’ve flown several times in the past few years, and I could tell that they never even used the keys…. they just took a pen, or some other similar object and jammed it in the zippers on my bags, checked the insides, then simply moved the zipper over the opened part to seal it again.
On the other hand, if you’ve locked the bags and taken them to the airport, once checked, isn’t it fair to say the facility is secure enough that the only people who would be able to steal stuff are in fact TSA personnel?
Isn’t a TSA Lock one step *below* having no lock at all? I mean, having no lock is your way of saying there’s nothing valuable in this bag. It’s a sentiment TSA fans should know well: locking your luggage makes it look like you have something to hide!
Key escrow, LOL.
The US of Everything Is Rigged, Illegal (or pending)
The whole premise of locking your bag when the TSA is involved is flawed and it’s not the locks which are the problem. My experience is in 8/10 international trips originating from the USA the TSA unlocked my TSA approved lock then didn’t bother relocking it anyway.
I’ve lost items from my luggage (either through the TSA not bothering to put everything back, thieving items, or someone opening my bag at a US transfer point). Of course at my final destination the airline and security have absolutely no care and take absolutely no responsibility. I’ve been told to email the TSA, and this is totally pointless.
The TSA inspection cards do not identify an inspector, and there’s no way of identifying what time, which port or where else the luggage was opened. This is the real issue.
Moving to zip ties (and putting extra zip ties with instructions for the TSA agent inside the bag, assuming they can read and might be bothered to follow the instructions) might work some of the time, in Asia they wrap a 1/4 mile of plastic wrap around the whole bag but I’m sure the TSA would just cut through the plastic wrap (and probably the bag too). Of course this is incredibly wasteful as well.
How can we avoid having bags opened at all? Have them pre-inspected before transit, and remove the requirement for the TSA to open anything airside unless it x-rays as suspicious. As a frequent flyer I’d happily pay a yearly fee to have an approved third party do this, and zip lock my bag with a numbered trackable zip tie if that was the agreeable solution for TSA security.
– international travel around 10-12 trips a year, only had things stolen in the USA
– domestic AU travel around 50 trips a year (I don’t lock my bags, never had anything stolen)
Luggage locks, in general, have always been a joke.
I’ve had stuff stolen from my bags. The thieves didn’t bother picking the lock. They just cut right through the luggage body itself. And American Airlines’ response was to do absolutely nothing. They are apparently not authorized to do anything but apologize a lot.
The TSA locks are slightly more secure than the cheap junk locks that come with bags – those can usually be picked with any flat piece of metal, including the keys from any other brand/model of luggage.
Do we know how many different master keys were distributed? The article here shows 7 different ones, but I’ve got locks purchased more recently (than the 2008 article they got the images from) which have numbers much greater than 7. So I’m wondering if master keys for those newer ones are also circulating.
All that being said, the real point (which the article states) is that it demonstrates how any kind of back-door system will always be unacceptable. No matter how honest you think the keepers of the back-door might be, it means that one hack can bring down the entire system. And that’s what happened.
Stupid TSA compounded by stupid travelers. In fact, most zippered luggage can be opened by defeating the zipper with a ball point pen. Valuable stuff goes in carry on with resistant zippers and regular locks that you remove for security.
Even that is not perfect but is much better.
The entire TSA is for “peace of mind” and not part of any “security regime”.
Why is it no one has filed a class action suit yet on these?
TSA / DOJ minions.
FBI STASI crew!
I Watch, InfagGuard, Citizens Coupe….
Even stupider is the TSA’s gleefully triumphant defense that the majority of checked luggage is completely unlocked anyway, so nyaah nyaah!
Not only can TSA luggage handlers continue to steal from passengers, but infiltrators can insert explosives or weapons into luggage any time they want.
They could already do that anyway on one of the unlocked bags, or pick a locked one. More of an issue of background checks on screeners and baggage handlers.
Pfft.
400 TSA fired for stealing items from luggage.
One TSA staff stole an iPad and the device was tracked to their home.
Number of terrorist acts prevented by TSA: 0
Number of Terrorists harassed: 0
Number of innocent American citizens harassed, groped, abused, prevented from flying and stolen from: millions.
TSA is piece of mind security in its entirety. They failed 95% of security tests.
I have yet to be groped by TSA. Maybe I should dress sexier?
Do you go through the useless bodyscanners?
I used to resist them, but I don’t bother any more.
As a matter of fact, locks on luggage have always been no more than palliative. If someone wants to steal your luggage, they can do so quite readily, and open it at their leisure. The only marginal benefit of luggage locks is in enabling one to detect a surreptitious search, and of course that benefit disappeared as soon as the TSA locks appeared.
There are a number of ways to keep information out of the hands of the TSA, but putting it in your luggage is not one of them.
Well said.
Looks like TSA key #4 will fit the cheesy locks I use on my checked baggage.
It doesn’t matter really, because the TSA will use their master keys to steal your stuff anyway
The trouble with back doors is not only that they make us vulnerable, they create the easiest way for governments to place false evidence in your bag, your computer or your mobile phone. We just have to trust that they won’t do such, but they act like heroes on hollywood movies, who break the law mindlessly whenever they think they are the good ones and you the bad one. It does not matter if the evidence is right or wrong as long as they get the suspect jailed, you know… It makes me shiver…
From the TSA’s point of view, anything removed from your luggage is one less item they need to worry about. So of course they’re unconcerned. They probably published the pictures of master keys deliberately, to discourage people from checking any luggage since that will reduce their screening workload. The US government realizes it made a big mistake allowing people freedom to travel in the first place. As the No-Fly lists expand, that will change.
Alas, to the degree that people stop carrying any luggage at all the burden shifts from the TSA to the FBI, because should you attempt to board a flight without any luggage, you will be subject to immediate arrest as a terrorist. That wouldn’t be the case had the 9/11 terrorists shown the courtesy of checking some luggage. But then, you are correct: the US will eliminate its aircraft terrorism threat as soon as the No-Fly list expands sufficiently.
Indeed! Next time I fly, I’ll check a bag containing a homemade electronic clock. I am sure it will be gone by the time I reach my destination, no doubt to be used by ISIS in field operations. And a TSA agent will return my empty bag to me with a sheepish grin on his face.
The TSA ARE the luggage thieves.
This is a very good, real-time and practical example of why back doors are so heinous. One that everyone who travels ought to be able to relate to. Doesn’t hurt that it also piggybacks on all the other heinous crap that TSA subjects travelers to with no proof that any of it actually works at all.
I smell a nasty, messy and probably successful lawsuit in here somewhere. We should be able to lock our luggage because of this.