Deep in the bowels of the labyrinth that is the US’s Transportation Security Administration (TSA), luggage trundling along on conveyor belts gets barcoded, weighed, sniffed for traces of explosives, 3D imaged, and, if it appears suspicious, opened.
As The Washington Post detailed in November 2014, TSA handlers have a set of master keys to open all approved luggage locks, plus shears to snip off the unapproved ones.
Unfortunately, a photo of the master keys, in all their intricate glory, slipped out unintentionally last month when the newspaper posted the story online.
You can see the original photo on various news articles about, well, that photo and the rather alarming repercussions of it having been leaked: here’s one from BoingBoing that Cory Doctorow redacted, covering the keying patterns with black boxes.
It turns out that the photos began getting passed around online last month, after the newspaper unwittingly, and very briefly, published and then deleted a photo of the master keys in the article about the “secret life” of baggage in the hands of the TSA.
Even though it was online just briefly, there was time for lock-pickers (and thieves, of course) to copy the master keys and to thus be prepared to unobtrusively, undetectably open any luggage in the world – at least, any luggage that’s been manufactured in the past decade.
It’s now beyond conjecture: on Wednesday, a set of CAD files was published to Github. Anyone can use the files to 3D print a precisely measured set of the TSA’s master keys for its approved locks.
At least one 3D printer owner – Montreal-based Unix administrator Bernard Bolduc – within hours had downloaded the files, printed one of the master keys, and published a video showing that his printed key had opened his TSA-approved luggage lock.
He told Wired that it took him all of 5 minutes.
Xylitol – that’s the handle for the France-based but otherwise anonymous Github user who published the files – said in an email to Wired that it turned out better than he’d imagined:
Honestly I wasn’t expecting this to work, even though I tried to be as accurate as possible from the pictures. I did this for fun and don’t even have a TSA-approved lock to test. But if someone reported that my 3D models are working, well, that’s cool, and it shows… how a simple picture of a set of keys can compromise a whole system.
Bolduc, for his part, told Wired that Xylitol’s CAD files nailed it:
I didn’t do any modifications. It worked on the first try.
This isn’t a full-blown security catastrophe, mind you.
Even without a set of master keys to duplicate, lock-pickers have been able to pick the TSA-approved locks, which include models made by companies such as Master Lock, Samsonite and American Tourister.
Wired quotes University of Pennsylvania computer science professor and noted lock picker Matt Blaze:
I’m not sure anyone relied on these kinds of locks for serious security purposes. I find it’s actually quicker to pick the TSA’s locks than to look for my key sometimes.
So what about your luggage, staring at you from the back of your closet?
What are you going to do, use zip ties on your luggage rather than TSA-approved locks? Either one can be removed, and that’s nothing new.
But at least you can tell if a zip tie’s been cut.
Your thoughts? Open your brain lock and spill them below!
Image of Luggage with TSA Accepted Combination Lock courtesy of Shutterstock.com
Brad M.
I hate to say it but most TSA locks I have are easily defeated by a simple jiggler key same as you would use on cheap wafer locks.
Add the fact that most are defeated by a pair of wire or bolt cutters they are not what I would call secure locks, at best they are a false sense of security but they are the only lock you can use unless your securing a hard case with firearms inside.
Anonymous
I use a fluorescent orange zip tie, not likely someone who cuts mine would have one on hand to replace it with.
Paul Ducklin
They will now you’ve mentioned it.
(Only kidding. I use cable ties myself. Firstly, locks snag on things and damage the zip. Secondly, I don’t have to worry about fussing for the key if I need to get something out of the case. Thirdly, if someone wants to open my case to steal something, I’d rather have the case left intact. It’s a nice case – a lot nicer than my used clothes at the end of a trip :-)
Anonymous
That reminds me of my old summer job, years ago, working at a cash register in a store. At the end of the day, we were told to leave the cash drawers open overnight. The idea was that most of the cash had already been removed from the registers by then, anyway, and if someone did break in, the cash registers were worth a lot more than the cash inside them, so it would be better not to encourage breaking them open.
But yeah, luggage locks are not made to be unbreakable. If you have something really valuable, carry it on if you can, or arrange for alternate shipping.
Deonast
Years back I worked in retail. Yes we would leave the registers open after cashup the trays of money would go into a safe. Same reason to stop potential damage to the registers.
anaonymous2
I’d like to know how you get the zip tie off since your knife or cutters must be in your luggage. Can’t carry them on board in my experience.
Paul Ducklin
You can cut a cable tie by “sawing” it with another cable tie. The friction melts the static one. (But as another commentator points out, just use nail clippers. They’re allowed in your cabin baggage.)
P.G. (@Glitch1196)
I use zip ties with nail clippers for a key (ever since my “approved” Swiss mini knife was confiscated).
Now, about that backdoor encryption key the NSA promises to keep secret …
Joe
It’s getting hard to tell who is more of a problem — the government, with its boundless snooping and warrant-less searches, or criminals, always looking for ways to pick your locks and compromise your privacy. Doesn’t seem to be much of a difference.
Anonymous
aren’t they one and the same?
Wilderness
To stay within the air travel theme, I would say that there is a big difference between the TSA looking through your bag and a baggage handler opening your bag and taking your camera. One is a search, the other is a crime.
WIlbur
I think government is the bigger problem because there are still many people who believe (wrongly, IMHO) they are the solution. However, most people agree criminals are a problem.
Wilbur
Dave
I haven’t even bothered to lock my luggage when flying for the last decade or so. I never leave anything exceedingly valuable in checked luggage anyway (usually just clothing). If it’s valuable it gets carried on.
Tattooed_Mummy ♥️™ (@tattooed_mummy)
same here – though sometimes I tie ribbon through the zip points – mainly to ensure they don’t come undone by accident.
Damon Schultz
…and this is why a Government “back door” into encyption mechanisms is a non-starter. Replace “TSA master key” with ” encyption master key” and you can figure out the rest.
Deramin
I only use luggage locks to make sure the zipper doesn’t get accidentally opened in transit. Did anyone actually believe they would keep determined people from accessing your stuff?
Paul Ducklin
I guess you can say that the TSA locks are a reasonable convenience, because the inspectors can lock them again afterwards and thus keep them in “won’t easily open by mistake” mode. Admittedly, that doesn’t happen if they cut off a cable tie. And a lock, like a cable tie, does require a little bit of attentive fiddling to open, which may indeed make opportunistic “zip-and-grab” thefts less likely.