Lock pickers 3D print TSA master luggage keys from leaked photos of its ‘approved’ locks
Thanks to a security lapse by the American government agency, anyone with a 3D printer can now unlock every single padlock approved by the Transportation Security Administration (TSA).
In the age of 3D printing, the TSA is learning a basic lesson of physical security: if you have a set of master keys that can open locks you have asked millions of Americans to use, do not upload pictures of them to the internet.
On Wednesday, a group of lock-picking and security enthusiasts drove that lesson home by publishing a set of CAD files to GitHub that allow anyone to 3D print a precisely measured set of the TSA’s master keys for its “approved” locks, which are the ones the agency can open with its own keys during airport inspections. Within hours, at least one 3D printer owner had downloaded the files, printed one of the master keys, and published a video proving that it had unlocked his TSA-approved luggage lock.
To ensure the safety of travelers into and around the US following the 9/11 attacks, the TSA requires any lock on bags to be labeled as “Travel Sentry approved”, so that it can carry out searches without having to break the lock or bag.
The photos of the master keys first began making the rounds online last month. The Washington Post had unintentionally published them alongside an article about the TSA in November 2014. While the photos remained unnoticed for almost a year, lock pickers were quick to take advantage of the breach on finding it. The Washington Post took the picture down in August, but it was too late.
Copying a key from a photograph still takes skill, but a security researcher using the handle “Xyl2k” lowered the barrier to entry considerably. The files needed to 3D print all seven master keys were posted on the code-sharing site GitHub. Those who have printed them have confirmed that they work.
Citing a research paper by AT&T’s Matt Blaze, Xyl2k used the breach to argue publicly against the use of master keys in general. “Virtually all master keyed mechanical lock systems are at least theoretically vulnerable,” Blaze wrote in 2003. “Unfortunately, at this time there is no simple or completely effective countermeasure that prevents exploitation of this vulnerability short of replacing a master keyed system with a non-mastered one.”
OMG, it's actually working!!! pic.twitter.com/rotJPJqjTg
— Bernard Bolduc (@bernard) September 9, 2015
Pointing to the breach, security researchers have urged caution about calls for a similar approach to cyber security. Just a month before it published photos of the TSA’s master keys, the Washington Post called on tech companies to “invent a kind of secure golden key they would retain and use only when a court has approved a search warrant”. Following the call, the Electronic Frontier Foundation warned: “There is no way to put in a backdoor or magic key for law enforcement that malevolent actors won’t also be able to abuse.”
The campaign group continued: “Any key, even a golden one, can be stolen by ne’er-do-wells. Simply put, there is no such thing as a key that only law enforcement can use – any universal key creates a new backdoor that becomes a target for criminals, industrial spies, or foreign adversaries.”