back to article 3D printer blueprints for TSA luggage-unlocking master keys leak online

The integrity of more than 300 million travel locks has been compromised after 3D printing files for a range of master keys were posted online. In other words, if you have a luggage lock with a keyhole for the authorities to use (saving them from smashing open your padlock), people can now print their own keys to open your bags …

Page:

  1. Notas Badoff
    FAIL

    Remember kids ...

    a government-backed security backdoor is an open door sooner or later, but you won't necessarily know when it opens. When your friends ask about security and 'reasonable' government demands, you now have a simple cautionary story to tell them.

    Thank you TSA! (cough, gag, ftbbht, isaidwhat?)

    1. P. Lee

      Re: Remember kids ...

      +1

      Far more dangerous than the compromise is the mindset behind the lock idea.

      1. Wzrd1 Silver badge

        Re: Remember kids ...

        The majority of luggage locks I can pick in 30 seconds. *Real* locks take me a minute or five.

        I'm not really good at picking locks, I just know how and haven't practiced it much.

        1. Tomato42

          Re: Remember kids ...

          @Wzrd1: the point is not about the TSA locks being hard or easy to lockpick before, or the luggage locks being hard or easy to locklpick before.

          The whole deal is that here we have an example of a "front-end door". It clearly shows that it doesn't matter if the technology was compromised knowingly or unknowingly for the end users. If there are alternative ways to get past the security they will leak sooner or later and they will get used by the bad people <insert "hacker" in balaclava here>.

          So indeed, "Thank You TSA!", we couldn't have gotten a better stick to beat NSA/FBI with!

          1. Michael Wojcik Silver badge

            Re: Remember kids ...

            The whole deal is that here we have an example of a "front-end door". It clearly shows that it doesn't matter if the technology was compromised knowingly or unknowingly for the end users.

            Yes. And that's why this latest twist1 - making the master keys more-widely available, and getting that story to the press - is a Good Thing. It exposes this particular bit of foolish and dangerous security theater for what it is.

            Much of the TSA nonsense and similar fear-mongering and false security is difficult to debunk in a manner that's easily comprehensible and interesting to most users. These TSA-approved luggage locks, on the other hand, are purchased by folks who are 1) already worried (about their luggage), and 2) won't have any trouble seeing the problem with "anyone can open that lock easily, in a way that you can't detect".

            Personally, I've never bothered locking my carry-on or checked baggage, because what's the threat model under which that offers enough return to make it worth the cost? Luggage locks were always trivial to defeat. But I know plenty of folks with TSA locks for "peace of mind", and now that's gone.

            1Sorry.

        2. Anonymous Coward
          Anonymous Coward

          Re: Remember kids ...

          Exactly... the things they are printing are nothing more than "jiggler keys", which you can buy from places like UK bump keys... the size of the locks prohibit any qualitative metalwork to actually make the pins precise so any pick or rake set will open them. Not to mention they are also vulnerable to padlock shims and comb picks. Luggage padlocks are nothing more than a delay mechanism, measured in seconds-minutes for someone who wants your stuff.

          1. dotdavid

            Re: Remember kids ...

            Forget picking the locks, you can get into a lot of luggage with just a biro if you want to.

        3. MissingSecurity

          Re: Remember kids ...

          30sec? Damn, them some high quality luggage locks. It seems like two or three scrapes and I can get them to pop.

          Edit:Spelling

  2. Anonymous Coward
    Anonymous Coward

    Well, so how about the brilliant idea of...

    Well, we should ask the FBI if the brilliant idea of backdoor by design agreed with vendors, in for example crypto, still sounds good. Not like we are going to hear any answer different from yet though.

    In any case, I am surprised it did not happen sooner. Most locksmiths will make you a key based on a lock. So the designs of the keys is just the "offical" leak. The keys are likely to have been available to the ones "interested" in them long before that.

    1. Graham 32

      Re: Well, so how about the brilliant idea of...

      Of course the FBI think it's a good idea. They want access to all data. This will give them access to all data. They care about your privacy as much as the TSA cares about keeping your luggage secure.

  3. John Smith 19 Gold badge
    Unhappy

    Looks like the Thieves Support Assocation is going to get some competition.

    Yet another classic example of the "Something must be done" multiplied by Security Theatre memes.

    Yay.

    1. LaeMing

      Re: Looks like the Thieves Support Assocation is going to get some competition.

      Yes, first thing I thought was "But the primary luggage thievery risk already had master keys issued to them!"

      1. Charles 9

        Re: Looks like the Thieves Support Assocation is going to get some competition.

        Well it's not like I bought the locks primarily to deter thieves. I bought them to keep them from accidental opening. But since they insist on those TSA locks...

    2. Franklin

      Re: Looks like the Thieves Support Assocation is going to get some competition.

      I will confess, my first thought was "Oh, look! Now when TSA steals my stuff, they'll have an excuse. 'It wasn't us! It must have been an evil 3D printer owner who made a copy of our key.'"

      I've never been particularly worried about some Random Evildoer(tm) stealing my stuff at an airport, to be honest. I've always been far more concerned about TSA staff doing that. And now, TSA staff have greater plausible deniability.

  4. Dave, Portsmouth

    Does anyone seriously believe crappy little suitcase locks perform any security function? They're more "privacy" locks than anything else - stops a nosey baggage handler at most. If someone wants to steal your stuff, they'll just take a knife to the usually flimsy fabric sides or zip it's attached to.

    1. Farmer Fred

      Exactly...

      This is why I never put anything in my hold luggage of any value/importance - those little locks take about 10 seconds to bypass even on good quality hard cases. Plus there is also the risk of your bag being sent on a round the world trip - especially if you are travelling via LHR T5!

      1. Triggerfish

        Re: Exactly...

        Yep, been to enough places were you have to dump the rucksack on the back or top of some bus or somewhere you can't keep an eye on it, everything valuable goes into the daypack that stays with me. Those locks won't even stop a half determined thief.

    2. stucs201

      Or if they want to be subtle then most cases can be opened with a biro to undo the zip and then closed again by sliding the zip backwards and forwards - leaving no sign it's been opened.

      1. Wzrd1 Silver badge

        "Or if they want to be subtle then most cases can be opened with a biro to undo the zip and then closed again by sliding the zip backwards and forwards - leaving no sign it's been opened."

        As the lock goes through the zip tab, your point is moot.

        It's like saying "I can get through the door after the padlock is removed, then close the door and nobody knows I was there", after replacing the padlock you ignored.

        No, that's not quite right.

        You're saying that you can remove the door hinge pins, open the door and manage to, by closing the door, reinstall the hinge pins.

        1. Lusty

          No, because most cases have two zip tabs which padlock together and still move.

          https://www.youtube.com/watch?v=G5mvvZl6pLI

        2. Anonymous Coward
          Anonymous Coward

          Oh but it is correct. You can force a zip apart. Comparing zips to doors is like comparing apples and oranges.

          Source: Old man has worked in airfreight / airline industry for decades. He has demonstrated this 'trick'. He will also never buy luggage with a zip on it.

          Security staff have been subtley opening luggage for decades. The TSA locks only legitimise it...I suspect it represents some level of legal consent.

          My preferred method of checking in baggage is covered in shrinkwrap and tape. Most airports ive passed through offer this as a service...not sure about Merkin airports though.

          1. Charles 9

            "My preferred method of checking in baggage is covered in shrinkwrap and tape. Most airports ive passed through offer this as a service...not sure about Merkin airports though."

            Try that in America and you'll find the shrinkwrap removed and the tape cut. #1 caveat of passing through America is that your baggage, both checked and carry-on, is subject to arbitrary search.

    3. Voland's right hand Silver badge

      Why knife?

      Side channel attack - pen in the zip, pry the zip open, do whatever you like, move the zipper back and fourth and it looks same as it used to.

      Any suitcase with a plastic zip is as good as wide opened. Metal zips are also susceptible to this attack (albeit a bit more difficult).

    4. MrXavia

      I have hard cases with integrated locks, and from the damage they have encountered, I know they've tried to get in before, but so far no one has managed!

      15 years of travel with the same sets of suitcases, and not one loss!

  5. Mark 85

    I'm not sure a 3D printer is needed or would work since the plastic output isn't all that strong. However, the plans, a mototool (Dremel or Proxxon) with small grinding wheels would work well. Just get a lock for each type to test before running the airport to create mayhem.

    But still, those luggage locks are joke.

    1. Dadmin

      "I'm not sure a 3D printer is needed or would work since the plastic output isn't all that strong."

      I'm thinking it's a template to make a mould to make permanent ones.

      "those luggage locks are joke"

      True, I first saw those and thought "these have backdoor keys to let the people who are most likely to steal my stuff to get to my stuff that much easier. It's h/w for morons. Like IoT.

      The whole business of flying in a post 9/11 world is a joke. TSA creeps feeling up all hotties, pilots too drunk to fly, pilots too angry to fly, shit service, every single item that is extra costs extra even though it used to be free. I hope to never fly ever again. Complete bullshit from beginning to end.

    2. Frumious Bandersnatch

      re: "the plastic output isn't all that strong."

      Well just 3-d print the master in plastic (or get someone else to do it for you) and get a locksmith to clone it onto a proper blank. No need to invest in machine tools when any corner shop will do the job for next to nothing.

    3. Triggerfish

      True, we have made keys using metal shims (admittedly with a lathe and files) for a yale lock, those would be no trouble.

  6. Boris the Cockroach Silver badge
    Flame

    I never

    knew the TSA used master keys

    I always thought they just smashed the locks open, put the note inside and said "tough luck"

    Ps

    I'm still annoyed about the TSA morons cutting the straps on my backpack to get it open despite the fact its only held shut by a plastic clip 2" from where they cut it

    1. Argh

      Re: I never

      I've only had the note in my case once, but I know my case has been looked in multiple times, due to cable ties being cut, contents rearrangement and sometimes internal zips/clips opened, that wouldn't be at all likely even with all the damage bags take. I didn't think they bothered officially letting you know, now.

      1. Alan Brown Silver badge

        Re: I never

        "I know my case has been looked in multiple times"

        I wonder how much trouble you could get in for having a strategically placed rat trap - the kind with serrated teeth on it - in your bag.

        1. Charles 9

          Re: I never

          I wonder how much trouble you could get in for having a strategically placed rat trap - the kind with serrated teeth on it - in your bag."

          You'd be detained tootsweet, I bet. Last I checked, mousetraps and other spring-loaded devices can only go into checked baggage unloaded.

  7. Brent Longborough
    Holmes

    Sorry, got the first sentence wrong

    "The integrity of more than 300 million travel locks has been compromised after 3D printing files for a range of master keys were posted online."

    Should be:

    "The integrity of more than 300 million pieces of luggage has been compromised after some stupid American numpty came up with the idea of backdoor keys, and some even more stupid American management numpty approved his idea instead of firing him, thereby granting access to luggage handlers worldwide."

    1. Anonymous Coward
      Anonymous Coward

      Re: Sorry, got the first sentence wrong

      "The integrity of more than 300 million pieces of luggage has been compromised after some stupid American numpty came up with the idea of backdoor keys, and some even more stupid American management numpty approved his idea instead of firing him, thereby granting access to luggage handlers worldwide."

      Hmm, still too polite, isn't it? It lacks words like "unbelievable f*ckwit" etc.

      1. Brent Longborough

        Re: Sorry, got the first sentence wrong

        Yeah, I had a very good lunch, so I was feeling magnanimous. But I promise, as I was writing, words like "brainfart" and "Mrs. Mimsy" were flowing liberally through my mind.

        1. Frumious Bandersnatch

          Re: Sorry, got the first sentence wrong

          words like "brainfart" and "Mrs. Mimsy" were flowing liberally through my mind

          Careful! Next thing you know, your mome raths will be outgribing ...

    2. Michael Wojcik Silver badge

      Re: Sorry, got the first sentence wrong

      You forgot the adjective "imaginary" before "integrity".

      Luggage locks have never provided any guarantee of integrity. They don't even improve the cost of violating integrity, except under some fairly specific attack modes.

  8. Anonymous Coward
    Anonymous Coward

    CNC machine make better keys

    Looking at those keys... they must be truly flimsy if the plastic from 3d printers works well with them.

    A CNC machine on the other hand, well, keys from that could work pretty well. ;)

    1. Voland's right hand Silver badge

      Re: CNC machine make better keys

      You do not use the plastic key - it is a master to do the metal one using normal key replication tools and a blank at the locksmith.

  9. Anonymous Coward
    Anonymous Coward

    Lock picking with two paperclips...

    For a four-pin filing cabinet lock, my record was about one second.

  10. Kevin McMurtrie Silver badge
    WTF?

    They have master keys?

    I've never seen a TSA approved lock that didn't break when dropped on the ground.

  11. Anonymous Coward
    Anonymous Coward

    This is why I always lock my luggage with

    a cardboard tag with the word 'padlock' written on it

    1. bazza Silver badge

      Re: This is why I always lock my luggage with

      Careful, your case might get replaced by a cardboard box with "Luggage" written on it...

      1. Anonymous Coward
        Anonymous Coward

        Re: This is why I always lock my luggage with

        More likely to read 'Lugaj'. That's OK though as it only contains photocopies of my clothes.

  12. Gerry 3

    Terrorists couldn't deter visitors as well as US officialdom has

    In my experience, the TSA idiots can't be bothered to use their master keys.

    They just cut off the TSA lock or the zip's thingy-with-the-hole, leave the case insecure and / or permanently damaged, seldom bothering even to leave a Damaged? Ha Ha, You Can't Claim Against Us ! note inside.

    And don't get me going about the 'welcome' you get at immigration and the rip-off ESTA fee...

    1. Anonymous Coward
      Anonymous Coward

      Re: Terrorists couldn't deter visitors as well as US officialdom has

      Do you think they'd take it the wrong way if I booby-trapped my luggage with an Alien chest-burster?

    2. Wzrd1 Silver badge

      Re: Terrorists couldn't deter visitors as well as US officialdom has

      "They just cut off the TSA lock or the zip's thingy-with-the-hole, leave the case insecure and / or permanently damaged, seldom bothering even to leave a Damaged? Ha Ha, You Can't Claim Against Us ! note inside."

      Traveling internationally 2005 - 2010, taking holiday at home in the US, I got a few notes on my unlocked baggage "This bag was searched by the TSA and we didn't find shit".

      OK, it didn't read *precisely* that, just close enough for government work.

      In one instance, I received an "enhanced screening" that involved a complimentary scrotum squeeze at the end.

      I stopped coming home on leave.

      My wife understood.

      I didn't go to Shanghai, lest TSA agents there press me into naval service.

  13. Anonymous Coward
    Anonymous Coward

    Oh come on, you can open those locks without a key very easily leaving no trace.

    What's the issue with 3d printers? first guns and now this. Anyone would think they are a potential problem.

  14. Stevie

    Bah!

    Manually operated Portable key fabrication and copying jigs have been around in the automobile dealer world since the 1970s. How do I know? Because the miracle of Netflix brought me the episode of Columbo where such a device was shown in use.

    Why do El Reg geeks always run for the most expensive and complicated solutions when it comes to bending metal in the real world?

    Dremels. 3D printers. Casting paraphernalia.

    Tch!

    1. Mark 85

      Re: Bah!

      Dremels are cheap and relatively easy to use for this. Even cheaper than the copying jigs last time I looked. Print the thing out, trace it on the blank and cut away. Doesn't take too long. I've made duplicates of luggage keys for my lady and it didn't take more than 5 minutes a key.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like