back to article 3D printer blueprints for TSA luggage-unlocking master keys leak online

The integrity of more than 300 million travel locks has been compromised after 3D printing files for a range of master keys were posted online. In other words, if you have a luggage lock with a keyhole for the authorities to use (saving them from smashing open your padlock), people can now print their own keys to open your bags …

  1. Notas Badoff
    FAIL

    Remember kids ...

    a government-backed security backdoor is an open door sooner or later, but you won't necessarily know when it opens. When your friends ask about security and 'reasonable' government demands, you now have a simple cautionary story to tell them.

    Thank you TSA! (cough, gag, ftbbht, isaidwhat?)

    1. P. Lee Silver badge

      Re: Remember kids ...

      +1

      Far more dangerous than the compromise is the mindset behind the lock idea.

      1. Wzrd1

        Re: Remember kids ...

        The majority of luggage locks I can pick in 30 seconds. *Real* locks take me a minute or five.

        I'm not really good at picking locks, I just know how and haven't practiced it much.

        1. Tomato42 Silver badge

          Re: Remember kids ...

          @Wzrd1: the point is not about the TSA locks being hard or easy to lockpick before, or the luggage locks being hard or easy to locklpick before.

          The whole deal is that here we have an example of a "front-end door". It clearly shows that it doesn't matter if the technology was compromised knowingly or unknowingly for the end users. If there are alternative ways to get past the security they will leak sooner or later and they will get used by the bad people <insert "hacker" in balaclava here>.

          So indeed, "Thank You TSA!", we couldn't have gotten a better stick to beat NSA/FBI with!

          1. Michael Wojcik Silver badge

            Re: Remember kids ...

            The whole deal is that here we have an example of a "front-end door". It clearly shows that it doesn't matter if the technology was compromised knowingly or unknowingly for the end users.

            Yes. And that's why this latest twist1 - making the master keys more-widely available, and getting that story to the press - is a Good Thing. It exposes this particular bit of foolish and dangerous security theater for what it is.

            Much of the TSA nonsense and similar fear-mongering and false security is difficult to debunk in a manner that's easily comprehensible and interesting to most users. These TSA-approved luggage locks, on the other hand, are purchased by folks who are 1) already worried (about their luggage), and 2) won't have any trouble seeing the problem with "anyone can open that lock easily, in a way that you can't detect".

            Personally, I've never bothered locking my carry-on or checked baggage, because what's the threat model under which that offers enough return to make it worth the cost? Luggage locks were always trivial to defeat. But I know plenty of folks with TSA locks for "peace of mind", and now that's gone.

            1Sorry.

        2. Anonymous Coward
          Anonymous Coward

          Re: Remember kids ...

          Exactly... the things they are printing are nothing more than "jiggler keys", which you can buy from places like UK bump keys... the size of the locks prohibit any qualitative metalwork to actually make the pins precise so any pick or rake set will open them. Not to mention they are also vulnerable to padlock shims and comb picks. Luggage padlocks are nothing more than a delay mechanism, measured in seconds-minutes for someone who wants your stuff.

          1. dotdavid

            Re: Remember kids ...

            Forget picking the locks, you can get into a lot of luggage with just a biro if you want to.

        3. MissingSecurity

          Re: Remember kids ...

          30sec? Damn, them some high quality luggage locks. It seems like two or three scrapes and I can get them to pop.

          Edit:Spelling

  2. Anonymous Coward
    Anonymous Coward

    Well, so how about the brilliant idea of...

    Well, we should ask the FBI if the brilliant idea of backdoor by design agreed with vendors, in for example crypto, still sounds good. Not like we are going to hear any answer different from yet though.

    In any case, I am surprised it did not happen sooner. Most locksmiths will make you a key based on a lock. So the designs of the keys is just the "offical" leak. The keys are likely to have been available to the ones "interested" in them long before that.

    1. Graham 32

      Re: Well, so how about the brilliant idea of...

      Of course the FBI think it's a good idea. They want access to all data. This will give them access to all data. They care about your privacy as much as the TSA cares about keeping your luggage secure.

  3. John Smith 19 Gold badge
    Unhappy

    Looks like the Thieves Support Assocation is going to get some competition.

    Yet another classic example of the "Something must be done" multiplied by Security Theatre memes.

    Yay.

    1. LaeMing Silver badge

      Re: Looks like the Thieves Support Assocation is going to get some competition.

      Yes, first thing I thought was "But the primary luggage thievery risk already had master keys issued to them!"

      1. Charles 9 Silver badge

        Re: Looks like the Thieves Support Assocation is going to get some competition.

        Well it's not like I bought the locks primarily to deter thieves. I bought them to keep them from accidental opening. But since they insist on those TSA locks...

    2. Franklin

      Re: Looks like the Thieves Support Assocation is going to get some competition.

      I will confess, my first thought was "Oh, look! Now when TSA steals my stuff, they'll have an excuse. 'It wasn't us! It must have been an evil 3D printer owner who made a copy of our key.'"

      I've never been particularly worried about some Random Evildoer(tm) stealing my stuff at an airport, to be honest. I've always been far more concerned about TSA staff doing that. And now, TSA staff have greater plausible deniability.

  4. Dave, Portsmouth

    Does anyone seriously believe crappy little suitcase locks perform any security function? They're more "privacy" locks than anything else - stops a nosey baggage handler at most. If someone wants to steal your stuff, they'll just take a knife to the usually flimsy fabric sides or zip it's attached to.

    1. Farmer Fred

      Exactly...

      This is why I never put anything in my hold luggage of any value/importance - those little locks take about 10 seconds to bypass even on good quality hard cases. Plus there is also the risk of your bag being sent on a round the world trip - especially if you are travelling via LHR T5!

      1. Triggerfish

        Re: Exactly...

        Yep, been to enough places were you have to dump the rucksack on the back or top of some bus or somewhere you can't keep an eye on it, everything valuable goes into the daypack that stays with me. Those locks won't even stop a half determined thief.

    2. stucs201

      Or if they want to be subtle then most cases can be opened with a biro to undo the zip and then closed again by sliding the zip backwards and forwards - leaving no sign it's been opened.

      1. Wzrd1

        "Or if they want to be subtle then most cases can be opened with a biro to undo the zip and then closed again by sliding the zip backwards and forwards - leaving no sign it's been opened."

        As the lock goes through the zip tab, your point is moot.

        It's like saying "I can get through the door after the padlock is removed, then close the door and nobody knows I was there", after replacing the padlock you ignored.

        No, that's not quite right.

        You're saying that you can remove the door hinge pins, open the door and manage to, by closing the door, reinstall the hinge pins.

        1. Lusty Silver badge

          No, because most cases have two zip tabs which padlock together and still move.

          https://www.youtube.com/watch?v=G5mvvZl6pLI

        2. Anonymous Coward
          Anonymous Coward

          Oh but it is correct. You can force a zip apart. Comparing zips to doors is like comparing apples and oranges.

          Source: Old man has worked in airfreight / airline industry for decades. He has demonstrated this 'trick'. He will also never buy luggage with a zip on it.

          Security staff have been subtley opening luggage for decades. The TSA locks only legitimise it...I suspect it represents some level of legal consent.

          My preferred method of checking in baggage is covered in shrinkwrap and tape. Most airports ive passed through offer this as a service...not sure about Merkin airports though.

          1. Charles 9 Silver badge

            "My preferred method of checking in baggage is covered in shrinkwrap and tape. Most airports ive passed through offer this as a service...not sure about Merkin airports though."

            Try that in America and you'll find the shrinkwrap removed and the tape cut. #1 caveat of passing through America is that your baggage, both checked and carry-on, is subject to arbitrary search.

    3. Voland's right hand Silver badge

      Why knife?

      Side channel attack - pen in the zip, pry the zip open, do whatever you like, move the zipper back and fourth and it looks same as it used to.

      Any suitcase with a plastic zip is as good as wide opened. Metal zips are also susceptible to this attack (albeit a bit more difficult).

    4. MrXavia

      I have hard cases with integrated locks, and from the damage they have encountered, I know they've tried to get in before, but so far no one has managed!

      15 years of travel with the same sets of suitcases, and not one loss!

  5. Mark 85 Silver badge

    I'm not sure a 3D printer is needed or would work since the plastic output isn't all that strong. However, the plans, a mototool (Dremel or Proxxon) with small grinding wheels would work well. Just get a lock for each type to test before running the airport to create mayhem.

    But still, those luggage locks are joke.

    1. Dadmin

      "I'm not sure a 3D printer is needed or would work since the plastic output isn't all that strong."

      I'm thinking it's a template to make a mould to make permanent ones.

      "those luggage locks are joke"

      True, I first saw those and thought "these have backdoor keys to let the people who are most likely to steal my stuff to get to my stuff that much easier. It's h/w for morons. Like IoT.

      The whole business of flying in a post 9/11 world is a joke. TSA creeps feeling up all hotties, pilots too drunk to fly, pilots too angry to fly, shit service, every single item that is extra costs extra even though it used to be free. I hope to never fly ever again. Complete bullshit from beginning to end.

    2. Frumious Bandersnatch Silver badge

      re: "the plastic output isn't all that strong."

      Well just 3-d print the master in plastic (or get someone else to do it for you) and get a locksmith to clone it onto a proper blank. No need to invest in machine tools when any corner shop will do the job for next to nothing.

    3. Triggerfish

      True, we have made keys using metal shims (admittedly with a lathe and files) for a yale lock, those would be no trouble.

  6. Boris the Cockroach Silver badge
    Flame

    I never

    knew the TSA used master keys

    I always thought they just smashed the locks open, put the note inside and said "tough luck"

    Ps

    I'm still annoyed about the TSA morons cutting the straps on my backpack to get it open despite the fact its only held shut by a plastic clip 2" from where they cut it

    1. Argh

      Re: I never

      I've only had the note in my case once, but I know my case has been looked in multiple times, due to cable ties being cut, contents rearrangement and sometimes internal zips/clips opened, that wouldn't be at all likely even with all the damage bags take. I didn't think they bothered officially letting you know, now.

      1. Alan Brown Silver badge

        Re: I never

        "I know my case has been looked in multiple times"

        I wonder how much trouble you could get in for having a strategically placed rat trap - the kind with serrated teeth on it - in your bag.

        1. Charles 9 Silver badge

          Re: I never

          I wonder how much trouble you could get in for having a strategically placed rat trap - the kind with serrated teeth on it - in your bag."

          You'd be detained tootsweet, I bet. Last I checked, mousetraps and other spring-loaded devices can only go into checked baggage unloaded.

  7. Brent Longborough
    Holmes

    Sorry, got the first sentence wrong

    "The integrity of more than 300 million travel locks has been compromised after 3D printing files for a range of master keys were posted online."

    Should be:

    "The integrity of more than 300 million pieces of luggage has been compromised after some stupid American numpty came up with the idea of backdoor keys, and some even more stupid American management numpty approved his idea instead of firing him, thereby granting access to luggage handlers worldwide."

    1. Anonymous Coward
      Anonymous Coward

      Re: Sorry, got the first sentence wrong

      "The integrity of more than 300 million pieces of luggage has been compromised after some stupid American numpty came up with the idea of backdoor keys, and some even more stupid American management numpty approved his idea instead of firing him, thereby granting access to luggage handlers worldwide."

      Hmm, still too polite, isn't it? It lacks words like "unbelievable f*ckwit" etc.

      1. Brent Longborough

        Re: Sorry, got the first sentence wrong

        Yeah, I had a very good lunch, so I was feeling magnanimous. But I promise, as I was writing, words like "brainfart" and "Mrs. Mimsy" were flowing liberally through my mind.

        1. Frumious Bandersnatch Silver badge

          Re: Sorry, got the first sentence wrong

          words like "brainfart" and "Mrs. Mimsy" were flowing liberally through my mind

          Careful! Next thing you know, your mome raths will be outgribing ...

    2. Michael Wojcik Silver badge

      Re: Sorry, got the first sentence wrong

      You forgot the adjective "imaginary" before "integrity".

      Luggage locks have never provided any guarantee of integrity. They don't even improve the cost of violating integrity, except under some fairly specific attack modes.

  8. Anonymous Coward
    Anonymous Coward

    CNC machine make better keys

    Looking at those keys... they must be truly flimsy if the plastic from 3d printers works well with them.

    A CNC machine on the other hand, well, keys from that could work pretty well. ;)

    1. Voland's right hand Silver badge

      Re: CNC machine make better keys

      You do not use the plastic key - it is a master to do the metal one using normal key replication tools and a blank at the locksmith.

  9. Anonymous Coward
    Anonymous Coward

    Lock picking with two paperclips...

    For a four-pin filing cabinet lock, my record was about one second.

  10. Kevin McMurtrie Silver badge
    WTF?

    They have master keys?

    I've never seen a TSA approved lock that didn't break when dropped on the ground.

  11. Anonymous Coward
    Anonymous Coward

    This is why I always lock my luggage with

    a cardboard tag with the word 'padlock' written on it

    1. bazza Silver badge

      Re: This is why I always lock my luggage with

      Careful, your case might get replaced by a cardboard box with "Luggage" written on it...

      1. Anonymous Coward
        Anonymous Coward

        Re: This is why I always lock my luggage with

        More likely to read 'Lugaj'. That's OK though as it only contains photocopies of my clothes.

  12. Gerry 3

    Terrorists couldn't deter visitors as well as US officialdom has

    In my experience, the TSA idiots can't be bothered to use their master keys.

    They just cut off the TSA lock or the zip's thingy-with-the-hole, leave the case insecure and / or permanently damaged, seldom bothering even to leave a Damaged? Ha Ha, You Can't Claim Against Us ! note inside.

    And don't get me going about the 'welcome' you get at immigration and the rip-off ESTA fee...

    1. Anonymous Coward
      Anonymous Coward

      Re: Terrorists couldn't deter visitors as well as US officialdom has

      Do you think they'd take it the wrong way if I booby-trapped my luggage with an Alien chest-burster?

    2. Wzrd1

      Re: Terrorists couldn't deter visitors as well as US officialdom has

      "They just cut off the TSA lock or the zip's thingy-with-the-hole, leave the case insecure and / or permanently damaged, seldom bothering even to leave a Damaged? Ha Ha, You Can't Claim Against Us ! note inside."

      Traveling internationally 2005 - 2010, taking holiday at home in the US, I got a few notes on my unlocked baggage "This bag was searched by the TSA and we didn't find shit".

      OK, it didn't read *precisely* that, just close enough for government work.

      In one instance, I received an "enhanced screening" that involved a complimentary scrotum squeeze at the end.

      I stopped coming home on leave.

      My wife understood.

      I didn't go to Shanghai, lest TSA agents there press me into naval service.

  13. Anonymous Coward
    Anonymous Coward

    Oh come on, you can open those locks without a key very easily leaving no trace.

    What's the issue with 3d printers? first guns and now this. Anyone would think they are a potential problem.

  14. Stevie Silver badge

    Bah!

    Manually operated Portable key fabrication and copying jigs have been around in the automobile dealer world since the 1970s. How do I know? Because the miracle of Netflix brought me the episode of Columbo where such a device was shown in use.

    Why do El Reg geeks always run for the most expensive and complicated solutions when it comes to bending metal in the real world?

    Dremels. 3D printers. Casting paraphernalia.

    Tch!

    1. Mark 85 Silver badge

      Re: Bah!

      Dremels are cheap and relatively easy to use for this. Even cheaper than the copying jigs last time I looked. Print the thing out, trace it on the blank and cut away. Doesn't take too long. I've made duplicates of luggage keys for my lady and it didn't take more than 5 minutes a key.

      1. Alan Brown Silver badge

        Re: Bah!

        One of the cheapest and easiest ways to copy keys involves plasticine and superglue.

        Plasticine to make the mould and superglue to fill it.

        Solidified superglue is as tough as steel.

        Various tutorials exist on youtube

  15. Unicornpiss Silver badge
    Meh

    Anyone who is thwarted by a luggage lock...

    ...is probably in need of a keeper and can probably be restrained by placing tape lines on the floor.

  16. Kernel

    On the plus side

    It now gives you a perfectly plausible explanation for those 2 or 3 kgs of heroin that were found in your case - literally anyone could have opened the bag with a key they copied off the internet and inserted the offending article.

  17. Joe Gurman

    Luggage keys? Please.

    If I had just one US dollar for every time a traveler had their TSA friendly lock removed and tossed by (presumably) the TSA while traveling, I could afford at least a private jet timeshare. The only solution is not to check anything you'd really mind losing. I've been traveling that way for years now and it gives a certain peace of mind.

    1. LDS Silver badge

      Re: Luggage keys? Please.

      I start to be more worried about what could be *put* in my luggage, not about what they can steal (like you, I never put anything I can't afford to lose in checked-in luggage)

  18. DrM

    Government Back Doors

    Hmmmm… so we all “secured” our bags that the government had a bypass key for – you might say a backdoor. And to everyone’s astonishment, the master keys have leaked.

    Now, they want us to “secure” our data with encryption that has a master key, a backdoor for just the government to use. They promise to not let the keys get out.

  19. Anonymous Coward
    Anonymous Coward

    After your holiday/trip

    <peg>

    Always leave my most filthy and smelly clothes on top of the pile in your bag.

    Rummage through that!

    </peg>

    1. Wzrd1

      Re: After your holiday/trip

      Bleh.

      Have the lady leave her monthly "clothing protection" available for inspection, wrapped in aluminum foil like a kilo of drugs.

      The BOFH does it.

  20. Hey Nonny Nonny Mouse

    Likely to have reverse engineered them?

    Seriously?

    Occam's razor please.

    Most luggage thieves will just use bolt cutters, destroy the cases or some other *SIMPLE* method to get into your dirty washing in the hope of finding something they can flog down the pub for their next fix or whatever motivates them to steal luggage.

    1. Anonymous Coward
      Anonymous Coward

      Re: Likely to have reverse engineered them?

      It's not so much just opening the lock but the opening of the lock without you knowing.

      1. Charles 9 Silver badge

        Re: Likely to have reverse engineered them?

        Point is, WHO CARES if you know or not? By the time you find out, it's WAY too late.

      2. A Dawson
        Happy

        Re: Likely to have reverse engineered them?

        Thats why the TSA locks I own have a colour indicator that indicates if they have last been opened by the master key or the regular key.

        1. Charles 9 Silver badge

          Re: Likely to have reverse engineered them?

          But they can go all Nineteen Eighty-Four on you and replace the indicator.

  21. imanidiot Silver badge
    FAIL

    TSA luggage decorations are NOT locks!

    I can LITERALLY open one with a blunt pair of scissors. Don't believe me? https://youtu.be/bCT713bmkSk <-- The proof is in the doing!

  22. GlenP Silver badge

    Simples

    Happened to change to another laptop bag this week (the trusty work one that's been through several laptops over the last 10+ years is now an ex-bag). The one I got out of the "come in handy" pile had a luggage lock but no key.

    One screwdriver, 5 seconds and the lock was off with no apparent damage.

    1. LaeMing Silver badge
      Happy

      Re: Simples

      And now you can make a replacement for the missing key, too!

  23. Anonymous Coward
    Anonymous Coward

    I already have a handcuffs key. (Won in a 'Lockpicking village' challenge held by Deviant Ollam at HackCon one year) I probably should add those masters to my collection.

    So, should I print them, cut them in my CnC(home-built from kit) or just wait until they show up on DX.com?

    Aonymous for obvious reasons...

  24. Trygve

    I never bother locking my luggage anyway...

    On the basis that anyone who wants to get into it would be able to get past the locks in seconds anyhow. The person most likely to be inconvenced is me, too jetlagged to remember combinations or find keys.

    I am also honestly surprised that these TSA Master Keys weren't $5 per set commodity items even before this print-your-own thing, because all the lock factories (mostly in china) must have the masterkey specs to make the locks they fit into. Presumably .gov must have leaned on ebay to strip out listings?

  25. simmondp

    Backdoor Encryption Advocates - are you reading this?

    In a very simple way, this neatly sidesteps all the technical arguments about can you put an backdoor into encryption for the "good guys" to use, and provides a really simple example of why ** ITS A REALLY BAD IDEA **

  26. Winkypop Silver badge
    FAIL

    Just security theatre

    Now, look over here.

    No, not over there!.

    Over here.

  27. MrXavia

    Last airline I flew with had the advice to not use TSA approved locks...

    My cases don't have TSA approved locks, and if the X-Ray shows something that is suspicious they can just ask me to open it for them! that is what happens every other place I've travelled...

    1. Anonymous Coward
      Anonymous Coward

      My cases don't have TSA approved locks, and if the X-Ray shows something that is suspicious they can just ask me to open it for them! that is what happens every other place I've travelled...

      The problem is that they won't bother to find you to open checked in-luggage, they take this as permission to f*ck over whatever locks your luggage, and good luck trying to get any compensation. This is what you get when you hand out power without accountability.

  28. Richard Taylor 2 Silver badge

    In other words, if you have a luggage lock with a keyhole for the authorities to use (saving them from smashing open your padlock), people can now print their own keys to open your bags.

    or

    In other words, if you have a luggage lock with a keyhole for the authorities to use (saving them from smashing open your padlock before they steal your possessions, delaying discovery until pyou get home), people can now print their own keys to open your bags.

    TFTY

  29. Crazy Operations Guy Silver badge

    Move baggage claim to a secure area

    I've never understood why baggage claim is in a public area right next to all the transportation. I could understand it 20 years ago when the only things that people put in packed luggage were clothes and toiletries, so there was no interest in grabbing anything from a victim's bag. But now, we have to check pretty much everything due to insane security restrictions, so there is now a lot more valuable stuff that can be grabbed from them. US airports have those "point of no-return" gates, so why not add a second set just after baggage claim? It'd greatly reduce the number of stolen bags and no one could bring a bag back into the "secure" area.

    Although I've always thought that they should set up automated kiosks where you scan your boarding pass and the machine spits out your luggage.

    1. Anonymous Coward
      Anonymous Coward

      Re: Move baggage claim to a secure area

      By the time your luggage makes it that far, the airlines and the FAA aren't concerned with it anymore. What the luggage searching is meant to block is contraband and the prospect of another Lockerbie.

    2. PhoenixRevealed

      Re: Move baggage claim to a secure area

      I'm always at my most nervous when flying while waiting for my bags to come out on the carousel. Not even safe to stop at the restroom between the plane and the luggage area in case your bags come out and you are not there to snag them right away.

  30. Anonymous Coward
    Anonymous Coward

    Amazing

    that it took so long for the weakness to be generally released.

    I'd assume serious thieves had them shortly before the TSA.

  31. s2bu

    Easy fix

    Just check a gun with your bag. Then you're actually required to use a real lock!

    http://deviating.net/firearms/packing/

    1. Charles 9 Silver badge

      Re: Easy fix

      The way I read all that, the firearm itself must be packed in a properly-locked, hard-sided case. HOWEVER, it says nothing about the SUITCASE that would contain the case that would contain said firearm.

  32. Cynic_999 Silver badge

    Essential item

    Always pack a small canvas drawstring bag containing some loose metal coin-sized disks. The bag should be just about big enough to get two fingers into the neck. Securely sewn to the inside of the bag should be a dozen or so small, very sharp barbed fish-hooks.

  33. JustWondering

    I think ...

    ... the plan would be to slap your own lock onto your bag as soon as it comes off the carousel and use it until you are back in the airport. You would still be at the mercy of airport employees but it would inconvenience the maids and bellboys enough that they would go for easier game.

  34. The Vociferous Time Waster

    How kind...

    how kind of you all to label the bags that contain valuables with those handy little padlocks - with thousands of bags going past on a single shift it really helps the thief pick which bags to open

  35. tony2heads

    Tie Wrap

    forget about a lock, use a brightly coloured tie wrap. At least then you can see that your luggage was tampered with.

    1. Charles 9 Silver badge

      Re: Tie Wrap

      Not if they use the ol' "pen in the zip strip" trick, which is reversible.

  36. Zero Sum

    Mome raths...

    <<Careful! Next thing you know, your mome raths will be outgribing ...>>

    Our mome raths were outgribed to the Philippines.

  37. PhoenixRevealed

    The last time I put a TSA lock on a bag it attracted the baggage handler thieves and I lost a digital SLR. Luggage locks are useless, and actually make your bag a more attractive target because the bad guys know there is likely something valuable in it. Just carry anything valuable in your carry on luggage.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019