Deep in the bowels of the labyrinth that is the US’s Transportation Security Administration (TSA), luggage trundling along on conveyor belts gets barcoded, weighed, sniffed for traces of explosives, 3D imaged, and, if it appears suspicious, opened.
As The Washington Post detailed in November 2014, TSA handlers have a set of master keys to open all approved luggage locks, plus shears to snip off the unapproved ones.
Unfortunately, a photo of the master keys, in all their intricate glory, slipped out unintentionally last month when the newspaper posted the story online.
You can see the original photo on various news articles about, well, that photo and the rather alarming repercussions of it having been leaked: here’s one from BoingBoing that Cory Doctorow redacted, covering the keying patterns with black boxes.
It turns out that the photos began getting passed around online last month, after the newspaper unwittingly, and very briefly, published and then deleted a photo of the master keys in the article about the “secret life” of baggage in the hands of the TSA.
Even though it was online just briefly, there was time for lock-pickers (and thieves, of course) to copy the master keys and to thus be prepared to unobtrusively, undetectably open any luggage in the world – at least, any luggage that’s been manufactured in the past decade.
It’s now beyond conjecture: on Wednesday, a set of CAD files was published to GitHub. Anyone can use the files to 3D print a precisely measured set of the TSA’s master keys for its approved locks.
At least one 3D printer owner – Montreal-based Unix administrator Bernard Bolduc – within hours had downloaded the files, printed one of the master keys, and published a video showing that his printed key had opened his TSA-approved luggage lock.
He told Wired that it took him all of 5 minutes.
Xylitol – that’s the handle for the France-based but otherwise anonymous GitHub user who published the files – said in an email to Wired that it turned out better than he’d imagined:
“Honestly I wasn’t expecting this to work, even though I tried to be as accurate as possible from the pictures. I did this for fun and don’t even have a TSA-approved lock to test. But if someone reported that my 3D models are working, well, that’s cool, and it shows… how a simple picture of a set of keys can compromise a whole system.”
Bolduc, for his part, told Wired that Xylitol’s CAD files nailed it:
“I didn’t do any modifications. It worked on the first try.”
This isn’t a full-blown security catastrophe, mind you.
Even without a set of master keys to duplicate, lock-pickers have been able to pick the TSA-approved locks, which include models made by companies such as Master Lock, Samsonite and American Tourister.
Wired quotes University of Pennsylvania computer science professor and noted lock picker Matt Blaze:
“I’m not sure anyone relied on these kinds of locks for serious security purposes. I find it’s actually quicker to pick the TSA’s locks than to look for my key sometimes.”
So what about your luggage, staring at you from the back of your closet?
What are you going to do, use zip ties on your luggage rather than TSA-approved locks? Either one can be removed, and that’s nothing new.
But at least you can tell if a zip tie’s been cut.