
Lockpickers 3-D Print TSA Master Luggage Keys from Leaked Photos - joeyyang
http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/
======
chris_overseas
The only surprising thing here is that the master keys didn't leak sooner.
This is a close physical analogue to why it's a very bad idea to mandate
backdoors in encryption software. Hopefully the UK[1] and other governments
will learn something from this, though I won't hold my breath.

[1] [https://www.techdirt.com/articles/20150702/00134231524/david...](https://www.techdirt.com/articles/20150702/00134231524/david-cameron-promises-to-do-away-with-safe-spaces-internet.shtml)

~~~
dzhiurgis
The even more surprising thing is that you'd need some leak to pick this tiny
lock. What protection mechanisms does it have that you can't reverse engineer
within a day or so?

Probably Wired is more inclined to create some FUD around the fact that now
this is freely accessible 'for anyone with 3D printer'.

~~~
rjaco31
Well AFAIK, each lock is unique, and while it's easy to pick each individual
lock, it's harder to guess or derive from a few of those locks the master key
that'll actually open them all.

~~~
pfooti
That's generally not true. For example: you could buy a few copies of the same
lock and take them apart. Unless there's something Really Funky going on, you
can use the master oracle method as well (start with your working key, and
change one pin at a time to derive the master key, as most locks with a master
can be opened with all the pins set to the normal key and any one pin set to
the master keying).

I'd say what this "leak" really did was (a) show the world that real security
is hard to think about, and (b) make it easier for normal folks who don't know
about how locks work to impress their friends with their ninja secret agent
tools.

Really, this is all just a parable for the big fight over encryption. Do you
really want to trust a government agency with any kind of control over how we
lock down our stuff? Newp, nope, and noooope.

------
chippy
This is anecdotal but it gets me thinking. Sometimes in the late 90s I stopped
putting locks on my luggage. Locks were once or twice removed previously - and
once the customs put a note saying they had done it. I was travelling to
Europe, the east of Africa and various Caribbean countries. Nothing was stolen
- but the key thing was me not storing anything too expensive in there.
Generally all my expensive objects are delicate and will be transferred in my
hand luggage.

Perhaps it's safety in numbers. Perhaps it's a kind of camouflage and not
signalling anything of worth. Perhaps it's because the level of risk of theft
is incredibly low.

~~~
suvelx
I don't put locks on my luggage either.

Instead I put an easily breakable cable tie on the zips as a tamper evident
seal. The one time I've had a bag come back with it missing has been the time
the TSA decided to inspect my bags.

vs a lock, which somebody can open and re-lock and I'd be none the wiser.

~~~
RealityVoid
You can easily unlock and re-lock a cable tie. Not really tamper-evident
material.

~~~
okasaki
What about if you burn the head a bit?

------
edko
The chain always breaks by the weakest link. Considering that you can very
easily open the zipper with a ballpoint pen
([https://www.youtube.com/watch?v=wpIJVWXsBBI](https://www.youtube.com/watch?v=wpIJVWXsBBI)),
and close it again as if it was never open, that the secret of the lock was
revealed is irrelevant.

------
voidr
I just find it unbelievable that people were naive enough to believe that they
can forever protect a master key that is distributed to thousands of people.
You only need 1 rogue TSA employee, with a photographic memory and this whole
system falls apart.

~~~
rhino369
The locks aren't designed to be flawless. Even a shitty bolt cutter could take
them down in 1 second. They are placed on canvas or plastic bags that can be
cut open with a pocket knife. Or you could spend 20 minutes trying all 1000
combinations.

It's really just to prevent impulse theft from baggage handlers, bell hops,
cab drivers, etc. Even after the leak, these are essentially just as effective
as they've always been.

~~~
hayksaakian
not really. if you casually walk up with a key, you can safely steal property
without a second glance.

if you walk up with a bolt cutter or a knife, you're going to be much more
suspicious.

~~~
jrockway
Perhaps. Here's an old video about stealing bikes in NYC:
[https://www.youtube.com/watch?v=ZbklkFuFk-4](https://www.youtube.com/watch?v=ZbklkFuFk-4)

Note that the guy is hacking away at the lock and the police show up. To tell
him to not sit in an active traffic lane.

~~~
JulianMorrison
Ah, that's simple to explain. He's white.

[https://www.youtube.com/watch?v=ge7i60GuNRg](https://www.youtube.com/watch?v=ge7i60GuNRg)

~~~
tkinom
This kind of reminds me of Israel. I traveled and worked with folks there a few
times.

When going to/from/thru the airport, if I was with Hebrew speaking Jewish
co-workers, everything would get thru in a few seconds.

There was one time I (Asian) was with Indian co-workers without the company
issue security letter, we were searched for 3 hours at the airport. Both of our
laptops were completely disassembled and X-rayed multiple times. We were
questioned for a long time separately by multiple people.

They must have our previous trip history based on passport record, etc. But ...

Anyway, later I asked a Jewish co-worker whether there is any law in Israel
about anti-discrimination based on race, color of skin, language spoken, etc.
He said we always / must discriminate based on that info!

A different way of thinking compared to the "official PC" view of the US.

~~~
pki
AFAIK Israel actually attempts airport security instead of security theatre,
which is understandable considering what happens there.

------
Paulods
They have been out for much longer than this...

[http://world.taobao.com/item/40576438073.htm?spm=a312a.77007...](http://world.taobao.com/item/40576438073.htm?spm=a312a.7700714.0.0.4RSh2R#detail)

~~~
gozo
Nice find, I'm not surprised. These "security researchers" on twitter are just
playing into the whole security theater. A TSA lock offers no meaningful
security. It's not physically secure or tamper evident, nor does it prevent loss. It's
not even a requirement for flying, it's a convenience feature so your bag
doesn't open in transit and the TSA doesn't have to cut so many locks open.

------
grogenaut
Good thing no one in the govt is proposing the same thing for crypto.

As a side note, and plz don't flame as this is a system hack, the only real
way to keep the TSA out of your bags and stealing stuff is to put a firearm in
there. Even a starter pistol works. TSA can't handle firearms so it's checked
by local cops and then locked up with whatever locks you want. Tho you may not
want to do this going to NYC.

~~~
shostack
Does this work with realistic airsoft guns? I could imagine this being an
interesting hack without having to purchase and own an actual firearm for
those of us who would rather avoid that.

Also, what is the screening process like with the cops? Does it take
significantly longer? Is it shorter? Do they question why you are bringing it?
Would it be a valid response to say "to make sure people with real security
training are checking my luggage vs. the TSA?"

~~~
grogenaut
No, it's gotta be a real gun.

The process is "it's just business and it's your right". I felt self conscious
the first time I did it as an adult, moving some guns from my mom's house to
Washington. However no one gave a damn, I was expecting a "oh sh*t" from the
checking agent but she didn't even blink.

It's about the same as checking skis, you go over to the oversized bags area
and you have to wait for a cop to walk over, takes maybe 3-10 minutes extra
over a normal checkin. However you can I think go to the special lane by
asking the person who is filtering around telling folks which lanes to use
when checking in.

The valid reason to have a gun is "Murican". I feel weird saying this but
'it's a constitutional right'. I get more shit for bringing water into TSA
than checking a gun onto a plane.

------
tptacek
None of this matters:

[https://twitter.com/mattblaze/status/641330920251891712](https://twitter.com/mattblaze/status/641330920251891712)

They're terrible, insecure locks.

~~~
vinay427
That really only applies if the user has some degree of skill with picking
simple locks. Experienced locksport enthusiasts could probably pick it quickly,
but for the vast majority of people a key would be easier.

~~~
Zmetta
I promise you that for the most commonly used TSA approved locks, this is not
true. Many models consist of 2-3 pins and can be opened in 1 second by jamming
anything that fits into the channel and wiggling.

------
simoncion
I'm a fan of Schneier's take on it:

> The whole thing neatly illustrates one of the main problems with backdoors,
> whether in cryptographic systems or physical systems: they're fragile. [0]

[0]
[https://www.schneier.com/blog/archives/2015/09/tsa_master_ke...](https://www.schneier.com/blog/archives/2015/09/tsa_master_keys.html)

------
bsder
Luggage locks were never really meant to secure your baggage. They were mostly
just to keep the luggage from opening accidentally.

If you want genuine security on your luggage, get a starter gun and go through
the checked firearms procedures.

[https://www.schneier.com/blog/archives/2006/09/expensive_cam...](https://www.schneier.com/blog/archives/2006/09/expensive_camer.html)

[http://www.thetruthaboutguns.com/2013/08/matt-in-fl/more-on-...](http://www.thetruthaboutguns.com/2013/08/matt-in-fl/more-on-flying-with-guns/)

~~~
desdiv
The gun trick doesn't really work well for international flights though.

------
chmike
The principle of the classical mechanical key is falling in pieces as well.
Take some pictures of any key and one can make a double of it.

The idea of such a master key is incredibly stupid. It could also have been
reverse engineered with an autopsy of a lock. The people who come up with
such an idea don't merit the trust and responsibility given to them.

~~~
superuser2
Most RFID systems are similarly vulnerable. All HID iClass systems (supposedly
smart-card based) use the same cryptographic key, which you can dump out of
the memory of any reader if you are so inclined. The ID numbers of badges are
printed on them, and this is usually enough to program a new badge as a clone
or do some SDR trickery to imitate it.

But let's not forget that tailgating will get you past pretty much anything
that isn't a turnstile. Turnstiles are really only in elevator lobbies, so if
you can find a legitimate reason to be in some other part of the building you
can just follow a legitimate user through any door, no matter how secure its
locking mechanism. And failing that, almost no one properly authenticates
cleaning staff or contractors.

------
bakhy
it's really hard to believe the statistics about ever growing IQs, when you
see what imbeciles lead the world. someone actually thought it would be a good
idea if one key could open all luggage, and then gave that key to thousands of
low paid TSA workers. did the US outsource most of its government work to a
pack of baboons? this 3D printing, Washington Post's "carelessness", it's all
irrelevant. this looks like 2+2=4, and i'm betting many experts would agree.

------
JasuM
Couldn't you reverse-engineer the master key from a lock anyway? Or is there
some clever design preventing that?

~~~
DanBC
Yes. There was a recent thread where this process is explained. I'll try to
find it, but basically:

You have one lock, and one key (not the master) for that lock, and a bunch of
blanks.

You take the first blank. You cut a key that is identical to your key, except
you vary the depth of a single cut. You repeat this until this new key works
in your lock. That gives you the master key cut depth of one part of the key.
You repeat this process for the rest of the positions. You end up with a master
key.

Edit: MrJones' comment here:
[https://news.ycombinator.com/item?id=10186309](https://news.ycombinator.com/item?id=10186309)
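
Added example, not part of the comment above or of the linked thread: a toy model of the one-position-at-a-time procedure, counting how many test keys it needs compared with the full key space. The lock model, the 10 cut depths, the five positions and the sample bittings are all constructed assumptions.

```python
# Toy model of a master-keyed pin-tumbler lock (constructed for illustration).
# Each position accepts two cut depths: the change key's and the master key's.
# Because every position is checked independently, the lock answers
# "is this depth accepted here?" one position at a time, so the work grows
# linearly with the number of positions instead of exponentially.

DEPTHS = range(10)  # assumption: 10 possible cut depths per position


class MasterKeyedLock:
    def __init__(self, change_key, master_key):
        # Set of accepted depths per position (one or two values).
        self.accepted = [{c, m} for c, m in zip(change_key, master_key)]

    def opens(self, key):
        return all(cut in ok for cut, ok in zip(key, self.accepted))


def derive_with_probe_count(lock, change_key):
    """Vary one cut at a time, starting from a working change key.

    Returns (derived_key, probes), where probes is the number of test
    keys tried. A position where no other depth works keeps the change
    key's depth (master and change key share that cut).
    """
    derived = list(change_key)
    probes = 0
    for pos, own_depth in enumerate(change_key):
        for depth in DEPTHS:
            if depth == own_depth:
                continue
            trial = list(change_key)
            trial[pos] = depth
            probes += 1
            if lock.opens(trial):
                derived[pos] = depth
                break
    return tuple(derived), probes


def exhaustive_keyspace(positions, depths=len(DEPTHS)):
    """Number of keys a blind search would have to consider."""
    return depths ** positions


def worst_case_probes(positions, depths=len(DEPTHS)):
    """Upper bound for the one-position-at-a-time procedure."""
    return positions * (depths - 1)


# Constructed sample bittings; position 2 is shared by both keys.
CHANGE_KEY = (3, 1, 4, 1, 5)
MASTER_KEY = (2, 7, 4, 8, 0)

if __name__ == "__main__":
    lock = MasterKeyedLock(CHANGE_KEY, MASTER_KEY)
    derived, probes = derive_with_probe_count(lock, CHANGE_KEY)
    print("derived key:", derived)
    print("test keys used:", probes, "of at most", worst_case_probes(5))
    print("blind search space:", exhaustive_keyspace(5))
```
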

~~~
duskwuff
Slightly different process. The TSA keys aren't "master keys" in the normal
locksmithing sense; they typically go into a separate lock that's only used
for that key. For instance, the lock pictured in the article is normally used
as a combination lock, not a key lock.

~~~
DanBC
You buy one lock and take it apart?

~~~
akira2501
Yep. The "security" is that compromised; leaked photographs or no.

------
sjs382
The 3d-printable files are on Github here: [https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys](https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys)

------
driverdan
Can someone give me a rough estimate of how much it costs to 3D print them?

[https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys](https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys)

If it's cheap enough I'd love to hand them out at airports to travelers as a
demonstration of how terrible the TSA is.

~~~
brk
Seeing as how you're concerned about costs...

The cost of producing the keys will effectively be $0 in relation to your
legal fees if you were to actually pursue doing this.

------
Animats
There's an app for that.[1] Send them a picture of a key, get a key back. But
they recently stopped offering the service to individuals.

[1] [https://keysduplicated.com/](https://keysduplicated.com/)

~~~
logfromblammo
You don't even really need to send off for it. You can cut a temporary key
from an empty 2L bottle and a paper printout, and once you get it just right,
you can duplicate that plastic key onto a metal blank at the hardware store.

An app certainly adds a bit of convenience, but it also takes out most of the
fun.

------
acd
Physical key locks give people the feeling of security but it's not so false
it's security! People think locks keep their things safe but they don't except
from amateurs.

Also see 3D printed bump keys
[http://www.dailymail.co.uk/sciencetech/article-2739879/WATCH...](http://www.dailymail.co.uk/sciencetech/article-2739879/WATCH-The-3D-printed-bump-keys-open-ANY-lock-seconds.html)

~~~
SixSigma
Lock effectiveness is specified in time - how long your lock will prevent
penetration. Just like a firedoor. Every door will burn, just some doors take
longer than others.

------
shostack
I honestly feel like the risk of non-TSA people breaking into my luggage and
stealing stuff is lower than the TSA stealing stuff while they go through my
luggage (as has been proven many times that they do this).

So it seems the real threat I need to protect my luggage and belongings
against is the TSA, yet the law is mandating that if I travel with luggage,
they need to be able to open it.

Would love to see more done to combat that.

------
ck2
Politicians are going to "solve" this by declaring it illegal and setting
mandatory prison terms.

Are people forgetting TSA is entirely for security theater only and serves no
real purpose?

What happened to all the protests at airports only a few years ago, amazing
how everyone just caved in and the media moved on to the next squirrel. Then
again we did the same for the NSA which is a far bigger problem.

~~~
lotu
Honestly I doubt it will become a big deal outside of the tech community. Most
people realize luggage locks aren't really there to protect against a
determined adversary, or a person with a ballpoint pen
[https://youtu.be/wpIJVWXsBBI?t=1m10s](https://youtu.be/wpIJVWXsBBI?t=1m10s)

------
thansharp
What I've always found surprising is the arrogance that America (and maybe
some Americans too, to an extent) displays in this context. In this day and
age how is it right that a single country can mandate a requirement on every
piece of luggage that passes through their airports? It might be a security
concern, but there definitely are better ways to deal with this - all other
'first world' countries in the world do.

I'm pretty sure if India, China or any non-Western country did this, everyone
would be up in arms about misuse, infringement of rights, etc. And yet when
the TSA acts so stupidly (a photo shown to the public) and with multiple
incidents of abuse of power from the TSA's side, the public opinion is still
that the TSA is competent and well-intentioned.

I would call it hubris if they show capability, but this is downright
arrogance.

I'm surprised no one is suing the government over this. Or is it like a EULA
when you enter the United States that you agree not to press charges on such
incompetence?

~~~
JoeAltmaier
Individual countries have had travel requirements for a century now. Everybody
is used to it. This is not a new thing, not by a very long shot.

------
dostick
So what happens now? I have Samsonite luggage with what looks like more
advanced TSA lock, 007.

The keys are not equal, some keys will be more difficult to print, like 006
for example. Or is it the same?

What can I do to disable the lock easily without compromising function of my
luggage and without voiding the warranty?

What about the legal aspect of you purchasing the luggage expecting certain lock
security, and later you find out that anybody can produce a key to open your
luggage? Can I contact the manufacturer of my luggage and ask them to replace the
lock because it is compromised now?

~~~
Someone1234
The luggage was compromised when you purchased it. Heck, they even advertise
it as a "feature." Here's a quote from Samsonite's website:

> TSA Lock - provides additional peace of mind when checking belongings, but
> can still be easily accessed by TSA agents in the event the case needs to be
> searched.

So compromised by design. So nothing has really changed, it was compromised
then, it is compromised now. In either case most luggage can be opened with a
ballpoint pen, by just force separating the zipper.

I myself won't waste money on a TSA lock. I want to discourage casual
criminals, and I want to know if my bag was accessed, so I just purchase
inexpensive zip-ties[0] in unusual colors (i.e. not white, typically orange,
black, or green) and just zip tie up the bag, the TSA can cut it, but at least
I'd know if they had. It is not "secure" but at least I cannot pretend it is.
TSA locks can be opened without leaving any traces.

PS - Although even with a zip tie someone can open the zipper. I just assume
that laziness will win out, and they'll just cut the zip tie instead.

[0] $5 on Amazon: [http://www.amazon.com/TEKTON-6235-Assorted-Cable-200-Piece/d...](http://www.amazon.com/TEKTON-6235-Assorted-Cable-200-Piece/dp/B000NQ16NG/)

~~~
cryoshon
Having a ziptie on your luggage will probably get you singled out for
terrorism eventually...

~~~
Someone1234
I've done it on tens of flights, nothing bad happened yet. I've had my bag
searched twice in all that time, and one of those two times I knew exactly WHY
(there was a piece of camera equipment that may have looked odd under x ray, a
"Giottos Rocket Blaster," they did unzip the inner-camera case, and leave a
leaflet in the bag).

I do recommend if people zip tie they cut off the excess/tail so it cannot get
caught in any machinery.

I've seen a lot of international frequent fliers who zip tie when they have to
check bags.

------
microcolonel
Come on, it was very easy to reverse this before. 3D printing has nothing to
do with this.

You could also just as easily carve this by hand.

P.S: What is this, the '80s? why is "3-D" hyphenated?

------
macjohnmcc
I've never feared other passengers getting into my luggage. I have always
feared the baggage handlers doing the robbing and they have the keys so no
worries.

------
oskarth
In the paper _Reconsidering Physical Key Secrecy: Teleduplication via Optical
Decoding_
([http://vision.ucsd.edu/~blaxton/pagePapers/laxton_wang_savag...](http://vision.ucsd.edu/~blaxton/pagePapers/laxton_wang_savage_ccs2008.pdf))
they manage to decode a key from 200 feet away. Pretty cool stuff.

------
kristofferR
Someone uploaded these high res scans of the keys too:
[https://imgur.com/gallery/JQD7l](https://imgur.com/gallery/JQD7l)

It seems likely that the uploader had the master keys in his private
possession for a long time, but only decided to upload the pictures due to the
keys being leaked anyway.

------
ErikRogneby
I expect that this will change nothing and that these locks will continue to
provide the same illusion of privacy and security that they did before.

The other option is to buy a $3 padlock at your hardware store and risk TSA
breaking out the bolt cutters. Cheaper than a beer in coach.

------
k_sze
You don't need any lock-picking skill. Physically bruteforcing through 1000
combinations really doesn't take that long. I did it once for my aunt (who
forgot her combo) in a matter of minutes.

------
cryoshon
Good. Burn the drapes of the security theater. Maybe when people realize that
actual safety isn't the same as bending over for the TSA we'll be in a better
spot.

~~~
caskance
Better how? We don't need the TSA to provide actual safety. We are already
plenty safe. What we need is security theater, and we get it.

------
jbssm
I wonder if I'm entitled to compensation. Perhaps starting a class action
lawsuit against TSA would be the way to go.

------
astaroth360
The amount of money the TSA has cost the US since its foundation is
staggering 0_o

------
chayesfss
Now just get a job as a baggage handler and you'll be set.

------
oniony
Wow, that really is a well-understood screwup.

------
linkydinkandyou
The photos weren't really leaked. They were purposefully, proudly, and
affirmatively held up by a senior TSA official so a news reporter could
photograph them.

While these locks are so easily defeated that this really doesn't make anyone
significantly less safe, it does demonstrate that the TSA knows absolutely
nothing about security.

~~~
mikeash
I'm not sure if it tells us anything about what the TSA knows about security.
It was already pretty apparent they didn't know much there. Even just looking
at the locks, the master keys would have been pretty easy to reverse engineer
from the locks themselves, which of course are sold all over the place.

What's interesting to me is that this shows they don't even know about
_pretend_ security. Releasing these pictures doesn't impact real security
much, but it does impact the _impression_ of security they try to give to the
average idiot.

~~~
15155
Have you read the leaked TSA SOP document?

They don't know much.

