TSA Luggage Lock Master Keys Are Compromised
An anonymous reader writes: As the FBI demand encryption master keys for Apple, Microsoft and Google-made devices, photographs of the master keys for the TSA Travel Sentry suitcases have now been published in multiple places online (more links in later articles). Cory Doctorow points out this makes it much easier for thieves to open luggage undetectably, without leaving any signs of lock picking. Whilst many have argued that the locks aren't designed to provide real security, the most important thing is that this shows the risk of backdoors in security systems, especially since the TSA has not given any warning about this compromise, which seems to have occurred in 2014 or earlier.
Actually, if you travel with a firearm - and the action from a sub-$100 single shot shotgun qualifies as such - you can use real locks on your luggage, it will be inspected in front of you, and then you can properly secure it. And, the airline can't flag it as having a firearm in it...
Bonus is if the luggage doesn't make it you get to ask "You gonna call the BATFE or am I?" and stuff gets found really quick.
https://www.tsa.gov/travel/tra...
Recommended to print out the policy for whatever airline you are traveling on as well... but this works for lots of folks.
Don't blame me, I voted for Kodos
These locks or combination bypasses have three pins and just a few possible heights for each. In comparison, the cheapest residential locks have five pins with five heights. If that was not easy enough, there are a very limited number of combinations used and the TSA was kind enough to require a number indicating which one on every lock face. Finally, these locks are of such poor quality that just about anything that can apply light torsion and move in the keyway can be used to open them.
Despite popular belief, lockpicking leaves very little trace at all. There are few experts available that even know what evidence looks like, and just looking for evidence requires the destruction of the lock. For the curious. Don't be fooled into thinking that a lock returned to a closed state leaves signs of lockpicking that can be readily seen by a layman.
I always assumed all luggage locks were vulnerable, unless you have a hard case with a real lock (e.g. for carrying a firearm... or cheap firearm plus actual valuables). The only reason to use the locks seemed to be as extra protection against the luggage becoming unzipped or unclipped, and dumping your clothes out. It was a small protection against an inconvenience/minor loss, not a serious protection against potential large losses.
There are good locks and bad locks. Most luggage locks are cheap crap; after all, an attacker can simply split the zip. TSA compliant locks are the worst of the bad locks because it's so trivial to break in and leave no trace.
It means, even if you put a good lock on it, it's no guarantee your luggage hasn't been tampered with, and you should have a good look at the contents before you walk through customs with it. Zip-Tie man below is probably right, it's better to use a market zip-tie rather than a lock now.
You can't trust the lock manufacturers to make good locks when an agency has undermined the whole purpose of a lock.
What next, backdoors in Cisco products? Backdoors in HP Storage Servers? Backdoors in IP cameras?.... Oh right, we had those already.
I saw a video recently that took this a step further. Instead of stopping the bag from opening, he took a cable lock, and attached everything in the bag to the cable lock, either directly, or with zip ties. Then any small things were put in another bag, zip tied, and added to the loop.
This way the bag could be opened and inspected, and if they cared enough to cut zip ties, they could look inside the smaller bags, but.... nothing would be easy to just grab and toss in a pocket quickly.
"I opened my eyes, and everything went dark again"
Just like the story a few years ago about the ATM locks. The ATM maker had a picture of a key on their website and click here to order keys. Someone just printed the key out, and filed a blank to match the picture and it worked. They posted the actual image of the master real key on their website. A good locksmith can look at a key and say 'that's a G87 blank with a 4,3,6,3,2 cut'.
Isn't this exactly why "TSA approved" locks exist? Customs has always said that if they want to inspect your bag, they're going to inspect your bag. Putting a lock on it just means you get a broken lock. Doing something weird and crazy with internal zip ties is just asking for it to be slashed open with a knife. It's not their job to give a crap about your luggage, their job is to find contraband.
I read the internet for the articles.
For anyone who knows how master keys are made, this article is full of "duh." Basically, the tumblers in your lock have two stops: the one that fits your key and the one that fits the master key.
So cut one key for each position, leaving one position not cut. Try the key. Cut the position by one unit. Try the key again. Continue until you find the unlock for that position which doesn't correspond to your key. That's the master key for that position.
Anyone with unfettered access to a lock and blank keys can quickly identify all keys capable of opening it.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
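The search described in the comment above, modelled in software to show how much a master key shrinks the effective keyspace of a lock. This is an added example, not part of the original comment; the lock model, the function names and the sample keys are constructed, using the five-pin, five-height figure quoted earlier in the thread.

```python
def make_lock(change_key, master_key):
    """Model a master-keyed pin-tumbler lock (constructed model).

    Each pin position has two stops: the holder's own cut and the
    master key's cut. A key opens the lock if every cut hits a stop.
    """
    stops = [{c, m} for c, m in zip(change_key, master_key)]

    def opens(key):
        return all(cut in stop for cut, stop in zip(key, stops))

    return opens


def recover_master(opens, change_key, heights):
    """Vary one position at a time, keeping the holder's cuts elsewhere.

    Any other height that still opens the lock is the master's cut at
    that position. Returns (recovered_master, number_of_trial_keys).
    """
    master, probes = list(change_key), 0
    for pos in range(len(change_key)):
        for h in heights:
            if h == change_key[pos]:
                continue  # the holder's own cut tells us nothing new
            probes += 1
            trial = list(change_key)
            trial[pos] = h
            if opens(tuple(trial)):
                master[pos] = h
                break
        # If no other height opened, master and change key share this cut.
    return tuple(master), probes


def search_costs(positions, n_heights):
    """Worst-case trial keys: position-by-position vs. whole keyspace."""
    return positions * (n_heights - 1), n_heights ** positions


# Constructed sample: five pins, five heights (0-4).
HEIGHTS = range(5)
CHANGE_KEY = (2, 4, 1, 3, 0)   # the key the lock's owner holds
MASTER_KEY = (3, 4, 0, 1, 2)   # unknown to the owner

if __name__ == "__main__":
    lock = make_lock(CHANGE_KEY, MASTER_KEY)
    print(recover_master(lock, CHANGE_KEY, HEIGHTS))
    print(search_costs(len(CHANGE_KEY), len(HEIGHTS)))
```

The point for anyone specifying a master-keyed system is the gap between the two numbers from `search_costs`: the second stop in each pin stack turns an exponential search into a linear one for any key holder.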