TSA Luggage Lock Master Keys Are Compromised

An anonymous reader writes: As the FBI demand encryption master keys for Apple, Microsoft and Google made devices, photographs of the master keys for the TSA Travel Sentry suitcases have now been published in multiple places online (more links in later articles). Cory Doctorow points out this makes it much easier for thieves to open luggage undetectably, without leaving any signs of lock picking. Whilst many have argued that the locks aren't designed to provide real security, the most important thing is that this shows the risk of backdoors in security systems, especially since the TSA has not given any warning about this compromise, which seems to have occurred in 2014 or earlier.

I always assumed they were

[drinkypoo]

I always assumed that these keys had been figured out long, long ago. If there's people in Afghanistan who can make you an AK-47 by hand, there must be people in China who can just not assemble the locks and take the parts to a smith (where do you think TSA locks are made?) and get a key made. I'd be surprised if you can't just buy the keys on aliexpress.

Re:I always assumed they were

I always assumed all luggage locks were vulnerable, unless you have a hard case with a real lock (e.g. for carrying a firearm... or cheap firearm plus actual valuables). The only reason to use the locks seemed to be as extra protection against the luggage becoming unzipped or or unclipped, and dumping your clothes out. It was a small protection against an inconvenience/minor loss, not a serious protection against potential large losses.

Re:I always assumed they were

[AmiMoJo]

The most annoying part is that luggage sold outside the US often has TSA locks on it. If they put a proper lock on there it would have some value to me, but instead I get to pay for a worthless one that I'll never need or use.

Once the warranty expires I usually fill the lock with epoxy (the main mechanism is a combination lock, the key is just for the TSA goons).

Re:I always assumed they were

[Holi]

People will amaze you sometimes. https://www.youtube.com/watch?...

Re:I always assumed they were

[houghi]

I always assume that locks on luggage were to prevent accidental opening of said luggage. Never to keep anybody out, be it thieves or anybody else. Those mini-locks are shit and you can also steal the whole bag. It even has a handle to carry it as if it was made for that purpose.

So what I do is use zip ties. Anybody on this site will have plenty of them (or hand in you know what card). That way the luggage can not be opened by accident and I will know if somebody was in my bags. Not that I will do anything with that info, but still.

Re:I always assumed they were

[TheCarp]

A saw a video recently that took this a setp further. Instead of stopping the bag from opening, he took a cable lock, and attached everything in the bag to the cable lock, either directly, or with zip ties. Then any small things were put in another bag, zip tied, and added to the loop.

This way the bag could be opened and inspected, and if they cared enough to cut zip ties, they could look inside the smaller bags, but.... nothing would be easy to just grab and toss in a pocket quickly.

Re:I always assumed they were

[bobjr94]

Just like the story a few years ago about the ATM locks. The atm maker had a picture of a key on their website and click here to order keys. Someone just printed the key out, and filed a blank to match the picture and it worked. They posted the actual image of the master real key on their website. A good locksmith can look at a key and say ' thats a G87 blank with a 4,3,6,3,2 cut' .

Re:I always assumed they were

[TheGratefulNet]

I used plastic zip-ties the last time I traveled to europe (well over 10 yrs ago). brand new luggage, too.

fucking bastards used tin snips and cut THRU my zipper in order to remove the plastic wire-tie I used. expensive luggage, ruined, and there was no lock to cut, only some wire ties that I used to keep the bag 'safe' while in my posession (I could also tell if it was opened since I used a bright color of wire tie).

did not matter, the bag was cut open, I lost a power supply for my camera storage device (PSD, back in the day we used those..) and got a note in my bad saying 'we opened it'. yeah, like I didn't know.

no way to get them to pay for their damage either.

I would EASILY see how a more unhinged person than me would flip his lid and go al postal on anyone who did this to them. and I would not cry a tear if any TSA or related person was harmed because they fucked with a passenger's stuff or rights. if a TSA person was bleeding and needing help, I'd step over the body while walking away.

those people are lower than shark shit.

Re:I always assumed they were

[jandrese]

Isn't this exactly why "TSA approved" locks exist? Customs has always said that if they want to inspect your bag, they're going to inspect your bag. Putting a lock on it just means you get a broken lock. Doing something weird and crazy with internal zip ties is just asking for it to be slashed open with a knife. It's not their job to give a crap about your luggage, their job is to find contraband.

Re:I always assumed they were

[Spazmania]

For anyone who knows how master keys are made, this article is full of "duh." Basically, the tumblers in your lock have two stops: the one that fits your key and the one that fits the master key.

So cut one key for each position, leaving one position not cut. Try the key. Cut the position by one unit. Try the key again. Continue until you find the unlock for that position which doesn't correspond to your key. That's the master key for that position.

Anyone with unfettered access to a lock and blank keys can quickly identify all keys capable of opening it.

Re:I always assumed they were

[rahvin112]

Their job is NOT to find contraband.

Their job is to find hazardous materials that are not allowed on the flight. They want you to think their job is to find contraband, make it easier for them to cooperate with the DEA and do their job for them while they get to pretend to be law enforcement (which they aren't).

Re:I always assumed they were

[tlhIngan]

The most annoying part is that luggage sold outside the US often has TSA locks on it. If they put a proper lock on there it would have some value to me, but instead I get to pay for a worthless one that I'll never need or use.

Once the warranty expires I usually fill the lock with epoxy (the main mechanism is a combination lock, the key is just for the TSA goons).

The purpose of a TSA lock is so the TSA can open and inspect your baggage. They have the right to do so (and many countries I presume use TSA keys as they have that right).

The reason we have TSA keys is because when they inspect baggage, they'll cut open any lock you have on it. And they will not relock it. So now your suitcase has been inspected, and the lock broken, which is how it will remain for the rest of the flight. Which means if someone else wants to go through your belongings, they're completely free to do so as it's now unlocked and easily unzipped, inspected and re-zipped.

The TSA lock means the TSA can inspect your bag, then re-lock it. On a lot of locks, doing this sets an indicator showing the lock was unlocked by the TSA key.

That's the whole purpose of a luggage lock. If you destroy the TSA unlock, then you're not really in a position to complain when you go to fetch your baggage and find it's basically open and its contents have been spilling all over the airport. If you're lucky, they'll use packaging tape to re-seal your bag, but that tape can easily split open.

if "married with children" were made today

al bundy would be a tsa screener...

seriously - is there ANY job you'd be more embarrassed to say a spouse, child (they actually BREED?!?), etc had? "hey, joe, did I see your boy in a blue shirt at o'hare the other day" "naw, man, my boy cooks meth! he's the next jesse pinkman!"

Zip tie

[FerociousFerret]

I always just "lock" my luggage with a basic zip tie. Not meant to stop the TSA from getting in, but lets me know they did.

Re:Zip tie

[pz]

Have you not seen the videos that show how trivial it is to get into most suitcases which have a zipper, bypassing any locks?

Re: Zip tie

[kuperman]

When i've used zipties, TSA has always left me a note saying they opened the bag. They also used a new zip tie to relock the baggage.(I keep a ziplock bag of zipties in the top compartment of my luggage.)

I've actually used a variation on this. I'll use a green ziptie to close the zipper on my luggage, but the bag of zipties that I have in the luggage are all red. I carry the green zipties in my carryon (along with nail clippers to help remove it if needed) so I can replace it as needed. If the TSA opens it up, they'll either use no zipties or one of the red ones.

Re:Zip tie

[codeButcher]

I always just "lock" my luggage with a basic zip tie. Not meant to stop the TSA from getting in, but lets me know they did.

Earlier this year I had my first visit to the USA since 2001. Not usually having to bother with all things TSA on my side of the ocean, I enquired from an US-based travel agent about the desirability of a TSA-logoed locking device. She also recommended the ziplock/cable tie approach, which I followed without problems (nail clipper to trim, extras in the top of the bag).

The ziplock alone of course does not prevent loss. But it does look cheap (in the derogatory sense of the word), especially if used in combination with some older cheap generic worn-in luggage. Don't make it look worthwhile to see what can be pilfered from it. Lastly of course you don't pack anything in it that will set you back a nontrivial amount to replace or even some serious sentimental heartbreak - you've got carry-on for those items (scanners can see through locked bags after all, so what do you show them?). So it's more an exercise in risk lowering rather than risk elimination.

Where I come from, the saying is that you don't need to run faster than the lion - only faster than the slowest guy in your hunting party. I imagine the slowest guy being the one trying to show off with material possessions, and having that super-expensive TSA lock on his shiny underpants container.

Wow ...

[gstoddart]

So this was kind of inevitable with a master key.

Now we have the choice between having our luggage effectively vandalized as the morons at TSA cut off locks ... or having massively insecure locks to prevent the morons at the TSA from cutting off the locks.

Thanks a lot, assholes.

And, now, tell us ... just how much scrutiny are the luggage handlers under while they work? Because between the opportunity for smuggling (which they've done) those guys have a better chance of putting a bomb on a plane than anybody else.

So much security theater, so little actual benefit.

Re:Wow ...

[MitchDev]

"So much security theater, so little actual benefit."

Nice to see someone else "gets it" instead of just cries "But the terrorists! Think of the children!"

Re:Wow ...

[i.r.id10t]

Actually, if you travel with a firearm - and the action from a sub-$100 single shot shotgun qualifies as such - you can use real locks on your luggage, it will be inspected in front of you, and then you can properly secure it. And, the airline can't flag it as having a firearm in it...

Bonus is if the luggage doesn't make it you get to ask "You gonna call the BATFE or am I?" and stuff gets found really quick.

https://www.tsa.gov/travel/tra...

Recommended to print out the policy for whatever airline you are traveling on as well... but this works for lots of folks.

Re:Wow ...

[Scutter]

I don't think anyone (other than paid-for politicians) is saying anything other than "security theater". In fact, the TSA is pretty widely denounced as being expensive and useless.

Re: Wow ...

[qwijibo]

Airsoft pistols are not legally classified as firearms. I would recommend against declaring one and hoping to explain how you're scamming the system if your bag ever disappears. Why give someone (who is probably already annoyed to be dealing with a lost luggage report) a reason to figure out whether or not it's illegal to declare a non-firearm as a firearm?

There are plenty of options, for anyone who isn't a felon. Blank guns and black powder pistols are available via mail order with no additional paperwork. For anyone who is not adverse to filling out a 4473, there are many options in the ~$100 range, and many worth actually having and using for ~$300. Think of the cost as a one time investment in baggage insurance.

Every time I've flown with a firearm, it only takes me a few extra minutes to check my bag with one of the ticketing agents, fill out the declaration card, and have my bag x-rayed. Even flying out of California, I've never run into an airline employee that wasn't familiar with the process for checking firearms. East coast could be different, I've never flown there.

Re:Wow ...

[gstoddart]

You didn't seriously think a lock provided any security, did you?

Fuck no. You'll notice I said "TSA morons" twice, as well as security theater, and said this was inevitable. I hadn't thought I'd given any suggestion I had any confidence in the whole thing.

I mean, you're locking the ZIPPER, of a CLOTH suitcase...

Mine aren't cloth. ;-)

Do you also padlock paper bags so nobody steals your lunch?

Oh hell yeah, keep those thieving bastards away from my PB&J at all costs ... I even put a rabid squirrel in just in case someone gets past the lock.

I also keep my Lucky Charms in a safe.

Re:Wow ...

[swb]

Declaring a firearm in your luggage has always gotten me first-class VIP treatment.

The last time the counter agent closed the line behind me so she could get her supervisor to make sure everything was handled correctly (and probably to keep the people behind me from flipping out, they want to SEE the firearm).

Then they usually walk me over to TSA where my bags are hand-inspected by the TSA before letting me apply my own, high-quality locks to my bag. I'd swear its saved line-standing time.

The only marginal experience was in Laughlin/Bullhead City, which is barely an airport.

There the gate agent wanted some county sheriff to verify the weapons were unloaded. Since I don't want to make anything easy for a thief, I use trigger locks AND cable lock through the action and/or cylinder, yet Deputy Fife wanted to try to open the cylinder on my revolver AND work the action on my Glock, despite the fact the loading or firing of the guns would have been physically impossible. I actually had to say "Careful, I don't want the action damaged from the locking cables!" before he realized how stupid he was.

Then I had to argue with the TSA agent who didn't want to let me lock my luggage with a secure lock. Fortunately I also carry a recent, laminated copy of the TSA web pages requiring secure locking of checked firearms. "You can't use your own lock." "Yes, I have to, it's your own TSA requirement. Read this." He was pissed, but less pissed than he would have been telling his future colleagues on the Laughlin casino janitorial squad about his past job as a TSA agent.

Strangely the Vegas airport seemed less interested in hand-inspecting my gun case and just ran it through the machine. I told the agent "Those firearms will glow like Christmas on the screen" and the TSA guy said "If we had to hand inspect all firearm luggage at this airport, the lines would extend into the parking lot."

The craziest experience of all traveling with a firearm was trying to check into the Venetian in Vegas. I wanted to check my weapon with security and asked the woman at the desk and she said "Oh, security is just across the casino floor." I wondered how far I would get across the casino floor with a locked aluminum case without being tackled or answering questions from Clark County Sheriffs. As it turns out, I made it with five feet of the entrance before being stopped by two armed guards. They were really nice and took my down to security, checked my weapon, gave me a receipt and let me ride the VIP elevator to my room. On check out, the head of security released my weapon and I asked him if I had broken any laws bringing it on property. He said it wasn't a problem at all, happens all the time but was concerned the check in desk wouldn't page security for me. I thought the armed escort to my cab was a bit much, but again, VIP treatment!

Re: Wow ...

Worse - if you have a stop over in a NY airport, and your flight is canceled, you can and will be arrested immediately upon taking possession of you bag, due to the NY SAFE Act. Which is in violation of the Firearm Owners Protection Act, which allows interstate transport of firearms through firearms unfriendly states.

Of course if you REALLY want to have fun, check an NFA item. Short barrel rifles, short barrel shotguns and suppressors....

that's what FedEx/UPS are for

[turkeydance]

since 2003, i've shipped what i don't carry on. so far, so good.

Government is inherently insecure.

Every time I hear a government official saying that we should trust them with secrets. I think to myself... but do I trust your 2 million other colleagues. Even in the classified space, there are going to be dozens of people with access to even the most classified information. To lesser classified information that number can be thousands or tens of thousands even. Our adversaries with any intelligence capabilities will almost certainly know a great deal more than the American public will. That doesn't mean secrets aren't important to keep. It just means if your system is relying on keeping secrets for any length of time that is a fundamental security risk and flaw in the system. With luggage you still have to have physical access to the luggage to gain access... which can be mitigated with security cameras in luggage handling areas. With software encryption for communications it is far easier to intercept without being observed.

Evidence of lockpicking

[phantomfive]

I didn't know it's hard to pick a lock without leaving evidence of lock-picking.....what kind of evidence are they looking for? Scratch-marks on the pins?

FedEx's and the airline's shareholders ...

[mschaffer]

FedEx's and the airline's shareholders thank you for their increased profit. However this is not a viable option for many people.
Also, it's not as if FedEx is much better than the airlines. Personally, I have had more problems with FedEx than with the airlines.

Lock enthusiasts have known since day one

These locks or combination bypasses have three pins and just a few possible heights for each. In comparison the cheapest residential locks have five pins with five heights. If that was not easy enough there are a very limited number of combinations used and the TSA was kind enough to require a number indicating which one on every lock face. Finally these locks are of so poor quality just about anything that can apply light torsion and move in the keyway can be used to open them.

Despite popular belief lockpicking leaves very little trace at all. There are few experts available that even know what evidence looks like and just looking for evidence requires the destruction of the lock. For the curious. Don't be fooled into thinking that a lock returned to a closed state leaves signs of lockpicking that can be readily seen by a layman.

Unless it's The Luggage,

[Mascot]

never put anything valuable in checked in luggage.

I have one of the old "non-TSA" locks on my suitcase. I have a label on it where it states "code is 0000 while in transit", since I want to set the code wheels to something else in order to avoid accidental openings.

I'd never dream of going on a flight with something of real value to me anywhere but in my carry on. If they want to steal my socks or razor, they're welcome to them.

Sneaky bypass...

[QuietLagoon]

One time when I was traveling, I used the lock that had a green flag in a window. The flag was supposed to flip to red if the TSA opened the lock with their pass key.

.
When I got home, I looked at the lock and the flag was still green. When I opened the suitcase, there was a sheet of paper left on top of the contents. The paper said something to the effect, "this baggage has been inspected by the TSA".

So much for the red flag on the lock.

Backup for suitcase latches & zippers

[mschaffer]

Of course they are compromised and this is by design. Why else would you purchase a combination lock with a master key?
The only reason I use these locks is because too many suitcases and travel bags are prone to opening when handled by the airline's gorillas that toss your baggage around. The locks can serve as one more item that needs to fail before the contents of your baggage cascades around the luggage carousel.

However, if the TSA thinks that the master key system was secure, why didn't they mention the breach earlier. All agencies have policies on handling sensitive information. If the TSA does not follow their own policies, they should be held accountable at the highest levels.

Re:Backup for suitcase latches & zippers

[Holi]

Not sure why you bring just Hillary into it. Shows a very partisan stance. Nixon, Reagan, Bush, Clinton, Bush, Obama.... All have done things equivalent, some far worse.

Re:Backup for suitcase latches & zippers

[jandrese]

Traveling around South America recently I noticed that the airports down there have these services where they will wrap your luggage in cling wrap and put a giant sticker on it so you can tell if someone has gone through your luggage. It's an interesting take on the problem and also helps people with shitty suitcases that can't survive airport baggage services.

Re:Backup for suitcase latches & zippers

[Coren22]

I'm pretty sure that everything the TSA does impedes the freedom of movement of people and commerce, that is kind of their job.

Re:Backup for suitcase latches & zippers

[Coren22]

You might not know this, but those services indicate quite clearly that they rewrap your bag after it is inspected as well, so it really isn't secure in any way.

Recheck your luggage after transit

There are good locks and bad locks. Most luggage locks are cheap crap, afterall an attacker can simply split the zip. TSA compliant locks are the worst of the bad locks because its so trivial to break in and leave no trace.

It means, even if you put a good lock on it, its no guarantee your luggage hasn't been tampered with, and you should have a good look at the contents before you walk through customs with it. Zip-Tie man below is probably right, its better to use a market zip-tie rather than a lock now.

You can't trust the lock manufacturers to make good locks when an agency has undermined the whole purpose of a lock.

What next, backdoors in Cisco products? backdoors in HP Storage Servers? Backdoors in IP cameras?.... Oh right, we had those already.

gentlemen start your picking.

[nimbius]

for those of us in locksport (the art of lockpicking purely for personal enjoyment and challenge) some of these key masters are just criminally bad...the TSA probably asked for masters because they didnt want to break the lock during picking. for example
TSA004: Just a tipped ward. you neednt make a master for this, its already in pretty much everyones kit or some old womans hair serving as a bobby pin. handcuffs have better wards.
TSA003: how many pins is this? who cares, it came off a chinese assembly line and some 7 year old is setting the mechanism. a longing glance is good enough to pop this, but a master is probably an exercise in compliance more than a tool the TSA uses.
TSA001: rinse and repeat, this pin set was determined by the cost of pot-steel, not the security of someones goods.

among the winners however we have...
TSA007: nice...bidirectional pinsets (albeit just 3) will occupy most people for another 2-3 minutes before they pull out a jiggler set/rake and just bitch pick it.
TSA006: I want this. TSA006 has something very, very nice in their luggage and they take it seriously. transverse (lateral) pins, probably a trap pinset in there somewhere. and those rails along the end? what are those, guides? do i have to pick THOSE too? NEAT!

then again, the TSA Dont seriously need masters because theyve been using the ballpoint zipper trick for decades now. its traceless, harmless, and quick. demanding masters seems like a power trip designed to test the limits of what consumers and manufacturers were willing to actually tolerate.

Forget the lock

[wickerprints]

I don't understand what the big deal is, considering that the failure point is not the lock, but the zipper itself. Zippers are a fastening device. They were never intended to be secure, and you cannot make one secure by attaching a lock on the pull. The problem is that people think that attaching a lock to anything makes it inherently more secure.

The answer is to never put anything in your luggage that has any value to those who might want to steal it. No electronic devices or jewelry should go in checked luggage. Anything valuable must fit in your carry-on. If you *must* travel with something valuable that cannot fit in your carry-on, ship and insure the parcel ahead of time.

Re:Forget the lock

[AmiMoJo]

Semi-hard luggage sometimes has a cover that makes it much harder to part the zip in the manner you describe. Not impossible, but difficult enough for any potential thief to simply move on to the next bag. Even just securing the sliders in place can be enough, because it prevents the thief from re-closing the bag and the staff at the airport won't want to leave it open.

A little bit of extra security is usually enough to deter opportunistic thieves.

Well, duh.

[c]

It's pretty much the definition of "master key" that if a master key exists for your lock, then your lock is compromised.

How much of a problem that is in practice depends on a whole whack of risk factors, but in order to make the TSA screening process any riskier, I think you'd have to outsource it to the prison system.

Warnings

[Translation+Error]

To be fair, I don't think we can really blame them for not warning us about the leaks. I mean, this is the TSA we're talking about--they probably still don't know about them.

Re:My Method

[Bob+the+Super+Hamste]

We really do need to take a page from Israel and the methods they use.

So dump all your carry on shit out on the table, look it over for banned items, then shove it all back in your bag, and do it to everyone.

The last I was over there they had you hold on to your checked luggage for as long as possible. Also there are various stages where various people quickly question you to see if you get nervous or have suspect answers. You only send your bag through the X-Ray machine right before you go through the metal detectors your self and if they do have a question about your bag they would make you take it over to some secondary screeners who make you open your bag dig the item out in question and then they question you about it. In my case it was my old Spotmatic F and lenses. They fired off a bunch of questions to try and trip you up like:
What is in the middle of your bag?
How long have you had the camera?
Did you get the camera from anyone in Israel?
Where did you get the camera?
Do they really take better pictures than a digital?
Also when going through Israeli security they don't have the huge lines of people that the TSA is great at generating. Also all they use are metal detectors and don't make you take your shoes off even if you are wearing safety toe footwear, but in that case they will have you go and step onto a foot X-ray machine for a quick check after the metal detector. Also the Israelis like to say the don't profile but instead reverse profile. That is if you don't fit the profile then you get extra screening.