Slashdot Mirror


TSA Luggage Lock Master Keys Are Compromised

An anonymous reader writes: As the FBI demand encryption master keys for Apple, Microsoft and Google made devices, photographs of the master keys for the TSA Travel Sentry suitcases have now been published in multiple places online (more links in later articles). Cory Doctorow points out this makes it much easier for thieves to open luggage undetectably, without leaving any signs of lock picking. Whilst many have argued that the locks aren't designed to provide real security, the most important thing is that this shows the risk of backdoors in security systems, especially since the TSA has not given any warning about this compromise, which seems to have occurred in 2014 or earlier.

27 of 220 comments

  1. I always assumed they were by drinkypoo · · Score: 5, Insightful

    I always assumed that these keys had been figured out long, long ago. If there's people in Afghanistan who can make you an AK-47 by hand, there must be people in China who can just not assemble the locks and take the parts to a smith (where do you think TSA locks are made?) and get a key made. I'd be surprised if you can't just buy the keys on aliexpress.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:I always assumed they were by AmiMoJo · · Score: 4, Insightful

      The most annoying part is that luggage sold outside the US often has TSA locks on it. If they put a proper lock on there it would have some value to me, but instead I get to pay for a worthless one that I'll never need or use.

      Once the warranty expires I usually fill the lock with epoxy (the main mechanism is a combination lock, the key is just for the TSA goons).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:I always assumed they were by Holi · · Score: 3, Interesting

      People will amaze you sometimes. https://www.youtube.com/watch?...

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    3. Re:I always assumed they were by TheCarp · · Score: 4, Informative

      I saw a video recently that took this a step further. Instead of stopping the bag from opening, he took a cable lock, and attached everything in the bag to the cable lock, either directly, or with zip ties. Then any small things were put in another bag, zip tied, and added to the loop.

      This way the bag could be opened and inspected, and if they cared enough to cut zip ties, they could look inside the smaller bags, but.... nothing would be easy to just grab and toss in a pocket quickly.

      --
      "I opened my eyes, and everything went dark again"
    4. Re:I always assumed they were by bobjr94 · · Score: 4, Informative

      Just like the story a few years ago about the ATM locks. The ATM maker had a picture of a key on their website and click here to order keys. Someone just printed the key out, and filed a blank to match the picture and it worked. They posted the actual image of the master real key on their website. A good locksmith can look at a key and say 'that's a G87 blank with a 4,3,6,3,2 cut'.

    5. Re:I always assumed they were by TheGratefulNet · · Score: 4, Insightful

      I used plastic zip-ties the last time I traveled to europe (well over 10 yrs ago). brand new luggage, too.

      fucking bastards used tin snips and cut THRU my zipper in order to remove the plastic wire-tie I used. expensive luggage, ruined, and there was no lock to cut, only some wire ties that I used to keep the bag 'safe' while in my possession (I could also tell if it was opened since I used a bright color of wire tie).

      did not matter, the bag was cut open, I lost a power supply for my camera storage device (PSD, back in the day we used those..) and got a note in my bag saying 'we opened it'. yeah, like I didn't know.

      no way to get them to pay for their damage either.

      I would EASILY see how a more unhinged person than me would flip his lid and go all postal on anyone who did this to them. and I would not cry a tear if any TSA or related person was harmed because they fucked with a passenger's stuff or rights. if a TSA person was bleeding and needing help, I'd step over the body while walking away.

      those people are lower than shark shit.

      --
      "It is now safe to switch off your computer."
    6. Re:I always assumed they were by jandrese · · Score: 4, Informative

      Isn't this exactly why "TSA approved" locks exist? Customs has always said that if they want to inspect your bag, they're going to inspect your bag. Putting a lock on it just means you get a broken lock. Doing something weird and crazy with internal zip ties is just asking for it to be slashed open with a knife. It's not their job to give a crap about your luggage, their job is to find contraband.

      --

      I read the internet for the articles.
    7. Re:I always assumed they were by Spazmania · · Score: 4, Informative

      For anyone who knows how master keys are made, this article is full of "duh." Basically, the tumblers in your lock have two stops: the one that fits your key and the one that fits the master key.

      So cut one key for each position, leaving one position not cut. Try the key. Cut the position by one unit. Try the key again. Continue until you find the unlock for that position which doesn't correspond to your key. That's the master key for that position.

      Anyone with unfettered access to a lock and blank keys can quickly identify all keys capable of opening it.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
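The decoding procedure Spazmania describes above, modelled as an added example (not part of the original thread): a toy master-keyed pin-tumbler lock in Python that measures how many keys open it and how few trial keys reveal the second set of stops. The 5-pin, 5-depth geometry and both bittings are constructed sample values, not real key codes.

```python
from itertools import product

DEPTHS = range(5)              # assumed: 5 possible cut depths per position
CHANGE_KEY = (1, 3, 0, 4, 2)   # constructed sample: the owner's key
MASTER_KEY = (3, 0, 2, 1, 4)   # constructed sample: the master key


def make_lock(change, master):
    """Model a master-keyed lock: each pin stack has a stop at the
    change-key depth and a second stop at the master-key depth."""
    return tuple(frozenset((c, m)) for c, m in zip(change, master))


def opens(lock, key):
    """A key opens the lock when every cut lines up with one of the stops."""
    return all(cut in stops for cut, stops in zip(key, lock))


def count_opening_keys(lock):
    """Count every bitting in the keyspace that opens this lock."""
    return sum(opens(lock, key) for key in product(DEPTHS, repeat=len(lock)))


def decode_second_stops(lock, change, depths=DEPTHS):
    """Vary one position at a time while the other cuts stay at the known
    change-key depths, as the comment describes.

    Returns (recovered bitting, number of trial keys tested).
    """
    found = list(change)
    probes = 0
    for pos in range(len(change)):
        for depth in depths:
            if depth == change[pos]:
                continue                     # already known to work
            probes += 1
            trial = change[:pos] + (depth,) + change[pos + 1:]
            if opens(lock, trial):
                found[pos] = depth           # second stop at this position
                break
    return tuple(found), probes


if __name__ == "__main__":
    keyspace = len(DEPTHS) ** len(CHANGE_KEY)
    mastered = make_lock(CHANGE_KEY, MASTER_KEY)
    plain = make_lock(CHANGE_KEY, CHANGE_KEY)    # same lock without a master
    print("keyspace:", keyspace)
    print("keys opening master-keyed lock:", count_opening_keys(mastered))
    print("keys opening plain lock:", count_opening_keys(plain))
    print("decode result:", decode_second_stops(mastered, CHANGE_KEY))
```

The trial count grows with pins times depths rather than depths to the power of pins, which is why a master-keyed system is only as secret as any single lock and key issued from it.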
  2. if "married with children" were made today by Anonymous Coward · · Score: 5, Insightful

    al bundy would be a tsa screener...

    seriously - is there ANY job you'd be more embarrassed to say a spouse, child (they actually BREED?!?), etc had? "hey, joe, did I see your boy in a blue shirt at o'hare the other day" "naw, man, my boy cooks meth! he's the next jesse pinkman!"

  3. Zip tie by FerociousFerret · · Score: 5, Interesting

    I always just "lock" my luggage with a basic zip tie. Not meant to stop the TSA from getting in, but lets me know they did.

    1. Re:Zip tie by pz · · Score: 3, Insightful

      Have you not seen the videos that show how trivial it is to get into most suitcases which have a zipper, bypassing any locks?

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  4. Wow ... by gstoddart · · Score: 4, Insightful

    So this was kind of inevitable with a master key.

    Now we have the choice between having our luggage effectively vandalized as the morons at TSA cut off locks ... or having massively insecure locks to prevent the morons at the TSA from cutting off the locks.

    Thanks a lot, assholes.

    And, now, tell us ... just how much scrutiny are the luggage handlers under while they work? Because between the opportunity for smuggling (which they've done) those guys have a better chance of putting a bomb on a plane than anybody else.

    So much security theater, so little actual benefit.

    --
    Lost at C:>. Found at C.
    1. Re:Wow ... by i.r.id10t · · Score: 5, Informative

      Actually, if you travel with a firearm - and the action from a sub-$100 single shot shotgun qualifies as such - you can use real locks on your luggage, it will be inspected in front of you, and then you can properly secure it. And, the airline can't flag it as having a firearm in it...

      Bonus is if the luggage doesn't make it you get to ask "You gonna call the BATFE or am I?" and stuff gets found really quick.

      https://www.tsa.gov/travel/tra...

      Recommended to print out the policy for whatever airline you are traveling on as well... but this works for lots of folks.

      --
      Don't blame me, I voted for Kodos
    2. Re: Wow ... by qwijibo · · Score: 3, Interesting

      Airsoft pistols are not legally classified as firearms. I would recommend against declaring one and hoping to explain how you're scamming the system if your bag ever disappears. Why give someone (who is probably already annoyed to be dealing with a lost luggage report) a reason to figure out whether or not it's illegal to declare a non-firearm as a firearm?

      There are plenty of options, for anyone who isn't a felon. Blank guns and black powder pistols are available via mail order with no additional paperwork. For anyone who is not averse to filling out a 4473, there are many options in the ~$100 range, and many worth actually having and using for ~$300. Think of the cost as a one time investment in baggage insurance.

      Every time I've flown with a firearm, it only takes me a few extra minutes to check my bag with one of the ticketing agents, fill out the declaration card, and have my bag x-rayed. Even flying out of California, I've never run into an airline employee that wasn't familiar with the process for checking firearms. East coast could be different, I've never flown there.

    3. Re:Wow ... by swb · · Score: 5, Interesting

      Declaring a firearm in your luggage has always gotten me first-class VIP treatment.

      The last time the counter agent closed the line behind me so she could get her supervisor to make sure everything was handled correctly (and probably to keep the people behind me from flipping out, they want to SEE the firearm).

      Then they usually walk me over to TSA where my bags are hand-inspected by the TSA before letting me apply my own, high-quality locks to my bag. I'd swear it's saved line-standing time.

      The only marginal experience was in Laughlin/Bullhead City, which is barely an airport.

      There the gate agent wanted some county sheriff to verify the weapons were unloaded. Since I don't want to make anything easy for a thief, I use trigger locks AND cable lock through the action and/or cylinder, yet Deputy Fife wanted to try to open the cylinder on my revolver AND work the action on my Glock, despite the fact the loading or firing of the guns would have been physically impossible. I actually had to say "Careful, I don't want the action damaged from the locking cables!" before he realized how stupid he was.

      Then I had to argue with the TSA agent who didn't want to let me lock my luggage with a secure lock. Fortunately I also carry a recent, laminated copy of the TSA web pages requiring secure locking of checked firearms. "You can't use your own lock." "Yes, I have to, it's your own TSA requirement. Read this." He was pissed, but less pissed than he would have been telling his future colleagues on the Laughlin casino janitorial squad about his past job as a TSA agent.

      Strangely the Vegas airport seemed less interested in hand-inspecting my gun case and just ran it through the machine. I told the agent "Those firearms will glow like Christmas on the screen" and the TSA guy said "If we had to hand inspect all firearm luggage at this airport, the lines would extend into the parking lot."

      The craziest experience of all traveling with a firearm was trying to check into the Venetian in Vegas. I wanted to check my weapon with security and asked the woman at the desk and she said "Oh, security is just across the casino floor." I wondered how far I would get across the casino floor with a locked aluminum case without being tackled or answering questions from Clark County Sheriffs. As it turns out, I made it within five feet of the entrance before being stopped by two armed guards. They were really nice and took me down to security, checked my weapon, gave me a receipt and let me ride the VIP elevator to my room. On check out, the head of security released my weapon and I asked him if I had broken any laws bringing it on property. He said it wasn't a problem at all, happens all the time but was concerned the check in desk wouldn't page security for me. I thought the armed escort to my cab was a bit much, but again, VIP treatment!

  5. that's what FedEx/UPS are for by turkeydance · · Score: 3, Interesting

    since 2003, i've shipped what i don't carry on. so far, so good.

  6. Government is inherently insecure. by Anonymous Coward · · Score: 5, Interesting

    Every time I hear a government official saying that we should trust them with secrets, I think to myself... but do I trust your 2 million other colleagues? Even in the classified space, there are going to be dozens of people with access to even the most classified information. To lesser classified information that number can be thousands or tens of thousands even. Our adversaries with any intelligence capabilities will almost certainly know a great deal more than the American public will. That doesn't mean secrets aren't important to keep. It just means if your system is relying on keeping secrets for any length of time that is a fundamental security risk and flaw in the system. With luggage you still have to have physical access to the luggage to gain access... which can be mitigated with security cameras in luggage handling areas. With software encryption for communications it is far easier to intercept without being observed.

  7. Evidence of lockpicking by phantomfive · · Score: 4, Insightful

    I didn't know it's hard to pick a lock without leaving evidence of lock-picking.....what kind of evidence are they looking for? Scratch-marks on the pins?

    --
    "First they came for the slanderers and i said nothing."
  8. FedEx's and the airline's shareholders ... by mschaffer · · Score: 3, Interesting

    FedEx's and the airline's shareholders thank you for their increased profit. However this is not a viable option for many people.
    Also, it's not as if FedEx is much better than the airlines. Personally, I have had more problems with FedEx than with the airlines.

  9. Lock enthusiasts have known since day one by Anonymous Coward · · Score: 5, Informative

    These locks or combination bypasses have three pins and just a few possible heights for each. In comparison the cheapest residential locks have five pins with five heights. If that was not easy enough there are a very limited number of combinations used and the TSA was kind enough to require a number indicating which one on every lock face. Finally these locks are of such poor quality just about anything that can apply light torsion and move in the keyway can be used to open them.

    Despite popular belief lockpicking leaves very little trace at all. There are few experts available that even know what evidence looks like and just looking for evidence requires the destruction of the lock. For the curious. Don't be fooled into thinking that a lock returned to a closed state leaves signs of lockpicking that can be readily seen by a layman.

  10. Unless it's The Luggage, by Mascot · · Score: 4, Interesting

    never put anything valuable in checked in luggage.

    I have one of the old "non-TSA" locks on my suitcase. I have a label on it where it states "code is 0000 while in transit", since I want to set the code wheels to something else in order to avoid accidental openings.

    I'd never dream of going on a flight with something of real value to me anywhere but in my carry on. If they want to steal my socks or razor, they're welcome to them.

  11. Sneaky bypass... by QuietLagoon · · Score: 5, Interesting
    One time when I was traveling, I used the lock that had a green flag in a window. The flag was supposed to flip to red if the TSA opened the lock with their pass key.

    When I got home, I looked at the lock and the flag was still green. When I opened the suitcase, there was a sheet of paper left on top of the contents. The paper said something to the effect, "this baggage has been inspected by the TSA".

    So much for the red flag on the lock.

  12. Backup for suitcase latches & zippers by mschaffer · · Score: 3, Interesting

    Of course they are compromised and this is by design. Why else would you purchase a combination lock with a master key?
    The only reason I use these locks is because too many suitcases and travel bags are prone to opening when handled by the airline's gorillas that toss your baggage around. The locks can serve as one more item that needs to fail before the contents of your baggage cascades around the luggage carousel.

    However, if the TSA thinks that the master key system was secure, why didn't they mention the breach earlier? All agencies have policies on handling sensitive information. If the TSA does not follow their own policies, they should be held accountable at the highest levels.

    1. Re:Backup for suitcase latches & zippers by jandrese · · Score: 4, Interesting

      Traveling around South America recently I noticed that the airports down there have these services where they will wrap your luggage in cling wrap and put a giant sticker on it so you can tell if someone has gone through your luggage. It's an interesting take on the problem and also helps people with shitty suitcases that can't survive airport baggage services.

      --

      I read the internet for the articles.
  13. gentlemen start your picking. by nimbius · · Score: 5, Interesting

    for those of us in locksport (the art of lockpicking purely for personal enjoyment and challenge) some of these key masters are just criminally bad...the TSA probably asked for masters because they didn't want to break the lock during picking. for example
    TSA004: Just a tipped ward. you needn't make a master for this, it's already in pretty much everyone's kit or some old woman's hair serving as a bobby pin. handcuffs have better wards.
    TSA003: how many pins is this? who cares, it came off a chinese assembly line and some 7 year old is setting the mechanism. a longing glance is good enough to pop this, but a master is probably an exercise in compliance more than a tool the TSA uses.
    TSA001: rinse and repeat, this pin set was determined by the cost of pot-steel, not the security of someone's goods.

    among the winners however we have...
    TSA007: nice...bidirectional pinsets (albeit just 3) will occupy most people for another 2-3 minutes before they pull out a jiggler set/rake and just bitch pick it.
    TSA006: I want this. TSA006 has something very, very nice in their luggage and they take it seriously. transverse (lateral) pins, probably a trap pinset in there somewhere. and those rails along the end? what are those, guides? do i have to pick THOSE too? NEAT!

    then again, the TSA don't seriously need masters because they've been using the ballpoint zipper trick for decades now. it's traceless, harmless, and quick. demanding masters seems like a power trip designed to test the limits of what consumers and manufacturers were willing to actually tolerate.

    --
    Good people go to bed earlier.
  14. Forget the lock by wickerprints · · Score: 4, Insightful

    I don't understand what the big deal is, considering that the failure point is not the lock, but the zipper itself. Zippers are a fastening device. They were never intended to be secure, and you cannot make one secure by attaching a lock on the pull. The problem is that people think that attaching a lock to anything makes it inherently more secure.

    The answer is to never put anything in your luggage that has any value to those who might want to steal it. No electronic devices or jewelry should go in checked luggage. Anything valuable must fit in your carry-on. If you *must* travel with something valuable that cannot fit in your carry-on, ship and insure the parcel ahead of time.

  15. Re:My Method by Bob+the+Super+Hamste · · Score: 4, Interesting

    We really do need to take a page from Israel and the methods they use.

    So dump all your carry on shit out on the table, look it over for banned items, then shove it all back in your bag, and do it to everyone.

    The last I was over there they had you hold on to your checked luggage for as long as possible. Also there are various stages where various people quickly question you to see if you get nervous or have suspect answers. You only send your bag through the X-Ray machine right before you go through the metal detectors yourself and if they do have a question about your bag they would make you take it over to some secondary screeners who make you open your bag dig the item out in question and then they question you about it. In my case it was my old Spotmatic F and lenses. They fired off a bunch of questions to try and trip you up like:
    What is in the middle of your bag?
    How long have you had the camera?
    Did you get the camera from anyone in Israel?
    Where did you get the camera?
    Do they really take better pictures than a digital?
    Also when going through Israeli security they don't have the huge lines of people that the TSA is great at generating. Also all they use are metal detectors and don't make you take your shoes off even if you are wearing safety toe footwear, but in that case they will have you go and step onto a foot X-ray machine for a quick check after the metal detector. Also the Israelis like to say they don't profile but instead reverse profile. That is if you don't fit the profile then you get extra screening.

    --
    Time to offend someone