In a move to prove a point about security, a group of hackers have released blueprints to 3D print the eighth and last TSA master key this week at a conference in New York.
If you are unfamiliar, TSA approved locks allow luggage security personnel to unlock and inspect your bags without damaging locks, using master keys. There are two companies that design these locks, Travel Sentry, which outsources seven lock designs to other manufacturers, and Safe Skies which produces their own lock.
In 2014, the Washington Post inadvertently published an article which included a high resolution photo of all seven Travel Sentry TSA master keys. The photo has since been removed from the article, but not before someone was able to digitally recreate the keys, and then share the files. Less than a year later, 3D printed copies emerged, making all Travel Sentry locks essentially useless against theft. A hacker named Xylit0l used the high-quality public images and more data to make 3D printable copies of the Travel Sentry master keys. DarkSim905, Johnny Xmas and another hacker later added to the project with some fixes.
The Safe Skies key was more difficult to reproduce, with zero images of it being publicly available. However, because they only make one master key, all their locks contained the data needed.
“This was done by legally procuring actual locks, comparing the inner workings, and finding the common denominator. It’s a great metaphor for how weak encryption mechanisms are broken – gather enough data, find the pattern, then just ‘math’ out a universal key (or set of keys),” Johnny Xmas explained at the Eleventh HOPE conference in New York. “What we’re doing here is literally cracking physical encryption, and I fear that metaphor isn’t going to be properly delivered to the public.”
The talk was given by DarkSim905, a lock enthusiast who heads the New Jersey chapter of TOOOL (The Open Organization of Lockpickers); Nite 0wl, a member of TOOOL from New York City; and Johnny Xmas, of RedLegg International’s TradeCraft Labs.
Image: Johnny Xmas
Purchasing as many Safe Skies locks and keys for examination as possible, the possible key blanks were identified and existing keys were modified to match them. “Once I had blank keys that would fit the locks I needed to figure out what the cuts should be,” Nite 0wl added.
The hackers have said that the purpose of the project was not to scare people with the idea that anyone can use a 3D printed key to break into their luggage – and that wasn’t their goal in releasing the files for the Travel Sentry keys, either. The point, which they say was completely missed in 2015, was to highlight the dangers of government key escrow, a data security measure in which a third party is trusted with a cryptographic key that they may only use with the authorization of the entrusting agency.
Now that anyone with a 3D printed key could have access to your luggage, is it any different to an all powerful agency we blindly hand our bags to on a daily basis? You can watch the full video of the panel below.
Feature and other images courtesy Johnny Xmas.