Hackers Replicate TSA Master Luggage Keys

Hackers Replicate TSA Master Luggage Keys

Ever wonder how an airport security screener manages to access the contents of your luggage, even when it’s locked? The answer is a set of skeleton keys that will work on every kind of luggage lock out there.

In the US, the Transportation Security Administration (TSA) has become the target of a kind of digital lock-picking—and now pretty much anyone can make a key that unlocks your luggage.

At a recent conference, hackers known as DarkSim905, Nite 0wl and Johnny Xmas showed that they were able to replicate the eighth master key in a set used by TSA agents to open and search fliers' locked suitcases. The idea is to take blueprints of the master key set and print 3D versions.

In 2014, the Washington Post published a photo of a TSA agent and the eight-key master key set. After a flurry of activity on Reddit, a hacker called Shabab Shawn Sheikhzadeh set out to penetrate the Travel Sentry website—one of the two companies that manufactures TSA locks—to find high-resolution images from which to build blueprints. He was easily able to circumvent the site’s log-in blacklist by using an Indian Yahoo email account, setting up an account and gaining access to the site. Once locating the images, he published them online, where another hacker, known as Xylitol,  made a blueprint and shared it on Github.

The hackers are bent on sport but also, they say, on raising the levels of awareness when it comes to the vulnerability of digital locks.

Xmas told VICE News that they hoped to “use this as a metaphor to explain why the broader concept of master keys and third party security systems can be problematic.”

He said, "Digital keys aren't something that the average person understands. They don't know it exists in their life. You can't see it [;] you can't touch it. and that's the great thing about iPhones… they just work and you don't really have to know how."

He also said that it’s all being done in the name of user privacy.

"We were doing this as an act of civil disobedience," Xmas said, "To give the general public a better physical understanding of what it means when government bodies demand to have unrestricted access to everything via the use of master keys."

TSA pointed out that the stakes in this case are fairly low, and that everyone should keep calm and carry on (no pun intended).

"The reported ability to create keys to TSA-approved suitcase locks from a digital image poses no threat to aviation security," TSA spokesperson Michael England said in a statement. "These consumer products are convenience products that have nothing to do with TSA's aviation security regime. In addition, the reported accessibility of keys to unauthorized persons does not affect the physical security of bags while being screening [sic] by TSA officers.”

Photo © Klaus Hertz-Ladeges

Source: Information Security Magazine