Why Backdoors Always Suck: The TSA Travel Locks Were Hacked And The TSA Doesn't Care

from the locks-with-scare-quotes dept

The TSA, it appears, is just simply bad at everything. The nation's most useless government agency has already made it clear that it is bad at knowing if it groped you, bad at even having a modicum of sense when it comes to keeping the traveling luggage of citizens private, and the TSA is especially super-mega-bad at TSA-ing, failing to catch more than a fraction of illicit material as it passes by agents' upturned noses. And now, it appears, the TSA has demonstrated that it is also bad at pretending to give a shit.

In case you missed the recent news, the TSA's specially designed master key to open all of the specially designed TSA-recognized luggage locks was especially super-hacked by someone with access to such privileged information and equipment as a newspaper subscription and a 3D printer. By using a picture in the Washington Post of a TSA agent's master key and some documents from Travel Sentry, a group that generates and enforces TSA protocols, one security researcher was able to create 3D printer files to create his own master key.

> Steven Knuchel, a hacker/security researcher who goes by Xylitol or Xyl2k, used the detailed images obtained from the Travel Sentry website to create the kind of files that 3D printers use to produce models. Since the files were first published, several people have demonstrated that they work, using inexpensive 3D printing plastic called PLA.

So, hey, that's probably bad, right? I mean, here we have the TSA recommending passengers lock their luggage with locks designed with a TSA-backdoor in the form of a master key, and now anyone can make the master key. That would seem to leave thousands (millions?) of passengers' luggage vulnerable to break-in. Not a great look for an agency designed with no other goal beyond security. The TSA response?

> “The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security,” wrote TSA spokesperson Mike England in an email to The Intercept. “These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime,” England wrote.

Yes, that's correct. Upon being informed of the TSA lock master key hack, the TSA essentially went with the "we don't give a shit" approach. I will say, at the very least, that it's somewhat refreshing to hear a government representative admit that at least some part of airport and passenger security boils down to the feel-goods, but I'm of the opinion that a security agency unconcerned about security probably shouldn't be allowed to exist any longer. Especially when that same agency has been touting those same useless locks for years to passengers.

The larger point, of course, is that this is inevitable when you build security with backdoor access.

> Nicholas Weaver, a computer security researcher at Berkeley, wrote on the Lawfare blog about the TSA locks and how they are “similar in spirit to what [FBI] Director [James] Comey desires for encrypted phones.”
>
> Xylitol, the GitHub user who published the blueprint of the keys, said that was his point. “This is actually the perfect example for why we shouldn’t trust a government with secret backdoor keys (or any kind of other backdoors),” he wrote in an email to The Intercept. “Security with backdoor[s] is not security and inevitably exposes everyone.”

That's an axiom that other government agencies might want to pay attention to. The breaking of TSA locks wasn't even particularly difficult. If the government truly wants security on the networks of the American people, be they computer, phone, or otherwise, building in government backdoors provides the perfect entry point for bad actors. If they actually want security, leave the backdoors out, or they risk looking every bit as dumb as the TSA.

Filed Under: backdoors, privacy, security, tsa, tsa key


Reader Comments

  • TheResidentSkeptic, 18 Sep 2015 @ 12:08pm

    So then the TSA is the ONLY entity that can't open the locks..

    IIRC, they have destroyed luggage that was equipped with their special back-door key enabled locks because...why again? Using their special key is too hard for them? They lost it and couldn't find another one? They couldn't be bothered to train their agents to recognize and use them?

    So what's the total expenditure from manufacturers and customers on this gold-plated cow patty?

    I feel SO much safer now...

    • Anonymous Coward, 18 Sep 2015 @ 2:52pm

      Re: So then the TSA is the ONLY entity that can't open the locks..

      This is the link you were looking for. Cory Doctorow vs the TSA.

    • Oblate, 21 Sep 2015 @ 8:13am

      Re: So then the TSA is the ONLY entity that can't open the locks..

      The next time I check a bag on a flight, I will be sure to attach a copy of the key right next to my TSA approved lock.

      This will replace my current method of including an extra lock inside my suitcase with a note "For use when some clueless moron cuts the suitcase lock, even though they are already holding the key."

  • Anonymous Coward, 18 Sep 2015 @ 2:10pm

    The only thing shocking about this is that it's 2015 and just now reported that someone copied the master key

    • tqk, 18 Sep 2015 @ 3:34pm

      Re:

      > The only thing shocking about this is ...

      You wish. The primary shock is that these morons still exist. Everybody and their dog has known there has been no point to TSA's existence forever, yet there are no official calls to shut down and disband it nor to shift the burden back onto airlines which might at least care (they're their airplanes, after all). That's damned near miraculous. How do they do it? They get nothing right, yet still go on and get away with it.

      That's sheer wizardry!

    • Anonymous Coward, 19 Sep 2015 @ 12:01am

      Re:

      Correction: The news is that someone made the master keys public! Others might have copied the keys way before 2015 and kept it to themselves. Either because they want to use it somehow or because they feared to be sued.

  • Nick, 18 Sep 2015 @ 2:11pm

    This is, of course, assuming they even use their key. The last time we traveled, they simply decided to cut and remove our TSA-Approved locks on one bag. We never got a reason for it.

    Though to be fair to the TSA, this doesn't affect the security of the planes. The security of our bags' contents is not their concern.

    • bobelod, 18 Sep 2015 @ 2:56pm

      Re:

      Their response is appropriate because you are right. The lock was already a part of the luggage process for people concerned with their own private security. The TSA just wanted to have keys so that they could supposedly use them instead of having to break the locks, (old habits die hard I guess)

      TSA could always care less about safeguarding the contents of the bag since that was never their job. Only job they have (doing it badly of course) is to stop unauthorized things from being in the bag.

      I think this article is trying too hard to make something out of this when really there was never anything to it other than a quick look at why backdooring is stupid.

      • Jeremy Lyman, 21 Sep 2015 @ 6:29am

        Re: Re:

        The relevance here is that the TSA's only concern is unlocking bags, which is why they "don't give a shit" if other people can also unlock bags. It makes their job easier... Actually it would be easier if no one locked their bags at all, but some people want their possessions kept private. So the TSA convinced them this fundamentally unsound alternative was acceptable even though it's not.

        This is all equally true of the FBI/NSA and encrypted communication.

    • Anonymous Coward, 20 Sep 2015 @ 3:32pm

      Re:

      Security of the bags does very much affect the security of the planes. Imagine, some explosive is found in a bag. What would the owner of such bag say? "Well, since anyone can open the lock, and the bag was not in my control, somebody put it there". And he can try again. Until a day, when his plan works.
      That was a really dumb statement by TSA.

      • John Fenderson, 21 Sep 2015 @ 5:59am

        Re: Re:

        That the folks in charge of security don't agree with you is borne out by the fact that you are not required to use locks at all.

        Although I try to avoid checking baggage ever, when I do I never lock my luggage. It seems pointless to me since TSA employees either have a key or will cut my lock anyway. And yet the TSA has never complained about my lack of locking.

      • Anonymous Coward, 21 Sep 2015 @ 7:54am

        Re: Re:

        > Imagine, some explosive is found in a bag.

        Do we have to imagine? Didn't the TSA plant something in a passenger's bag and forget to remove it once?

  • Mason Wheeler, 18 Sep 2015 @ 2:15pm

    > I will say, at the very least, that it's somewhat refreshing to hear a government representative admit that at least some part of airport and passenger security boils down to the feel-goods, but I'm of the opinion that a security agency unconcerned about security probably shouldn't be allowed to exist any longer. Especially when that same agency has been touting those same useless locks for years to passengers.

    The bad job they're doing notwithstanding, it doesn't help your case when you twist their words. Luggage locks have nothing to do with "airport and passenger security".

    If someone steals stuff out of your luggage, that's no fun for you, but it does not pose a threat to aviation security (keeping planes from coming down when or where they shouldn't). It just poses a threat to the security of your luggage, which is not the TSA's mandate, which appears to be the point that Mr. England is making.

    • Dark Helmet, 18 Sep 2015 @ 2:34pm

      Re:

      "If someone steals stuff out of your luggage, that's no fun for you, but it does not pose a threat to aviation security"

      In which case why are the TSA pimping locks that have been made useless? If the TSA is pimping the locks, then it means it involves security. If it doesn't, then the TSA is pimping locks for other reasons, a notion I find extremely tantalizing....

      • Anonymous Coward, 21 Sep 2015 @ 7:40am

        Re: Re:

        > In which case why are the TSA pimping locks that have been made useless? If the TSA is pimping the locks, then it means it involves security.

        It does. We need to give up our security so they can feel secure.

        This story is overblown anyway. Whether anyone published the keys or not, anyone with the lock could reverse-engineer it by taking it apart and looking at the pins. OK, so they'd have to buy one of each type of lock, but presumably they'll make enough from the theft/smuggling to do it.

    • Anonymous Coward, 18 Sep 2015 @ 3:15pm

      Re:

      OK: so what about someone opening your luggage, post-screening, to stick something IN it?

      Sure, the locks aren't any more/less safe than a zip strip, but sealed luggage is always safer than unsealed (or undetectably unsealed and resealed) luggage.

      • Anonymous Coward, 19 Sep 2015 @ 8:10am

        Re: Re:

        Given now that anyone can get a key to the TSA lock the chain of evidence is broken for anything found in a bag. Defense lawyers are gonna love this.

        "My client believed that only he and the TSA could get in that suitcase but now anyone from the bell hop, to the cabdriver to the baggage handler could have placed that contraband in his suitcase."

        The good news is zip ties are better seals to indicate tampering than the locks and cheaper.

    • walnuttrees, 19 Sep 2015 @ 3:57am

      Re: TSA Locks

      Having a TSA master key and the ability to get into luggage, might allow someone with nefarious intentions to place contraband into that luggage, contraband such as a bomb.

      We have all read of passengers who have opened their suitcases and found items that didn't belong to them.

    • Mason Wheeler is still at it, 19 Sep 2015 @ 6:05am

      Re:

      "If someone steals stuff out of your luggage, that's no fun for you, but it does not pose a threat to aviation security (keeping planes from coming down when or where they shouldn't). It just poses a threat to the security of your luggage, which is not the TSA's mandate, which appears to be the point that Mr. England is making."

      Right, because someone couldn't REPLACE stuff in your luggage with something that poses a threat to aviation security.

    • duh, 19 Sep 2015 @ 1:34pm

      Re: what about planting evidence or bombs?

      not only EVERYBODY can open your bags and steal your stuff without traces...
      they can put anything like drugs or a freaking bomb, also without a trace
      so YES this totally FUCKS UP the airplane security

    • TRX, 20 Sep 2015 @ 6:28am

      Re:

      erm. The purpose of the lock isn't to prevent people from taking stuff out of your luggage; it's to prevent people from putting stuff INTO your luggage. Contraband, explosives, that sort of thing.

      As for cutting the locks off instead of using their key... that seems to be an authoritarian thing. When I was in high school 40 years ago, the school issued special school locks to each student, with one key. The lock could be opened by that key or with a master key.

      Every few months, you'd walk into a locker bay and see rows of lockers standing open, cut locks on the ground along with all the lockers' contents, which had been raked out onto the ground. And then your parents had to cough up money for a replacement lock. No explanations were ever made.

      • Anonymous Coward, 20 Sep 2015 @ 3:39pm

        Re: Re:

        > The purpose of the lock isn't to prevent people from taking stuff out of your luggage; it's to prevent people from putting stuff INTO your luggage.

        Well, no. The lock cannot prevent any of that. It can, however, make the tampering evident - the luggage or the lock will be visibly damaged.
        Master key removes this one and only feature.

    • Wendy Cockcroft, 21 Sep 2015 @ 6:36am

      Re:

      Mason, if people can nick stuff OUT of your bag...

      ... they can put stuff in it, man.


      Think about it.

      • Jeremy Lyman, 21 Sep 2015 @ 6:41am

        Re: Re:

        If they put something in your bag outside of security, the TSA should catch it, right? If someone did it inside security there are bigger issues than insecure suitcase locks.

        Either way the locks don't compromise airport security, just your personal security and/or culpability that the TSA doesn't care about.

  • Anonymous Coward, 18 Sep 2015 @ 2:50pm

    Point of Order...

    > the TSA's specially designed master key...

    I recall seeing a ring of keys, perhaps as many as 6, in the "picture of TSA master keys".

    This doesn't change the problem, other than requiring more than just one 3d template for printing them. (Or a single template that creates all of them at the same time, like those plastic model car kits. Break off the key you need.)

    Just a clarification. Or, if I am mistaken, a muddlement.

    • Anonymous Coward, 18 Sep 2015 @ 4:30pm

      Re: Point of Order...

      They have several, identified by 000something codes.

      The leading zeroes are great, I suppose they assumed that they could make thousands of different locks?

      Anyhow, you can already buy the keys on ebay.

    • t/sat, 18 Sep 2015 @ 9:34pm

      Why not baggage?

      If we spent three months fedex/ups ing our luggage and checking bags full of dog shit wrapped in chains secured by hi-security locks then maybe they'd get the fuckin' idea!!!!!! Our baggage system has been hijacked by a bunch of fuckin' mental patients with a government mandate and all we can say is - thank you sir, may I have another. Somebody in dc deserves the complete anal treatment, and we can't even come up with a fuckin' NAME!!!!!!!!!!! Fuck, fuck fuck fuckety fuck

  • OGquaker, 18 Sep 2015 @ 3:05pm

    back doors are for wimps

    Like 'electronic vote tallying' in this country, a myriad of gaps in 'security' makes traceability impossible:(

    I.E., the joy of slipping your contraband into someone else's luggage.

    Back Door? We don't need no stinking back door

    Haven't had a back door on this house since a burglar destroyed it in 1997.
    Haven't locked a door in this house since a burglar separated the bathroom wall from the hall wall, taking out the door jamb on someone's 'locked' office in 2008.
    Haven't locked the front door since an office 'renter' (others were present) tried to kill me with our own garden tools and wiped out three internal doors and one window; LAPD said 'no crime, he says he 'lives' here.

    I have never wanted nor needed a back door here in California, NSA has everything that goes through the pipe.

  • Anonymous Coward, 18 Sep 2015 @ 3:21pm

    Only a government agency would not see this as a problem. Of course they don't have to worry. It's not their valuables locked up in luggage a master key of theirs would open.

    But put it on the other shoe and you find out just how much security matters. Post their secrets on line and suddenly you will find it matters a whole lot to them; as long as it is just your stuff, no big deal.

  • Anonymous Coward, 18 Sep 2015 @ 3:21pm

    I'm going to 3D print my TSA key in gold

    and then leave it out under my front doormat, along with all my other "golden" keys.

  • Anonymous Coward, 18 Sep 2015 @ 3:56pm

    Can someone check if they use 123456 as their master password too?

  • tom, 18 Sep 2015 @ 5:18pm

    This blunder by the Terminal Stupidity Agency is good news for bad guys. If something forbidden is found in a bad guy's piece of luggage, they can now raise reasonable doubt that the item in question was really theirs, since anybody can now have copies of the TSA master keys and could have opened the luggage and left the item and not leave a trace.

  • Pixelation, 18 Sep 2015 @ 7:31pm

    FTFY

    "Why Backdoors Always Suck: For the ones getting backdoored"

    Just ask the NSA when they become the victims...

  • Anonymous Coward, 18 Sep 2015 @ 10:34pm

    I hear half the time the TSA just breaks open the locks on luggage without even trying the master keys first. Do you believe it?

    • TRX, 20 Sep 2015 @ 6:32am

      Re:

      Probably one of their highly trained security experts lost the only key that checkpoint was issued, or doesn't care to walk to where the key is, or is just a jerk who likes the "pop" when the bolt cutters go through the lock.

      You should be glad they don't just use shears to go through the side of your luggage.

  • Anonymous Coward, 18 Sep 2015 @ 11:55pm

    I believe the saying is "that is a design feature not a security flaw"

    The more problems that happen the more they can justify needing more security and fewer rights for citizens in order to protect them from the bad people.

  • Anonymous Coward, 19 Sep 2015 @ 7:42am

    of COURSE the TSA promotes these locks.
    Those high-up controlling the TSA own shares in the lock manufacturers.....

  • Anonymous Coward, 19 Sep 2015 @ 7:43am

    Side effect: did you pack this luggage yourself ..yes..

    Someone must have planted that kilo of coke in my suitcase your honor....after all the TSA locks have been rendered useless...

  • Not an Electronic Rodent, 19 Sep 2015 @ 9:10am

    Just me?

    Is it just me, or is anyone else's response to the startling news that TSA locks are insecure;

    "Uh... Well, DUH!"
    ?

  • Anonymous Coward, 19 Sep 2015 @ 10:15am

    Less a bug, more a feature

    Given how rampant theft is among TSA employees this is more of a feature than a bug. If a corrupt agent uses his master key to open the TSA-approved lock on your bag to steal the laptop he saw in your checked bag (replace with other valuable) when screening it the TSA can now point to this security flaw to conjure plausible deniability.

  • Coyne Tibbets, 19 Sep 2015 @ 12:19pm

    Despotic authority

    I don't know why this is such a surprise. Fact is, TSA doesn't give a shit about any aspect of security.

    What it does care about, and always has, is its authority: its ability to impose despotic requirements on citizens, make the citizens jump through hoops, spend lots of taxpayer money (influence buying), and (from time to time) its authority to arrest citizens on trumped-up charges.

    Take that three ounce requirement for liquid containers. How many people seriously think that a limit of three ounces (actually, 3.4 ounces, 100 mL) of nitroglycerin or acetone peroxide is likely to save the plane? Right.

    No, in my estimation, the 100 mL limit was set for one reason alone: because it was not possible to buy a container of mouthwash/whatever of 100 mL or less. In other words, an absolute ban, with a pretense that it's not really absolute because, "We permit 3.4 ounces," and an absolute ban might be seen as "unreasonable".

    Power, despotic authority, that's the only goal. If you get a little pretend security on the side: nobody's perfect.

    • GEMont, 20 Sep 2015 @ 2:21pm

      Re: Despotic authority

      Actually, the job of the TSA is preparedness.

      Not the preparedness you might automatically associate with a security agency, as in security from terrorists, but the kind of preparedness that is necessary in a police state for people to become automatically obedient to any uniformed authority and unquestioning when uniformed authority makes demands and asks "Papers please."

      The TSA's job is to get folks used to being frisked by uniformed strangers, having their belongings opened and searched through by uniformed strangers, having their identity and travel papers examined by uniformed strangers, and being detained and questioned by uniformed strangers.

      It takes some time for a free society to learn how to be prisoners in their own homes, but the TSA is doing a fine job of getting America prepared for the future.

      ---

  • George Orwell, 19 Sep 2015 @ 1:28pm

    1984

    perfect Orwellian "everything is fine"- govspeak

  • Spaceman Spiff, 20 Sep 2015 @ 8:35am

    And?

    And the potential for bombs being placed on US aircraft is?

  • Anonymous Coward, 21 Sep 2015 @ 7:02am

    TSA is merely a jobs program for the unemployable.

  • Reality bites, 22 Sep 2015 @ 2:20pm

    What else could be expected from the most inept in the universe

    Nothing in the universe dumber than a government clown.

  • Paul Alastair, 29 Oct 2015 @ 3:52am

    Locking Security

    I think this is a surprise.
