Why Backdoors Always Suck: The TSA Travel Locks Were Hacked And The TSA Doesn't Care
from the locks-with-scare-quotes dept
The TSA, it appears, is just simply bad at everything. The nation’s most useless government agency has already made it clear that it is bad at knowing if it groped you, bad at even having a modicum of sense when it comes to keeping the traveling luggage of citizens private, and the TSA is especially super-mega-bad at TSA-ing, failing to catch more than a fraction of illicit material as it passes by agents’ upturned noses. And now, it appears, the TSA has demonstrated that it is also bad at pretending to give a shit.
In case you missed the recent news, the TSA’s specially designed master key to open all of the specially designed TSA-recognized luggage locks was especially super-hacked by someone with access to such privileged information and equipment as a newspaper subscription and a 3D printer. By using a picture in the Washington Post of a TSA agent’s master key and some documents from Travel Sentry, a group that generates and enforces TSA protocols, one security researcher was able to create 3D printer files for making his own master key.
Steven Knuchel, a hacker/security researcher who goes by Xylitol or Xyl2k, used the detailed images obtained from the Travel Sentry website to create the kind of files that 3D printers use to produce models. Since the files were first published, several people have demonstrated that they work, using inexpensive 3D printing plastic called PLA.
So, hey, that’s probably bad, right? I mean, here we have the TSA recommending passengers lock their luggage with locks designed with a TSA-backdoor in the form of a master key, and now anyone can make the master key. That would seem to leave thousands (millions?) of passengers’ luggage vulnerable to break-in. Not a great look for an agency designed with no other goal beyond security. The TSA response?
“The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security,” wrote TSA spokesperson Mike England in an email to The Intercept. “These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime,” England wrote.
Yes, that’s correct. Upon being informed of the TSA lock master key hack, the TSA essentially went with the “we don’t give a shit” approach. I will say, at the very least, that it’s somewhat refreshing to hear a government representative admit that at least some part of airport and passenger security boils down to the feel-goods, but I’m of the opinion that a security agency unconcerned about security probably shouldn’t be allowed to exist any longer. Especially when that same agency has been touting those same useless locks for years to passengers.
The larger point, of course, is that this is inevitable when you build security with backdoor access.
Nicholas Weaver, a computer security researcher at Berkeley, wrote on the Lawfare blog about the TSA locks and how they are “similar in spirit to what [FBI] Director [James] Comey desires for encrypted phones.”
Xylitol, the GitHub user who published the blueprint of the keys, said that was his point. “This is actually the perfect example for why we shouldn’t trust a government with secret backdoor keys (or any kind of other backdoors),” he wrote in an email to The Intercept. “Security with backdoor[s] is not security and inevitably exposes everyone.”
That’s an axiom that other government agencies might want to pay attention to. The breaking of TSA locks wasn’t even particularly difficult. If the government truly wants security on the networks of the American people, be they computer, phone, or otherwise, building in government backdoors provides the perfect entry point for bad actors. If they actually want security, leave the backdoors out, or they risk looking every bit as dumb as the TSA.
Comments on “Why Backdoors Always Suck: The TSA Travel Locks Were Hacked And The TSA Doesn't Care”
So then the TSA is the ONLY entity that can't open the locks..
IIRC, they have destroyed luggage that was equipped with their special back-door key enabled locks because…why again? Using their special key is too hard for them? They lost it and couldn’t find another one? They couldn’t be bothered to train their agents to recognize and use them?
So what’s the total expenditure from manufacturers and customers on this gold-plated cow patty?
I feel SO much safer now…
Re: So then the TSA is the ONLY entity that can't open the locks..
This is the link you were looking for. Cory Doctorow vs the TSA.
Re: So then the TSA is the ONLY entity that can't open the locks..
The next time I check a bag on a flight, I will be sure to attach a copy of the key right next to my TSA approved lock.
This will replace my current method of including an extra lock inside my suitcase with a note “For use when some clueless moron cuts the suitcase lock, even though they are already holding the key.”
The only thing shocking about this is that it’s 2015 and just now reported that someone copied the master key
Re: Re:
You wish. The primary shock is that these morons still exist. Everybody and their dog has known there has been no point to TSA’s existence forever, yet there are no official calls to shut down and disband it nor to shift the burden back onto airlines which might at least care (they’re their airplanes, after all). That’s damned near miraculous. How do they do it? They get nothing right, yet still go on and get away with it.
That’s sheer wizardry!
Re: Re:
Correction: The news is that someone made the master keys public! Others might have copied the keys way before 2015 and kept it to themselves. Either because they want to use it somehow or because they feared to be sued.
This is, of course, assuming they even use their key. The last time we traveled, they simply decided to cut and remove our TSA-Approved locks on one bag. We never got a reason for it.
Though to be fair to the TSA, this doesn’t affect the security of the planes. The security of our bags’ contents is not their concern.
Re: Re:
Their response is appropriate because you are right. The lock was already a part of the luggage process for people concerned with their own private security. The TSA just wanted to have keys so that they could supposedly use them instead of having to break the locks (old habits die hard, I guess).
TSA could always care less about safeguarding the contents of the bag since that was never their job. Only job they have (doing it badly of course) is to stop unauthorized things from being in the bag.
I think this article is trying too hard to make something out of this when really there was never anything to it other than a quick look at why backdooring is stupid.
Re: Re: Re:
The relevance here is that the TSA’s only concern is unlocking bags, which is why they “don’t give a shit” if other people can also unlock bags. It makes their job easier… Actually it would be easier if no one locked their bags at all, but some people want their possessions kept private. So the TSA convinced them this fundamentally unsound alternative was acceptable even though it’s not.
This is all equally true of the FBI/NSA and encrypted communication.
Re: Re:
Security of the bags does very much affect the security of the planes. Imagine, some explosive is found in a bag. What would the owner of such bag say? “Well, since anyone can open the lock, and the bag was not in my control, somebody put it there”. And he can try again. Until a day, when his plan works.
That was a really dumb statement by TSA.
Re: Re: Re:
That the folks in charge of security don’t agree with you is borne out by the fact that you are not required to use locks at all.
Although I try to avoid checking baggage ever, when I do I never lock my luggage. It seems pointless to me since TSA employees either have a key or will cut my lock anyway. And yet the TSA has never complained about my lack of locking.
Re: Re: Re:
Do we have to imagine? Didn’t the TSA plant something in a passenger’s bag and forget to remove it once?
The bad job they’re doing notwithstanding, it doesn’t help your case when you twist their words. Luggage locks have nothing to do with “airport and passenger security”.
If someone steals stuff out of your luggage, that’s no fun for you, but it does not pose a threat to aviation security (keeping planes from coming down when or where they shouldn’t). It just poses a threat to the security of your luggage, which is not the TSA’s mandate, which appears to be the point that Mr. England is making.
Re: Re:
“If someone steals stuff out of your luggage, that’s no fun for you, but it does not pose a threat to aviation security”
In which case why are the TSA pimping locks that have been made useless? If the TSA is pimping the locks, then it means it involves security. If it doesn’t, then the TSA is pimping locks for other reasons, a notion I find extremely tantalizing….
Re: Re: Re:
It does. We need to give up our security so they can feel secure.
This story is overblown anyway. Whether anyone published the keys or not, anyone with the lock could reverse-engineer it by taking it apart and looking at the pins. OK, so they’d have to buy one of each type of lock, but presumably they’ll make enough from the theft/smuggling to do it.
Re: Re:
OK: so what about someone opening your luggage, post-screening, to stick something IN it?
Sure, the locks aren’t any more/less safe than a zip strip, but sealed luggage is always safer than unsealed (or undetectably unsealed and resealed) luggage.
Re: Re: Re:
Given now that anyone can get a key to the TSA lock the chain of evidence is broken for anything found in a bag. Defense lawyers are gonna love this.
“My client believed that only he and the TSA could get in that suitcase but now anyone from the bell hop, to the cabdriver to the baggage handler could have placed that contraband in his suitcase.”
The good news is zip ties are better seals to indicate tampering than the locks and cheaper.
Re: TSA Locks
Having a TSA master key and the ability to get into luggage might allow someone with nefarious intentions to place contraband into that luggage, contraband such as a bomb.
We have all read of passengers who have opened their suitcases and found items that didn’t belong to them.
Re: Re:
“If someone steals stuff out of your luggage, that’s no fun for you, but it does not pose a threat to aviation security (keeping planes from coming down when or where they shouldn’t). It just poses a threat to the security of your luggage, which is not the TSA’s mandate, which appears to be the point that Mr. England is making.”
Right, because someone couldn’t REPLACE stuff in your luggage with something that poses a threat to aviation security.
Re: what about planting evidence or bombs?
not only EVERYBODY can open your bags and steal your stuff without traces…
they can put anything like drugs or a freaking bomb, also without a trace
so YES this totally FUCKS UP the airplane security
Re: Re:
erm. The purpose of the lock isn’t to prevent people from taking stuff out of your luggage; it’s to prevent people from putting stuff INTO your luggage. Contraband, explosives, that sort of thing.
As for cutting the locks off instead of using their key… that seems to be an authoritarian thing. When I was in high school 40 years ago, the school issued special school locks to each student, with one key. The lock could be opened by that key or with a master key.
Every few months, you’d walk into a locker bay and see rows of lockers standing open, cut locks on the ground along with all the lockers’ contents, which had been raked out onto the ground. And then your parents had to cough up money for a replacement lock. No explanations were ever made.
Re: Re: Re:
Well, no. The lock cannot prevent any of that. It can, however, make the tampering evident – the luggage or the lock will be visibly damaged.
Master key removes this one and only feature.
Re: Re:
Mason, if people can nick stuff OUT of your bag…
… they can put stuff in it, man.
Think about it.
Re: Re: Re:
If they put something in your bag outside of security, the TSA should catch it, right? If someone did it inside security there are bigger issues than insecure suitcase locks.
Either way the locks don’t compromise airport security, just your personal security and/or culpability that the TSA doesn’t care about.
Point of Order...
> the TSA’s specially designed master key…
I recall seeing a ring of keys, perhaps as many as 6, in the “picture of TSA master keys”.
This doesn’t change the problem, other than requiring more than just one 3D template for printing them. (Or a single template that creates all of them at the same time, like those plastic model car kits. Break off the key you need.)
Just a clarification. Or, if I am mistaken, a muddlement.
Re: Point of Order...
They have several, identified by 000something codes.
The leading zeroes are great, I suppose they assumed that they could make thousands of different locks?
Anyhow, you can already buy the keys on ebay.
Re: Why not baggage?
If we spent three months fedex/ups ing our luggage and checking bags full of dog shit wrapped in chains secured by hi-security locks then maybe they’d get the fuckin’ idea!!!!!! Our baggage system has been hijacked by a bunch of fuckin’ mental patients with a government mandate and all we can say is – thank you sir, may I have another. Somebody in dc deserves the complete anal treatment, and we can’t even come up with a fuckin’ NAME!!!!!!!!!!! Fuck, fuck fuck fuckety fuck
Re: Re: Why not baggage?
” Fuck, fuck fuck fuckety fuck”
I believe that about sums it up completely…
back doors are for wimps
Like ‘electronic vote tallying’ in this country, a myriad of gaps in ‘security’ makes traceability impossible:(
I.E., the joy of slipping your contraband into someone else’s luggage.
Back Door? We don’t need no stinking back door
Haven’t had a back door on this house since a burglar destroyed it in 1997.
Haven’t locked a door in this house since a burglar separated the bathroom wall from the hall wall, taking out the door jamb on someone’s ‘locked’ office in 2008.
Haven’t locked the front door since an office ‘renter’ (others were present) tried to kill me with our own garden tools and wiped out three internal doors and one window; LAPD said ‘no crime, he says he ‘lives’ here’.
I have never wanted nor needed a back door here in California, NSA has everything that goes through the pipe.
Only a government agency would not see this as a problem. Of course they don’t have to worry. It’s not their valuables locked up in luggage a master key of theirs would open.
But put it on the other shoe and you find out just how much security matters. Post their secrets on line and suddenly you will find it matters a whole lot to them; as long as it is just your stuff, no big deal.
I'm going to 3D print my TSA key in gold
and then leave it out under my front doormat, along with all my other “golden” keys.
Can someone check if they use 123456 as their master password too?
This blunder by the Terminal Stupidity Agency is good news for bad guys. If something forbidden is found in a bad guy’s piece of luggage, they can now raise reasonable doubt that the item in question was really theirs, since anybody can now have copies of the TSA master keys and could have opened the luggage and left the item and not leave a trace.
Re: Re:
Ah, but the bad guy wasn’t the TSA?
FTFY
“Why Backdoors Always Suck: For the ones getting backdoored”
Just ask the NSA when they become the victims…
I hear half the time the TSA just breaks open the locks on luggage without even trying the master keys first. Do you believe it?
Re: Re:
Probably one of their highly trained security experts lost the only key that checkpoint was issued, or doesn’t care to walk to where the key is, or is just a jerk who likes the “pop” when the bolt cutters go through the lock.
You should be glad they don’t just use shears to go through the side of your luggage.
I believe the saying is “that is a design feature not a security flaw”
The more problems that happen the more they can justify needing more security and fewer rights for citizens in order to protect them from the bad people.
of COURSE the TSA promotes these locks.
Those high-up controlling the TSA own shares in the lock manufacturers…..
Side effect: did you pack this luggage yourself ..yes..
Someone must have planted that kilo of coke in my suitcase your honor….after all the TSA locks have been rendered useless…
Just me?
Is it just me, or is anyone else’s response to the startling news that TSA locks are insecure;
“Uh… Well, DUH!”
?
Less a bug, more a feature
Given how rampant theft is among TSA employees this is more of a feature than a bug. If a corrupt agent uses his master key to open the TSA-approved lock on your bag to steal the laptop he saw in your checked bag (replace with other valuable) when screening it, the TSA can now point to this security flaw to conjure plausible deniability.
Despotic authority
I don’t know why this is such a surprise. Fact is, TSA doesn’t give a shit about any aspect of security.
What it does care about, and always has, is its authority: its ability to impose despotic requirements on citizens, make the citizens jump through hoops, spend lots of taxpayer money (influence buying), and (from time to time) its authority to arrest citizens on trumped-up charges.
Take that three ounce requirement for liquid containers. How many people seriously think that a limit of three ounces (actually, 3.4 ounces, 100 mL) of nitroglycerin or acetone peroxide is likely to save the plane? Right.
No, in my estimation, the 100 mL limit was set for one reason alone: because it was not possible to buy a container of mouthwash/whatever of 100 mL or less. In other words, an absolute ban, with a pretense that it’s not really absolute because, “We permit 3.4 ounces,” and an absolute ban might be seen as “unreasonable”.
Power, despotic authority, that’s the only goal. If you get a little pretend security on the side: nobody’s perfect.
Re: Despotic authority
Actually, the job of the TSA is preparedness.
Not the preparedness you might automatically associate with a security agency, as in security from terrorists, but the kind of preparedness that is necessary in a police state for people to become automatically obedient to any uniformed authority and unquestioning when uniformed authority makes demands and asks “Papers please.”
The TSA’s job is to get folks used to being frisked by uniformed strangers, having their belongings opened and searched through by uniformed strangers, having their identity and travel papers examined by uniformed strangers, and being detained and questioned by uniformed strangers.
It takes some time for a free society to learn how to be prisoners in their own homes, but the TSA is doing a fine job of getting America prepared for the future.
—
1984
perfect Orwellian “everything is fine”- govspeak
And?
And the potential for bombs being placed on US aircraft is?
TSA is merely a jobs program for the unemployable.
What else could be expected from the most inept in the universe
Nothing in the universe dumber than a government clown.
Locking Security
I think this is a surprise.