Why Backdoors Always Suck: The TSA Travel Locks Were Hacked And The TSA Doesn't Care

(Mis)Uses of Technology

from the locks-with-scare-quotes dept

The TSA, it appears, is just simply bad at everything. The nation’s most useless government agency has already made it clear that it is bad at knowing if it groped you, bad at even have a modicum of sense when it comes to keeping the traveling luggage of citizens private, and the TSA is especially super-mega-bad at TSA-ing, failing to catch more than a fraction of illicit material as it passes by agents upturned noses. And now, it appears, the TSA has demonstrated that it is also bad at pretending to give a shit.

In case you missed the recent news, the TSA’s specially designed master key to open all of the specially designed TSA-recognized luggage locks were especially super-hacked by someone with access to such privileged information and equipment as a newspaper subscription and a 3D printer. By using a picture in the Washington Post of a TSA agent’s master key and some documents from Travel Sentry, a group that generates and enforces TSA protocols, one security researcher was able to create 3D printer files to create his own master key.

Steven Knuchel, a hacker/security researcher who goes by Xylitol or Xyl2k, used the detailed images obtained from the Travel Sentry website to create the kind of files that 3D printers use to produce models. Since the files were first published, several people have demonstrated that they work, using inexpensive 3D printing plastic called PLA.

So, hey, that’s probably bad, right? I mean, here we have the TSA recommending passengers lock their luggage with locks designed with a TSA-backdoor in the form of a master key, and now anyone can make the master key. That would seem to leave thousands (millions?) of passengers’ luggage vulnerable to break-in. Not a great look for an agency designed with no other goal beyond security. The TSA response?

“The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security,” wrote TSA spokesperson Mike England in an email to The Intercept. “These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime,” England wrote.

Yes, that’s correct. Upon being informed of the TSA lock master key hack, the TSA essentially went with the “we don’t give a shit” approach. I will say, at the very least, that it’s somewhat refreshing to hear a government representative admit that at least some part of aiport and passenger security boils down to the feel-goods, but I’m of the opinion that a security agency unconcerned about security probably shouldn’t be allowed to exist any longer. Especially when that same agency has been touting those same useless locks for years to passengers.

The larger point, of course, is that this is inevitable when you build security with backdoor access.

Nicholas Weaver, a computer security researcher at Berkeley, wrote on the Lawfare blog about the TSA locks and how they are “similar in spirit to what [FBI] Director [James] Comey desires for encrypted phones.”

Xylitol, the GitHub user who published the blueprint of the keys, said that was his point. “This is actually the perfect example for why we shouldn’t trust a government with secret backdoor keys (or any kind of other backdoors),” he wrote in an email to The Intercept. “Security with backdoor[s] is not security and inevitably exposes everyone.”

That’s an axiom that other government agencies might want to pay attention to. The breaking of TSA locks wasn’t even particularly difficult. If the government truly wants security on the networks of the American people, be the computer, phone, or otherwise, building in government backdoors provides the perfect entry point for bad-actors. If they actually want security, leave the backdoors out, or they risk looking every bit as dumb as the TSA.

Filed Under: backdoors, privacy, security, tsa, tsa key