Monday, September 24, 2018

[hfzcbieo] Decoding TSA locks

People made a big deal when the Washington Post published a photograph of the master keys for TSA luggage locks, and some people made working keys from the photographs using a 3D printer.  Was a photograph really necessary to make working keys?

It seems not too difficult to have created those master keys by disassembling locks and measuring the lengths of the key pins and distances between the pin stacks: no photograph necessary.  It's surprising that such reverse-engineered keys, or instructions or CAD drawings for making them, weren't widely available even before the picture was published.

Are TSA locks hardened against this kind of disassembly attack?  Maybe they make aggressive use of master wafers, so it's difficult to tell what is the master-key cut from examining just one lock.  However, this could be mitigated by examining multiple locks, perhaps a collaborative worldwide effort that the internet is good for coordinating within the already active lock sport special-interest community.

Were there laws forbidding this kind of activity, or disseminating information about this kind of activity?  If so, they would have also been invoked following the publishing of the photograph and subsequent discussion of making the keys, so we doubt it, unless the government were specifically trying to avoid the Streisand effect.

Skilled lockpickers laugh at 3D printing keys because they can quickly pick TSA locks with traditional lockpicking tools.  However, not everyone is a skilled lockpicker.

It would have been interesting if the TSA hadn't specified a master key backdoor to their locks but instead specified regulations forcing them to be able to be easily picked, for example: no weird keyways (or specifying a standard key blank), no more that 4 pins, no security pins, and all springs must be the same.  The pinning is random, different for every lock, just like normal locks, except a key is not distributed to the customer.  The TSA's "backdoor" would be traditional lockpicking, though with those regulations, very easy traditional lock picking, e.g., raking, lockpick gun, bump key, that could easily be taught to baggage inspectors.

No comments :