Hackers thwart TSA luggage locks, see same problems in backdoors

Hackers thwart TSA luggage locks, see same problems in backdoors
© Getty Images

Researchers who successfully reverse-engineered master keys used by the Transportation Security Authority say their work should be a metaphor for the dangers of encryption backdoors. 

The TSA requires all luggage to be searchable, with all locks able to be opened by one of eight master keys. Anyone with the keys can open any luggage complying with the rules. A trio of hackers presenting at this weekend’s Hope Conference in New York City showed that with widely available supplies, anyone can reproduce as many as seven of those eight keys. 


“Let’s assume that the government has our best interest in mind,” said the hacker Johnny Xmas, who with Nite 0wl and DarkSim905 — each presenting under their nickname — reproduced the TSA keys. Xmas works as a penetration tester for Redlegg Tradecraft labs

“Now that we’ve given government our keys, what happens when the bad guys get them? In security, we assume that networks being compromised is a when, not an if.”

The same is true, he says, of the proposal to provide digital master keys to law enforcement.

The hackers were able to duplicate the TSA keys for two different reasons. TSA agents brought seven keys developed under the Travel Sentry standard to news photo shoots. Six were photographed and published in enough detail for anyone to reproduce a physical copy of it. 

These photographs — and keys made from these photographs — have been available for years. The last key, the one licensed under the SafeSkies standard, had remained secure until Xmas’s team presented specs at the Hope conference. 

The SafeSkies key was reverse-engineered from design flaw in a combination lock that could only accept the master key. 

Similarly, experts note that digital master keys — usually called backdoors or key escrow — can be stolen or circumvented through mishandling by the government officials who use it or by engineering failures. 

“Digital security is so intangible that people get confused,” said Xmas, “but people can understand immediately how the same issue in locks creates a problem.”

--Update 8:28. An earlier version of this story misspelled Johnny Xmas's name.