Why Backdoors Always Suck: The TSA Travel Locks Were Hacked And The TSA Doesn't Care
from the locks-with-scare-quotes dept
The TSA, it appears, is just simply bad at everything. The nation's most useless government agency has already made it clear that it is bad at knowing if it groped you, bad at even have a modicum of sense when it comes to keeping the traveling luggage of citizens private, and the TSA is especially super-mega-bad at TSA-ing, failing to catch more than a fraction of illicit material as it passes by agents upturned noses. And now, it appears, the TSA has demonstrated that it is also bad at pretending to give a shit.
In case you missed the recent news, the TSA's specially designed master key to open all of the specially designed TSA-recognized luggage locks were especially super-hacked by someone with access to such privileged information and equipment as a newspaper subscription and a 3D printer. By using a picture in the Washington Post of a TSA agent's master key and some documents from Travel Sentry, a group that generates and enforces TSA protocols, one security researcher was able to create 3D printer files to create his own master key.
Steven Knuchel, a hacker/security researcher who goes by Xylitol or Xyl2k, used the detailed images obtained from the Travel Sentry website to create the kind of files that 3D printers use to produce models. Since the files were first published, several people have demonstrated that they work, using inexpensive 3D printing plastic called PLA.So, hey, that's probably bad, right? I mean, here we have the TSA recommending passengers lock their luggage with locks designed with a TSA-backdoor in the form of a master key, and now anyone can make the master key. That would seem to leave thousands (millions?) of passengers' luggage vulnerable to break-in. Not a great look for an agency designed with no other goal beyond security. The TSA response?
“The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security,” wrote TSA spokesperson Mike England in an email to The Intercept. “These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime,” England wrote.Yes, that's correct. Upon being informed of the TSA lock master key hack, the TSA essentially went with the "we don't give a shit" approach. I will say, at the very least, that it's somewhat refreshing to hear a government representative admit that at least some part of aiport and passenger security boils down to the feel-goods, but I'm of the opinion that a security agency unconcerned about security probably shouldn't be allowed to exist any longer. Especially when that same agency has been touting those same useless locks for years to passengers.
The larger point, of course, is that this is inevitable when you build security with backdoor access.
Nicholas Weaver, a computer security researcher at Berkeley, wrote on the Lawfare blog about the TSA locks and how they are “similar in spirit to what [FBI] Director [James] Comey desires for encrypted phones.”That's an axiom that other government agencies might want to pay attention to. The breaking of TSA locks wasn't even particularly difficult. If the government truly wants security on the networks of the American people, be the computer, phone, or otherwise, building in government backdoors provides the perfect entry point for bad-actors. If they actually want security, leave the backdoors out, or they risk looking every bit as dumb as the TSA.
Xylitol, the GitHub user who published the blueprint of the keys, said that was his point. “This is actually the perfect example for why we shouldn’t trust a government with secret backdoor keys (or any kind of other backdoors),” he wrote in an email to The Intercept. “Security with backdoor[s] is not security and inevitably exposes everyone.”
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
So then the TSA is the ONLY entity that can't open the locks..
So what's the total expenditure from manufacturers and customers on this gold-plated cow patty?
I feel SO much safer now...
[ link to this | view in chronology ]
Re: So then the TSA is the ONLY entity that can't open the locks..
[ link to this | view in chronology ]
Re: So then the TSA is the ONLY entity that can't open the locks..
This will replace my current method of including an extra lock inside my suitcase with a note "For use when some clueless moron cuts the suitcase lock, even though they are already holding the key."
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
You wish. The primary shock is that these morons still exist. Everybody and their dog has known there has been no point to TSA's existence forever, yet there are no official calls to shut down and disband it nor to shift the burden back onto airlines which might at least care (they're their airplanes, after all). That's damned near miraculous. How do they do it? They get nothing right, yet still go on and get away with it.
That's sheer wizardry!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Though to be fair to the TSA, this doesn't affect the security of the planes. The security of our bags contents are not their concern.
[ link to this | view in chronology ]
Re:
TSA could always care less about safeguarding the contents of the bag since that was never their job. Only job they have (doing it badly of course) is to stop unauthorized things from being in the bag.
I think this article is trying too hard to make something out of this when really there was never anything to it other than a quick look at why backdooring is stupid.
[ link to this | view in chronology ]
Re: Re:
This is all equally true of the FBI/NSA and encrypted communication.
[ link to this | view in chronology ]
Re:
That was a really dumb statement by TSA.
[ link to this | view in chronology ]
Re: Re:
Although I try to avoid checking baggage ever, when I do I never lock my luggage. It seems pointless to me since TSA employees either have a key or will cut my lock anyway. And yet the TSA has never complained about my lack of locking.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
The bad job they're doing notwithstanding, it doesn't help your case when you twist their words. Luggage locks have nothing to do with "airport and passenger security".
If someone steals stuff out of your luggage, that's no fun for you, but it does not pose a threat to aviation security (keeping planes from coming down when or where they shouldn't). It just poses a threat to the security of your luggage, which is not the TSA's mandate, which appears to be the point that Mr. England is making.
[ link to this | view in chronology ]
Re:
In which case why are the TSA pimping locks that have been made useless? If the TSA is pimping the locks, then it means it involves security. If it doesn't, then the TSA is pimping locks for other reasons, a notion I find extremely tantalizing....
[ link to this | view in chronology ]
Re: Re:
This story is overblown anyway. Whether anyone published the keys or not, anyone with the lock could reverse-engineer it by taking it apart and looking at the pins. OK, so they'd have to buy one of each type of lock, but presumably they'll make enough from the theft/smuggling to do it.
[ link to this | view in chronology ]
Re:
Sure, the locks aren't any more/less safe than a zip strip, but sealed luggage is always safer than unsealed (or undetectably unsealed and resealed) luggage.
[ link to this | view in chronology ]
Re: Re:
"My client believed that only he and the TSA could get in that suitcase but now anyone from the bell hop, to the cabdriver to the baggage handler could have placed that contraband in his suitcase."
The good news is zip ties are better seals to indicate tampering than the locks and cheaper.
[ link to this | view in chronology ]
Re: TSA Locks
We have all read of passengers who have opened their suitcases and found items that didn't belong to them.
[ link to this | view in chronology ]
Re:
Right, because someone couldn't REPLACE stuff in your luggage with something that poses a threat to aviation security.
[ link to this | view in chronology ]
Re: what about planting evidence or bombs?
they can put anything like drugs or a freaking bomb, also without a trace
so YES this totally FUCKS UP the airplane security
[ link to this | view in chronology ]
Re:
As for cutting the locks off instead of using their key... that seems to be an authoritarian thing. When I was in high school 40 years ago, the school issued special school locks to each student, with one key. The lock could be opened by that key or with a master key.
Every few months, you'd walk into a locker bay and see rows of lockers standing open, cut locks on the ground along with all the lockers' contents, which had been raked out onto the ground. And then your parents had to cough up money for a replacement lock. No explanations were ever made.
[ link to this | view in chronology ]
Re: Re:
Well, no. The lock cannot prevent any of that. It can, however, make the tampering evident - the luggage or the lock will be visibly damaged.
Master key removes this one and only feature.
[ link to this | view in chronology ]
Re:
... they can put stuff in it, man.
Think about it.
[ link to this | view in chronology ]
Re: Re:
Either way the locks don't compromise airport security, just your personal security and/or culpability that the TSA doesn't care about.
[ link to this | view in chronology ]
Point of Order...
I recall seeing a ring of keys, perhaps as many as 6, in the "picture of TSA master keys".
This doesn't change the problem, other than requiring more than just one 3d template for printing them. (Or a single template that creates all of them at the same time, like those plastic model car kits. Break off the key you need.)
Just a clarification. Or, if I am mistaken, a muddlement.
[ link to this | view in chronology ]
Re: Point of Order...
The leading zeroes are great, I suppose they assumed that they could make thousands of different locks?
Anyhow, you can already buy the keys on ebay.
[ link to this | view in chronology ]
Why not baggage?
[ link to this | view in chronology ]
Re: Why not baggage?
i believe that about sums it up completely...
[ link to this | view in chronology ]
back doors are for wimps
I.E., the joy of slipping your contraband into someone else's luggage.
Back Door? We donn't need no stinking back door
Haven't had a back door on this house since a burglar destroyed it in 1997.
Haven't locked a door in this house since a burglar separated the bathroom wall from the hall wall, taking out the door jam on someone's 'locked' office in 2008.
Haven't locked the front door since an office 'renter' (others were present) tried to kill me with our own garden tools and wiped out three internal doors and one window; LAPD said 'no crime, he says he 'lives' here.
I have never wanted nor needed a back door here in California, NSA has everything that goes through the pipe.
[ link to this | view in chronology ]
But put it on the other shoe and you find out just how much security matters. Post their secrets on line and suddenly you will find it matters a whole lot to them; as long as it is just your stuff, no big deal.
[ link to this | view in chronology ]
I'm going to 3D print my TSA key in gold
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
FTFY
Just ask the NSA when they become the victims...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
You should be glad they don't just use shears to go through the side of your luggage.
[ link to this | view in chronology ]
The more problems that happen the more they can justify needing more security and fewer rights for citizens in order to protect them from the bad people.
[ link to this | view in chronology ]
Those high-up controlling the TSA own shares in the lock manufacturers.....
[ link to this | view in chronology ]
Someone must have planted that kilo of coke in my suitcase your honor....afterall the TSA locks have been rendered useless...
[ link to this | view in chronology ]
Just me?
"Uh... Well, DUH!"
?
[ link to this | view in chronology ]
Less a bug, more a feature
[ link to this | view in chronology ]
Despotic authority
What it does care about, and always has, is its authority: its ability to impose despotic requirements on citizens, make the citizens jump through hoops, spend lots of taxpayer money (influence buying), and (from time to time) its authority to arrest citizens on trumped-up charges.
Take that three ounce requirement for liquid containers. How many people seriously think that a limit of three ounces (actually, 3.4 ounces, 100 mL) of nitroglycerin or acetone peroxide is likely to save the plane? Right.
No, in my estimation, the 100 mL limit was set for one reason alone: because it was not possible to buy a container of mouthwash/whatever of 100 mL or less. In other words, an absolute ban, with a pretense that it's not really absolute because, "We permit 3.4 ounces," and an absolute ban might be seen as "unreasonable".
Power, despotic authority, that's the only goal. If you get a little pretend security on the side: nobody's perfect.
[ link to this | view in chronology ]
Re: Despotic authority
Not the preparedness you might automatically associate with a security agency, as in security from terrorists, but the kind of preparedness that is necessary in a police state for people to become automatically obedient to any uniformed authority and unquestioning when uniformed authority makes demands and asks "Papers please."
The TSA's job is to get folks used to being frisked by uniformed strangers, having their belongings opened and searched through by uniformed strangers, having their identity and travel papers examined by uniformed strangers, and being detained and questioned by uniformed strangers.
It takes a some time for a free society to learn how to be prisoners in their own homes, but the TSA is doing a fine job of getting America prepared for the future.
---
[ link to this | view in chronology ]
1984
[ link to this | view in chronology ]
And?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
What else could be expected from the most inept in the universe
[ link to this | view in chronology ]
Locking Security
[ link to this | view in chronology ]