THE TSA IS learning a basic lesson of physical security in the age of 3-D printing: If you have sensitive keys—say, a set of master keys that can open locks you’ve asked millions of Americans to use—don’t post pictures of them on the Internet.
A group of lock-picking and security enthusiasts drove that lesson home Wednesday by publishing a set of CAD files to Github that anyone can use to 3-D print a precisely measured set of the TSA’s master keys for its “approved” locks—the ones the agency can open with its own keys during airport inspections. Within hours, at least one 3-D printer owner had already downloaded the files, printed one of the master keys, and published a video proving that it opened his TSA-approved luggage lock.
Those photos first began making the rounds online last month, after the Washington Post unwittingly published (and then quickly deleted) a photo of the master keys in an article about the “secret life” of baggage in the hands of the TSA. It was too late. Now those photos have been used to derive exact cuts of the master keys so that anyone can reproduce them in minutes with a 3-D printer or a computer-controlled milling machine.
“Honestly I wasn’t expecting this to work, even though I tried to be as accurate as possible from the pictures. I did this for fun and don’t even have a TSA-approved lock to test,” writes Xylitol, the Github user who published the files, in an email to WIRED. Xylitol, who noted that he was based in France, declined to reveal his real name. “But if someone reported it that my 3D models are working, well, that’s cool, and it shows…how a simple picture of a set of keys can compromise a whole system.”
Though Xylitol had warned Wednesday morning that he hadn’t tested the CAD files, Montreal-based Unix administrator Bernard Bolduc showed just hours later that the printable files worked as advertised. Bolduc says he printed one of keys in five minutes on his PrintrBot Simple Metal printer using cheap PLA plastic and immediately opened one of his TSA-approved luggage locks.
“I didn’t do any modifications,” he said in a phone call with WIRED. “It worked on the first try.”
Despite Bolduc’s successful test, the 3-D printed keys may still require some tweaking. On Friday, another lockpicking enthusiast who goes by J0hnny Xm4s reported on Twitter that he’d also been able to open TSA-approved locks with the 3-D printed keys, but that he’d had to change the scale of the CAD models.1
Bolduc says he doesn’t know the brand of the luggage lock he opened, but based on the “TSA” inscription on the bottom, he can conclude it is on the approved list. The problem likely extends well beyond one brand, anyway; the leaked master keys include those that open every type of TSA-approved lock made by companies such as Master Lock, Samsonite and American Tourister.
Of course, none of those companies are to blame for following the TSA’s master key guidelines. The real security blunder, as Berkeley computer security researcher Nicholas Weaver noted after the key photos were first published, was made by the TSA and the Washington Post, who released the photos on the Post’s website. Publishing photos of sensitive keys, after all, is a well-understand screwup in the world of physical security, where researchers have shown for years that a key can be decoded and reproduced even from a photo taken from as far away as 200 feet and at an angle. Neither the Washington Post nor the TSA immediately responded to a request for comment.
The Github release of those printable master key files, according to one of the lockpickers who decoded the master key photo, is meant to prove to anyone who uses the TSA-approved locks that they should no longer expect them to offer much security. “People need to be aware that even though someone says ‘use these approved locks,’ don’t take their word for it,” says Shahab Sheikhzadeh, a New Jersey-based security researcher who usually goes by the handle DarkSim905, and who helped Xylitol with his work on Github. “We’re in a day and age when pretty much anything can be reproduced with a photograph, a 3-D printer and some ingenuity.”
Even so, the TSA’s master key leak doesn’t exactly represent a critical security crisis, argues University of Pennsylvania computer science professor and noted lock picker Matt Blaze. The TSA-approved luggage locks were never very high security devices to begin with. “I’m not sure anyone relied on these kinds of locks for serious security purposes,” he says. “I find it’s actually quicker to pick the TSA’s locks than to look for my key sometimes.” (Blaze also notes that he believes that a photo of TSA’s master keys leaked earlier than the Post‘s story, though he can’t recall where and doesn’t believe they were actually published as printable CAD files until now.)
But Blaze says that the photo leak and subsequent 3-D printing demonstration does show just how quickly a theoretical slip-up can turn into a real security compromise. And he says that the TSA should have known better than to allow its master keys to be photographed. Prisons, for instance, have long kept cell keys covered on guards’ belts, he points out. “In high-security environments, it’s clear that you want people to not just take photos of your keys, but to not even look at them,” he says. “We would hope the TSA would have taken better care of their keys than they have.”