Hackers reverse engineer Safe Skies master key, publish designs
On Saturday evening, during the Eleventh HOPE conference in New York City, three hackers released the final master key used by the Transportation Security Administration (TSA), which opens Safe Skies luggage locks.
The talk was given by DarkSim905, a lock enthusiast who heads the New Jersey chapter of TOOOL (The Open Organization of Lockpickers); Nite 0wl, a member of TOOOL from New York City; and Johnny Xmas, of RedLegg International’s TradeCraft Labs.
In addition to releasing a 3D-printable model of the Safe Skies master key, the talk also addressed the techniques used to collect the intelligence leading to the compromise of the seven Travel Sentry keys in 2015, as well as vulnerabilities in the Safe Skies lock design.
The public release of this eighth and final key has once again exposed the problems created by key escrow.
TSA approved locks became a common sight at airports in 2003. Passengers were using locks to prevent theft, and the TSA wasn’t thrilled with the overhead required to inspect baggage. Prior to the creation and availability of approved locks, the TSA would simply cut the lock off if a bag needed inspected. These days, under the approved locks program, the TSA can access bags by using a master key.
Two companies are responsible for the majority of the TSA approved luggage locks on the market.
The first is Travel Sentry, but they don’t make their own locks. Travel Sentry authorizes a system of keys that can be used as standards for other lock manufacturers. The second company is Safe Skies. They do make their own locks, and hold the patents for the designs.
When the approved locks program was introduced, some felt the concept was security theater and wouldn’t actually provide additional protection from thieves. But it’s possible some travelers did believe in the concept stronger protection, as the TSA made claims in 2012 that the locks would “prevent anyone from removing items” from locked bags.
A few years later, the TSA reversed their stance in a statement given to the Intercept, saying the approved lock program was implemented to provide “peace of mind.”
When asked for comments concerning the creation of a Safe Skies master key, the TSA sent Salted Hash a similar comment.
“These consumer products are convenience products that have nothing to do with TSA’s aviation security regime,” an agency spokesperson said.
“Carry on and checked bags are subject to the TSA’s electronic screening and manual inspection. In addition, the reported accessibility of keys to unauthorized persons does not affect the physical security of bags while being screening by TSA officers.”
Granted, the locks do serve as a deterrent against opportunistic theft, but that’s about it. Locked or not, your luggage can be opened with a pen, a knife, or screwdriver in seconds – and most of the more common Travel Sentry or Safe Skies locks can be picked with ease.
But, as Johnny Xmas said during a recent interview with Salted Hash, the point being made isn’t about “how bad men can lick your travel toothbrush” after opening your luggage with a printed key.
The point being made by the development and subsequent release of the eighth and final TSA master key centers on the dangers of government key escrow.
Travel Sentry and key escrow:
Testing the security of TSA approved locks is something lock enthusiasts have been working on since 2004.
In late 2015, a hacker who goes by name of Xylit0l, using high-quality public images released by the TSA and published by Travel Sentry, as well as a ton of community-driven research, eventually produced 3D-printable copies of the Travel Sentry master keys.
Later, DarkSim905, Johnny Xmas, and another hacker by the name of MS3FGX, added to the project by fixing a few of the early design flaws and sharing knowledge.
The media coverage related to the Travel Sentry leak primarily focused on the fact that hackers could now break into luggage, which the hackers involved in the leak claimed completely missed the point.
“The point we were trying to make, which everyone involved stated very clearly over and over again, was that this was all an act of civil disobedience in order to create an excellent metaphor for the general public to better understand the inherent dangers of trusting a highly-targeted third-party to have the tools necessary to grant unfettered access to your stuff,” Johnny Xmas said.
Around the time the Travel Sentry keys were released, Apple and the FBI were going to war over the FBI’s demand that Apple develop a backdoor in their software. The backdoor would allow unrestricted access to the encrypted data on a person’s iPhone or iPad, but the FBI claimed they would only use it when legally allowed.
Another way to put it – the FBI wanted Apple to give them a master key that would bypass the security protections on an Apple customer’s device, one that would be held in escrow and only used when the FBI felt it necessary. However, no one trusted the FBI’s ability to protect such golden keys.
“At its best key escrow creates a larger attack surface and places significant, if not complete, control or your security in the hands of a third-party. How much can you trust that third-party? If they’re dishonest or greedy, they can steal your property or access your sensitive information without your knowledge or consent,” explained Nite 0wl during a recent interview with Salted Hash.
Even if the third-party is completely honest, Nite 0wl added, “their security must be at least as good as your own or an attacker can get your keys from them instead of attacking your system directly.”
Yet, at that point in time, those calling out the parallels between the Travel Sentry keys and the backdoors being sought by the FBI were routinely ignored.
“Security, encryption and protecting communications that many of us security researchers take for granted, are constantly under threat. Just because the average person was forced to share keys to their things (i.e. luggage), doesn’t mean we should accept it for our electronic communications as a result,” DarkSim905 said.
“The fact an organization with an already questionable history and existence went so far as put all of our travelers’ belongings at risk for theft is mind boggling. It should shock anyone who has even vaguely private things or thoughts. People have had a great deal of things stolen from their luggage in recent years due to the abuse of key escrow,” DarkSim905 added, referencing reports of valuables being stolen at airports.
As mentioned, when the Travel Sentry story broke, most of the hackers involved felt the media missed the point entirely.
In all fairness, they were right to be frustrated. At no point, did the media contact Johnny Xmas, DarkSim905, Xylit0l, or MS3FGX to get additional details or confirm facts – a major misstep considering there were problems with some of the keys in the first place.
One Tweet made by Johnny Xmas at the time was widely circulated in the media, despite the fact it wasn’t truthful.
“I had printed the keys up, confirmed they looked good, and then took that picture while I was out grabbing some dinner. I came home and began testing them, only to find the sizes were way too small,” he explained.
Xmas posted a second message to Twitter after some testing, saying that he had the correct scale for the TSA keys. However, this wasn’t correct either, as 004 and 006 needed serious work before they could function properly.
“All of this is of particular importance because at no time did anyone publishing these articles ever attempt to get in touch with me. I was making claims lofty enough to attract major media attention, and yet nobody ever attempted to verify the truthfulness of them,” Xmas added.
The Safe Skies master key released during the Eleventh HOPE conference took some effort to engineer.
According to research, Safe Skies only uses a single master key. Previously, Nite 0wl and the others had high-resolution images and design specs to work with on the Travel Sentry project. This time however, they had no such help, so things had to be done manually.
“Unlike the Travel Sentry keys, there is very little information about the exact design of the Safe Skies key floating around. There are no leaked documents, inadvisable publicity photos, or anything like that. Instead, I had to use more traditional locksmithing techniques to create a working key,” Nite 0wl explained.
The first step in his research was to acquire Safe Skies locks for examination and testing. Nite 0wl purchased them from as many different sources as possible to ensure he had a diverse sample set to work with.
The second step was to identify possible key blanks. This stage was helped by examining the user keys that were supplied with some of the Safe Skies locks. Ultimately though, he had to resort to creating his own blanks. While the first set of custom blanks were created with polystyrene sheets, he eventually switched to modifying commercially available key blanks that were similar to actual Safe Skies keys.
“Once I had blank keys that would fit the locks I needed to figure out what the cuts should be,” Nite 0wl said.
This stage involved examining and comparing the user keys supplied with the sample locks, since he knew the master key could never exactly match one of the user keys. By doing so, he was able to eliminate those sets of cuts and look for patterns that would give him a rough idea of the pattern a master key would use.
“The big breakthrough was when I acquired several Safe Skies locks that used wafer-tumbler mechanisms instead of pin-tumbler mechanisms, because of the different mechanical design I was able to work out the master key cuts very quickly and then confirm that the key worked on all of the sample locks I had,” he added.
The 3D model of the master key being released contains some additional work by Nite 0wl and the others, and it might require some additional tweaks due to the nature of consumer 3D printers, but the key itself is fully functional on Safe Skies locks.
There is one point all three of the speakers wanted to stress during their interview. There was nothing shady or illegal going on during their research. Unlike the Travel Sentry keys, the Safe Skies key was not developed due to leaked photographs, files, or any other proprietary data. This was a manual development project, one that was full of trial and error. But their overall point remains the same – key escrow is a bad idea.
“This was done by legally procuring actual locks, comparing the inner workings, and finding the common denominator. It’s a great metaphor for how weak encryption mechanisms are broken – gather enough data, find the pattern, then just “math” out a universal key (or set of keys). What we’re doing here is literally cracking physical encryption, and I fear that metaphor isn’t going to be properly delivered to the public,” Johnny Xmas commented.
Salted Hash reached out to Safe Skies and the TSA for comment. However, only the TSA responded.
Attempts were made to reach Safe Skies prior to publication via phone, email, and LinkedIn, but none were successful.
Salted Hash Rehashed: The weekly news recap for July 22, 2016
Steve Ragan — Senior Staff Writer, CSO
CSO|Jul 23, 2016 9:00 PM PT