Security researchers have released a 3D-printable master key, together with the design file needed to make it, that opens the travel locks approved by the US Transportation Security Administration (TSA).
Speaking at the eleventh HOPE conference in New York City last week, reverse engineers DarkSim905, Johnny Xmas, and Nite 0wl showed that the master keys used by the agency can now be reproduced by anyone with access to a 3D printer.
The TSA uses these keys to inspect checked luggage during screening. Designed by Travel Sentry and Safe Skies, the keys are part of the "approved locks" program, which lets TSA screeners open a participating lock rather than cut it off when a bag is selected for inspection.
This is more convenient for TSA employees, since a single master key opens every lock in the program, and the lock still deters casual tampering by anyone without a key. But as the researchers have shown, a key escrow scheme of this kind has security weaknesses of its own: the master key is a single point of failure.
As noted by CSO Online, there are seven Travel Sentry master keys currently in use, all of which were compromised in 2015 after a photograph of the set was published and working copies were modelled and 3D printed from it.
In the talk, the group released an eighth master key, the one for Safe Skies locks and the last in the set that had not yet been compromised, to highlight how "government backdoors like key escrow are a really bad idea."
The Safe Skies master key was reverse engineered from scratch using sample locks and a 3D printer, and the design file has now been released along with it.
In practice, a TSA-approved lock that can be opened by a leaked master key offers less protection than a lock outside the program, although with a non-approved lock you run the risk of screeners cutting it off. If someone with sticky fingers prints themselves a master key, every bag secured with a lock from the TSA program is at risk.
Government backdoors, whether physical or software-based, are not a good idea. If you hand a master key to a third party, whether for your luggage or for encrypted data, as the court case over FBI access to an Apple iPhone highlighted, you must trust that party completely, both not to misuse the key and to keep it from ever being copied.
Unfortunately, government agencies are constantly targeted by attackers and do not meet that standard. The takeaway is that a security solution being approved by the higher-ups does not mean it is foolproof, or that your valuables or data are not being placed at risk.
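To make the "single master key" problem concrete in software terms, the following is an added example, not code from the researchers or from the article, that models the TSA lock program as a key escrow scheme: each bag's contents are sealed under its own key, and a copy of that key is sealed under a master key so that an inspector can open any bag. The cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag, chosen so the example runs on the Python standard library alone; it is a toy construction for illustration, not something to protect real data with. The function names and the bag contents are hypothetical.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def random_key():
    """Fresh 256-bit key, used for both per-bag keys and the escrow master."""
    return os.urandom(32)


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under one key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_box(key, blob):
    """Verify the tag and decrypt; returns None if the key is wrong."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def pack_bag(master_key, contents):
    """Lock a bag with its own key and escrow that key under the master.

    The traveller keeps bag_key; the inspector only ever holds master_key.
    """
    bag_key = random_key()
    bag = {
        "contents": seal(bag_key, contents),   # what the traveller's key opens
        "escrow": seal(master_key, bag_key),   # what the master key opens
    }
    return bag, bag_key


def open_with_owner_key(bag_key, bag):
    """The traveller's own key opens exactly one bag."""
    return open_box(bag_key, bag["contents"])


def open_with_master(master_key, bag):
    """The inspector (or anyone holding a copy of the master) opens any bag."""
    bag_key = open_box(master_key, bag["escrow"])
    if bag_key is None:
        return None
    return open_box(bag_key, bag["contents"])


def blast_radius(candidate_master, bags):
    """How many bags a given key opens via the escrow path: the cost of a leak."""
    return sum(1 for bag in bags if open_with_master(candidate_master, bag) is not None)


def pack_fleet(master_key, contents_list):
    """Convenience: pack several bags under one escrow master."""
    bags, keys = [], []
    for contents in contents_list:
        bag, key = pack_bag(master_key, contents)
        bags.append(bag)
        keys.append(key)
    return bags, keys


if __name__ == "__main__":
    # Constructed sample data: three travellers, one escrow master.
    master = random_key()
    bags, keys = pack_fleet(master, [b"laptop", b"camera", b"cash"])
    print("owner key opens own bag:", open_with_owner_key(keys[0], bags[0]))
    print("owner key on another bag:", open_with_owner_key(keys[0], bags[1]))
    print("bags opened by a leaked master:", blast_radius(master, bags))
    print("bags opened by a guessed key:", blast_radius(random_key(), bags))
```

A leaked per-bag key costs one traveller their bag; a leaked master key, whether it escapes as a photograph, a 3D-printed copy or a stolen file, costs every traveller in the program at once. That asymmetry is the whole argument against escrow, and it does not change when the lock is made of software rather than brass.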