Threat Management

TSA master key hackers expose dangers of physical and digital key escrow policies


The hackers responsible for reproducing seven master keys used by the Transportation Safety Administration (TSA) to open locks commonly placed on luggage have now been able to duplicate an eighth key. This time, they hope their achievement is the key to unlocking public awareness about the dangers of trusting third parties with master keys, be they of the physical variety or encryption keys used in the digital world.

Three of the individuals involved in this lock-picking project – hackers who go by the handles Johnny Xmas, Nite 0wl and DarkSim905 – openly discussed their findings at the eleventh HOPE (Hackers on Planet Earth) conference last week in New York. Their work first went noticed in September 2015 when the hackers proved they were able to use publicly circulated photos and images of seven TSA-approved baggage lock master keys to reverse-engineer these keys using modeling techniques and 3D printers.

The padlocks, designed by various manufacturers under the guidelines of travel security standards company Travel Sentry, are TSA-approved because agency inspectors are provided master keys to open these locks for the purposes of luggage inspection.

The arrangement between the TSA and Travel Sentry is highly analogous to the digital security practice known as “key escrow,” in which a third party is entrusted with possession of keys needed to decrypt a device's encrypted data. These kind of agreements call to mind recent attempts by the FBI and the U.S. government to force Apple and other technology companies to share encryption backdoors so that investigators can bypass security mechanisms on devices seized during terrorism investigations.

Travel Sentry competitor Safe Skies, which manufacturers its own separate TSA-approved security lock, was left unscathed by the lock-picking hackers – or so it seemed. But at the HOPE conference, the hackers explained that they were able to reproduce a master key using rudimentary tools to mold a key, trial-and-error style.

The hackers hope that news of their latest research will produce a more enlightened reaction from the public which seemed heavily pre-occupied last time with the fear that TSA agents could “lick your toothbrush” or “sniff your panties,” as Johnny Xmas put it. The real concern, he explained, is that third parties can mismanage and ultimately leak security secrets, ultimately endangering the public.

“Let's say we trust the U.S. government. Let's say that we call accept that the U.S. government has all our best interests in mind and only serves to protect us,” Johnny Xmas said with more than a hint of skepticism. “What happens when the bad guys get those keys?”

Similarly, online privacy advocates have argued that if the government has possession of encryption backdoors, these workarounds will eventually fall into the hands of hackers, cybercriminals and nation states who can use these decryption tools to steal intelligence, commit financial crimes and more. And that could do a lot more damage than someone stealing that favorite sweater you packed.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.