A few weeks ago, after returning home from South Africa, I attempted to open my suitcase at home only to find that it had been locked — not by my own hand, but by someone somewhere between Cape Town and New York City. I turned to the old bobby pin lock picking trick, but now, newly released 3D-printable CAD files would have made my life much easier. Just a few weeks after the Washington Post revealed that the TSA keeps a set of master baggage keys that work on just about any lock you could think to put on your suitcase (and accidentally published a photo of said keys), some (un)kind soul has just released all of them to the Internet via GitHub. Now try feeling secure about your luggage.
OMG, it’s actually working!!! pic.twitter.com/rotJPJqjTg
— Bernard Bolduc (@bernard) September 9, 2015
Within hours of their upload, someone had already downloaded, printed, and successfully tested a key, much to the surprise of Xylitol, the GitHub user who first published the files. “Honestly I wasn’t expecting this to work, even though I tried to be as accurate as possible from the pictures. I did this for fun and don’t even have a TSA-approved lock to test,” he wrote in an email to Wired. “But if someone reported it that my 3D models are working, well, that’s cool, and it shows…how a simple picture of a set of keys can compromise a whole system.”
Indeed, the relative ease and speed with which the entire baggage key system has unraveled drives home the point that in today’s digital age, security is often little more than an illusion. Locking your bag, when it comes down to it, may make you feel better, but when it comes to protecting its contents, well…let’s just say that’s not a guarantee.
Shahab Sheikhzadeh, a New Jersey-based security researcher who assisted Xylitol with his GitHub work, told Wired, “We’re in a day and age when pretty much anything can be reproduced with a photograph, a 3-D printer, and some ingenuity.” And even though the photograph wasn’t live for very long, when it comes to the Internet, everything is immortal.
It’s a growing problem, but one that is difficult to address. As the Electronic Frontier Foundation warned: “There is no way to put in a backdoor or magic key for law enforcement that malevolent actors won’t also be able to abuse. Any key, even a golden one, can be stolen by ne’er-do-wells. Simply put, there is no such thing as a key that only law enforcement can use – any universal key creates a new backdoor that becomes a target for criminals, industrial spies, or foreign adversaries.”