The TSA-approved luggage locks were never very high security devices to begin with. "We’re in a day and age when pretty much anything can be reproduced with a photograph, a 3-D printer and some ingenuity."Įven so, the TSA's master key leak doesn't exactly represent a critical security crisis, argues University of Pennsylvania computer science professor and noted lock picker Matt Blaze. "People need to be aware that even though someone says 'use these approved locks,' don't take their word for it," says Shahab Sheikhzadeh, a New Jersey-based security researcher who usually goes by the handle DarkSim905, and who helped Xylitol with his work on Github. The Github release of those printable master key files, according to one of the lockpickers who decoded the master key photo, is meant to prove to anyone who uses the TSA-approved locks that they should no longer expect them to offer much security. Neither the Washington Post nor the TSA immediately responded to a request for comment. Publishing photos of sensitive keys, after all, is a well-understand screwup in the world of physical security, where researchers have shown for years that a key can be decoded and reproduced even from a photo taken from as far away as 200 feet and at an angle. The real security blunder, as Berkeley computer security researcher Nicholas Weaver noted after the key photos were first published, was made by the TSA and the Washington Post, who released the photos on the Post's website. Of course, none of those companies are to blame for following the TSA's master key guidelines. Now those photos have been used to derive exact cuts of the master keys so that anyone can reproduce them in minutes with a 3-D printer or a computer-controlled milling machine. Those photos first began making the rounds online last month, after the Washington Post unwittingly published (and then quickly deleted) a photo of the master keys in an article about the "secret life" of baggage in the hands of the TSA. Within hours, at least one 3-D printer owner had already downloaded the files, printed one of the master keys, and published a video proving that it opened his TSA-approved luggage lock. The TSA is learning a basic lesson of physical security in the age of 3-D printing: If you have sensitive keys-say, a set of master keys that can open locks you've asked millions of Americans to use-don't post pictures of them on the Internet.Ī group of lock-picking and security enthusiasts drove that lesson home Wednesday by publishing a set of CAD files to Github that anyone can use to 3-D print a precisely measured set of the TSA's master keys for its " approved" locks-the ones the agency can open with its own keys during airport inspections.
0 kommentar(er)
