The US Transportation Security Administration has been left in an awkward position today after a security researcher released plans for its luggage master keys, allowing anyone to 3D print their own copies.
The plans were put together using photos of a set of master keys accidentally published by The Washington Post in November 2014, and left live on its site for months before anyone noticed.
They were subsequently posted to GitHub by user Xyl2k on Wednesday.
Xyl2k wrote on the GitHub page that he hadn’t actually tested the designs he created — but security researcher Bernard Bolduc subsequently printed them out, and found they worked perfectly.
Master keys, and master key-compatible locks, are intended to make it possible for travellers to secure their luggage while still allowing the TSA easy access when required at airports and borders. But because of the leak, anyone who owns a master key-compatible lock is now vulnerable: absolutely anyone could print out their own set of keys and access the owner's belongings.
People are already drawing parallels with the ongoing debate over strong encryption software and keys for government access. In recent years, there has been a proliferation of encryption products (for messaging, storage, etc.) that scramble data in such a way that it can’t be accessed or understood by anyone other than its owner or recipient, not even governments with a court order.
On the one hand, this is fantastic for users: it keeps their data safe! But authorities worry it means the internet is “going dark,” and they will lose access to information they once had. One mooted solution is a back door, or “golden key,” that only law enforcement has access to and that can be used to decrypt data when required.
But as the TSA master key debacle demonstrates, if such a key is accidentally leaked (or lost, or cracked, or stolen), it makes everyone less safe.