Sometimes It Is The Simple (Or Stupid) Things That Get You

As every traveler knows, if you lock your suitcase, you need to use a TSA-approved lock or else they will break your lock if they want in.

That was OK (maybe; those locks are not very secure anyway) until someone at the TSA allowed the Washington Post to photograph their master key (why, I have no clue) and then the Washington Post put the photograph on their web site.

Someone realized pretty quickly that this was not a good thing to do and removed it, but the damage was already done.

Someone, we think in France, used that picture to create a 3D CAD file of the key so that anyone with a 3D printer could download the CAD file and print a key.

Someone in Canada did just that and the key did, in fact, work.

The CAD file is available on GitHub to download for free, and who knows how many downloads of that file have been made and where else that file lives now.  Taking it off GitHub at this point won’t fix the problem.

In fact, the only way to fix the problem now is to replace tens of millions of locks.  While the TSA had no comment, I doubt they plan on actually being responsible for their actions.  The government rarely does that.

The lesson here is that while “security by obscurity” (thinking that you can keep a secret private) as your primary means of securing something is not likely to work, “insecurity by publication” (publishing your security practices) is likely not a good plan either.  This is why the government, finally, is removing the blueprints of public federal buildings from the web.  I am sure that thousands of blueprints of state and local government buildings are still available.

The TSA rarely looks in people’s suitcases any more until they see something suspicious in it, so you could use a regular lock and if it has been removed when you retrieve your suitcase, you know someone has been in it at the cost of replacing a $3 lock.

A slightly less expensive and less secure solution is to close the suitcase with a random color zip tie or two.  Again, if the zip tie has been removed, you know that someone has been in the suitcase.  You can buy fancy zip ties with unique numbers on them so they cannot be easily substituted, but the $3 lock is probably easier.

With all the theft by baggage handlers and TSA agents that has been documented – not to mention the theft that has not been documented – sending your checked baggage unlocked is not a good plan.  Now that the TSA master keys are available on the web, those locks are even less secure than they were before.

It will be interesting to see what the TSA does – if anything.



Information for this post came from Wired.
