The Transportation Security Administration can bypass almost any luggage lock using a set of master keys. And now, so can anyone with access to a 3D printer.
Connected TravelerA set of CAD files were published this week to Github, making it easy to 3D print perfect plastic replicas of the TSA's master keys for its recognized locks.
The blueprints are based on a photo published in November as part of a Washington Post article about the "secret life of baggage." Long since deleted, the original image (still available elsewhere on the Web) showed an up-close view of seven different keys.
Master-keyed locks—like those employed by schools, offices, and some apartment complexes—are often criticized by security experts. But the TSA appears perfectly happy with its "weak" key system.
"TSA has worked with several companies to develop locks that can be opened by security officers using universal 'master' keys so that the locks may not have to be cut," the agency said in a February 2014 blog post.
Those locks are available at most airports and travel stores nationwide. Just look for the TSA badge of approval on the packaging.
"I made [the keys] for the technical challenge," Steven K, the Github user who published the files, said in an email to PCMag. "I released the CAD files because I'm a partisan of full disclosure, and also because these kind of government backdoors are totally absurd in 2015."
"I don't even have a TSA-approved lock" to test it on, he said.
No worries: Montreal-based Unix administrator Bernard Bolduc took one for the team, printing and testing the files.
"OMG, it's actually working!!!" he wrote in a tweet that included video of him sliding a red plastic key into a secured lock and releasing the bolt.
Bolduc's lock brand was not disclosed, though Wired reported that the leaked master keys open devices from Master Lock, Samsonite, and American Tourister.
"3D printers open a new area for amateur locksmiths, and this can be seen as a proof-of-concept and also for reconsidering physical security," Steven K (who goes by the Github username Xylitol) said. "Imagine what would happen with a jail master key."
The TSA did not immediately respond to a request for comment. Steven K has also not received any response from the agency; "no take down request of the files, nothing," he said.