Skip to content

Nick L

3D printed TSA Travel Sentry keys Open TSA Locks

Quote

Last year, the Washington Post published a story on airport luggage handling that contained unobscured images of the “backdoor” keys of the Transportation Safety Administration, along with many other security agencies around the world, used to gain access to luggage secured with Travel Sentry locks. These locks are designed to allow travelers to secure their suitcases and other baggage items against theft with a key or a combination, while still allowing the secured luggage to be opened for inspection—ostensibly by authorized persons only. The publication of the images effectively undermined the security of the Travel Sentry system, since the images were of sufficient quality to create real-world duplicate keys….

A few enterprising hackers (in the correct sense of the word “hacker”) have put together 3D printable model files of the TSA keys and uploaded them to a GitHub repository. Now, rather than needing specialized skills and tooling to craft a duplicate Travel Sentry key, all you need is a 3D printer that can handle STL files (and that’s basically any 3D printer)….

Is this disheartening news? Not particularly. Locking your luggage has never provided any real additional protection against all but the most casual theft attempts (as evidenced by the fact that almost any piece of luggage with a zipper can be opened with a screwdriver or a pen regardless of how many locks are hanging off of it). The spreading of 3D printable Travel Sentry keys is more of a criticism of any kind of “backdoor” cryptography—be it one that involves physical keys or mathematical. The backdoor itself undermines any and all trust in the system.

Anyone who thinks otherwise is fooling themselves.

Feeling safer yet?

Android 5 lock-screens bypassed by typing in a reeeeally long password.

Quote

If you’ve got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it’s best to use a PIN or pattern to secure your lock-screen – because there’s a trivial bypass for its password protection.

The vulnerability, details of which were published here by University of Texas researchers on Tuesday, allows miscreants to sidestep lock-screens on Android 5 devices, unless they’ve been fully patched to version 5.1.1 including last week’s security updates.

“By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen,” the researchers write.

Yes, by typing in too many characters, you can kill off the security mechanism and gain full access to the device, even if its filesystem is encrypted – miscreants can exploit this to run any application, or enable developer access to the device.