Blog

For a number of years, lockpickers and locksmiths have taken an interest in the Transportation Security Adminstration’s system of master keys used by TSO screeners in airports to open luggage locks that conform to “Travel Sentry” standards. These locks, and their attendant master keys, are produced by a variety of manufacturers who license the designs and specs from Travel Sentry.

However, many of these designs did not come out of whole cloth. The Travel Sentry group (whose founder, John Vermilye, worked with airline baggage ops for most of his professional life… as everything from a baggage handler to baggage security overseer to an administrator responsible for standards relating to airline baggage) created many of the original Travel Sentry master key designs by basing them off of existing popular luggage locks.

This made sense, of course… after all, if you’re going to be creating a set of “master keys” that are used by airport screeners opening modern locks, why not also have those keys functional in as many older locks as possible, as well? This is the reason for many of the TSA locks (and their keys) appearing so “rudimentary” even though these standards were ostensibly established in 2003… some were based on locks dating back into the 90s or even the 80s.

You may have read in the tech press (or even the mainstream press) how these locks and their master keys have become popular targets for research, now even beyond private and closed circles of locksmiths and law enforcement. Due to some rather hilariously bad security practices during reporting pieces, high quality photographs of the TSA’s master key set leaked online.

reported keys 01

 

 

 

 

 

 

 

reported keys 02

 

 

 

 

 

 

 

Security researchers around the world then began analyzing these locks collaboratively and publicly, which was a big change from before. Now, with much research happening in parallel and the results being shared among the tech and security community, progress on decoding them proceeded much more rapidly. Noted researcher and lockpicker Shahab Sheikhzadeh has chronicled much of this endeavor here on his web site.

Both public individuals and anonymous internet users such as Adrian Crenshaw, Johnny Christmas, Xlitol, and more began refining and then testing possible variants of the TSA master keys that could be produced in the researchers’ personal workshops and labs.  Some (such as Crenshaw) focused primarily on filing and grinding metal keys while others (Xylitol and Johnny Christmas, in particular) tried to refine 3D printable versions of the master keys.

Many of the news outlets who had accidentally contributed to the publicizing of the TSA’s master key set either pulled or redacted the imagery in their online news articles in an attempt to put the toothpaste back into the tube on this security blunder.  However, that ultimately proved fruitless… not only because of the fact that it is notoriously hard to delete information from the internet once it has leaked, but also because of a mistake made by Travel Sentry themselves.

Due to Travel Sentry inadvertently leaking internal training documentation on their own web site, the various researchers collaborating on this project could view certain very high-resolution images of the TSA master keys without any authentication or credentials directly from travelsentry.org

key 001

 

key 002

 

key 003

 

key 004

 

key 005

 

key 006

 

key 007

 

 

At present, a number of facts have been discovered due to the massive joint effort that this project has become:

1. Some of the locks are considerably more robust than others.  Notably, the TSA006 lock and key has proven highly pick-resistant as well as difficult to 3D print, due to the intricate warding and small dimple-style cuts on the key blade.

2. Many of these locks provide little to no actual protection against theft or intrusion and are simply best thought of as “peace of mind” devices at best.  In some cases, the extreme age of the lock and key makes them even unsuitable for this level of usage.

3. The government should not typically be thought of as capable of properly handling and protecting “back door” keys or access to the public’s security devices.  A single point of failure means that compromise even one time becomes catastrophic in terms of security going forward.  (see: the argument about encryption key escrow and why it’s a total fallacy)

4. There is considerable variation from one brand or version of a TSA lock to the next.   That is what will be the focus of the research in this post.

 

TSA Lock # 007

While people have seen examples of a good number of the TSA Travel Sentry locks in the field (some are rarer than others, this is true… the TSA 006 only seems to appear on certain European luggage and the TSA 003 is practically a ghost) it’s undeniable that TSA 007 is fast-becoming the standard for most manufacturers, particularly those serving the United States.

TSA locks

 

 

 

 

 

 

TSA locks shown

 

 

 

 

 

 

 

If you purchase a Travel Sentry compliant lock nowadays, either from a retailer or from an online source, odds are strong that it will be a TSA 007.  Naturally, much of the “TSA key research” work that people have done recently has focused on the TSA 007 lock and its master key.  The 3D printing researchers have focused especially hard on this lock system.

3D printing works

 

 

 

 

 

However, even as some locksmiths and hackers have reported success with certain hand-filed or 3D-printed TSA 007 keys, others have reported them to not function well or (in many instances) not even fit into the locks that they try.

So, I opted to purchase a slew of TSA 007 locks, especially focusing on ones that come with user-level keys of their own…

007 collection

 

 

 

 

 

 

 

 

 

 

In the CORE Group offices, I took some high-resolution imagery of their various keyways in order to compare them…

TSA 007 - A

 

 

 

 

 

TSA 007 - C

 

 

 

 

 

TSA 007 - E

 

 

 

 

 

 

 

TSA 007 - I

 

 

 

 

 

 

 

TSA 007 - N

 

 

 

 

 

 

 

As you can see, those are all significantly different keyways.  While they share certain elements, there is much variation in the height and width of the keyways and even the position and size of the warding on the lower-right.  Of course, overall these keyways are all quite simplistic so you can see how a simple “Z” shaped TSA masterkey (“S” shaped if you look at it facing the tip) would still fit and manage to seat itself correctly in any of them.

Some of the locks operate using pins while others employ wafers…

007 internals

 

 

 

…But in either case, the locking mechanism appears to be totally single-sided.  Thus, the TSA 007 master key that we have seen in so many photographs is likely what is known as a “convenience key” and only ever uses the bitting on one side when employed in a lock.

key 007

 

 

I’m willing to bet that someone could produce a totally flat TSA 007 key with no warding whatsoever (see below) and it could be inserted into one edge of the keyway (the upper right most space in the keyway, in the diagrams above) and this would operate the lock.  A turning tool from a lockpick kit could be inserted into the lower left of said keyway to help it along, most likely.

key 007-hacked

 

 

In all this, the key aspect of the situation becomes developing this “adapted” master 007 key to dimensions that are thin enough and short enough so as to always fit into any of the various popular 007 keyways on the market.  Here are diagrams that I created after measuring the keyways of the various TSA 007 locks I had on my workbench right now…

keyways with measurements

 

 

 

 

 

 

 

 

As can be seen, to be truly “universal” a TSA 007 key’s blade (and here I am talking primarily about the working portion of the blade, which inserts in the upper-right of the keway in these diagrams) would have to be thin enough to fit into the “purple” lock and also short enough to fit into the “black” lock.  By my calculations and measurements, that means a blade no more than 3mm tall and .8mm wide would be ideal.

Surprisingly, it appears that most consumer keys provided with TSA 007 locks are much taller than the TSA’s own 007 master key.  While most locksmiths wouldn’t recommend this (no system should include change keys — that is the low-level user keys — which can be filed down to make master keys) it makes some sense that manufacturers would rather give consumers a “larger” (and therefore more “robust”) key which will survive many more duty cycles of use.

Indeed, one of the most significant problems that security researchers have faced in this endeavor has been breaking of prototype keys in the locks when the self-made TSA 007 keys have been examined and used in experiments.

Making an “adapted” 007 key blade and pairing it with a lockpick turner tool will alleviate many of these problems, I expect.  It will also speed 3D printing and even allow for other quicker and easier methods (like laser-cutting plastics or metals) to be attempted.

keys

 

 

 

 

 

 

 

I hope to see Johnny Christmas, Xlitol, IronGeek, Shahab Sheikhzadeh, and others discussing the “007 Adapted” key for 3D printing or other rapid prototyping after that.  In the meantime, I’ll be cutting open some of these 007 locks on my bench to see their pinning arrangements inside.

Keep an eye on this blog and follow @TCGsec or @deviantollam on Twitter for updates!

Follow us: