Dear TSA: This is Why You Shouldn’t Post Pictures of Your Keys Online

We have to hand it to the Transportation Security Administration (TSA). They seem to have a perfect track record of screwing up – and that’s not an easy thing to accomplish if you think about it. If it’s not reports of TSA agents stealing valuables or inappropriately groping passengers, there is the fun fact that in all the years since it was created in 2001, the agency hasn’t caught a single person seeking to do harm in the friendly skies. We’re actually okay with that if it means nobody is trying to do anything shady.

The most recent TSA folly seemed to practically fall into the Internet’s lap when a reporter for The Washington Post published a hi-res picture of the entire set of TSA master keys while writing an article about how the TSA handles your bags after checking them at the counter. Well, the lock picking community went nuts and in a short time had 3D printed versions available and working. You can see it in action in the (twitter) video after the break.

For those that are not familiar with travel in the US, you are not allowed to use just any old lock on your bags. It has to be approved by the TSA – and that means that they have to be able to open it. So the TSA agents have a set of master keys that can open any bag if they need to look inside for some reason. If you put a non-TSA approved lock on the bag, that can make them a little angry, and you risk having your bag delayed or even cut open.

Of course, you can get into just about any suitcase with a ball point pen, so maybe this isn’t a real “security” issue, but it sure isn’t what you want to see from the agency that is supposed to protect you. Who knew that you could make keys from a photograph? We did way back in 2009 and way more in depth this May… maybe the TSA should start reading Hackaday?

Pictures that Defeat Key Locks

We’re at LayerOne this weekend and one of the talks we were excited about didn’t disappoint. [Jos Weyers] presented Showing Keys in Public — What Could Possibly Go Wrong? The premise is that pictures of keys, in most cases, are as good as the keys themselves. And that pictures of keys keep getting published.

[Jos] spoke a bit about new services that offer things like 3D scanning and storage of your key for printing when you get locked out, or apps that ask you to take a picture of your key and they’ll mail you a duplicate. Obviously this isn’t the best of ideas; you’re giving away your passwords. And finding a locksmith is easier than finding a 3D printer. But it’s the media gaffes with important keys that intrigue us.

We’ve already seen the proof of concept for taking covert images to perfectly duplicate a key. But these examples are not so covert. One example is a police officer carrying around handcuff keys on a belt clip. Pose for a picture and that key design is now available to all. But news stories about compromised keys are the biggest offenders.

A master key for the NYC Subway was compromised and available for sale. The news coverage not only shows a picture at the top of the story of a man holding up the key straight on, but also this image of it on a subway map, which can be used to determine scale. This key, which is still published openly on the news story linked above, opens 468 doors to the subway system and these are more than just the ones that get you onto the platform for free. We were unable to determine if these locks have been changed, but the sheer number of them has us thinking that it’s unlikely.

Worse was the availability of fire-department master keys which open lock boxes outside of every building. (Correction: these are fire department keys but not the actual lock-box keys) A locksmith used to cut the original keys went out of business and sold off all their stock. These keys were being sold for $150, which is bad enough. But the news coverage showed each key on a white background, straight on, with annotations of where each type of key will work.

Other examples include video news stories about credit card skimmers installed in gas pumps — that coverage showed the key used to open the pump housing. There was also an example of speed camera control cabinet keys being shown by a reporter.

[Jos’] example of doing the right thing is to use a “prop” key for news stories. Here he is posing with a key after the talk. Unfortunately this is my own house key, but I’m the one taking pictures and I have blurred the teeth for my own security. However, I was shocked during image editing at the quality of the outline in the image — taken at 6000×4000 with no intent to make something that would serve as a source for a copy. It still came out remarkably clear.

Some locks are stronger than others, but they’re all meaningless if we’re giving away the keys.

Teardown: An Electronic Master Lock

[rohare] has an interesting teardown for us over on the keypicking lock picking forums. It’s a Masterlock combination lock – specifically the Masterlock 1500eXD – and yes, it’s a completely electronic lock with buttons and LEDs. Think that’s the mark of a terrible lock? You might be surprised.

The first impressions of this lock were surprisingly positive. It was heavy, and the shackle doesn’t move at all when you pull on it. Even the buttons and LEDs made sense. Once the back of the lock was drilled open, things got even more impressive. This lock might actually be well-built, with a ‘butterfly’ mechanism resembling a legendary padlock, actuated by a small but sufficient motor. Even the electronics are well-designed, with the programming port blocked by the shackle when it’s closed. [rohare] suspects the electronics aren’t made by Masterlock, but they are installed in a very secure enclosure.

The teardown concludes with a fair assessment that could also be interpreted as a challenge: [rohare] couldn’t find any obvious flaws to be exploited, or a simple way to break the lock. He concludes the most probable way of breaking this lock would be, “knowing some trick of logic that bypasses the codes on the electronics”. That sounds like a good enough challenge for us, and we’re eagerly awaiting the first person to digitally unlock this physical lock.

3D Printing Lock Picks

Over at the 23B hackerspace in Fullerton, CA, [Dano] had an interesting idea. He took a zip tie, and trimmed it to have the same profile of a lock pick. It worked. Not well, mind you, but it worked. After a few uses, the pick disintegrated, but still the concept of picks you can take through a TSA checkpoint was proven.

A few days after this demonstration, [C] realized he had a very fancy Objet 3D printer at work, and thought printing some picks out would be an admirable goal. After taking an image of some picks through the autotracer in Solidworks, [C] had an STL that could be printed on a fancy, high-end 3D printer. The printer ultimately used for these picks was an Objet 30 Pro, with .001″ layer thickness and 600dpi resolution. After receiving the picks, [C] dug out an old lock and went to town. The lock quickly yielded to the pick, and once again the concept of plastic lock picks was proven.

Although the picks worked, there were a few problems: only half the picks were sized appropriately to fit inside a lock. Two picks also broke within 15 minutes, something that won’t happen with traditional metal picks.

Still, once the models are figured out, it’s easy to reproduce them time and time again. A perfect lock pick design is then trivial, and making an injection mold becomes possible. They might still break, but they’ll be far easier to manufacture and simple to replace.

Paperclip Lock Picking Sets

Lockpicking has become a trademark skill of hackers all across the world, and is regularly taught at hackerspaces and maker faires. But a lot of the time, the sets have already been made or bought online somewhere. However, [Sean] has demonstrated how to create a lock picking set with ordinary paperclips in the video embedded at the end of this post. Wikihow also has these awesome instructions on how to build them.

What’s great is that the material for these picks is easily found. There are other ways to fashion a set together. For example, street sweeper bristles can be used. And electrical metal tape is a good material as well, but these paperclip sets are, by far, the most accessible. Pretty much anywhere that has office stationery supplies will have mounds of these little metal clips lying around.

But how well do they work? Have you made a paperclip lock picking set before?

If so, let us know in the comments, and tell us how well they did.

Toorcamp: The Lock Picking Village

The Open Organization Of Lockpickers (TOOOL) ran the lock picking village at Toorcamp. They gave great workshops on how lock picking works, provided a lot of examples of security flaws in popular locks, and let everyone practice with their locks and tools. Lock picking is a bit addictive, and I spent quite a bit of time at the village.

TOOOL is an international organization that aims to advance the general public knowledge about locks and lockpicking. If you’ve ever wanted to know more about locks, you can check out their list of chapters to see if there’s one in your area, or send them an email to see if there are other lock picking enthusiasts near you. Their detailed slides that were used for the village are also available.

[Eric] from TOOOL worked on building a lock picking installation called the Labyrinth of Locks. The first prototype of this consists of locks enclosed in 3D printed enclosures, and lit by LEDs. The goal was to string them up in the woods and challenge people to find and pick the locks. MakerBot Industries printed the orange and flower shaped enclosures that the LEDs and locks were mounted into.

This is a first prototype, and [Eric] plans to expand on the idea and use it at other lock picking events he attends. It’s a neat way to mix lock picking and an art installation into an interactive activity.