Dear TSA: This Is Why You Shouldn’t Post Pictures Of Your Keys Online

We have to hand it to the Transportation Security Administration (TSA). They seem to have a perfect track record of screwing up – and that’s not an easy thing to accomplish if you think about it. If it’s not reports of TSA agents stealing valuables or inappropriately groping passengers, there is the fun fact that in all the years since it was created in 2001, the agency hasn’t caught a single person seeking to do harm in the friendly skies. We’re actually okay with that if it means nobody is trying to do anything shady.

The most recent TSA folly seemed to practically fall into the Internet’s lap when a reporter for The Washington Post published a hi-res picture of the entire set of TSA master keys while writing an article about how the TSA handles your bags after checking them at the counter. Well, the lock picking community went nuts and in a short time had 3D printed versions available and working. You can see it in action in the (Twitter) video after the break.

For those that are not familiar with travel in the US, you are not allowed to use just any old lock on your bags. It has to be approved by the TSA – and that means that they have to be able to open it. So the TSA agents have a set of master keys that can open any bag if they need to look inside for some reason. If you put a non-TSA approved lock on the bag, that can make them a little angry, and you risk having your bag delayed or even cut open.

Of course, you can get into just about any suitcase with a ball point pen, so maybe this isn’t a real “security” issue, but it sure isn’t what you want to see from the agency that is supposed to protect you. Who knew that you could make keys from a photograph? We did way back in 2009 and way more in depth this May… maybe the TSA should start reading Hackaday?

121 thoughts on “Dear TSA: This Is Why You Shouldn’t Post Pictures Of Your Keys Online”

  1. Reminds me of some French television network, there was a documentary about them in which you could see their Facebook/YouTube user-name and password written on a white board in the background…

      1. People will always be the weak link in security. I keep my less secure passwords like WiFi guest on my whiteboard so everyone can find them when I change them. The trick is to put a note on top of the passwords so they are not visible and of course never leave a video camera pointed at them.


      I don’t get it. They actually bothered to put something over the barcodes but look how much is sticking out. And.. if you zoom in on it that strip of whatever is kinda see through. Or.. you can just read the number directly!

  2. Don’t let common sense cloud your interactions with the TSA, either. I had a lock “on” my bag–it came with the suitcase so I assume it was OK–but I didn’t want to take any chances. I locked it onto one of the zipper pulls (i.e. not through both of them) so it wasn’t actually locking anything. Didn’t stop them, though. They heroically destroyed the zipper to rifle through my clothes anyway rather than pull on the zipper to open the bag.

    1. I closed my suitcase with a bright colored wire tie (nylon, everyone has seen those before) and did not use a lock.

      when I got my suitcase, they had used tin snips to cut THRU the metal of the zipper, making the brand new (bought for that trip) bag unlockable from then onwards.

      I actively avoid plane travel, these days. unless I absolutely must fly, I opt to just say ‘no’. flying is absolutely zero fun, at this point. it was never all that great, but now, any time I think of flying to some destination, I usually rethink it and decide against it.

      I wonder if we’ll ever go back to sanity and the ‘old normal’. the ‘new normal’ stinks!

      1. Fully agree. I’d rather drive for 20 hours than fly for 4. Between the worthless security checks, idiotic “luggage fees” (so that everyone carries on instead) and the shrinking seat space, all the magic I experienced when flying as a youth is gone.

        1. It’s because of budget airlines charging a small fraction of what the major airlines used to get away with. So everybody has to cut costs. In a way it’s good it’s cheaper, environment-wise more flight is worse. Stay at home. And for the gods’ sake, don’t have children! Worst source of pollution in the world is a first-world human.

        2. Amazingly, my home town is a total of 4 hours flight time, but every time my wife flies, she ends up leaving in the morning, and not arriving until night, due to layovers, then set-backs in maintenance, equaling a near 12-15 hour drive time, which is 5 away from real driving. Direct flights are the only real flying anymore. I really want bullet trains, and Elon’s train to work out. Then security, baggage, cost, etc. become a thing of the past.

          1. Hum that must be some craziness in America but in Europe for flight inside EU you just need to arrive 30 min before flight departure for luggage drop off. There is only the security check to pass but no identity check so it goes pretty quick.
            I usually show up 40 min before departure, add 20 minutes to get my luggage back after the flight and get out of the airport so plane is still much faster than travelling by car. Especially on flights longer than 2 or 3 hours…

      2. I’ve vowed that commercial air travel in the States is 100% off limits for me. I’d sooner drive cross country. When we go to Europe, I’m taking a ferry/cruise. I’d sooner take 2 weeks to do so than to put up with the nonsense that the TSA makes you go through.

  3. “maybe the TSA should start reading Hackaday?”

    They can’t. I don’t think very many of them can read. You can tell a TSA intellectual, he’s the one reading the comic books to the rest of them….

    As an aside: they ARE keeping us safe, by keeping a lot of the idiots in one place where they can be watched. By hiring them.

    1. The president asked that clock ‘bomb’ kid to visit him and to bring the clock. Imagine him going through the TSA check. I hope someone manages to make a YouTube video of the unfortunate event for posterity.
      Anyway, I’m sure the president can visit him at Guantanamo at a later date, any later date.

      1. What sort of major event do you imagine would bring back sanity rather than increase the insanity? Such an event escapes my imagination. Legislators continue to use the TSA as a whipping pony when they want to whine about something, rather than address the abuse.

      1. phreaknik, the article in the link you sent doesn’t mention a backdoor with the RSA tokens. It wouldn’t surprise me to learn that the RSA tokens have some sort of backdoor built into them, but this article does not talk to that possibility.

        It mentions only that in the unlikely event that there’s a “…fatal weakness in the cryptographic implementation of the token code generation algorithm…” could someone mount a successful attack against it. Even that isn’t a backdoor however.

    1. Did you hear about that ‘bug’ they recently found in Cisco routers which enabled criminals and spies to completely transparently bypass any protection through (corporate) Cisco routers? Cisco, who is known to be close to the NSA.

      So the solution apparently is to just put in the backdoors and call them ‘software bugs’ when leaked or discovered.

      1. compared to routers, I find “Trust”Zone much more disgusting, nothing prevents the secure world software from reading your private PGP keys and everything… you can ditch a router, but you can not ditch cryptographically signed firmware…

    1. Because 3d printed plastic keys print in a few minutes and are durable enough to record the proof of concept video. You would only need a durable metal key if you planned to make your living by opening these locks repeatedly.

      1. Even then a sharp eye, a file, and key blanks will do the job for proof of concept, no stinking* 3D printer needed. Although the key with the dimples may take a few tries to get the depth of the dimples worked out, but that’s going to be true with 3D printing as well I don’t know. However my guess is the people with hand tools will get that one done faster.
        * :P

        1. Oh?


          So, you intend to not use plastic in favor of plastic? Printed nylon or abs is just as good as delrin, or acetal resin since delrin is a brand name.

          But what do I know. I’m only a plastic injection molder by trade. I don’t know why you’re arguing against 3d printers, as if a 3 axis mill is somehow more readily available.

    1. Wow. Except it is. Even the most insecure lock, like many of these are, typically has to be destroyed to be bypassed. If you can open the lock without destroying it, you can tamper with (ie, place things in) the bag without the owner’s knowledge. One of the key features of a good lock is not that it can prevent intrusion, but that it can detect it.

      1. this suggests a weird form of humour, where you know you put someone else in trouble by placing say an alarm clock in their bags. a form of humour where you enjoy the fact that the victim is anonymous, and you are not even interested in witnessing the result, just enjoying the knowledge that it will result…

    2. I’m sorry… as asinine as the TSA is (and its implementation), how can anyone believe that the little lock you might put on your luggage has *anything* to do with aviation security. Only an extremely naive person would ever believe that. The spokesperson was just stating the obvious. So, unfortunately, in this case I have to agree with the statement that the TSA spokesperson said.

      The more interesting point here is he didn’t apologize on the part of TSA for screwing up yet again. He didn’t even come close to that point in his statement and avoided it altogether.

        1. That’s the point though. Luggage locks are there just as much to prevent reverse pilfering as they are pilfering. The kind of reverse pilfering that can result in felony charges for you whether or not you knew you had been reverse pilfered…

  4. “maybe the TSA should start reading Hackaday?”

    Ugh.. It would have to be all pretty pictures and no words. Maybe HaD could have a printed edition. Distribute it as a coloring book. Add an adult sized bib and a packet of cheap crayons and you could give them out at the TSA leaders mommys and daddys’ favorite restaurant.

  5. A little humility will go a long way, TSA might behave like overly officious bureaucrats, but typically it’s the baggage handlers that steal.

    Just be obsessively neat. Use a set of “Space Saver Vacuum Seal Storage Bags”. Number them; 1 of X in Large Ugly block Permanent Marker AND Write your Name on the Bags Themselves. Include a copy of the entire inventory of 1 of X two sheets of paper. Put a sheet of paper with the items you have in every single bag. Include a sheet of all the items in the luggage label THAT 1 of 2. Keep the other sheet on your person. Place anything fragile or electronic in the middle of the folded clothing.

    Basically, The larger the vacu-seal bundle. The harder it is for a person to palm, swipe, snag, gank a small item. Thieves and their dishonest ilk (bosses) will go for low hanging items. The down side is they will abuse the hell out of your bag out of spite.

    Worst offenders My folks and I had in Europe? Change over in Charles De Gaulle airport.

    Whereas if you ARE overseas and passed the x-ray and scan, they will wrap your bags in cellophane at the ticket counter area.

      1. “Something strange and out of the ordinary”

        What part? Saving space on your checked in baggage?

        I’m not talking about carry on. Have you been overseas? Tell me that you haven’t seen the cellophane wrapping station for check-in baggage at foreign airports? Nor seen cellophane wrapped luggage at the airport international terminal.

        If your spare cellphone or prescription medication drops down into a corner of your checked in suitcase and when you arrive at your destination… Well that’s how it goes. I just made a point that it is more unlikely to happen if you make it difficult to do so.

  6. Feel free to insert some sly TSA response here. I haven’t flown since the introduction of TSA.

    Moving along. Aren’t these locks along the same vein as those “school” locks that also have a master key on them? I used to specifically buy the locks without the master key, and yes, got suspended more than once for refusing to use “their” locks. This was in the mid-90’s and a handful of kids have long figured out how to open those lovely Masterlocks. Unfortunately, I wasn’t clued in on that was done until about ten years later.

  7. I fly infrequently, but when I do, I rarely take luggage that isn’t my laptop carryon. Depending on where I’m going, I’ll ship my luggage via UPS or Fedex straight to my hotel:

    Many airlines charge for bags now, so cost isn’t much of an issue, and I don’t have to carry bags through the airport, or wait for them at the baggage claim (a bonus when you travel with kids!). They are at the hotel when I get there, and when I’m headed home, the front desk at the hotel is happy enough to give the bags to the shipping driver on the next pickup. If you plan a few days ahead and ship ground, it is cheap enough, but overnight on a 50lb. bag might kill you.

    I buy the cardboard luggage boxes from the shipper and reuse them several times so I don’t beat up my real luggage either. Just remember to pack some shipping tape so you can secure them for the return trip!

    There are even third party companies that specialize in door to door luggage shipping, but I haven’t tried them.

    1. In a twist of irony in a lot of cases the shipping company likely contracts and uses extra space on the aircraft. It’s entirely possible with this method to have your own luggage onboard. As for TSA I have had contraband quite by accident on nearly every flight. I remember one flight to go camping I got a page to see TSA at the desk before my flight, went over and they asked if I knew I had strike anywhere matches in my checked luggage. I apologized told them no, they asked me if I wanted my 2 strike anywhere matches back to go to my car.. lol. Told them toss em.

      I got to my destination and to my shock/horror/amusement I had my cooking stove still in my camping bag, with a can of propane, a bottle of strike anywhere matches (20x) and a lighter all in one container. In all honesty I thought I had left the stove and fuel at my home. Then I got to wondering what matches did they find. Turns out the two wax coated matches I had in my first aid kit clearly visible in zip bags were what they confiscated.

      As for security, I have had TSA agents asking me where they can purchase legal explosives (Tannerite/ Exploding gun targets). And the most amusing, I think back to the day they let a granny on with 1/2″ round 12″ long knitting needles and many other sizes, they took her male traveling companion’s toe clippers but then when granny is at 30,000 feet, out comes the full size scissors. Again TSA for the FAIL

  8. Is this practice (TSA having those lockpicks) considered normal in the US?
    I’m honestly not sure, but I was under the impression that in other countries they just ask you to open your luggage and you can’t say no. Why lockpicks?

    1. Yes it is normal. As the article says, it’s a government mandate that any* locked luggage must use a lock that is approved by the TSA. Though they may look generic those are not picks, those are actual bitted keys.

      *Federal and international law require that hard sided luggage transporting firearms MUST be secured by a lock that only the owner can open. This luggage may only be opened in the presence of its owner

        1. In the spirit of fighting incessant pedantry with more pedantry, mandates are not mandatory. Mandates are simply an order from some governing body. As with all laws, ignore them at your own peril.

          Thankfully you saw fit to bring to light this pedantry, securing your immortality amongst the great thinkers of the human race.

          1. In a similar vein, if the Satoshi group had called BitCoin “respect”, would the Federal Trade Commission have any authority over the free public expression of respect?

  9. Of course the TSA hasn’t caught anyone trying to bring harm to the friendly skies. No one even tries anymore because they can’t get past the high tech but sometimes clumsy agents. I might add that hackers have a bad reputation for stealing things, too. It’s hackers who are the brains behind I.D. theft and other internet break-in activities. It’s hackers who post how-to articles on making and using lock picks, and when it comes to “groping” . . . well, hackers have online porn for that. Not all hackers, you say? The vast majority of hackers are honest and well-meaning, you say? Yes, I’d say, and the same goes for TSA agents and administration.

  10. Most TSA locks can be opened with the pointy end of a pair of scissors anyway, so I wonder why anybody is really outraged over the actual keys being available. It’s not really going to make much of a difference.

    1. Um…. no….. Most folk don’t realize they should treat their keys like they do passwords. All you really need to know to replicate a key is what keyway it uses and the bitting. Both of those can be obtained visually, and you can eyeball the bitting if you’re practiced. If you have a photo then it’s just a short process of trial and error.

      The fact that the TSA representative let a well known, highly visible media outlet take a picture of the master keys that could even remotely be published is an indicator that they don’t understand basic security.

    1. The problem isn’t that there isn’t a challenge. The problem is those who execute the security. You can set up an elaborate system to protect the safety of travelers with minimal intervention. When you hire goons to do the job they overstep their authority, give up information they aren’t supposed to and miss things because they aren’t properly trained. Guess what happens when goons get promoted and they start teaching the new hires how to do their jobs.

  11. The problem is that the bad guys may say, “I do not know what it is. Someone opened my bag…”.
    How to prove that the bag has been violated? Using a plastic key, it doesn’t leave a mark for forensics analysis.
    How do we differentiate the bad guys from the good guys?
    That is a serious world wide problem.

    1. I would argue the key does leave forensic evidence. Plastic, especially 3D printed will have flash or rough spots that the vastly harder tumblers will scrape off. Unless you are exceptionally careful some of the key will probably be left in the lock.

      1. But then how do you prevent a bad guy from lockpicking his own lock beforehand for deniability?

        Others claim the only way forward is to have decentralized mass surveillance:
        Let the populace hold public keys according to a threshold (n out of m) encryption scheme, let cameras (everywhere!) encrypt their images towards the populace, sign them, and transmit the encrypted & signed images to a public DHT.

        Whenever the result of a crime is found, the populace (when n are convinced) can decrypt the images, and any fugitive followed to his/her current position, can be arrested and brought to trial, with no mistake of identity. No noticed crime goes unpunished, no innocent people are convicted. Crime no longer pays. No need for watchmen to invade our privacy. The watchmen can not invade your privacy (unless n out of m is chosen too low)…
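The "n out of m" threshold property mentioned in the comment above can be shown with Shamir secret sharing; this is an added example, not part of the original post or thread. It is a simplification of what the commenter describes: a single dealer (standing in for a camera) splits a constructed per-image key into shares, rather than encrypting to public keys, and the names `split`, `combine` and `demo` are illustrative.

```python
"""Shamir n-of-m secret sharing over a prime field (added illustration)."""
import secrets

# 2**127 - 1 is a Mersenne prime; the field is large enough for a 120-bit key.
P = 2**127 - 1


def split(secret: int, n: int, m: int) -> list[tuple[int, int]]:
    """Split `secret` into m shares such that any n of them reconstruct it."""
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    if not 0 <= secret < P:
        raise ValueError("secret must fit in the field")
    # Random polynomial of degree n-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(n - 1)]
    shares = []
    for x in range(1, m + 1):  # x = 0 would reveal the secret itself
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def combine(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the shared polynomial at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        # pow(den, -1, P) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def demo(n: int = 3, m: int = 5):
    """Constructed scenario: one image key held by m parties, threshold n."""
    image_key = secrets.randbits(120)  # constructed sample key
    return image_key, split(image_key, n, m)


if __name__ == "__main__":
    key, shares = demo()
    print("any 3 shares recover the key:", combine(shares[2:5]) == key)
    print("2 shares recover the key:   ", combine(shares[:2]) == key)
```

With fewer than n shares the interpolation yields an unrelated field element, which is the property the comment relies on when it warns against choosing n too low.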

  12. The TSA was created because Congress and the Executive branches had to ‘do something’. Sometimes, doing nothing is the correct response.

    But hey, they created a lot of jobs and improved my healthcare: I get free x-rays and felt up for bumps without fee. I continue to ask about all those charged Li batteries being carried on to the plane. TSA says they’re not on the list, the list originally laid out by the technophiles in Congress. The Congress of people who post photos of their crotch or entrust diplomatic emails to a home server. But then they probably use the Geek Squad so we, as a nation, are safe. We’ll be even safer when The Donald comes because he’ll ‘do something’.

    The circle returns.

      1. What part AJ?

        – ‘Doing something’ is a tried and true response to show a problem is being addressed. It makes people feel good but is effective only if the response is cogent.
        – If I remember correctly, >50K people ‘had’ to be hired within a year to staff TSA. Not knowing what to staff for made that a problem.
        – Drive a Cross pen through a laptop battery and you have an effective heat source that you don’t want to put out with a sweater. Try it. I did with a phone battery. This is not new stuff.
        – You can get a set of steak knives from a restaurant AFTER you go through security at one airport I’ve been through.
        – I was told by a TSA head at the airport that the steak knives are not their problem and if I think something is not correct, I should, “write to Congress”. And, this is a quote, “It’s not my concern.”
        – If you want your bag trashed, lock it. It’s faster for TSA to cut it open than to use a master key. They can and there’s nothing you can do about it. The simple answer is don’t lock but I know people who had their bag cut open and they didn’t have a lock.
        – The TSA showing off keys is not intelligent but there must be thousands of master sets. The fact that they can be knocked off from a photo just shows how clever HAD people are. I doubt any member from either house of Congress hangs out on HAD. Talk to people who work on the Hill. The level of technical illiteracy is absurd.
        – Geek Squad? Ever talk to them. They know more than most because most know nothing.
        – Or are you mad about The Donald comment. I’m sure things will be ‘Tremendous’ or ‘Terrific’ but that’s hardly a policy statement. In fact, I haven’t heard any policy statement from him that could remotely stand up to a trifling thing like the Constitution of the United States.
        – Check out ‘It Can’t Happen Here’ by Sinclair Lewis. It really does address the need to ‘do something’ but reveals the dark side.
        – Don’t lock your bags. Wear slip on shoes, and know that the Vegas TSA give the only free hand jobs in town.

  13. From all the trolls and butthurt I read from the comments there are three conclusions we should be able to extrapolate:
    1.) TSA employees are envious that people travel (even flight attendants earn miles)
    2.) TSA employees are now able to blame “hacked” keys for our property to be stolen
    3.) TSA employees have ZERO brains and don’t understand that the top 10% use timeshared private jets so they are basically looting from the poor and lower middle class.

    1. I would not be so sure:

      1.) TSA employees are envious that people travel (even flight attendants earn miles)
      I don’t think they are envious of the passengers they play stinky finger with: after all they probably practiced on each other during training, and probably keep in shape in the locker rooms…
      2.) TSA employees are now able to blame “hacked” keys for our property to be stolen
      Since they fail to decrypt a newspaper, their only source of information was probably the superior, who one morning seemed angry about good news, as he was showing around the set of keys they saw for the first time. Apparently the lockmaker had just ‘hacked’ them from a block of 3D plastic key-metal. This is good news, now they no longer have to tear those suitcases a new hole! The keys finally arrived!
      3.) TSA employees have ZERO brains and don’t understand that the top 10% use timeshared private jets so they are basically looting from the poor and lower middle class.
      What is a top-10 per cent??

  14. As others have said before, this needs to be the reference “for dummies” example we use in the future to try to explain to policy makers why backdoors in security are NEVER beneficial or allowable.
    No numbers or big scary words involved! You’d have to be a politician to misunderstand! — oh wait.
    Anyway, this makes me think there’s still hope.

  15. The real issue is not the mandated “back door ” Luggage locks or the TSA having a set of keys for these, the issue is a TSA employee by actions obviously not approved of by the TSA Standard Operating rules, nor cleared with anyone with proper authority to interact with media. I think the TSA folks are very poor at what they do, they remind me of the “patrol boys” in grade school, no training to speak of, no real test to get the position, guys and gals only reason to be a patrol boy or for that matter a TSA stooge a cool “uniform” and a BADGE GOLLY GEE!! sudden sounds of rubber stretching and a crumpled plastic water bottle being blown back into shape,, BANG crackle screech air rushing !!! What was that you say?? Well it was the stooges heads swelling up and inflated ego’s bumping into and blotting out any last shred of common sense or reason!!

    A little power given to a moron with no future and low IQ, who has always been teased (OK no teasing ? PLEASE think again! I have never seen a TSA idiot that looked like anything better than the kid that sat in the coat closet in school and when he wasn’t eating paste supplemented his diet with some real big sticky green boogers, fingers up the nose to the second knuckle! These were the picked on kids !!) So the first time anyone has to do anything they say no matter how idiotic, and if a person treats them “wrong” by their interpretation that twit TSA agent with the Thanksgiving Day parade balloon head will give the person of his perceived disrespect any grief he can cut bags, embarrassing hand groping , and even delay some so long they miss their flight!!! I think my ideas on the TSA are very close to 100% correct, the whole airport security screening is a big farce, absolutely a first knee jerk reaction our government created very quickly after 9/11, before anyone could think or at least put limits or controls into the laws. sort of rammed down our throats before we could get our breath after that tragic day. The government always tries to appear to be managing and responding to the “needs” of the citizen, they did not know what to do so they created this fiasco we have now!! TSA IS BS SNAFU, FUBARED example of why the govt. can’t be allowed to run anything with large public interaction, oh oh look out now we are headed to TSA styled HEALTH CARE! except now we have to pay for getting screwed!!

  16. I worked filling vending machines in a post 9-11 airport. Security told me that it would be a few days till they added my hand-print and code to their system, so in the mean time I should wear a rubber glove and type 1111. Classy

    1. They had probably just scanned a rubber glove and added this under “user id 1111”, so they could tell people that should have access to do this. The whole “Use a rubber glove + the code 1111” was sort of a password. They probably did this because the access control system was built in a way that it was not possible to add a “code-only” access without a hand print.

      And I think that the whole “password” was not super-sensitive, because people that should have access to the secure side of an airport do still need to go through a security checkpoint. It’s just that you skip the ticket check.
      E.g., the “rubber glove + 1111” did only give access to the secure side (where customers wait for the plane after passing security), you would still not be able to board a plane or access high-security facilities like the landing runway and such with that type of access, because the boarding of a plane requires a second ticket check, and the access to high-security facilities would require subsequent identification where the “rubber glove” would not be enrolled, and also your real hand-print would not be enrolled either.

      So even if an unauthorized person got hold of this, the only thing they would gain out of this would be to be able to use airport facilities like the vending machines, cafés and waiting seats, without possessing a ticket. They would still not be able to board a plane or access anything more sensitive, and would still not be able to pass to the secure side without passing through a metal detector. Even tax-free shops require a ticket check to ensure that non-authorized individuals cannot buy tax-free.

      It’s very common to do things like that for a low-security entrance that you must pass to reach other high-security entrances.

      For example I have seen that they put a card reader + keypad on a main entrance door, that gives access to a lobby. On other doors inside the lobby, there was only a card reader without keypad. Those that were supposed to only have access to the lobby were given only a code. This was a group code that was the same for everyone.
      But those that had access to the inner facility and thus had a card, instead swiped their card at the lobby entrance, thus the card-owner didn’t need to remember or keep track of a group code.

  17. I never ever lock or secure anything when flying.
    However, I have made a laminated layout of my tool box on how everything is supposed to be placed.
    Also I got one of the cheap Chinese spy pens that can record video and audio, I epoxied it into the top of the lid of the tool box and added a larger lithium battery that lasts for 8 hrs. I also put in a 32gb micro sim that can record 10 hrs of video and audio.
    And they have no idea that it is recording them the entire time.
    I had it in video them dropping my Fluke O-scope that is $7,000.00 and cracking the screen.
    When I pulled the video from the DVR and had the TSA supervisor watch it he had little to say.
    Cost me less than $40.00.
    I also use them in my motel room to keep an eye on the house keeping staff.
    I have had them steal my insulin pens. and other meds.

  18. Ultimately I suppose if you steal a suitcase any sort of lock isn’t going to keep you out for long. Maybe it’s a false security. Proportional to the risk of someone stealing your dirty clothes, probably doesn’t matter.

  19. IF you are checking firearms, they must be in a hard sided case and must be locked with NON-TSA approved locks! This is to prevent TSA employees from removing the guns from their cases. Only the owner may have the keys to said locks and IF it becomes necessary for the TSA to look inside, they will call the owner to a secure area where the owner will unlock the cases. Believe it or not, some TSA employees are unaware of this requirement.
