At an annual hackers conference on Saturday night in New York City, the hackers known as DarkSim905, Nite 0wl, and Johnny Xmas unveiled replicas and blueprints of the eighth and final master key in a set used by Transportation Security Administration agents to open and search fliers' locked suitcases.
This was the finished product of a months-long project. Since last summer, locksport enthusiasts and hackers have been collaborating online, tweaking blueprints of the master key set, printing 3D versions and sharing their results with one another.
Their interest in the project was twofold, hacker and lock enthusiast Johnny Xmas told VICE News. They were initially motivated by their fascination with locks, wanting to crack the TSA system like a puzzle. That fascination evolved into the realization that by replicating the master key, they were exposing how the TSA's luggage lock system was fundamentally weak, and that they could use this as a metaphor to explain why the broader concept of master keys and third-party security systems can be problematic.
It all started back in 2014, when the Washington Post ran an article about what happens to flyers' luggage after they check in at the airport, and accidentally featured a photo of a TSA agent and their master key set.
This detail picked up a lot of interest on Reddit, eventually piquing the curiosity of Shabab Shawn Sheikhzadeh, an "enterprising lockpicker," Xmas said. Sheikhzadeh started sniffing around on the website of Travel Sentry – one of the two companies that manufactures TSA locks – in search of high-resolution images.
He was surprised to learn that he could find the images simply by logging in to the Travel Sentry site. The site had blacklisted all email addresses from "gmail.com" or "yahoo.com" to keep outsiders, like Sheikhzadeh, from rifling through its internal documents. Sheikhzadeh set up an alternative email account at firstname.lastname@example.org (an Indian Yahoo address) and was easily able to bypass the blacklist and locate an internal document containing multiple hi-res images of the master keys.
He put the photos online, and eventually a security researcher with the name Xylitol took a crack at making a blueprint from the photos, and shared it on GitHub, an online platform popular with millions of computer programmers. This attracted the attention of other lock enthusiasts and hackers, who soon realized the bigger issue at play.
Imagine mailboxes in an apartment block. You have a key to access your own mailbox, and the mail person has a master key, which he or she uses to open all the boxes to deliver their mail. It's the same concept for the TSA locks — and also applies to the more nebulous world of digital encryption.
"Digital keys aren't something that the average person understands," Xmas said. "They don't know it exists in their life. You can't see it, you can't touch it. And that's the great thing about iPhones... they just work and you don't really have to know how."
In spite of not really understanding how digital encryption works, Xmas added, "we trust it implicitly."
The idea behind releasing the keys was to help explain the dangers of allowing a third party access to your data, even if that third party is well-intentioned.
"We were doing this as an act of civil disobedience," Xmas said, "to give the general public a better physical understanding of what it means when government bodies demand to have unrestricted access to everything via the use of master keys."
Digital encryption and master keys became part of the national conversation earlier this year, in the wake of the deadly San Bernardino shooting in which a married couple opened fire on an office party, allegedly on behalf of the Islamic State. The FBI wanted access to one of the shooter's phones, and demanded that Apple produce a master encryption key that would allow investigators to bypass its iPhone security system.
"If you insist on creating a set of locks that have a master key that I have no control over, how can I ensure that my safety is still intact when your security fails?" Xmas said. These third-party systems often fail to come up with a follow-up solution in the event that their system is breached, he added.
The TSA, for its part, doesn't seem particularly concerned about the fact that there are now blueprints of its master keys floating around online.
"The reported ability to create keys to TSA-approved suitcase locks from a digital image poses no threat to aviation security," TSA spokesperson Michael England wrote to VICE News in a statement. "These consumer products are convenience products that have nothing to do with TSA's aviation security regime."
"In addition, the reported accessibility of keys to unauthorized persons does not affect the physical security of bags while being screening (sic) by TSA officers," England added.
While there isn't that much at stake in the example of suitcase locks — underwear, toothbrushes, socks — TSA's response does reinforce Xmas' concern that ultimately, if there's a master key breach that jeopardizes your privacy or security, it's not the third party's problem.
Follow Tess Owen on Twitter: @misstessowen