Rehashed: Lessons learned from the Safe Skies TSA master key leak

Over the weekend, Salted Hash broke the news that hackers had released the eighth and final TSA master key, which opens locks created by Safe Skies LLC. Today we’ll discuss a key takeaway point from the story, as well as provide a recording of the talk itself.

This isn’t a full Rehashed column, but a follow-up to this weekend’s news. In addition, the Safe Skies master key talk from HOPE has been released, so we’ve embedded it below. 

Okay, let’s recap.

The point of the story this weekend wasn’t that hackers had created a master key and released it.

While that’s an important bit of news for the public to be aware of, there was another reason DarkSim905, Nite 0wl, and Johnny Xmas took the stage: It was to demonstrate why key escrow and government mandated backdoors are a bad idea.

“It’s a great metaphor for how weak encryption mechanisms are broken – gather enough data, find the pattern, then just ‘math’ out a universal key (or set of keys). What we’re doing here is literally cracking physical encryption, and I fear that metaphor isn’t going to be properly delivered to the public,” Johnny Xmas commented.

The TSA has keys for every lock sold under the approved lock program. So by using those locks, and purchasing a ticket to travel, the public agrees to let the TSA search their luggage at any time.

However, those master keys are held in escrow, and the TSA is trusted to use them only when necessary. What Nite 0wl and the others proved on Saturday was that this trust could be exploited and used against the public.

Every security system is only as good as its weakest element. In this case, Travel Sentry had keys that are easily reproduced due to images. Safe Skies had a system that could be reverse engineered because it’s only protected by the concept of security by obscurity.

Look at it another way. Would you trust a stranger to hold the keys to your house, and allow them search it at random each time you paid your electric bill? Of course you wouldn’t. No one would.

At the same time, we trust the TSA with keys to our luggage. We trust the post office with a key that opens every mailbox in an apartment complex. The point though, key escrow is a bad idea. If those trusted keys fall into the wrong hands they can be abused. Again, their protection is only as strong as the weakest element protecting them.

Even the TSA says the approved lock program doesn’t protect anything. It’s a convenience, or a peace of mind offering, not security.

The FBI wanted Apple to give them a backdoor (master key) into existing consumer devices. This backdoor would only be used when needed, so the FBI (or Apple) could hold the “golden key” in escrow. Apple rightfully fought back against that demand, because such a request is too risky.

“Security, encryption and protecting communications that many of us security researchers take for granted, are constantly under threat. Just because the average person was forced to share keys to their things (i.e. luggage), doesn’t mean we should accept it for our electronic communications as a result,” DarkSim905 said during an interview with Salted Hash.

The truth is, unless you’re using a secure case to begin with, no piece of luggage is completely safe. As the video below shows, a criminal can open most bags with a ballpoint pen – locked or not.

The TSA locks on the market today are decent deterrents to opportunistic theft, but it won’t stop a dedicated thief with control of your bag. Thus, you should be locking your luggage when you travel, doing so isn’t a bad thing. It’s just not perfect protection. Those worried about theft should avoid placing sensitive items in checked luggage.

“Recognize that even if you use a really good lock, your security posture is reduced. Because the TSA does not care about your security, the TSA cares about job security,” commented Nite 0wl during the talk on Saturday.

The video below is the full 53 minute talk form HOPE XI. If you’re watching at the office, you should be aware that some of the language is a bit NSFW.