Jul 25, 2016 | By Alec

Is 3D printing a real threat to our safety and security? Leaving the 3D printed gun debate aside for a moment, 3D printing does certainly reveal some shortcomings in existing security procedures. Just last week, we’ve seen how cargo thieves have adopted 3D printers to break into shipping containers in harbors across the world – necessitating a new generation of security measures. But even our suitcases at airports aren’t necessarily safe. As a team of hackers just revealed at the Eleventh HOPE conference in New York City, they have used 3D printing to reverse engineer the master key used by the Transportation Security Administration (TSA) to check luggage guarded by Safe Skies luggage locks. Even the TSA’s procedures, it seems, need to be reexamined.

This remarkable hack was realized by a trio of hackers going by the names of DarkSim905 (New Jersey chapter of lock picking association TOOOL), Night 0wl (NYC chapter of TOOOL) and Johnny Xmas of RedLegg International's TradeCraft Labs. All three were present at Eleventh HOPE, to underline their good intentions: to highlight security shortcomings and question the power the government has over our privacy.

If this story sounds familiar, it’s because some of these hackers previously made headlines everywhere when they hacked the seven Travel Sentry keys in 2015, also using 3D printing. This means that both brands of TSA approved locks have now been hacked. These types of locks were introduced in 2003, in the wake of new security measures implemented after 9/11. As many passengers used ordinary locks to prevent theft, these needed to be cut off when the TSA wanted to check their luggage. As this created significant overhead, the TSA introduced approved locks that can be opened with master keys.

Just two companies designed these locks: Travel Sentry, which outsources seven lock designs to other manufacturers, and Safe Skies which produces their own lock. While the TSA felt that these locks would give travelers a greater sense of protection and would “prevent anyone from removing items” from their luggage, this has been questioned. At a later date, the TSA even admitted that these locks don’t necessarily protect your property. “These consumer products are convenience products that have nothing to do with TSA's aviation security regime,” an agency spokesperson said. Your suitcase can still be opened with a pen, a knife, or screwdriver in seconds – while lock picking experts have pointed out that both types of approved locks are easily picked.

3D printing, what’s more, makes the criminal’s job so much easier. In late 2015, a hacker named Xylit0l used high-quality public images (published by Travel Sentry) and more data to make 3D printable copies of the Travel Sentry master keys. DarkSim905, Johnny Xmas and another hacker later added to the project with some fixes.

But the Safe Skies master key was more difficult to hack, as no high-resolution images and design specs were available. However, the Safe Skies locks use just a single master key, meaning that the desired data could be found in the locks themselves. “This was done by legally procuring actual locks, comparing the inner workings, and finding the common denominator,” Johnny Xmas explained at the conference. Purchasing as many Safe Skies locks and keys for examination as possible, the possible key blanks were identified and existing keys were modified to match them. “Once I had blank keys that would fit the locks I needed to figure out what the cuts should be,” Nite 0wl added.

This meant looking for patterns in the existing keys, as the master will never exactly match the user keys. Eliminating cuts one by one, a master key pattern was slowly formed. “The big breakthrough was when I acquired several Safe Skies locks that used wafer-tumbler mechanisms instead of pin-tumbler mechanisms, because of the different mechanical design I was able to work out the master key cuts very quickly and then confirm that the key worked on all of the sample locks I had,” Nite 0wl revealed.

Added to these 3D models were some tweaks that made them 3D printable, resulting in keys that can be made at home and can easily overcome TSA policies. In fact, nothing shady or illegal had been done, and no stolen or leaked data was used at all – it’s simply a trial and error 3D printing process. “It's a great metaphor for how weak encryption mechanisms are broken – gather enough data, find the pattern, then just ‘math’ out a universal key (or set of keys). What we're doing here is literally cracking physical encryption, and I fear that metaphor isn't going to be properly delivered to the public," Johnny Xmas commented.

Of course, any lock could theoretically be picked with this 3D printing method, but that would take days and days – eliminating the opportunity for convenient theft. Perhaps it’s time to do away with master key locks altogether. But the hackers feel that it is even more important to look at today’s privacy control. “The point we were trying to make, which everyone involved stated very clearly over and over again, was that this was all an act of civil disobedience in order to create an excellent metaphor for the general public to better understand the inherent dangers of trusting a highly-targeted third-party to have the tools necessary to grant unfettered access to your stuff,” Johnny Xmas said.

Indeed, this latest hack isn’t about showing “how bad men can lick your travel toothbrush,” as Johnny Xmas put it, but about pointing out the dangers of giving the government access to our locks. Just like many people questioned the FBI’s recent insistence on gaining control over Apple’s security measures. “At its best key escrow creates a larger attack surface and places significant, if not complete, control or your security in the hands of a third-party. How much can you trust that third-party? If they're dishonest or greedy, they can steal your property or access your sensitive information without your knowledge or consent,” Nite 0wl explained.

This 3D printing project clearly underlines this. Even if the government will only use their master keys with the best possible intentions, we are only creating one central target for attackers. “Security, encryption and protecting communications that many of us security researchers take for granted, are constantly under threat. Just because the average person was forced to share keys to their things (i.e. luggage), doesn't mean we should accept it for our electronic communications as a result,” DarkSim905 argued. 3D printers are thus not necessarily threatening our security, but our own policies are.

 

 

Posted in 3D Printing Application

 

 

Maybe you also like:


   


bknows wrote at 7/27/2016 5:59:56 PM:

Or the TSA can plant evidence in your suitcase....

RobinLeech wrote at 7/26/2016 12:46:20 AM:

If anything 3D printing enables us to protect ourselves better than ever. Empowering people to make their own more secure locks/keys would be a step in the right direction just as empowering everyone to arm themselves would ensure we aren't a nation of defenseless cattle depending on a third party to protect us after a threat has already claimed lives or property.



Leave a comment:

Your Name:

 


Subscribe us to

3ders.org Feeds 3ders.org twitter 3ders.org facebook   

About 3Ders.org

3Ders.org provides the latest news about 3D printing technology and 3D printers. We are now seven years old and have around 1.5 million unique visitors per month.

News Archive