TSA Master Key Duplication & Why “Security Through (Not So) Obscurity” Fails

 

Every lockpicker knows that the TSA approved Travel Sentry/Safe Skies locks are garbage, but if you don’t want your normal checked bags to have their locks cut off, there are only so many options (that said, sometimes they still cut them off). While it’s common knowledge to locksport enthusiasts how weak TSA approved locks are, the average traveler is mostly unaware of it. Recently a lot of news and commotion has been made about photos of the TSA master keys being leaked online by the press. This, along with articles about people duplicating keys from pictures taken of them or 3d printing keys has people concerned. Really, we don’t need photos of the keys to make master keys like the TSA have; all one has to do is just take apart a lock and use what is learned from it to create a key to open all locks using that same master key. Security through obscurity can work if the information being used is truly obscure, like a very long password or encryption key. You could even argue all security is through obscurity, since knowing a password, secret, code, or encryption key will get you into just about anything. However, if all that is keeping something obscure is a thin piece of metal that any adversary can attack in the privacy of their own workshop, it’s not very obscure. First, a little background information.

As a response to the September 11th, 2001 attacks, starting on January 1, 2003 the TSA mandated that all checked bags at airports be openable for screening. This led to a lot of unhappy flyers who had their locks cut off. As a result, people started looking for a solution to make both the TSA and flyers happy(ish). There are two competing “brands” of TSA approved locks, Safe Skies and Travel Sentry. Apparently as far back as the ‘70s customs officers who had to check unclaimed bags would keep a set of the most common luggage keys around. John Vermilye, a baggage consultant for the airline industry, knew this and started collecting the most common keys for the TSA before eventually founding Travel Sentry to come up with lock standards that the TSA would have master keys for. Around the same time in the early 2000’s David Tropp, the creator of Safe Skies who manufactures their own locks, came up with the idea of having a dual action lock that the TSA could open one way, and the user another. On November 12, 2003, Tropp filed for a patent on the idea (7,021,537), but apparently both organizations had been in contact with the TSA about the idea prior to that date. As you would expect, eventually there was a bunch of legal back and forth between Travel Sentry and Safe Skies over whether there was prior art, if a patent involving government use mattered, and who had the right to make the locks. I’ve tried to read the legal documents and they’re pretty dry.

Legal issues aside, lets get to the technical/mechanical details of the locks in question. There are 7 master keys used by the TSA (ok, maybe 8), 001 through 007. The possible 8th one would be the one for Safe Skies, but in my tests the Travel Sentry 007 seems to work on two out of four Safe Skies lock models I have (more testing needed). The TSA 007 is by far the most common, with the TSA 002 being next in my experience. The TSA 004 is used by CCL Presto Lock, but you don’t see it in stores much. The TSA 005 can be found in some Lewis & Clark and Samsonite locks and seems to use a Master Lock M2 blank (I should have a master key for it shortly). I’ve only seen the TSA 006 integrated into luggage from Rimowa, and it appears to be a dimple lock of some sort designed by ABUS August Bremicker Söhne KG (patent). I’ve yet to find a TSA 001 or 003; I’m under the impression they are rarely used anymore. Really, if you make a TSA 002 and 007 master key, that will likely open about 98% of the TSA approved luggage locks you would see.

These locks work on the principle that the end user either uses a combination to open the lock, and the TSA agents inspecting the bag uses the special master key, or there are two keys in existence, one user key and one TSA master key. If you want to get technical, if a lock uses a combination for the end user and a single key for the TSA, it’s not really “mastered” in the normal sense of the word, but that is likely splitting hairs unless you are a locksmith/locknerd. There are multiple ways to do this mastering. One is the traditional way of mastering a lock by having three pins in the shear line between the plug and the cylinder, like fig. 1 (the middle pin is sometimes confusingly called a wafer also, not to be confused with the wafers in a wafer lock).

Figure 1.  Image from http://toool.us/deviant/

The lock in fig. 1 looks a lot like the cores I dissected from some Master Lock TSA approved locks, except the TSA locks only had three pins instead of the five shown. In the ones I remember dissecting, two of the three stacks used the third pin to create multiple shear lines. These multiple shear lines make the locks far easier to rake open the lock since instead of just one possible set of three key bittings working, there are four sets of bittings that would work. The other way of “master” keying, most common in wafer locks, is to have two key ways. A normal wafer lock looks something like fig. 2.

Fig 2. from http://en.wikipedia.org/wiki/Wafer_tumbler_lock

The proper key presses against the wafers and lifts them out of the channels allowing the plug to turn. The TSA master keyway for the 007 looks something like what you can see in fig. 3, which is fine for pin based master key systems or one where the user is expected to use the combination but no key. For TSA wafer locks that have a user key, a double level wafer system similar to what you see in fig. 4 is often used. The keyway on the left in blue is for the user’s keys to go into, and the one on the right is the one for the TSA master key, purple being the part on the bottom they have in common.


Fig. 3. TSA 007 like keyway & normal wafer


Fig 4. Two level keyway and two level wafer


Fig. 5. Side by side of the TSA 007 key holes

There are many destructive ways to break these locks. If you are using luggage with a zipper, someone may try to use the ballpoint pen trick to get in. I’m more interested in non-destructive and non-suspicious ways to open one of these locks. Generally, all these Travel Sentry 007 style locks are easy to rake open; the biggest problem is finding a small enough tension tool. There are also ways to decode the combination using a very thin blade, and on some Travel Sentry locks you can reach through the keyway and move aside the locking pawl. Many are also prone to being opened with jigglers/rockers. Shimming is also a possibility, but with the small openings around the shackle it’s likely not easy, and some TSA locks like the Master Lock 4689Q use a ball bearing instead of a pawl so shimming is not possible. The technique you’re interested in, if you’re reading this article, is making a master key!

All the pics online help, but they’re not needed for duplication. People are concerned that the average person can send the pic to one of the online companies that reproduces keys via a picture, but that is not likely to work as the company probably won’t have the with key blanks to make them from. What we are going to do is reproduce the key by opening the lock up and removing its core.

First we need a wafer lock that is easy to open up by drilling out the rivets. I used a Brinks 165-25107 which has a two sided keyway, but there are other models you could use. Master Lock 4687DNKL, a lock that is also Travel Sentry 007 master keyed, was taken apart in the same way as well so I would have two cores to test my keys with.

Fig. 6 Brink lock, before and after drilling out rivets.

Now that we have the core, we need proper blanks. User keys from the Master Lock 4689Q would probably work in a lot of TSA 007 locks as they are only using a single side of the biting (edge of the key), but technically based on the picture the TSA 007 master key is double sided (not as in two keyways as I mentioned before, but as in both edges of the key have bitting). This is likely done so it is a “convenience” key (it does not matter which way you put it in as both bitting edges are the same), and to double the wear life of the bitting, but there is still the potential for a double sided TSA 007 wafer lock. I’m still searching for commercial key blanks to use, but I found that the Travel Sentry locks by Embark from Target or Travel Smart Conair from Meijer’s were double sided, so I bought those which included keys that had the shallowest cuts in their bitting. I used the key from the Travel Smart one first and tried it in a few locks. It appeared to be too long so I ground down the tip to make it fit more locks. I then inserted it into the core I had extracted and saw how the wafers lined up with the body of the plug. Notice how in fig. 7 when there is no key in the core the wafers are all at the bottom? In this position they would get caught in the bottom channel of the cylinder and the lock would not turn? In fig. 8 you see an unmodified key inserted into the plug; notice how some of the wafers are now over lifted? In this position they would collide with the top channel in the cylinder. We are in a GoldiLOCKs situation here, as the lifting done by the key bitting has to be done “just right”. I simply used a metal file to file down the biting, only a little at a time, where the key was over lifting a given wafer.


Fig. 7 No key


Fig. 8 Wrong key/“blank”

Fig. 9 Close to master

The end result is what you see in fig. 9; all the wafers properly lifted/aligned (well, mostly). It worked in all the TSA 007 master keyed locks I had from Brinks, Master, Samsonite and others, including ones that used pins instead of wafers. It was a little tight for some keyways, so I did the same process with the key from Embark, the one without a plastic handle shown at the bottom of fig. 10.

Fig. 10 finished keys

I even found it to work on the two styles of locks I have from Safe Skies, but in two other Safe Skies locks it was too big to fit in the keyway. Once I have some calipers I plan to measure the biting and publish what the exact cut depths are. I’m also working on finding the proper key blanks and getting a key cutter to make a few for friends. Next in this project I will attempt to master key the TSA 002 once I have proper blanks. The TSA 005 is in the same state. I know it accepts Master Lock M2 blanks which I have on order, I just need to wait for them to come in. The TSA 004 I’ve already made a master “key” for, using a warded key I ground down, as it’s basically just a bulbous screwdriver. I have a longer talk in the works on the whole subject of master keying and bypassing TSA locks that I hope to give this winter. I’m also working on collecting all 7 (8?) TSA keyways. I still need to find locks for the TSA 001, 003 and 006 keyways to dissect, so if you find them please let me know.

 

For more information on TSA/Travel Sentry/Safe Skies keys and locks visit the following URLs:

http://blog.tsa.gov/2014/02/tsa-travel-tips-tuesday-tsa-recognized.html

http://www.safeskieslocks.com/

https://www.travelsentry.org

http://www.securoseal.com/main.php?pg=news&news_id=2017

http://www.safeskieslocks.com/travel-sentry-patent-lawsuit.html

http://documents.jdsupra.com/5bd8e04f-2592-41a5-8b3e-a1b70eb712de.pdf

 

Closing thoughts: If you’re an Apple user, like crypto and own a lock/key having 16 pin depths, you could repin the lock to the MAC on your Mac so long as you don’t exceed the MAC of the keyway, then you can make a text file of the biting numbers that you later protect from being tampered with by using a MAC.

This blog post was written by Adrian Crenshaw (@IronGeek_ADC)

David Kennedy

Author: David Kennedy

Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.