A group of lock-picking and security aficionados posted a set of files on Wednesday that allow 3-D printers to replicate the TSA’s master luggage keys. The file was created after The Washington Post erroneously published an article that included a photograph of the TSA’s master keys.
Although the newspaper has removed the photo from its website, at least one 3-D printer owner has already downloaded the files, printed a master key, and posted a video depicting the printed key opening a TSA-approved luggage lock. The leaked master keys can open every type of TSA recognized locks, including Master Lock, Samsonite, and American Tourister.
In November, The Washington Post published an article titled “The secret life of baggage: Where does your luggage go at the airport?” that mistakenly included a photo of the TSA’s master luggage keys. By simply looking at the photo, lockpickers figured out how to replicate the keys using 3-D printers. Although The Washington Post removed the photo from its site, the notorious picture continues to circulate online.
On Wednesday, a Github user named Xylitol published a set of CAD files that allow anyone with a 3-D printer to replicate the precisely measured set of TSA master keys.
“Honestly I wasn’t expecting this to work, even though I tried to be as accurate as possible from the pictures. I did this for fun and don’t even have a TSA-approved lock to test,” Xylitol wrote in an email to WIRED. “But if someone reported it that my 3D models are working, well, that’s cool, and it shows…how a simple picture of a set of keys can compromise a whole system.”
Within hours, a Montreal-based Unix administrator named Bernard Bolduc downloaded the files and printed one of the TSA’s keys using his PrintrBot Simple Metal printer. The key immediately opened a TSA recognized lock on Bolduc’s luggage. He posted a video on Twitter proving that the 3-D printed key worked on TSA-approved locks.
According to researchers, keys can be decoded and replicated from photographs taken as far as 195ft away. The photo in The Washington Post article depicted a close-up shot of the TSA’s master keys.
By allowing the newspaper to photograph the master keys, the TSA revealed yet another in a series of security failures. On June 1, TSA Acting Administrator Melvin Carraway was demoted after undercover Homeland Security agents successfully smuggled dozens of fake explosives and banned weapons through airport security checkpoints.
In a separate incident in 2013, an undercover DHS agent successfully smuggled a fake bomb through a metal detector at New Jersey’s Newark Liberty Airport. Although TSA screeners administered a pat down, they were unable to detect the mock explosive strapped to his body.
Although the TSA is directly responsible for the current security lapse, The Washington Post also shares the blame for publishing the photo of the master luggage keys.
With the ability to print guns and the TSA’s master luggage keys, the owners of 3-D printers are consistently testing the boundaries of liberty as the TSA scrambles to improve security.