Friday, September 18, 2015

The Intercept: TSA Doesn't Care That Its Luggage Locks Have Been Hacked

TSA Doesn't Care That Its Luggage Locks Have Been Hacked

In a spectacular failure of a "back door" designed to give law enforcement exclusive access to private places, hackers have made the "master keys" for Transportation Security Administration-recognized luggage locks available to anyone with a 3D printer.

The TSA-recognized luggage locks were a much-vaunted solution to a post-9/11 conundrum: how to let people lock their luggage, on the one hand, but let the TSA inspect it without resorting to bolt cutters, on the other.

When the locks were first introduced in 2003, TSA official Ken Lauterstein described them as part of the agency’s efforts to develop "practical solutions that contribute toward our goal of providing world-class security and world-class customer service."

Now that they’ve been hacked, however, TSA says it doesn’t really care one way or another.

This doesn't surprise me very much. I'm actually kind of surprised that it took this long for the TSA master keys to be leaked out to the Internet. It does, however, bother me that TSA's response is that since it "does not create a threat to aviation security" they don't care.

As the article points out, this goes beyond a failure of a luggage-lock system. It underscores the reasons why back-doors into security systems are always a bad idea. Even if you have total trust in the people holding the back-door keys (and in the case of government agencies, I doubt anybody has that kind of trust), it is always possible that some third party will be able to copy or steal those keys, and once that happens, the entire system is compromised.

Luggage locks are (fortunately) a pretty harmless demonstration of the principle. As we all know, those locks don't really secure anything anyway. They can be forced open or cut off with only a trivial amount of effort, zippers can be forced open with any pointed object, and any knife can cut through the side of soft-sided luggage. And we've already seen reports of objects being stolen by baggage handlers and at security checkpoints. But it should be a wake-up call to more serious situations.

For instance, right now, the Federal government is trying to force Google, Microsoft and Apple to install back-doors in their encryption technology used to secure mobile communication. They are upset that they can't wire-tap communication (of suspected criminals only, they assure us) and they claim that we'll all be in danger if they aren't given this ability. What they fail to (or choose not to) understand is that the very presence of such a back-door means that sooner or later (probably sooner), some hacker group (or foreign government or crime syndicate) will figure it out and publish it. And then nobody will have any security, because those organizations don't care about silly things like search warrants and court orders.

This already happened once. The Motion Picture Association of America (MPAA) worked very hard to come up with the Content Scrambling System (CSS)) which encrypts DVDs. They designed it such that every licensed DVD player would be able to get the decryption key, while supposedly keeping out unlicensed players (including software meant to "rip" content to a computer or copy the disc.) When the algorithm was cracked (3 years after its introduction), every single DVD ever produced (and that ever will be produced) was compromised. Today, DVD encryption is little more than a joke (but you can still go to jail for a long time if you decrypt it using unlicensed software.)

This was with a system that, although weak, was kept private and didn't have any back-doors in it. How much easier do you think hacking a system can be when it is designed to allow (authorized only, of course) third parties to access all content worldwide?

This all boils down to a single fact: When encryption is outlawed, bayl bhgynjf jvyy unir cevinpl.

No comments: