I travel a lot teaching for Learning Tree. I used to travel even more when I was younger and trips abroad for business or pleasure were frequent and enjoyable. When I travel, I often pack snacks and other goodies in my checked luggage. In the old days, I would lock my bags with a brass lock and be confident nobody would get that beef jerky in the suitcase. (Of course, luggage isn’t secure by any means. Left alone with just about any common piece of luggage, a thief can easily destroy the bag to get the contents.)
When the TSA (Transportation Security Administration) came along, they would cut off those cheap little locks if they needed to look inside a bag to make sure it was safe. That happened to me once: how was I to know that a few books stacked together looked suspicious? Then the TSA created a standard: manufacturers could create locks that the TSA could open with special keys. At the time I wondered how long it would be before some manufacturer’s design was stolen and the shapes of the keys would be revealed. As it turned out, that didn’t happen. Images of the keys were published on the web.
The Washington Post published a picture of the keys in an article about baggage handling late in 2014 (the images are no longer on their site, but you can find them on the web). Clever lock pickers quickly used the images to make 3-D printer models of the keys and those models were successful in opening the locks. An article in Wired tells more about the process and has a video of the keys working. If you’d like to learn more details about the process and those who made the keys, please read the article.
For me, this is another important case of information leakage. Probably nobody even thought that people could look at the images of the keys and get enough information to compromise the locks’ security. Someone with a good memory for images could look at those or another key and, with a little tweaking, probably 3-D print a copy. For years we’ve seen television and movie characters copy keys using impressions, rubbings and inkpad prints. Of course that happens in real life – it is just that much easier now that the keys can be printed rather than cut from a hard-to-find blank.
Information leakage is hard to manage because it may be difficult to discern where information can be leaked. Companies shred outdated phone lists and other sensitive business documents. Keys are kept concealed from prying eyes. Employees are often prohibited from taking work-related materials home. These are important steps, but we need to keep asking, “What can the bad guys do with this?”
There are many ways information can be leaked, including harvesting of RFID pass information and using a laser to record laptop movements as keys are typed. We talk about these and other forms of leakage in Learning Tree’s System and Network Security Introduction. Please share your leakage experiences with us in the comments below.
To your safe computing,