Breaking Into Your Baggage

Thank you. Thank you to Martin to all the organization for having me here. So um who am I? I'm from Mexico. Uh my name is Sector. Uh I have talked in some security conferences. I have talked twice at Defcon uh summer while fest all that stuff. So I'm going to go a little bit quick because we have just 25 minutes and I have a lot of to talk about. So what we're going to talk about we're going to talk about secure baggage. Uh indeed we're going to talk about the the logs and how it works and what I have found around the research that I did last year. So basically uh we have in the baggage that we have this

organization that is travel. So when we go to through airport we have TSA that TSA is different uh to travel sentry. TSA is just the transportation security administration and travel sentry is going to be this logo that you see here. So uh whenever you see a lock and you see this logo that means that that's travelcentric compliance. And what do we have a lot of type of locks on the suitcases we have padlocks built in combination smart proximity and and key. So this means that for example the padlock is just this regular lock that we have over here. The built-in is that those that we found already in the in in the suitcases. Uh combination that means

that we are going to use a combination from three to four digits. Uh smart for example we now have some uh smartrs that you can use your fingerprint to open it. Uh also there are some erh bugs I if I don't recall incorrectly I guess there are from Samson it uh that use a proximity that you will need to have like attack and when you uh get into it you will be open you will be able to open and obviously you are going to have ones that you are going to use just key. For example this one right here is going to use fingerprint and key. Uh right there we have key indeed that's not key

that's something that I'm going to explain you and we have the combination here we have some retractable and here I have a bad lock so what we are going to talk about here about DSA is that if we found a suitcase that is TSA compliance and that means that if you found a bag a suitcase and you see that logo that means that it's going to have uh one of these type of of of locks that could be badlock or built-in and it's going to be from TSA 1 to TSA 8. Okay. Uh here you have a lot of those and you are going to find in the in the lock the number. For example,

here in the in in the corner of the left you see TSN one here two three this is uh four 8 five six and seven. So all of these locks have a specific mechanism to to be open and how it works. The most common that you're going to find is the seven. So if you have a suitcase or if you travel from somewhere else and you have your suitcase, just try to look for if you have this logo and probably the the most common is going to be TSA 007. Um, from there you will have TSA 2 and TSA 5. And if you just uh have the like the most recent uh suitcase, you're going to have maybe TSA8, but that's is

going to be more expensive. So there are another ones, but for example, this TSA4 um is discontinued. Why? And why we have a lot of um locks. There are over 500 of manufacturers that uh that work with this type of blocks. In the case of TSA uh 4 for example here we are going to see that it's been made by the CCL um corbin carbinet lock uh has been around since 8082. So that's a long long time ago. you are going to find a lot of old um logs and keys that they are like really extravagant. Uh and then they they stop to do um they function they function with another company and they stop to do the TSA 004. That's why

you are not going to find any uh suitcase with that. Um that's what I just told you. I'm going to tell you um a little bit how it works, the mechanisms of all of these uh locks just so we can go straight to to the tax. Um so this is the normal lock picking that we are going to have the pin tumble. That means that we are going to have some springs, some pins and we are what we are going to do with the key is just we're going to insert that is going to push the uh the springs and we are going to try to align all the pins just where there there is the arrow and

when they are aligned you are going to be able to move the cylinder. So uh that's what the key does because of the shape and when you are doing lock picking that's what you are trying to do. You are going to try to with the pick trying to move each of the pin to align and then you are going to use the tensor to move it like if you are turning the key and trying to open. Then we have waffers. Waffers for example doesn't have a springs. And here is the the funny part. Waffers what we are just trying to do here uh and I'm going to say it like a uh in a really really easy way. We are just

trying to uh move the key uh along and then just try to to open it. But here we are not using uh those springs. This is going to be super important because when we see the type of locks and attacks, this is going to be key. Then we have dimpool. The dimple is this type of keys. I don't know if maybe here around you have this type of keys and these type of locks, but these little like balls that are called dimples. What we were trying to do is to move from side to side. Uh, and those are going to um be pushed. Uh, we also have some springs here and when we have like the

correct deepness, you are going to be able to align and then to move the key. And finally we are going to have this detainer. The this detainer um is the the the one that is using in the TSA 8 and we are using some discs. So just imagine like we have uh some disk there are one uh above each other and we are going to try to move them and align them. So uh we are going to try to reach for example in the lower one uh in that little gap that gap in all of those that one it's moved and we are going to try to align them in all of those and then we are

going to be able to open it. So what does that means? Uh when we talk about attacking the this these locks we have four main type of attacks here impressioning lock picking the coding and shaving. So this is not a new thing. Uh indeed you can find this information with some research uh from 2016 I think. uh but they just talk about impressioning and lockpicking and the coding. So I'm going to focus on some of the research that I did about shaving. What is impressioning? Impressioning just uh imagine that it's a copy. You're going to try to get a copy a physical copy just from the shape of the key. So if for example you use this uh green

paste or even from a picture of the key you can do this um like map and then you can print it for example with now all of the 3D printers and you can have a a working key on lock picking as I already told you uh we're going to use just a pick and a tensor and depending on what what is it for example if It's pin tumbler like like this is the case. We're going to use for example a rake. This is the name of the pick and a tensor. Uh if I have a dimple um lock for example maybe I'm going to use a snowman pick and a tensor depending on which type of lock or I'm I am having uh

is the pick that I'm going to pick and I'm going to use it. the coding. This is really really interesting and you can search for videos in Tik Tok or whatever and indeed that works but why it works. So this is the mechanism that we have behind all of the digits and what we are going to try to do is to find that little gap. When we have this gap align it we are going to be able to open it. So that gap is going to be aligned uh in the middle but not in the front part. It's going to be in the backwards. So what we are going to do and you can see on on many videos

is that you can insert something between each digit and you can start to feel on even you can start to see if you just use uh a lamp or something uh you will be able to uh see if you start to just uh scroll the the digit uh and suddenly you are going to see something different that something different is going to be that gap. So if you find that gap in the six, in the five, in the two and the two, that means that now it's aligned, but you will not be able to open it. Why? Because the mechanism it's in the backwards. So what you will need to do is now that it's aligned with all these

combination 6522, you're going to move the the four digits just uh backwards like three to five times normally and then you are going to reach exactly that this gap. it's in the backwards in the middle and at that point you're going to open um uh the combination. It's really simple. And finally, we have shaving. Shaving we can define it like a bypass. It's um simply sliding something between the locking parts to reach something. So we have already some leaks. We have the leaks from TSM1 to TS6 to TSA7 uh 8. It's uh really new and you can just Google that in GitHub uh and you will find like all of the files and you can you can uh print your own keys or

you can oh I remove but you can uh buy yours um in some here is it you can find the master keys but it's going to be super super expensive. So um this this uh key is one that we printed um and it it works. And now the specific attacks. So we're going to have the waffer by pass here. I as I told you already uh on the waffer what I just need to do is like to try to bypass to get into something. And here is the TSA 7. This is the most common as I told you already. And what I need to do is just try to uh insert something into the lock

and then >> Oh, sorry for my voice in Spanish. Um then I can move it. I'm going to explain why this happens, but basically if you found that any suitcase has this logo and you have TSA 007, basically what you need to do is just insert something and turn and you will be able to open. Why? Because when we talk about TSA uh travel sentry, we said that this is compliance. That means that in the airport when you have this uh logo you can open the they can open the the locks with a with master keys. So that's the reason why all of these locks that have this logo is going to have um a lock for a key.

That's not something that you have. You are not going to have a key. You are just going to have the combination or another way to open it. But you're not going to have the key. That lock is for TSA and they are going to be able to open it with the master keys. Nevertheless, this presentation is about all the bypasses that you can find. Here's another example. Now, instead of a pick, I'm going to use just a tensor for example. Just what I'm trying to tell you is that you don't need a specialized uh tool. I this is just bare metal just something that fits and that's it. So some unusual tools these are some

build notes from Mexico. So we have just rolled them and we tried to open it and that work indeed. So you can open it even with paper. Um here uh a friend of mine use it a fork, a knife, whatever you you found, you can just insert if it fits and goes through you you will find some resistance and that's where waffers gets in. When you find resistance, you just have to push a little bit and that's when you bypass waffers and then you will be able to turn. Here is another example. This is a little more difficult. This is TSA 002. Uh here I used it two picss but at the end same I was able to open indeed. This

is my suitcase. I bought this suitcase in Panama 10 years ago and I have trouble with this now. I have done a lot of test with for this talk. Um it's not working anymore but I don't care indeed because I mean so what happens in the back? This is the housing. We have there that circle that is the cam. Uh and in the middle you see there is a um uh a hole and we have there a restrictor that is that little arm and then we have here the pivot arm. So what you can see here is that here in my finger t I have a pick. So what I just did is that I inserted something uh I

bypassed the waffers. I reach the cam and from there uh when I move the the restrictor is going to move allowing that the pivot arm slides and then you can open. Get it? It's not that difficult but it gets me it to to another attack. So that's what happens. Basically I move the the restrictor and I was able to slide the pivot arm. What happens with shipping? I thought what if instead of trying to insert something through the log uh bypassing the cam trying to reach the restrictor to move the pivot arm, what if just through those holes where uh in in the suitcase you are going to to clip like um the zippers. Uh maybe I insert

something to reach directly the restrictor and just pull it and then move the pivot arm. >> That's basically what I'm explaining here to my team. Um I mean that's what I'm trying to do get into the restrictor and move it. And here is on the sweet case. So, I'm just getting trying to fill to get the restrictor. >> Oh, sorry. Uh, I cut the the video, but that's basically what I'm trying to do. I'm trying to >> Yeah, I'm trying to get from from that little hole from the zippers trying to get into the restrictor and then I'm going to be able to move the pivot arm. >> Another one is the decoding That is just

what I'm explaining to you. Um here I'm using um a pick to fill that little gap that that gap there and then when I'm trying to >> yeah in here what I'm saying is that in some point when I'm trying to insert the pick uh I feel the restriction and at some point I feel that I can uh pass a little bit more lag in that digit. I was able to

>> that that's I I said there that that I feel the restriction. Uh, and with the pig, what I'm just trying to do is to fill that little gap. If I can insert more the pig and when I have that, then I'm going to slide and then I'm going be be able to open. And for example, here I have TSA 006. And in TC TSA 06, uh, I have dimples. You can see maybe uh, just under TSA00006 that there's a little ball. Uh, those are the dimples. So what I can do here is trying to uh pick uh use a snowman pick uh and trying to open or I found another bypass that is that when I

correctly open with the master key or I use the combination what it's going to do is that that part is going to uh pull. So, basically, I was thinking, what if I just insert something in in in there and just push it? If I push it, it's going to open just like that. I'm going to try to It's closed. And I'm going to try to reach that part.

And it's open. So this is flat in the surface and as you can see uh it's pretty it's sufficient space to insert something and be able to open um um this is dimple picking with the tools that I told you here you can see the how it works this is a snowman and here it's something that I just did it it's also possible you by shaving by picking or by combination the cutting and this detainers. Uh this is the newest. Uh this is something that I have been being able to pick because my picss are too big to uh get into there. But I found another bypass. And the bypass is exactly here. If I can

reach that hole, uh I can insert through through this um gap something. try to reach that gap and just pull it and if I do that it will be open. So maybe I was not able to pick but I was able to pass it. So basically uh from DSA 1 to 8 uh all of those are pickable even if I don't I I wasn't able to open TSA 8 because I didn't have the tool. I have seen that you can do your your own custom and it's um vable uh by master keys only the TS8 uh I haven't seen any leak of that uh but also uh you can do it by the coding uh you can do it by shaving on all of

the locks. So uh on defcon uh they ask me okay which lock do you use and the truth that I don't uh now I'm just using a padlock with my back uh is not TSA compliance so there is no way to pick it uh there is only way to decode it but uh if somebody tries to open it I think that it's going to take more time than than if you can just bypass it. And finally uh putting that into practice why I'm talking this here in cyber security conference at the lockpicking is something that we all like uh and this take us to some social engineering jeans u to some product security reviews so you are not here to

know and I'm not here to tell supposedly but just like one month ago I performed an ATM security assessment um in Mexico and here indeed What I just see is this uh key and this key uh is for a disk detainer. So uh when you start to do this type of uh of things of this research, you start to develop uh your mindset into huh how can I get into here? How could I bypass there? Um for ATM security obviously I was able to bypass many of the ATM security. uh even for extra safe words. Here I say like, huh, this is not a lock, but this is like in the safe of the ATM. Here I see

a big big gap. What if I just get something there? You just pull it uh down and I will be able to open it. And that worked. And I just came yesterday here. I just arrived here and let's try to do a look around the ATMs and I just saw that like huh pretty standard ATMs locks you are using just um some um pin tumble as I told you before is like the the most common the most easy uh I saw that there was a stand with lock picking those were hard these are really easy indeed maybe you beat some of those you can beat some of them this and I'm not telling you be criminals I'm just

telling you the information. Um, and I have traveled from Asia to Latin America, North America, Europe and I see the same because obviously by the vendor NCR window dall next doorfuse the same pretty standard locks. So at the end uh when I'm get for example here I was passing by a place and I see like oh pretty good that you have like the ATM with the locks and everything but then you see the glass and the wires everything over there and I was like I know this is Europe and I mean this is a lot of Latino blood but what if just smash the the glass and I can get into it and that's but well thank you. Uh

that was it.

Okay. Are there any questions for the speaker?

Hi, thank you very much. Uh, I want to ask I forgot the name of the style of the picking already, but um, the one when you just put stuff in the in the lock uh, and then turn you use the for uh, use force. Uh, does it leave traces? Does it break the lock? Can it be used afterwards? Uh yeah, that that's my question. >> Uh indeed. Uh you mean if there are traces in the log like it was uh locked? >> Uh well what I mean is uh does the uh does the log break? Uh I don't mean of course it can be I don't know uh scratched and stuff like that. That doesn't matter. But um if it can be used

afterwards, if if it's like a visible will people notice that someone broke into their luggage? It is not visible. Um uh after many many attempts uh we normally do a village of lock picking uh in South America with uh I carry with a lot of suitcases to do all of this. uh and after a lot of attempts obviously the logs starts to to break but on normal usage uh I mean normal usage of this uh is not going to break but indeed there is a paper of black hat that it's lockpicking forensics and it's super super interesting because I didn't thought that there will be forensics for lockpicking uh but yeah there are you can see that if there are scratches if

there is some uh like they they count like the normal use and how it will see and with a microscope uh how is it uh maybe that was uh evidence of lockpicking so I recommend that uh I think that the name is lockpicking forensics um you can read that paper very cool thank you very much okay any more questions thank you