“Security by obscurity” - These TSA locks allow you to lock your bag using a self-chosen code, whilst the TSA can use their special keys to open the same lock (3D models of which can be found online, but that’s a different story).
Since I am able to set my own code, there must be an underlying mechanism that connects your code to the “real” code. Let's open a lock to see how they work.
Next to the ring containing the numbers is a small ring with an opening, like a “c”.
Let's zoom in. See this tiny opening?
What if I cut a sharp triangle out of plastic or a soda can? I can feel this opening without opening the enclosure.
Like this. If you align all the openings in a straight line, all it takes is turning every ring one position at a time until the lock is open. So no matter how many rings, rotating all the rings 10 times is all it takes (after alignment).
So this lock opens with 000 (no visible openings)
You are able to feel the opening on the right side of the 8 (or the left side of the 7). Meaning: if you align the code on the right side, increase all numbers by 2 positions and the lock will open. Within seconds!!
Same goes for RFID entry systems that use just the UID. Or a padlock with just a few simple pins. If you do not know how the mechanism works, it is all black magic and will appear secure. Depending on your threat model, you might want to investigate and choose a different solution.
Let's try to open the lock using the TSA bypass method. Tool of choice: just a rake, that's all I have here, no tension wrench (please don’t do this at home kids, you'll break your tools).
The lock uses an elevated ring as the bypass method. Let's fiddle around a bit.
Oh wow, that was just a few seconds as well. Lock is open - using TSA bypass - even though the code is incorrect.
As you can see, the ring is no longer elevated, allowing the lock to also open.
You can follow @jilles_com.