Researchers Discover SQL Injection Flaw That Could Skirt TSA Security Checks at Airports

Security experts discovered a flaw in a crucial air transport security system. This issue could let unauthorized people skip airport security checks and access aircraft cockpits.

Researchers Ian Carroll and Sam Curry found a security flaw in FlyCASS, a web service used by some airlines to handle the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). The KCM program, run by the Transportation Security Administration (TSA), lets pilots and flight attendants bypass regular security checks. CASS allows approved pilots to occupy jumpseats in the cockpit while traveling.


The KCM system, run by ARINC (part of Collins Aerospace), checks airline workers’ IDs online. Employees scan a KCM barcode or type in their number, and the system matches it with the airline’s records to let them in without a security check. In the same way, the CASS system makes sure pilots can use the cockpit jumpseat for commuting or trips.

The researchers found that FlyCASS’s login system was vulnerable to SQL injection: untrusted login input was built into the text of a database query, so an attacker could supply SQL syntax of their own and change what the query did. Exploiting this, they were able to sign in as an administrator for Air Transport International and change employee information in the system.
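To make the flaw class concrete from a defender's side, the following is an added example that is not FlyCASS code and assumes nothing about its real schema: a login lookup that splices input into SQL text (the pattern the article describes) next to a hardened version that uses parameterized queries and a constant-time hash comparison. The table, user name and password hashing here are constructed stand-ins; a real deployment would use a slow salted hash such as bcrypt or Argon2 rather than plain SHA-256.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for a password hash; NOT suitable for production use.
def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory user table (an assumption, not FlyCASS's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("example_admin", hash_password("correct horse battery staple"), "admin"),
    )
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The defect class from the article: login input is pasted into the SQL text.

    A quote character in `username` ends the string literal early, so the rest
    of the input is parsed as SQL rather than as data.
    """
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, hash_password(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized lookup: the driver passes `username` as a value, never as syntax.

    The stored hash is then compared in constant time; a failed match returns
    None regardless of what the input looked like.
    """
    row = conn.execute(
        "SELECT password_hash, role FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    stored_hash, role = row
    if not hmac.compare_digest(stored_hash, hash_password(password)):
        return None
    return role

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1' --"  # textbook tautology; treated as a plain string by the hardened version
    print("vulnerable:", login_vulnerable(db, crafted, "wrong"))
    print("hardened:  ", login_hardened(db, crafted, "wrong"))
```

The point for reviewers is the shape of the query, not the particular input: any path where user-controlled text reaches the SQL string without binding is the same bug, and the fix is to bind every value and treat a failed parameterized lookup as an ordinary failed login (which is also the event worth alerting on when it arrives with quote characters in the user name).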

They created a fake employee profile named “Test TestOnly” and gave it access to KCM and CASS. This move enabled them to bypass security screening and gain entry into the cockpits of commercial airlines.

“Someone with a basic understanding of SQL injection could easily log into this site. They could add people to KCM and CASS, bypassing security checks and gaining access to commercial airliner cockpits,” Carroll explained.

Image: FlyCASS SQL injection

Upon realizing the severity of the issue, the researchers quickly contacted the Department of Homeland Security (DHS) on April 23, 2024. They chose not to reach out directly to FlyCASS, fearing that it might alarm the individual running the site.

The DHS took the situation seriously and confirmed that they disconnected FlyCASS from the KCM/CASS system on May 7, 2024, as a safety measure. The vulnerability in FlyCASS was promptly fixed.

However, when the researchers tried to coordinate a safe disclosure, the DHS stopped replying to their emails. Additionally, the TSA press office provided a statement denying the impact of the vulnerability, asserting that the system’s vetting process would block unauthorized access. Despite this, after the researchers reached out, the TSA discreetly removed information from its website that contradicted its public statements.

“After we notified the TSA, they removed the section from their website that discussed manually entering an employee ID and did not reply to our correction. We’ve verified that TSOs can still manually input employee IDs,” Carroll stated.

Carroll also mentioned that this vulnerability could lead to more serious security issues, like changing KCM member profiles to skip vetting for new members.
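The concern in this paragraph and in the “Test TestOnly” record above is that an administrator-level write can grant KCM or CASS access to a person who was never vetted. One compensating control is a roster audit that flags such records independently of the application that wrote them. The following is an added example that is not part of the article or of any KCM/CASS system; the record fields, status vocabulary and sample roster are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass
class CrewRecord:
    # Constructed field set; a real roster schema will differ.
    employee_id: str
    name: str
    kcm_enabled: bool
    cass_enabled: bool
    vetting_status: str                  # assumed vocabulary: "complete", "pending", "none"
    vetting_completed_at: Optional[datetime]
    access_granted_at: Optional[datetime]

def find_unvetted_access(records: List[CrewRecord]) -> List[Tuple[str, str]]:
    """Return (employee_id, reason) for every record whose access is not backed by vetting.

    Two conditions are checked: access enabled with no completed vetting, and
    access granted with a timestamp earlier than the vetting completion time
    (a sign that the access flag was written outside the normal onboarding flow).
    """
    findings = []
    for r in records:
        if not (r.kcm_enabled or r.cass_enabled):
            continue
        if r.vetting_status != "complete" or r.vetting_completed_at is None:
            findings.append((r.employee_id, "access enabled without completed vetting"))
        elif r.access_granted_at is not None and r.access_granted_at < r.vetting_completed_at:
            findings.append((r.employee_id, "access granted before vetting completed"))
    return findings

def sample_roster() -> List[CrewRecord]:
    """Constructed sample data for a stand-alone run."""
    utc = timezone.utc
    return [
        CrewRecord("E-1001", "Legit Pilot", True, True, "complete",
                   datetime(2024, 1, 10, tzinfo=utc), datetime(2024, 1, 12, tzinfo=utc)),
        CrewRecord("E-9999", "PLACEHOLDER UNVETTED", True, True, "none",
                   None, datetime(2024, 4, 20, tzinfo=utc)),
        CrewRecord("E-1002", "Backdated Access", True, False, "complete",
                   datetime(2024, 3, 1, tzinfo=utc), datetime(2024, 2, 1, tzinfo=utc)),
        CrewRecord("E-1003", "No Access Yet", False, False, "pending", None, None),
    ]

if __name__ == "__main__":
    for employee_id, reason in find_unvetted_access(sample_roster()):
        print(employee_id, "-", reason)
```

Run as a scheduled job against a read-only export, the check catches the exact outcome the researchers produced (an access-enabled record with no vetting behind it) even if the write path that created it was never logged.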


Following the release of the researchers’ findings, another expert, Alesandro Ortiz, found that FlyCASS was likely hit by a MedusaLocker ransomware attack in February 2024. A Joe Sandbox analysis showed encrypted files and a ransom demand.

Image: FlyCASS ransomware attack

In April, TSA learned of a potential security issue with a third-party database holding airline crew information. During tests, someone added an unverified name to the crew list. Thankfully, no government data or systems were affected, and this didn’t impact transportation security, TSA spokesperson R. Carter Langston explained to BleepingComputer.

TSA doesn’t just use this database for crew checks. They have other ways to confirm who crew members are, ensuring only approved individuals enter secure airport areas. TSA has been working with partners to address any cybersecurity weaknesses found.

BleepingComputer reached out to DHS today for comments, but we haven’t heard back yet.
