SQL injection bypassed airport TSA security checks

Security researchers have uncovered a critical vulnerability in a crucial air transport security system, potentially enabling unauthorised individuals to bypass airport security screenings and access aircraft cockpits.

Ian Carroll and Sam Curry identified the flaw in FlyCASS, a third-party web-based service utilised by airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). KCM allows pilots and flight attendants to skip security screening, while CASS permits authorised pilots to use jumpseats in cockpits during travel.

The vulnerability in FlyCASS’s login system allowed for SQL injection, enabling attackers to log in as an administrator for participating airline Air Transport International and manipulate employee data within the system.
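The class of login flaw described above, shown beside its parameterized fix as an added example; it is not FlyCASS's code, which the article does not show. The schema, function names, SQLite backend and sample account are all constructed assumptions.

```python
import hashlib
import hmac
import sqlite3

def hash_pw(password):
    # Simplified for the demo; real systems should use a salted KDF (scrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Constructed in-memory user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", hash_pw("correct horse"), "administrator"))
    return db

def login_vulnerable(db, username, password):
    """Concatenates input into the statement, so input can change the query's logic."""
    query = ("SELECT role FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + hash_pw(password) + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Binds input as data; the statement's structure is fixed before input is seen."""
    row = db.execute("SELECT pw_hash, role FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    # Compare the stored hash in application code, in constant time.
    return row[1] if hmac.compare_digest(row[0], hash_pw(password)) else None

# Constructed regression input: a quote and comment marker in the username field.
CRAFTED_USERNAME = "admin' --"

if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, "->", fn(db, CRAFTED_USERNAME, "wrong password"))
```

Keeping the crafted input as a regression test catches any later change that reintroduces string-built queries in the login path.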

Upon realising the gravity of the issue, the researchers initiated a disclosure process, informing the Department of Homeland Security (DHS) on April 23, 2024. Subsequently, FlyCASS was disconnected from the KCM/CASS system as a precaution, and the vulnerability was rectified.

Efforts to coordinate a safe disclosure were met with resistance, with the DHS ceasing to respond to the researchers’ emails. The TSA denied the vulnerability’s impact, asserting that its vetting process would prevent unauthorised access, while quietly removing conflicting information from its website.

Carroll highlighted that the flaw could have facilitated more extensive security breaches, including the bypassing of vetting processes for new KCM members.

Following the researchers’ report, another researcher, Alesandro Ortiz, discovered potential ransomware activity targeting FlyCASS in February 2024.

TSA press secretary R. Carter Langston informed BleepingComputer that the TSA was aware of the vulnerability report, asserting that no government data or systems were compromised, and that TSA procedures were in place to verify crewmembers’ identities.

BleepingComputer’s attempts to reach the DHS for comment were initially unsuccessful.

Original story: https://www.bleepingcomputer.com/news/security/researchers-find-sql-injection-to-bypass-airport-tsa-security-checks/