Security experts discovered a flaw in a critical air transport security system, allowing unauthorised personnel to possibly bypass airport security screenings and get access to aircraft cockpits.
Researchers Ian Carroll and Sam Curry uncovered the security vulnerability in FlyCASS, a third-party web-based service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS).
KCM is a Transportation Security Administration (TSA) project that lets pilots and flight attendants bypass security screening, whereas CASS allows authorised pilots to use jump seats in cockpits while flying.
ARINC, a Collins Aerospace subsidiary, runs the KCM system, which uses an online platform to authenticate airline personnel' credentials. Access is granted without a security screening by scanning a KCM barcode or inputting an employee number, which is subsequently cross-checked with the airline's database. Likewise, when pilots need to commute or travel, the CASS system authenticates them for access to the cockpit jumpseat.
The researchers observed that FlyCASS's login mechanism was vulnerable to SQL injection, which allows hackers to enter SQL commands into malicious database queries. By leveraging this flaw, they could log in as an administrator for a partnering airline, Air Transport International, and change personnel data in the system.
The attackers also created a fictional employee named "Test TestOnly," and gave this account access to KCM and CASS, allowing them to "skip security screening and then access the cockpits of commercial airliners.”
"Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners," Carroll stated.
The researchers promptly contacted the Department of Homeland Security (DHS) on April 23, 2024, after recognising the gravity of the situation. The researchers chose not to contact the FlyCASS site directly since it appeared to be managed by a single individual, and they were concerned that the disclosure would alarm them.
The DHS responded by acknowledging the severity of the vulnerability and confirming that FlyCASS was unplugged from the KCM/CASS system on May 7, 2024, as a preventative step. Soon after, FyCASS's vulnerability was addressed. However, efforts to organise a safe disclosure of the vulnerability were thwarted when the DHS stopped answering to their emails.
The researchers also received a response from the TSA press office denying the gravity of the vulnerability and claiming that the system's vetting procedure would stop unauthorised access. The TSA also discreetly removed information that contradicted its claims from its website after being notified by the researchers.
"After we informed the TSA of this, they deleted the section of their website that mentions manually entering an employee ID, and did not respond to our correction. We have confirmed that the interface used by TSOs still allows manual input of employee IDs," Carroll added.