Researchers have highlighted a serious threat to airport and cockpit security caused by a vulnerability in a crew verification system. Specifically, they found an SQL injection flaw that attackers could exploit to bypass airport security checks and fraudulently enter restricted areas such as cockpits.
Researchers Demo How a SQL Injection Could Bypass Airport Security
Two researchers, Ian Carroll and Sam Curry, recently shared details of a serious yet trivially exploitable threat to airport security. Specifically, they found that an adversary could bypass airport security checks via SQL injection attacks against the FlyCASS cockpit security system.
FlyCASS is a dedicated web-based cockpit access security system that helps airlines verify crew members' jumpseat eligibility. The software is typically pitched to small airlines, letting them participate in the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS), a crew verification and pilot authorization initiative from the Transportation Security Administration (TSA).
As explained in their post, the researchers observed that the SQL injection vulnerability affected the FlyCASS login page. An adversary could inject malicious SQL queries into the crew members' database. At this point, the researchers noticed no further authentication checks for adding new employees to the database. To confirm the problem, they added a "Test" user account, which received immediate authorization for KCM and CASS use.
Consequently, an adversary could add any user to the KCM and CASS database to evade the usual airport screening practices.
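The two weaknesses described above, a login query built from user input and an add-employee path that grants access immediately, are shown here next to hardened counterparts. This is an added Python example, not FlyCASS code or the researchers' code; the SQLite schema, account names and role names are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed test string: the textbook tautology used in SQL injection checks.
CONSTRUCTED_INPUT = "' OR '1'='1' --"

def _hash(pw):
    # SHA-256 keeps the sample short; production code needs a password KDF.
    return hashlib.sha256(pw.encode()).hexdigest()

def make_db():
    # Schema, account names and role names are assumptions for this example.
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT);"
                     "CREATE TABLE crew (name TEXT, added_by TEXT);")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("ops_admin", _hash("correct horse"), "airline_admin"),
        ("viewer", _hash("battery staple"), "read_only")])
    return db

def login_vulnerable(db, username, password):
    # Input is spliced into the SQL text, so a quote in it rewrites the query.
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, _hash(password)))
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    # Placeholder keeps input as data; the hash is compared in constant time.
    row = db.execute("SELECT username, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row and hmac.compare_digest(row[1], _hash(password)):
        return row[0]
    return None

def add_crew(db, session_user, name):
    # Second control: the write path re-checks the caller's role server-side.
    row = db.execute("SELECT role FROM users WHERE username = ?",
                     (session_user,)).fetchone()
    if row is None or row[0] != "airline_admin":
        raise PermissionError("not authorized to add crew")
    db.execute("INSERT INTO crew VALUES (?, ?)", (name, session_user))
    return db.execute("SELECT COUNT(*) FROM crew").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, CONSTRUCTED_INPUT, "x"))
    print(login_hardened(db, CONSTRUCTED_INPUT, "x"))
```

The vulnerable login returns an account for the constructed string without any valid password, while the hardened login rejects it and the write path refuses callers whose role is not permitted to add crew.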
The Vulnerability Fixed(?)
Following this discovery, the researchers responsibly disclosed the matter to the Department of Homeland Security (DHS). The DHS acknowledged their bug report and assured them it would act on the matter. Subsequently, the researchers found FlyCASS disabled from KCM/CASS until the flaw was remedied.
However, after the FlyCASS fix, the researchers did not hear further from the DHS about the vulnerability disclosure. Moreover, they received a statement from the TSA denying the actual exploit. According to Bleeping Computer, the TSA's statement reads:
In April, TSA became aware of a report that a vulnerability in a third party’s database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. No government data or systems were compromised and there are no transportation security impacts related to the activities.
TSA does not solely rely on this database to verify the identity of crewmembers. TSA has procedures in place to verify the identity of crewmembers and only verified crewmembers are permitted access to the secure area in airports. TSA worked with stakeholders to mitigate against any identified cyber vulnerabilities.
Nonetheless, the researchers stand by their findings, while also hinting at other possible attacks threatening the KCM/CASS checks.