Anyone can evade airport security via an SQL injection attack


Researchers pointed out a serious security threat to airports and cockpits due to a vulnerability in the security system. In particular, they found an SQL injection flaw that attackers could exploit to bypass airport security checkpoints and fraudulently enter unauthorized areas such as cockpits.

Researchers demonstrate how an SQL injection can bypass airport security

Two researchers, Ian Carroll and Sam Curry, recently shared insights about a serious yet trivially exploitable threat to airport security. In particular, they showed how an adversary could bypass airport security checkpoints via an SQL injection attack on the FlyCASS cockpit security system.

FlyCASS is a web-based cockpit access security system that allows airlines to verify the jumpseat suitability of crew members. The software is typically aimed at small airlines, allowing them to take part in the Known Crewmember (KCM) program and Cockpit Access Security System (CASS), a crew verification and pilot authorization initiative of the Transportation Security Administration (TSA).

As explained in their write-up, the researchers observed an SQL injection vulnerability affecting the FlyCASS login page. An adversary could inject malicious SQL queries into the crew members' database. At this point, the researchers noted that there were no further authentication checks for adding new employees to the database. To confirm the problem, they added a "Test" user account, which received immediate permission for KCM and CASS use.

Consequently, an adversary could add any user to the KCM and CASS database to circumvent common airport security practices.
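The two weaknesses described above, shown as an added example that is not FlyCASS code or the researchers' test input: a login query built by string concatenation beside its parameterized form, and a roster change that starts unauthorized until a second administrator approves it. The schema, account names, the crafted input and the two-person approval step are all assumptions made for illustration.

```python
import hashlib, hmac, sqlite3

def pw_hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def make_db():
    # Constructed schema and rows for illustration; not FlyCASS's real tables
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT, airline TEXT);
        CREATE TABLE crew (name TEXT, airline TEXT, requested_by TEXT, authorized INTEGER);
    """)
    for user in ("ops_admin", "second_admin"):
        db.execute("INSERT INTO admins VALUES (?, ?, ?)",
                   (user, pw_hash("sample-" + user), "EXAMPLE AIR"))
    return db

def login_vulnerable(db, username, password):
    # BEFORE: input is concatenated into the SQL text, so a quote in
    # `username` alters the query's structure instead of being matched as data
    sql = ("SELECT username, airline FROM admins WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash(password) + "'")
    row = db.execute(sql).fetchone()
    return {"user": row[0], "airline": row[1]} if row else None

def login_fixed(db, username, password):
    # AFTER: bound parameter keeps input as data; hash compared in constant time
    row = db.execute("SELECT username, airline, pw_hash FROM admins "
                     "WHERE username = ?", (username,)).fetchone()
    if row and hmac.compare_digest(row[2], pw_hash(password)):
        return {"user": row[0], "airline": row[1]}
    return None

def add_crew_member(db, session, name):
    # New entries start unauthorized rather than receiving immediate status
    if session is None:
        raise PermissionError("login required")
    db.execute("INSERT INTO crew VALUES (?, ?, ?, 0)",
               (name, session["airline"], session["user"]))

def approve_crew_member(db, session, name):
    # Only a different administrator of the same airline can authorize
    cur = db.execute("UPDATE crew SET authorized = 1 WHERE name = ? AND airline = ? "
                     "AND requested_by != ?", (name, session["airline"], session["user"]))
    return cur.rowcount == 1

# Constructed input containing SQL metacharacters
CRAFTED = "ops_admin' -- "
```

With the constructed input and a wrong password, `login_vulnerable` returns a session while `login_fixed` returns `None`; a crew entry added through a valid session stays unauthorized until a different administrator approves it.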

The vulnerability resolved (?)

Following this discovery, the researchers responsibly disclosed the matter to the Department of Homeland Security (DHS). DHS acknowledged their bug report and secured the necessary input on the case. The researchers subsequently found that FlyCASS had been disabled in KCM/CASS until the flaw was resolved.


However, after the FlyCASS fix, the researchers had an ironic experience: they heard nothing further from DHS about the vulnerability disclosure. They also received a statement from TSA denying the actual exploit. According to Bleeping Computer, TSA's statement reads as follows:

In April, TSA became aware of a report that a vulnerability had been discovered in a third-party database of airline crew member information and that testing the vulnerability added an unverified name to a list of airline crew members in the database. No government data or systems have been compromised and there are no transportation security impacts associated with the operations.
TSA does not rely solely on this database to verify the identities of crew members. TSA has procedures in place to verify the identity of crew members and only verified crew members are allowed access to the secure area at airports. TSA worked with stakeholders to mitigate any identified cyber vulnerabilities.

Nevertheless, the researchers stand by their findings, in addition to hinting at other attack opportunities that threaten KCM/CASS controls.

Let us know your thoughts in the comments.
