In a shocking revelation, cybersecurity researchers have uncovered a critical vulnerability in a key air transport security system, potentially allowing unauthorized individuals to bypass airport screenings and access aircraft cockpits. This discovery highlights the ongoing challenges in maintaining robust security measures in the aviation industry.
The Vulnerability: A Breach in FlyCASS
Cybersecurity experts Ian Carroll and Sam Curry identified a significant flaw in FlyCASS, a third-party web service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). These systems are crucial components of the Transportation Security Administration’s (TSA) efforts to streamline security processes for airline crew members.
The KCM program, operated by ARINC (a Collins Aerospace subsidiary), allows pilots and flight attendants to bypass regular security screenings. Similarly, CASS enables licensed pilots to occupy cockpit seats during travel. Both systems rely on a verification process that includes scanning a KCM barcode or entering an employee ID, followed by cross-checking against airline databases.
Exploiting the Weakness: SQL Injection Attack
The researchers discovered that the FlyCASS registration system was vulnerable to SQL injection attacks. This security flaw allowed them to gain administrator-level access for a specific airline (Air Transport International) and manipulate employee data. In a controlled test, they successfully added a fictitious employee named “Test TestOnly” to the system, granting this account access to both KCM and CASS.
“Anyone with basic knowledge of SQL injections could access this site and add anyone they wanted to KCM and CASS, allowing them to bypass security checks and gain access to commercial airliner cockpits,” Carroll explained, underscoring the severity of the vulnerability.
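The class of flaw described above, shown as an added example that is not FlyCASS code or the researchers' code: a login lookup built by string concatenation next to the same lookup with bound parameters, plus a small regression check a defender can run. The table layout, account name, function names and sample inputs are all constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table holding one constructed (hypothetical) account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('ops_admin', 'constructed-hash-1', 'admin')")
    return db

def login_vulnerable(db, username, password_hash):
    # Input is pasted into the SQL text, so a quote in it changes the query's structure.
    sql = ("SELECT role FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password_hash):
    # Placeholders send input separately from the SQL text; it stays data.
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None

def quote_safe(login_fn, db):
    """Regression check: a lone quote in input must be treated as data, not break the query."""
    try:
        return login_fn(db, "o'brien", "x") is None
    except sqlite3.OperationalError:
        return False

# Constructed input: the quote closes the string literal and "--" comments out the password test.
CRAFTED_USERNAME = "ops_admin' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, crafted input:   ", login_vulnerable(db, CRAFTED_USERNAME, "wrong"))
    print("parameterized, crafted input:", login_parameterized(db, CRAFTED_USERNAME, "wrong"))
    print("quote_safe(vulnerable):      ", quote_safe(login_vulnerable, db))
    print("quote_safe(parameterized):   ", quote_safe(login_parameterized, db))
```

A SQL error triggered by an ordinary apostrophe in a form field, which `quote_safe` catches, is the kind of signal worth alerting on in application logs and worth asserting against in tests for any third-party service that feeds an authorization system.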
Response and Mitigation
Upon realizing the gravity of the situation, the researchers promptly reported the vulnerability to the Department of Homeland Security (DHS) on April 23, 2024. The DHS acknowledged the seriousness of the issue and confirmed that FlyCASS was disconnected from the KCM/CASS system on May 7, 2024, as a precautionary measure. Shortly after, the vulnerability in FlyCASS was patched.
Conflicting Statements and Concerns
Despite the researchers’ findings, the TSA issued an official statement downplaying the potential consequences of the vulnerability. The agency claimed that existing checks prevent unauthorized access, and it quietly removed contradictory information from its website after being notified of the issue.
Carroll emphasized that the vulnerability could have led to large-scale security breaches, such as altering existing KCM member profiles to bypass checks designed for new participants. This discrepancy between the researchers’ findings and the TSA’s response raises concerns about transparency and the effectiveness of current security measures.
Implications for Aviation Security
This incident highlights the critical importance of robust cybersecurity measures in aviation systems. It demonstrates how vulnerabilities in third-party services can potentially compromise the integrity of established security protocols. As cyber threats continue to evolve, it is crucial for aviation authorities and stakeholders to remain vigilant, regularly audit their systems, and maintain open communication channels with security researchers.
While the immediate threat has been addressed, this event serves as a wake-up call for the aviation industry. It underscores the need for continuous improvement in cybersecurity practices, transparent reporting of vulnerabilities, and swift action to address potential risks. As air travel remains a critical part of global infrastructure, ensuring its security must remain a top priority for all involved parties.