Cybersecurity researchers Ian Carroll and Sam Curry discovered a SQL injection vulnerability in FlyCASS, a third-party web service used by airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). The flaw allowed unauthenticated access to administrator-level functions — in a controlled test, the researchers added a fictitious employee to the system, granting the account access to bypass security screenings and enter commercial aircraft cockpits.
The Vulnerability: SQL Injection in FlyCASS
Ian Carroll and Sam Curry identified the flaw in the FlyCASS registration system.
These systems are crucial components of the Transportation Security Administration’s (TSA) efforts to streamline security processes for airline crew members.
The KCM program, operated by ARINC (a Collins Aerospace subsidiary), allows pilots and flight attendants to bypass regular security screenings. Similarly, CASS enables licensed pilots to occupy cockpit seats during travel. Both systems rely on a verification process that includes scanning a KCM barcode or entering an employee ID, followed by cross-checking against airline databases.
Exploiting the Weakness: SQL Injection Attack
The researchers discovered that the FlyCASS registration system was vulnerable to SQL injection attacks. This security flaw allowed them to gain administrator-level access for a specific airline (Air Transport International) and manipulate employee data. In a controlled test, they successfully added a fictitious employee named “Test TestOnly” to the system, granting this account access to both KCM and CASS.
“Anyone with basic knowledge of SQL injections could access this site and add anyone they wanted to KCM and CASS, allowing them to bypass security checks and gain access to commercial airliner cockpits,” Carroll explained, underscoring the severity of the vulnerability.
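To make the mitigation concrete, the following added example (not FlyCASS code; the schema, table and account names are constructed) shows a string-built login lookup of the kind the article describes beside its parameterized replacement, so the difference in how user input is handled can be run and checked locally.

```python
import sqlite3

# Constructed, hypothetical schema standing in for an airline-admin
# login table in a crew-access registration back end. Passwords are
# stored in clear only to keep the example short; real code hashes them.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE airline_admins (airline TEXT, username TEXT, password TEXT)")
    db.execute("INSERT INTO airline_admins VALUES ('ATI', 'admin', 'correct-horse')")
    return db

def login_vulnerable(db, username, password):
    """String-built query: the submitted text is spliced into the SQL,
    so a quote or comment sequence in the input changes the query itself.
    Returns the airline the account administers, or None."""
    sql = (f"SELECT airline FROM airline_admins WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    """Parameterized query: the SQL text is fixed and the driver binds the
    input as data, so it can never be parsed as part of the statement."""
    row = db.execute(
        "SELECT airline FROM airline_admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials work in both versions.
    print(login_vulnerable(db, "admin", "correct-horse"))   # ATI
    print(login_hardened(db, "admin", "correct-horse"))     # ATI
    # A username carrying a quote and a comment marker: the string-built
    # query drops its password check; the parameterized one just finds no row.
    print(login_vulnerable(db, "admin' --", "wrong"))        # ATI
    print(login_hardened(db, "admin' --", "wrong"))          # None
```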
Response and Mitigation
Upon realizing the gravity of the situation, the researchers promptly reported the vulnerability to the Department of Homeland Security (DHS) on April 23, 2024. The DHS acknowledged the seriousness of the issue and confirmed that FlyCASS was disconnected from the KCM/CASS system on May 7, 2024, as a precautionary measure. Shortly after, the vulnerability in FlyCASS was patched.
Conflicting Statements and Concerns
Despite the researchers’ findings, the TSA issued an official statement downplaying the potential consequences of the vulnerability. It stated that existing checks prevent unauthorized access, and after being notified of the issue it quietly removed contradictory information from its website.
Carroll emphasized that the flaw could have enabled large-scale profile manipulation: altering existing KCM member records to bypass verification checks designed for new participants, not just adding fictitious accounts. The TSA’s contradictory public response — downplaying consequences while quietly removing its own conflicting statement from its website — raised transparency questions that Carroll documented publicly.
Third-Party Access and Aviation Security: Systemic Implications
The FlyCASS incident illustrates a structural problem in aviation security: high-trust access decisions (cockpit entry, security bypass) are delegated to third-party web services that are not subject to the same security standards as core TSA infrastructure. The fact that a basic SQL injection against a web form could grant the ability to add arbitrary individuals to a crew-member security bypass program represents a significant gap between physical security design and its digital implementation.