Safety researchers have discovered a vulnerability in a key air transport safety system that allowed unauthorized people to doubtlessly bypass airport safety screenings and achieve entry to plane cockpits.
Researchers Ian Carroll and Sam Curry found the vulnerability in FlyCASS, a third-party web-based service that some airways use to handle the Identified Crewmember (KCM) program and the Cockpit Entry Safety System (CASS). KCM is a Transportation Safety Administration (TSA) initiative that enables pilots and flight attendants to skip safety screening, and CASS permits approved pilots to make use of jumpseats in cockpits when touring.
The KCM system, operated by ARINC (a subsidiary of Collins Aerospace), verifies airline workers’ credentials by means of a web-based platform. The method entails scanning a KCM barcode or coming into an worker quantity, then cross-checking with the airline’s database to grant entry with out requiring a safety screening. Equally, the CASS system verifies pilots for cockpit jumpseat entry when they should commute or journey.
The researchers found that FlyCASS’s login system was vulnerable to SQL injection, a vulnerability that allows attackers to insert SQL statements for malicious database queries. By exploiting this flaw, they might log in as an administrator for a collaborating airline, Air Transport Worldwide, and manipulate worker knowledge throughout the system.
They added a fictitious worker, “Take a look at TestOnly,” and granted this account entry to KCM and CASS, which successfully allowed them to “skip safety screening after which entry the cockpits of economic airliners.”
“Anybody with fundamental data of SQL injection may login to this web site and add anybody they needed to KCM and CASS, permitting themselves to each skip safety screening after which entry the cockpits of economic airliners,” Carroll mentioned.
Realizing the severity of the problem, the researchers instantly started a disclosure course of, contacting the Division of Homeland Safety (DHS) on April 23, 2024. The researchers determined to not contact the FlyCASS web site straight because it seemed to be run by a single individual and have been afraid the disclosure would alarm them.
The DHS responded, acknowledging the seriousness of the vulnerability, and confirmed that FlyCASS was disconnected from the KCM/CASS system on Might 7, 2024, as a precautionary measure. Quickly after, the vulnerability was mounted on FyCASS.
Nonetheless, efforts to additional coordinate a protected disclosure of the vulnerability have been met with resistance after the DHS stopped responding to their emails.
The TSA press workplace additionally despatched the researchers a press release denying the vulnerability’s impression, claiming that the system’s vetting course of would stop unauthorized entry. After being knowledgeable by the researchers, the TSA additionally quietly eliminated info from its web site that contradicted its statements.
“After we knowledgeable the TSA of this, they deleted the part of their web site that mentions manually coming into an worker ID, and didn’t reply to our correction. We now have confirmed that the interface utilized by TSOs nonetheless permits guide enter of worker IDs,” Carroll mentioned.
Carroll additionally mentioned that the flaw may have allowed for extra intensive safety breaches, akin to altering current KCM member profiles to bypass any vetting processes for brand spanking new members.
After the researchers’ report was launched, one other researcher named Alesandro Ortiz found that FlyCASS appeared to have suffered a MedusaLocker ransomware assault in February 2024, with a Joe Sandbox evaluation displaying encrypted information and a ransom notice.
”In April, TSA grew to become conscious of a report {that a} vulnerability in a 3rd celebration’s database containing airline crewmember info was found and that by means of testing of the vulnerability, an unverified identify was added to a listing of crewmembers within the database. No authorities knowledge or methods have been compromised and there aren’t any transportation safety impacts associated to the actions,” TSA press secretary R. Carter Langston advised BleepingComputer.
“TSA doesn’t solely depend on this database to confirm the identification of crewmembers. TSA has procedures in place to confirm the identification of crewmembers and solely verified crewmembers are permitted entry to the safe space in airports. TSA labored with stakeholders to mitigate in opposition to any recognized cyber vulnerabilities.”
BleepingComputer additionally contacted the DHS earlier right this moment, however a spokesperson was not instantly accessible for remark.