Flaws in a third-party app that allowed smaller airlines to place pilots and crew on pre-approved lists are believed to have allowed “fake pilots” to bypass key safety checks.
The bug would allow attackers to add anyone they wanted to the Known Crewmember program database, which allows the Transportation Security Administration (TSA) to identify airline personnel who can bypass their security checkpoints.
The two cybersecurity researchers, or “bug bounty hunters,” who discovered the flaw said they privately reported the issue last April to both the Federal Aviation Administration and the U.S. Department of Homeland Security, which manages the TSA.
The disturbing discovery follows a report from the TSA that found 300 people have evaded airport security since March 2023, “a higher number than we thought,” the agency said.
Flaws in the third-party app FlyCASS, which allows smaller airlines to upload pilots and crew to pre-approved TSA lists, may have helped “fake pilots” bypass security checkpoints, cybersecurity researchers say. Above, TSA screenings in action at Denver International Airport in 2019
Only the FAA took appropriate action, they said, adding that “the TSA press office made dangerously inaccurate statements about the vulnerability.”
The duo of security researchers, Ian Carroll And Sam Currysaid they had discovered a vulnerability in the login systems of the external website of the supplier FlyCASS.
FlyCASS allows small airlines to upload their crew data to both the TSA’s Known Crewmember (KCM) system and the FAA’s Cockpit Access Security System (CASS).
“Anyone with basic knowledge of SQL injection could log into this site and add anyone they wanted to KCM and CASS,” the duo said. “This allowed them to bypass security and gain access to the cockpits of commercial aircraft.”
“We realized we had discovered a very serious problem,” Carroll and Curry added.
Computer science experts from the University of California at Berkley have described SQL injections as “one of the most common web attack mechanisms used by attackers to steal sensitive data from organizations.”
This technique exploits a common problem with the Structured Query Language (SQL) used to host databases of information on the Web.
This attack allows a hacker to upload usable SQL code into user interfaces such as contact forms on websites or, in this case, the web-based FlyCASS airline app.
Using a series of simple SQL injections, security researchers were the first to gain administrative privileges in FlyCASS for the small Ohio-based cargo airline Air Transport International.
Carroll and Curry reported that they were then able to upload a fake airline employee for Air Transport International, using the name “Test TestOnly” and an ID photo. They were able to authorize “TestOnly” for both KCM and CASS access.
TSA spokesman R. Carter Langston denied that the security investigators’ findings were as serious as the duo claimed.
Using ‘SQL injection’ techniques, security researchers were able to gain administrative privileges in FlyCASS for the small Ohio-based cargo airline Air Transport International
Carrol and Curry reported that they were able to upload a fake airline employee named ‘Test TestOnly’ (above) and authorize the fake employee for both KCM and CASS access
The two cybersecurity researchers have now also accused the TSA of making “dangerously inaccurate statements about the vulnerability,” thereby minimizing the risk it could pose to air travel.
According to Langston, the TSA “does not rely solely on this database to verify the identities of crew members.”
“TSA has procedures in place to verify the identity of crew members,” Langston said Beeping computer‘And only verified crew members are allowed access to secure areas at airports.’
“No government data or systems were compromised and the activities have no impact on the safety of transportation,” the agency spokesman stressed.
In an update Carroll and Curry responded to their report by stating that the administrative privileges they managed to hack also allowed them to edit existing profiles in the known crew member database, not just add new profiles.
“Because our vulnerability allowed us to edit an existing KCM member,” they said, “we could have changed the photo and name of an existing registered user, likely bypassing any vetting process that may be in place for new members.”