In the article "Bypassing airport security via SQL injection," two security researchers recently demonstrated how they executed a simple SQL injection attack on a service that enables pilots and flight attendants to bypass airport security screening. According to the researchers, this vulnerability allowed them to create fictitious users, enabling them to both skip security screening and potentially gain access to the cockpits of commercial airliners.
Security researchers Ian Carroll, founder of Seats.aero, and Sam Curry, a hacker and bug bounty hunter, discovered a vulnerability in FlyCASS, a third-party web-based service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS).
KCM is a Transportation Security Administration (TSA) initiative that allows pilots and flight attendants to bypass security screening, while CASS enables pilots to use jumpseats in cockpits when traveling. Carroll explains:
The employment status check is the most critical component of these processes. If the individual doesn't currently work for an airline, they have not had a background check and should not be permitted to bypass security screening or access the cockpit.
The researchers were investigating vendors that manage authorization systems and discovered FlyCASS, a site offering a web-based interface to the platform designed for small airlines. Carroll writes:
Intrigued, we noticed every airline had its own login page, such as Air Transport International (8C) being available at /ati. With only a login page exposed, we thought we had hit a dead end. Just to be sure though, we tried a single quote in the username as a SQL injection test, and immediately received a MySQL error.
Since the username was directly interpolated into the login SQL query, the researchers were able to log in to FlyCASS as administrators. Because FlyCASS manages both the KCM and CASS systems for its participating airlines, they could access and manage the list of pilots and flight attendants associated with those airlines. Additionally, they found no further checks or authentication required to add a new employee to the airline. Carroll writes:
As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS.
Source: Carroll's blog
SQL Injection is a common security vulnerability that occurs when attacker-supplied data is executed as SQL code. In a popular Reddit thread, most users discuss the improbability of such an attack on modern web applications, with one user, martijnonreddit, writing:
A visible error-based SQL injection, in a system this critical, in 2024? That’s appalling. This deserves more attention.
In a separate thread, user k-mcm adds:
The fact that SQL injections work on anything in the last 20 years is outright ridiculous... you have to really go out of your way to mess this one up.
A significant portion of Carroll’s article is dedicated to the challenges of disclosure, including the difficulties the security researchers faced in identifying the appropriate point of contact and the reaction of the Department of Homeland Security:
On April 23rd, we were able to disclose the issue to the Department of Homeland Security, who acknowledged the issue and confirmed that they "are taking this very seriously". FlyCASS was subsequently disabled in KCM/CASS and later appears to have remediated the issues (...) After the issue was fixed, we attempted to coordinate the safe disclosure of this issue. Unfortunately, instead of working with us, the Department of Homeland Security stopped responding to us, and the TSA press office issued dangerously incorrect statements about the vulnerability, denying what we had discovered.
While the researchers claim that "the TSA attempted to cover up what we found," the Transportation Security Administration emphasizes that their systems do not rely solely on this database to verify the identity of crewmembers. After the researchers' report was released, Alesandro Ortiz, a software engineer and security researcher, reported that FlyCASS appeared to have suffered a MedusaLocker ransomware attack in February, with an analysis revealing encrypted files and a ransom note.