TSA airport security controls thwarted by SQL injection

Security researchers in the USA have succeeded in deceiving the FlyCASS security system via SQL injection and thus circumventing access blocks.


(Image: Jaromir Chalabala/Shutterstock.com)

This article was originally published in German and has been automatically translated.

The two security researchers Ian Carroll and Sam Curry have apparently managed to exploit a vulnerability in the online platform of the FlyCASS control system to gain access to security areas that are normally reserved for crew members. The fraudulently obtained access authorization is even said to have extended to areas such as aircraft cockpits. This was made possible through the central access system of the US Transportation Security Administration (TSA), called Known Crewmember (KCM).

To gain access, a KCM barcode is scanned or an employee number is entered, for example, and the value is then checked against the airline's database. If the data matches, the system on site grants the flight crew access without further security checks. A similar system, the Cockpit Access Security System (CASS), controls access to the cockpit. It is used, for example, by pilots who want to use the cockpit jump seat (folding seat) for commuting or traveling.

Carroll first reported on this security vulnerability in a blog post. Access to the KCM system was gained via the FlyCASS website, which offers smaller airlines a web interface to the Cockpit Access Security System (CASS). Via SQL injection, it was possible to view and manipulate flight crew data from several airlines in the USA. The researchers were also able to log in as the administrator of the US cargo airline Air Transport International (ATI) via SQL injection. Using this account, it was then easy to view and edit lists of the airline's pilots and flight personnel.
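The class of flaw described above, a login or lookup query assembled from untrusted input, is easiest to see side by side with its fix. The following is an added example written for this article; it is not FlyCASS, KCM or CASS code, and the crew table, employee numbers and names in it are constructed. It shows a lookup built by string concatenation, the same lookup with a bound parameter, and an allowlist check on the employee number as a second layer of defense.

```python
import re
import sqlite3

# Constructed sample roster standing in for an airline's employee table.
# Nothing here is taken from any real airline or access-control system.
CREW = [
    ("10001", "Example Pilot", "captain"),
    ("10002", "Example Officer", "first_officer"),
]

# Expected shape of an employee number in this toy system: digits only.
EMPLOYEE_ID_PATTERN = re.compile(r"^[0-9]{5}$")


def make_db():
    """Create an in-memory SQLite database holding the constructed roster."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crew (employee_id TEXT PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO crew VALUES (?, ?, ?)", CREW)
    return conn


def lookup_vulnerable(conn, employee_id):
    """Query built by concatenation: the caller's text becomes part of the SQL.

    A value such as  x' OR '1'='1  turns the WHERE clause into a tautology
    and returns every crew record instead of none.
    """
    sql = "SELECT name, role FROM crew WHERE employee_id = '" + employee_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, employee_id):
    """Query with a bound parameter: the input is always data, never SQL syntax."""
    sql = "SELECT name, role FROM crew WHERE employee_id = ?"
    return conn.execute(sql, (employee_id,)).fetchall()


def validate_employee_id(employee_id):
    """Defense in depth: reject anything that is not shaped like an employee number."""
    return EMPLOYEE_ID_PATTERN.match(employee_id) is not None


def is_authorized(rows):
    """Access decision: grant only when exactly one crew record matched."""
    return len(rows) == 1


def check_access(conn, employee_id):
    """Hardened access check: allowlist the input, then use the parameterized lookup."""
    if not validate_employee_id(employee_id):
        return False
    return is_authorized(lookup_safe(conn, employee_id))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # returns every row
    print("safe:      ", lookup_safe(db, probe))         # returns nothing
    print("authorized:", check_access(db, probe))        # False
```

The parameterized query alone closes the injection; the format check is there so that malformed input is refused before it reaches the database at all, which also gives a clean point at which to log and alert on such requests.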

Adding new fictitious employees and assigning access rights to them was also apparently straightforward. "Anyone with basic knowledge of SQL injections could log into this website and add any user to KCM and CASS, allowing them to bypass security controls and gain access to the cockpit of a commercial airliner," Carroll explained.

According to Carroll, the security gap in the FlyCASS online portal has now been closed. The researchers contacted the Homeland Security Agency in the USA directly. According to the researchers, resolving the problem by contacting the FlyCASS portal operators directly seemed too risky, as the service is apparently operated by a single person.

(nie)