Cybersecurity researchers discovered a vulnerability in the Known Crewmember (KCM) system, a TSA program that allows airline pilots and flight attendants to bypass security screening.
The flaw, which could potentially compromise the safety of millions of air travelers, was found by researchers Ian Carroll and Sam Curry in a system operated by FlyCASS – a service used by smaller airlines to manage KCM and Cockpit Access Security System (CASS) authorizations.
Gaining Administrative Access
KCM and CASS are crucial security programs that streamline airport security checks for airline personnel. KCM enables pilots and flight attendants to bypass regular security lines by verifying their employment status with the airline, while CASS allows authorized pilots to occupy cockpit jumpseats during flights.
Both programs rely on robust employment verification to ensure only active airline employees can use these privileges.
The researchers discovered the vulnerability in FlyCASS, a web-based service used by smaller airlines to manage KCM and CASS authorizations. Upon inspecting the FlyCASS website, they noticed a critical SQL injection flaw in the login page. By submitting a simple SQL injection through that page, they gained administrative access to Air Transport International’s (ATI) FlyCASS system.
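The following is an added example, not code from FlyCASS or from the researchers: a minimal login check showing how SQL built by string concatenation lets input alter the query, next to a hardened version that uses parameter binding. The schema, account name, function names and test input are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

def hash_pw(password):
    # Unsalted SHA-256 keeps the demo short; production code should use a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed sample data in a hypothetical schema (not the real system's).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("ops_admin", hash_pw("correct horse"), "admin"))
    return db

def login_vulnerable(db, username, password):
    # BEFORE: user input is concatenated into the SQL text, so quote
    # characters in it change the structure of the WHERE clause.
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + hash_pw(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    # AFTER: the driver binds the value as data; it is never parsed as SQL.
    row = db.execute("SELECT pw_hash, role FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    # Compare the stored and computed hashes in application code, in constant time.
    if not hmac.compare_digest(row[0], hash_pw(password)):
        return None
    return row[1]

# Constructed textbook input: a quote followed by an always-true condition.
TAUTOLOGY = "' OR '1'='1' --"

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(make_db(), TAUTOLOGY, "x"))
    print("hardened:  ", login_hardened(make_db(), TAUTOLOGY, "x"))
```

The same input that returns an admin role from the concatenated query returns nothing from the bound query, because the quote is treated as part of the username value.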
Bypassing Stringent Verification Processes
With administrative privileges, the researchers could add unauthorized individuals to the KCM and CASS systems, bypassing the stringent employment verification process. This meant anyone with basic SQL injection knowledge could gain access to restricted airport areas and even cockpits without undergoing security screening.
To test the system, the researchers created a fake employee profile and successfully authorized it for KCM and CASS access. Using FlyCASS’s query features, they confirmed that their test user was approved to bypass security checkpoints and access aircraft cockpits. This glaring vulnerability exposed a significant risk to aviation security, allowing malicious actors to exploit the system easily.
“We’re Taking this Very Seriously”
The researchers promptly reported the vulnerability to the Department of Homeland Security (DHS). The DHS acknowledged the issue, stating they were “taking this very seriously.” FlyCASS was subsequently disabled from participating in KCM and CASS programs, and the vulnerability has since been addressed.
However, the researchers faced challenges in coordinating the disclosure process. Despite their efforts, the TSA press office issued a statement downplaying the severity of the vulnerability, inaccurately claiming that the flaw could not be used to bypass KCM checkpoints.
The researchers countered this claim, pointing out that TSA personnel can manually enter employee IDs, rendering the TSA’s vetting process ineffective in some instances.
The TSA later deleted a section of its website that mentioned the manual input of employee IDs but did not respond to further inquiries from the researchers. The researchers said the TSA’s lack of transparency and communication has raised concerns within the cybersecurity community.
Protecting Transportation
This incident shines a light on the dire need for stronger security measures in systems that protect sensitive areas of transportation infrastructure. The vulnerability in FlyCASS not only jeopardized the integrity of the KCM and CASS programs but also exposed potential gaps in the TSA’s vetting processes.
As cybersecurity threats continue to evolve, robust defenses and timely disclosures are essential to safeguarding public safety. This incident is a stark reminder that even seemingly secure systems can be vulnerable to exploitation, with potentially devastating consequences.
The discovery of this vulnerability highlights the importance of rigorous security testing and transparent communication between researchers and governmental agencies to ensure the traveling public’s safety.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.