Security researchers have found a vulnerability in a key air transport security system that allowed unauthorized individuals to potentially bypass airport security screenings and gain access to aircraft cockpits.

Researchers Ian Carroll and Sam Curry discovered the vulnerability in FlyCASS, a third-party web-based service that some airlines use to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). KCM is a Transportation Security Administration (TSA) initiative that allows pilots and flight attendants to skip security screening, and CASS enables authorized pilots to use jumpseats in cockpits when traveling.

The KCM system, operated by ARINC (a subsidiary of Collins Aerospace), verifies airline employees' credentials through an online platform. The process involves scanning a KCM barcode or entering an employee number, then cross-checking with the airline's database to grant access without requiring a security screening. Similarly, the CASS system verifies pilots for cockpit jumpseat access when they need to commute or travel. 

The researchers discovered that FlyCASS's login system was susceptible to SQL injection, a vulnerability that enables attackers to insert SQL statements for malicious database queries. By exploiting this flaw, they could log in as an administrator for a participating airline, Air Transport International, and manipulate employee data within the system.

They added a fictitious employee, "Test TestOnly," and granted this account access to KCM and CASS, which effectively allowed them to "skip security screening and then access the cockpits of commercial airliners."

"Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners," Carroll said.

Realizing the severity of the issue, the researchers immediately began a disclosure process, contacting the Department of Homeland Security (DHS) on April 23, 2024. The researchers decided not to contact the FlyCASS site directly as it appeared to be run by a single person and were afraid the disclosure would alarm them.

The DHS responded, acknowledging the seriousness of the vulnerability, and confirmed that FlyCASS was disconnected from the KCM/CASS system on May 7, 2024, as a precautionary measure. Soon after, the vulnerability was fixed on FyCASS.

However, efforts to further coordinate a safe disclosure of the vulnerability were met with resistance after the DHS stopped responding to their emails.

The TSA press office also sent the researchers a statement denying the vulnerability's impact, claiming that the system's vetting process would prevent unauthorized access. After being informed by the researchers, the TSA also quietly removed information from its website that contradicted its statements.

"After we informed the TSA of this, they deleted the section of their website that mentions manually entering an employee ID, and did not respond to our correction. We have confirmed that the interface used by TSOs still allows manual input of employee IDs," Carroll said.

Carroll also said that the flaw could have allowed for more extensive security breaches, such as altering existing KCM member profiles to bypass any vetting processes for new members.

After the researchers' report was released, another researcher named Alesandro Ortiz discovered that FlyCASS appeared to have suffered a MedusaLocker ransomware attack in February 2024, with a Joe Sandbox analysis showing encrypted files and a ransom note.

The vendor's website might have also been ransomware'd back in February 2024? https://t.co/F9yK3I88JH

Great, scary find.

— Alesandro Ortiz 🇵🇷🏳️‍🌈 (@AlesandroOrtizR) August 29, 2024

"In April, TSA became aware of a report that a vulnerability in a third party's database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. No government data or systems were compromised and there are no transportation security impacts related to the activities," TSA press secretary R. Carter Langston reported.

"TSA does not solely rely on this database to verify the identity of crewmembers. TSA has procedures in place to verify the identity of crewmembers and only verified crewmembers are permitted access to the secure area in airports. TSA worked with stakeholders to mitigate against any identified cyber vulnerabilities."