SQL Injection Vulnerability Allowed Bypassing Airport Security and Accessing Airplane Cockpits

SQL Injection Vulnerability Exposed Airport Security and Cockpit Access

Cybersecurity experts have discovered a critical vulnerability in a key aviation security system that allowed unauthorized individuals to bypass airport screenings and gain access to airplane cockpits. Researchers Ian Carroll and Sam Curry identified the flaw in FlyCASS, a third-party web service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS).

How the Vulnerability Worked

The KCM program, run by the U.S. Transportation Security Administration (TSA), allows pilots and flight attendants to skip standard security checks, while CASS lets licensed pilots occupy cockpit seats during travel. The KCM system, managed by ARINC (a Collins Aerospace subsidiary), verifies airline employees’ credentials through a dedicated online platform. To bypass screening, employees must scan their KCM barcode or enter their ID number, which is then cross-checked with the airline’s database. Similarly, CASS verifies pilots who want to sit in the cockpit during trips.

The researchers found that the FlyCASS registration system was vulnerable to SQL injection attacks. Using this flaw, they were able to log in as administrators for a specific airline (Air Transport International) and modify employee data. During testing, they added a fake employee named “Test TestOnly” and granted this account access to both KCM and CASS.
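The flaw class described above, shown as an added example that is not FlyCASS code or code from the researchers: a login check that splices user input into the SQL text, beside the same check with bound parameters. The table, column names, account, password and input string are all constructed for illustration, and the single fixed salt is a shortcut to keep the example brief.

```python
import hashlib
import sqlite3

SALT = b"constructed-salt"  # assumption: one fixed salt; real systems use a per-user salt


def pw_digest(password):
    """Hex PBKDF2 digest of the password, as stored in the constructed table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db():
    """Constructed in-memory table standing in for an admin user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)",
               ("airline_admin", pw_digest("correct horse")))
    return db


def login_vulnerable(db, username, password):
    """Weak pattern: the username becomes part of the SQL statement itself."""
    query = ("SELECT username FROM admins WHERE username = '" + username +
             "' AND pw_hash = '" + pw_digest(password) + "'")
    return db.execute(query).fetchone() is not None


def login_hardened(db, username, password):
    """Bound parameters: input is passed as data and never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM admins WHERE username = ? AND pw_hash = ?",
        (username, pw_digest(password)),
    ).fetchone()
    return row is not None


# Constructed textbook input: closes the string literal, adds a tautology,
# and comments out the password comparison that follows.
INJECTED_USERNAME = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, valid login :", login_vulnerable(db, "airline_admin", "correct horse"))
    print("vulnerable, injected    :", login_vulnerable(db, INJECTED_USERNAME, "x"))
    print("hardened, injected      :", login_hardened(db, INJECTED_USERNAME, "x"))
    print("hardened, valid login   :", login_hardened(db, "airline_admin", "correct horse"))
```

Both functions accept the legitimate credentials, so the weakness is invisible in normal use; only the concatenating version accepts the constructed input without a valid password.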

Potential Security Risks

“Anyone with basic knowledge of SQL injection could have accessed this site and added anyone they wanted to KCM and CASS, allowing them to bypass security checks and gain access to commercial airliner cockpits,” Carroll explained.

Realizing the severity of the issue, the researchers immediately reported the vulnerability to U.S. authorities, contacting the Department of Homeland Security (DHS) on April 23, 2024. They chose not to contact the FlyCASS site administrator directly, as the site appeared to be managed by a single individual and they feared the disclosure might alarm that person.

DHS acknowledged the seriousness of the vulnerability and confirmed that FlyCASS was disconnected from the KCM/CASS system on May 7, 2024, as a precaution. The vulnerability was soon fixed. However, after this, DHS representatives stopped responding to Carroll and Curry’s emails, complicating further disclosure.

TSA’s Response and Ongoing Concerns

The TSA’s press office issued an official statement to the researchers denying any potential consequences from the vulnerability, claiming that existing checks prevent unauthorized access. After receiving the researchers’ report, the TSA quietly removed information from its website that contradicted these statements.

“After we notified the TSA [about the issue], they deleted the section of their website mentioning the need for manual employee ID entry and did not respond to our message. We confirmed that the interface used by TSO still allows manual entry of employee IDs,” Carroll said.

Carroll also emphasized that the vulnerability could have led to large-scale security breaches, such as altering existing KCM member profiles to bypass checks intended for new participants.

Additional Incidents and Industry Reaction

After Carroll and Curry published their report, another cybersecurity expert, Alesandro Ortiz, reported that FlyCASS appeared to have been targeted by the MedusaLocker ransomware group in February 2024.

According to Bleeping Computer, the TSA continues to deny the danger posed by the vulnerability. “In April [2024], the TSA became aware of a vulnerability in a third-party database containing information about airline crew members, and that as a result of testing this vulnerability, an unverified name was added to the crew list. No government data or systems were compromised, and these actions did not affect transportation security,” a TSA spokesperson told the publication. “TSA does not rely solely on this database to verify crew member identities. TSA has procedures in place to verify crew member identities, and only verified crew members are allowed access to secure areas in airports. TSA worked with stakeholders to address all identified cybersecurity vulnerabilities.”
