Flaws in a third-party app that allows smaller airlines to upload pilots and flight crew onto pre-cleared lists could have helped 'fake pilots' skip key security screenings.
The bug would have let malicious actors add anyone they wished to the Known Crewmember program database — which lets the Transportation Security Administration (TSA) identify airline staff who can bypass their security checkpoints.
The two cybersecurity researchers, 'bug bounty hunters,' who found the flaw said that they had privately reported the issue last April to both the Federal Aviation Administration and the US Department of Homeland Security, which runs the TSA.
The troubling discovery follows a TSA report that 300 people have evaded airport security since March 2023: 'a larger number than we realized,' the agency said.
Only the FAA has taken appropriate action, they said, adding 'the TSA press office issued dangerously incorrect statements about the vulnerability.'
The pair of security researchers, Ian Carroll and Sam Curry, said they uncovered the vulnerability in login systems for the third-party website of the vendor FlyCASS.
FlyCASS allows small airline clients the ability to upload their air crews' information to both the TSA's Known Crewmember (KCM) system and FAA's Cockpit Access Security System (CASS).
'Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS,' the duo said, 'allowing themselves to both skip security screening and then access the cockpits of commercial airliners.'
'We realized we had discovered a very serious problem,' Carroll and Curry added.
Computer science experts at the University of California at Berkley have described SQL injections as 'one of the most common web attack mechanisms utilized by attackers to steal sensitive data from organizations.'
The technique leverages a common issue with the Structured Query Language (SQL) used to host databases of information on the web.
The attack allows a hacker to upload actionable SQL code into user interfaces like contact forms on websites or, in this case, the FlyCASS web-based app for airlines.
Using a series of basic SQL injections, the security researchers were first able to gain administration privileges in FlyCASS for the small, Ohio-based cargo airline Air Transport International.
Carroll and Curry reported that they were then able to upload a fake airline employee for Air Transport International, named 'Test TestOnly' with an ID photo and were able to authorize 'TestOnly' for both KCM and CASS access.
TSA press secretary R. Carter Langston denied that the security researchers' findings were as dire as the duo claimed.
TSA, according to Langston, 'does not solely rely on this database to verify the identity of crewmembers.'
'TSA has procedures in place to verify the identity of crewmembers,' Langston told Bleeping Computer, 'and only verified crewmembers are permitted access to the secure area in airports.'
'No government data or systems were compromised and there are no transportation security impacts related to the activities,' the agency spokesperson emphasized.
In an update to their report, Carroll and Curry pushed back, noting that the admin privileges they were able to hack their way into allowed them to also edit already existing profiles in the Known Crewmember database, not just add new ones.
'Since our vulnerability allowed us to edit an existing KCM member,' they said, 'we could have changed the photo and name of an existing enrolled user, which would likely bypass any vetting process that may exist for new members.'
