CISA Breaks Silence on Controversial ‘Airport Security Bypass’ Vulnerability 

Researchers and the TSA have different views on the impact of vulnerabilities in an airport security application that could allegedly allow the bypass of certain airport security systems.


The cybersecurity agency CISA has issued a response following the disclosure of a controversial vulnerability in an application related to airport security systems.

In late August, researchers Ian Carroll and Sam Curry disclosed the details of an SQL injection vulnerability that could allegedly allow threat actors to bypass certain airport security systems. 

The security hole was discovered in FlyCASS, a third-party service for airlines participating in the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs. 

KCM is a program that enables Transportation Security Administration (TSA) security officers to verify the identity and employment status of crewmembers, allowing pilots and flight attendants to bypass security screening. CASS allows airline gate agents to quickly determine whether a pilot is authorized for an aircraft’s cockpit jumpseat, which is an extra seat in the cockpit that can be used by pilots who are commuting or traveling. FlyCASS is a web-based CASS and KCM application for smaller airlines.

Carroll and Curry discovered an SQL injection vulnerability in FlyCASS that gave them administrator access to the account of a participating airline.

According to the researchers, with this access, they were able to manage the list of pilots and flight attendants associated with the targeted airline. They added a new ‘employee’ to the database to verify their findings. 

“Surprisingly, there is no further check or authentication to add a new employee to the airline. As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS,” the researchers explained. 

“Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners,” they added.
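The two weaknesses the researchers describe, a login query that can be subverted with SQL injection and a privileged "add employee" action that is gated by nothing beyond the resulting admin session, are illustrated below in a small, self-contained Python/SQLite model. This is an added example and not FlyCASS's code; the table names, the `airline_admins`/`crew`/`audit` schema, the two-person approval rule and the sample accounts are all assumptions made for the illustration, and passwords are stored in plaintext purely for brevity.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE airline_admins (username TEXT, password TEXT)")
    # Plaintext password for brevity only; a real system stores a slow salted hash.
    conn.execute("INSERT INTO airline_admins VALUES ('admin', 'correct-horse')")
    conn.execute("CREATE TABLE crew (airline TEXT, name TEXT, program TEXT)")
    conn.execute("CREATE TABLE audit (actor TEXT, approver TEXT, name TEXT, program TEXT)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query text assembled by string formatting: input becomes SQL syntax."""
    sql = ("SELECT username FROM airline_admins WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same lookup with bound parameters: input is data, never SQL."""
    sql = "SELECT username FROM airline_admins WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def add_crewmember_vulnerable(conn, session_user, airline, name, program):
    """Mirrors the condition the researchers describe: once the session is an
    airline admin, nothing further gates enrolling someone in KCM/CASS."""
    if session_user is None:
        raise PermissionError("not logged in")
    conn.execute("INSERT INTO crew VALUES (?, ?, ?)", (airline, name, program))
    conn.commit()
    return True


def add_crewmember_fixed(conn, session_user, airline, name, program, approver):
    """Hypothetical hardening: a distinct second approver must sign off and the
    change is audited, so one compromised admin session cannot silently add
    a new 'employee' to a screening-bypass list."""
    if session_user is None:
        raise PermissionError("not logged in")
    if approver is None or approver == session_user:
        raise PermissionError("two-person approval required for %s enrolment" % program)
    if program not in ("KCM", "CASS"):
        raise ValueError("unknown program: %r" % program)
    conn.execute("INSERT INTO crew VALUES (?, ?, ?)", (airline, name, program))
    conn.execute("INSERT INTO audit VALUES (?, ?, ?, ?)",
                 (session_user, approver, name, program))
    conn.commit()
    return True


def list_crew(conn, airline):
    """Names currently authorised for the given airline."""
    rows = conn.execute("SELECT name FROM crew WHERE airline = ?", (airline,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    # A classic comment-terminated payload logs in without knowing the password.
    print(login_vulnerable(db, "admin' --", "anything"))   # admin
    print(login_fixed(db, "admin' --", "anything"))        # None
    add_crewmember_vulnerable(db, "admin", "ExampleAir", "Mallory", "KCM")
    print(list_crew(db, "ExampleAir"))
```

The payload `admin' --` turns the rest of the vulnerable query into a comment, so the password clause is never evaluated; with bound parameters the same string is simply compared, byte for byte, against the stored username and fails. The fix for the second issue is a design change rather than a one-line patch: an action whose effect is "this person may skip screening and sit in the cockpit" should require more than the session that the injection hands out, which is why the hardened version insists on a second, distinct approver and an audit record.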


The researchers said they identified “several more serious issues” in the FlyCASS application, but initiated the disclosure process immediately after finding the SQL injection flaw.

The issues were reported to the FAA, ARINC (the operator of the KCM system), and CISA in April 2024. In response to their report, the FlyCASS service was disabled in the KCM and CASS system and the identified issues were patched. 

However, the researchers are displeased with how the disclosure process went, claiming that CISA acknowledged the issue, but later stopped responding. In addition, the researchers claim the TSA “issued dangerously incorrect statements about the vulnerability, denying what we had discovered”.

Contacted by SecurityWeek, the TSA suggested that the FlyCASS vulnerability could not have been exploited to bypass security screening in airports as easily as the researchers had indicated. 

It highlighted that this was not a vulnerability in a TSA system and that the impacted application did not connect to any government system, and said there was no impact to transportation security. The TSA said the vulnerability was immediately resolved by the third party managing the impacted software.

“In April, TSA became aware of a report that a vulnerability in a third party’s database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. No government data or systems were compromised and there are no transportation security impacts related to the activities,” a TSA spokesperson said in an emailed statement. 

“TSA does not solely rely on this database to verify the identity of crewmembers. TSA has procedures in place to verify the identity of crewmembers and only verified crewmembers are permitted access to the secure area in airports. TSA worked with stakeholders to mitigate against any identified cyber vulnerabilities,” the agency added.

When the story broke, CISA did not issue any statement regarding the vulnerabilities. 

The agency has now responded to SecurityWeek’s request for comment, but its statement provides little clarification regarding the potential impact of the FlyCASS flaws. 

“CISA is aware of vulnerabilities affecting software used in the FlyCASS system. We are working with researchers, government agencies, and vendors to understand the vulnerabilities in the system, as well as appropriate mitigation measures,” a CISA spokesperson said, adding, “We are monitoring for any signs of exploitation but have not seen any to date.” 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
