Wednesday, 13 Nov 2024

Researchers say a bug let them add fake pilots to rosters used for TSA checks

A pair of security researchers say they discovered a vulnerability in login systems for records that the Transportation Security Administration (TSA) uses to verify airline crew members at airport security checkpoints. The bug let anyone with a “basic knowledge of SQL injection” add themselves to airline rosters, potentially letting them breeze through security and into the cockpit of a commercial airplane, researcher Ian Carroll wrote in a blog post in August.Carroll and his partner, Sam Curry, apparently discovered the vulnerability while probing the third-party website of a vendor called FlyCASS that provides smaller airlines access to the TSA’s Known Crewmember (KCM) system and Cockpit Access Security System (CASS). They found that


Researchers say a bug let them add fake pilots to rosters used for TSA checks
1.6 k views

A pair of security researchers say they discovered a vulnerability in login systems for records that the Transportation Security Administration (TSA) uses to verify airline crew members at airport security checkpoints. The bug let anyone with a "basic knowledge of SQL injection" add themselves to airline rosters, potentially letting them breeze through security and into the cockpit of a commercial airplane, researcher Ian Carroll wrote in a blog post in August.

Carroll and his partner, Sam Curry, apparently discovered the vulnerability while probing the third-party website of a vendor called FlyCASS that provides smaller airlines access to the TSA's Known Crewmember (KCM) system and Cockpit Access Security System (CASS). They found that when they put a simple apostrophe into the username field, they got a MySQL error.

This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and password of ') OR MD5('1')=MD5('1, we were able to login to FlyCASS as an administrator of Air Transport International!

Once they were in, Carroll writes that there was "no further check or authentication" preventing them from adding crew records and photos for any airline that uses FlyCASS. Anyone who might have used the vulnerability could present a fake employee number to get through a KCM security checkpoint, the blog says.

TSA press secretary R. Carter Langston denied that, telling Bleeping Computer that the agency "does not solely rely on this database to authenticate flight crew, and that "only verified crewmembers are permitted access to the secure area in airports."

you may also like

First-Ever Emperor Penguin Spotted on Australian Beach: Gus’s 2,200-Mile Journey Highlights Climate Change Challenges for Wildlife Migration and Conservation Efforts
  • by travelandtourworld
  • descember 09, 2016
First-Ever Emperor Penguin Spotted on Australian Beach: Gus's 2,200-Mile Journey Highlights Climate Change Challenges for Wildlife Migration and Conservation Efforts

In a surprising twist for Australia’s wildlife scene, an emperor penguin has been spotted on Ocean Beach in Denmark, Western Australia, marking the first recorded sighting of this Antarctic species on the continent. This lone traveler, affectionately nicknamed Gus, has astonished locals and raised questions about the environmental forces that might have led him so far from his icy home. Discovered on November 1, Gus’s unexpected appearance, 2,200 miles from his native Antarctic habitat, has captivated wildlife enthusiasts, tourists, and scientists alike, highlighting the broader implications of climate change and shifts in marine currents.

read more