The cybersecurity agency CISA has issued a response following the disclosure of a controversial vulnerability in an application related to airport security systems.
In late August, researchers Ian Carroll and Sam Curry disclosed the details of an SQL injection vulnerability that could allegedly allow threat actors to bypass certain airport security systems.
The security hole was discovered in FlyCASS, a third-party service for airlines participating in the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs.
KCM is a program that enables Transportation Security Administration (TSA) security officers to verify the identity and employment status of crewmembers, allowing pilots and flight attendants to bypass security screening. CASS allows airline gate agents to quickly determine whether a pilot is authorized for an aircraft’s cockpit jumpseat, which is an extra seat in the cockpit that can be used by pilots who are commuting or traveling. FlyCASS is a web-based CASS and KCM application for smaller airlines.
Carroll and Curry discovered an SQL injection vulnerability in FlyCASS that gave them administrator access to the account of a participating airline.
According to the researchers, with this access, they were able to manage the list of pilots and flight attendants associated with the targeted airline. They added a new ‘employee’ to the database to verify their findings.
“Surprisingly, there is no further check or authentication to add a new employee to the airline. As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS,” the researchers explained.
“Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners,” they added.
The researchers said they identified “several more serious issues” in the FlyCASS application, but initiated the disclosure process immediately after finding the SQL injection flaw.
The issues were reported to the FAA, ARINC (the operator of the KCM system), and CISA in April 2024. In response to their report, the FlyCASS service was disabled in the KCM and CASS system and the identified issues were patched.
However, the researchers are displeased with how the disclosure process went, claiming that CISA acknowledged the issue, but later stopped responding. In addition, the researchers claim the TSA “issued dangerously incorrect statements about the vulnerability, denying what we had discovered”.
Contacted by SecurityWeek, the TSA suggested that the FlyCASS vulnerability could not have been exploited to bypass security screening in airports as easily as the researchers had indicated.
It highlighted that this was not a vulnerability in a TSA system and that the impacted application did not connect to any government system, and said there was no impact to transportation security.
“In April, TSA became aware of a report that a vulnerability in a third party’s database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. No government data or systems were compromised and there are no transportation security impacts related to the activities,” a TSA spokesperson said in an emailed statement.
“TSA does not solely rely on this database to verify the identity of crewmembers. TSA has procedures in place to verify the identity of crewmembers and only verified crewmembers are permitted access to the secure area in airports. TSA worked with stakeholders to mitigate against any identified cyber vulnerabilities,” the agency added.
When the story broke, CISA did not issue any statement regarding the vulnerabilities.
The agency has now responded to SecurityWeek’s request for comment, but its statement provides little clarification regarding the potential impact of the FlyCASS flaws.
“CISA is aware of vulnerabilities affecting software used in the FlyCASS system. We are working with researchers, government agencies, and vendors to understand the vulnerabilities in the system, as well as appropriate mitigation measures,” a CISA spokesperson said, adding, “We are monitoring for any signs of exploitation but have not seen any to date.”
Related: American Airlines Pilot Union Recovering After Ransomware Attack
Related: CrowdStrike and Delta Fight Over Who’s to Blame for the Airline Canceling Thousands of Flights
