Security researchers Sam Curry and Ian Carroll discovered a vulnerability in an air transport security system that could have allowed unauthorized individuals to bypass airport security screening and even gain access to aircraft cockpits.
KCM and CASS
Airport security has a dedicated lane called Known Crewmember (KCM) that allows pilots and flight attendants to bypass the normal security screening. A crewmember enters this lane and presents their KCM barcode and other identification to a TSA agent, who verifies the crewmember's employment status with their airline. If the check succeeds, the employee skips screening and goes straight to work.
A similar system exists for cockpit access, called the Cockpit Access Security System (CASS). Every airliner cockpit has a jump seat, in addition to the pilot and copilot seats, which can be used by pilots who need to commute or travel and cannot take a regular seat in the cabin. CASS lets the gatekeeper of the flight, typically the captain, verify whether the person asking for the jump seat is an authorized pilot.
In both systems the decisive check is employment status: a person is allowed to skip screening or be granted cockpit access only if their airline confirms they are a current employee. When a crewmember reaches the KCM lane or requests a jump seat through CASS, the request is checked against that airline's records before they are let through.
To ensure seamless communication between various airlines’ employee databases and the KCM/CASS system, ARINC, a TSA-contracted organization, provides two essential components:
- Online Portal: Crew members can check their KCM status on this website.
- API: This interface enables communication between different airlines’ authorization systems and the ARINC hub.
Each airline runs its own system for managing which employees are authorized for KCM and CASS, but all of them connect to the ARINC hub to share and verify that information. Any system that feeds the hub is therefore trusted to decide who can skip screening and who can enter a cockpit.
The Vulnerability
FlyCASS is a third-party authorization system used by a number of small airlines. It provides a web-based interface that airlines use to manage their KCM and CASS authorizations.
Sam and Ian discovered that entering a single quote into the FlyCASS login page triggered a database error message, a classic sign that user input was being placed directly into an SQL query, i.e. SQL injection (SQLi). Such a flaw lets an attacker alter the query the application runs against its database and potentially gain unauthorized access. They confirmed the injection with sqlmap, a widely used tool for detecting and exploiting SQL injection flaws.
- SQL is the standard language for querying and manipulating relational databases.
- SQLi is a code injection technique against data-driven applications: malicious SQL is placed in an input field so that it becomes part of the query the application executes.
- sqlmap is a popular open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws.
By exploiting the SQLi further, the researchers obtained administrator access for one of the airlines using FlyCASS and used it to get a test user approved for both KCM and CASS.
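To make the bug class concrete, here is an added example that is not code from the researchers' write-up or from FlyCASS: a minimal Python/SQLite login check written in the vulnerable string-concatenation style next to the parameterized fix, plus the single-quote versus double-quote probe a tester uses before reaching for sqlmap. The table, accounts, column names and passwords are all constructed for the illustration; nothing here reflects FlyCASS's real schema.

```python
import sqlite3

# Constructed sample data standing in for an airline's authorization database.
# Passwords are stored in plaintext only to keep the example short; a real system
# would store a salted hash.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("airline_admin", "s3cret", 1), ("pilot42", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by concatenating user input into the SQL text.

    A lone quote in the username unbalances the string literal and the database
    raises an error (the symptom described in the article); a quote followed by
    a comment marker lets the attacker cut the password check off the query.
    Returns the matched (username, is_admin) row or None.
    """
    query = (
        "SELECT username, is_admin FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the input is passed to the driver as
    data and never parsed as SQL, so quotes and comment markers are inert."""
    query = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def probe(login, username: str, password: str):
    """Run one login attempt against a fresh database and classify the outcome:
    ('sql_error', message), ('denied', None), ('user', name) or ('admin', name)."""
    try:
        row = login(build_db(), username, password)
    except sqlite3.OperationalError as exc:
        return ("sql_error", str(exc))
    if row is None:
        return ("denied", None)
    return ("admin" if row[1] else "user", row[0])


def looks_injectable(login) -> bool:
    """Manual SQLi heuristic: a single quote breaks the query while two quotes
    (a valid escaped quote inside a string literal) do not. That asymmetry is
    what an error message on a lone quote reveals, and what sqlmap automates."""
    one = probe(login, "'", "x")[0]
    two = probe(login, "''", "x")[0]
    return one == "sql_error" and two != "sql_error"


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_safe)):
        print(f"== {name} login ==")
        print("injectable?      ", looks_injectable(fn))
        print("lone quote:      ", probe(fn, "'", "x"))
        print("comment bypass:  ", probe(fn, "airline_admin' --", "anything"))
        print("real credentials:", probe(fn, "pilot42", "hunter2"))
```

The `airline_admin' --` payload is the point of the article in miniature: against the concatenated query it logs the attacker in as the administrator without a password, and from an administrator session adding a new approved crewmember is an ordinary application feature. The parameterized version returns "denied" for every payload and only succeeds with the real credentials.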
As a result, anyone with a basic understanding of SQL injection could have exploited this flaw to:
- Gain unauthorized access: by injecting SQL through the login page, an attacker could bypass authentication and obtain administrative privileges in FlyCASS.
- Add unauthorized users: from an administrator session, they could add themselves or others as approved crewmembers for KCM and CASS, and those records would be trusted by the ARINC hub.
- Bypass screening and reach cockpits: the fake crewmember could then skip airport security screening through KCM and request cockpit jump seat access through CASS, a serious risk to the safety of passengers and crew.
The issue was disclosed to the responsible parties and has since been fixed.