Security researchers have found a vulnerability in a key air transport security system that allowed unauthorised individuals to potentially bypass airport security screenings and gain access to aircraft cockpits.
Researchers Ian Carroll and Sam Curry discovered the vulnerability in FlyCASS, a third-party web-based service that some airlines use to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). KCM is a Transportation Security Administration (TSA) initiative that allows pilots and flight attendants to skip security screening, and CASS enables authorised pilots to use jump seats in cockpits when travelling.
The KCM system, operated by ARINC (a subsidiary of Collins Aerospace), verifies airline employees’ credentials through an online platform. The process involves scanning a KCM barcode or entering an employee number, then cross-checking with the airline’s database to grant access without requiring a security screening. Similarly, the CASS system verifies pilots for cockpit jump seat access when they need to commute or travel.
The researchers discovered that FlyCASS’s login system was susceptible to SQL injection, a vulnerability in which input supplied by an attacker is interpreted as part of a SQL statement, letting the attacker alter the query the database runs. By exploiting this flaw, they could log in as an administrator for a participating airline, Air Transport International, and manipulate employee data within the system.
They added a fictitious employee, “Test TestOnly,” and granted this account access to KCM and CASS, which effectively allowed them to “skip security screening and then access the cockpits of commercial airliners.”
“Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners,” Carroll said.
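A login check of the kind described above fails when the query is built by pasting user input into the SQL text. The following is an added illustration, not FlyCASS code or the researchers' code: the table, columns, function names and sample account are assumptions constructed for the example, and it uses Python's built-in sqlite3 to put the concatenated query beside the parameterized one.

```python
import hashlib
import sqlite3

def _h(password):
    # SHA-256 stands in for a real password KDF to keep the example short.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed sample data; the schema is an assumption for illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("airline_admin", _h("correct horse"), "admin"))
    return db

def login_concatenated(db, username, password):
    # Vulnerable pattern: input becomes part of the SQL text, so a quote
    # character in it changes the structure of the statement.
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + _h(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    # Hardened pattern: the statement is fixed and values are bound to
    # placeholders, so input is only ever compared as data.
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND pw_hash = ?",
        (username, _h(password))).fetchone()
    return row[0] if row else None

def concatenated_breaks_on_quote(db):
    # A harmless apostrophe already produces a SQL syntax error in the
    # concatenated version; such errors in logs are a sign to review the code.
    try:
        login_concatenated(db, "o'brien", "x")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    crafted = "airline_admin' --"   # constructed input: closes the string, comments out the rest
    print("concatenated :", login_concatenated(db, crafted, "wrong password"))
    print("parameterized:", login_parameterized(db, crafted, "wrong password"))
    print("syntax error on apostrophe:", concatenated_breaks_on_quote(db))
```

With the wrong password, the concatenated version still returns the admin role for the crafted username, while the parameterized version rejects it.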