Cybersecurity researchers have uncovered a critical vulnerability in an airport security system that verifies airline crew members. The flaw could have allowed unauthorized individuals to bypass security screening and access secure areas of airports, including aircraft cockpits.
The issue was discovered in a system called FlyCASS, which is used by some smaller airlines to participate in the Known Crewmember (KCM) program and Cockpit Access Security System (CASS). These programs allow verified airline crew to bypass regular passenger security screening and access aircraft cockpits when traveling.
According to the researchers' findings, the FlyCASS system contained a basic SQL injection vulnerability in its login page. This flaw allowed the researchers to gain unauthorized administrator access to airline accounts within the system.
Once logged in as an administrator, they found they could add new employees to an airline's roster of authorized KCM and CASS users without any additional verification. The researchers were able to create a test employee account that was then approved for both KCM and CASS access.
"At this point, we realized we had discovered a very serious problem," the researchers stated in their blog post. "Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners."
The vulnerability was responsibly disclosed to the U.S. Department of Homeland Security in April 2024. Officials acknowledged the issue and confirmed they were taking it seriously. The FlyCASS system was subsequently disconnected from KCM/CASS while the vulnerabilities were addressed.
The TSA press office said in a statement that this vulnerability could not be used to access a KCM checkpoint because the TSA initiates a vetting process before issuing a KCM barcode to a new member.
However, the researcher noted, "a KCM barcode is not required to use KCM checkpoints, as the TSO can enter an airline employee ID manually."
They also noted potential additional attack vectors, such as modifying existing KCM member records to change names and photos.