Friend
An error in the system exposes the protection of airlines.
Researchers discovered a vulnerability in the security system of air transport that allowed unauthorized persons to bypass security checks at airports and gain access to cockpits.
In the course of the study, Ian Carroll and Sam Curry identified a vulnerability in FlyCASS, a third-party web service that some airlines use to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). The KCM program allows pilots and flight attendants to skip the inspection procedure (identification occurs through the presentation of a barcode or employee number), and the CASS system allows pilots to enter the cockpit of the aircraft.
The KCM system, which is operated by ARINC (a subsidiary of Collins Aerospace), verifies the credentials of airline employees through an online platform. The process involves scanning a barcode or entering an employee number, after which the system checks the data against the airline's database, providing access without the need to go through a security check. Similarly, the CASS system confirms the right of pilots to access the cockpit when they need to fly.
The researchers found that the FlyCASS authorization system was susceptible to an attack using SQL injection. An SQL vulnerability allowed experts to log into the system under the guise of an administrator of one of the partner airlines, Air Transport International, and manipulate employee data in the system.
The specialists added a fictitious employee named "Test TestOnly" and gave this account access to KCM and CASS, which allowed the profile to "skip security checks and access the cockpits of commercial airliners."
Realizing the severity of the discovered vulnerability, the researchers contacted the US Department of Homeland Security (DHS) on April 23. Experts decided not to contact the FlyCASS website directly, since, apparently, it was operated by one person, and they feared that the disclosure of information would alarm representatives of the service.
The Department of Homeland Security acknowledged the severity of the problem and said that the FlyCASS service was disconnected from the KCM/CASS system as a precautionary measure on May 7. The vulnerability was soon fixed.
Further attempts at coordination within the framework of secure vulnerability disclosure ran into difficulties after DHS stopped responding to researchers' emails. A spokesperson for the Transportation Security Administration (TSA) also released a statement denying the impact of the vulnerability, claiming that the system verification process prevents unauthorized access. Subsequently, the TSA removed information from the site that contradicted their claims.
According to Carroll, the vulnerability could have led to larger security breaches, such as modifying existing KCM member profiles to bypass new member checks.
Following the publication of the researchers' report, expert Alessandro Ortiz discovered that FlyCASS had also been attacked using the MedusaLocker ransomware in February. This was confirmed by Joe Sandbox's analysis, which showed encrypted files and a ransom note.
The TSA also said that no government data or systems were compromised, and that there were no consequences for transportation security. The TSA stressed that it does not rely solely on the database to verify the identity of crew members and that it has procedures in place to confirm the identity of employees who are allowed access to high-security areas at airports.
Source
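The class of flaw described above (a login query assembled from user input) is shown next to its parameterized fix in this added example, which is not FlyCASS code and not part of the original post. The post gives no details of the real query, so the schema, account, function names and the injected string are all constructed assumptions.

```python
import hashlib
import hmac
import sqlite3

INJECTED_USERNAME = "' OR 1=1 --"  # constructed textbook input, not from the post


def hash_pw(password):
    # Unsalted SHA-256 keeps the demo short; real systems use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed sample data: one airline administrator account.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, "
               "airline TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO users VALUES (?, ?, ?, 1)",
               ("ops_admin", hash_pw("correct horse"), "EXAMPLE-AIR"))
    return db


def login_vulnerable(db, username, password):
    # Weak form: input is pasted into the SQL text, so quote characters in
    # the input change the structure of the WHERE clause.
    query = ("SELECT username, airline FROM users "
             "WHERE username = '%s' AND pw_hash = '%s'"
             % (username, hash_pw(password)))
    return db.execute(query).fetchone()


def login_safe(db, username, password):
    # Hardened form: the placeholder keeps input as data, and the stored
    # hash is compared in application code in constant time.
    row = db.execute("SELECT username, airline, pw_hash FROM users "
                     "WHERE username = ?", (username,)).fetchone()
    if row and hmac.compare_digest(row[2], hash_pw(password)):
        return row[:2]
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, INJECTED_USERNAME, "x"))
    print("safe:      ", login_safe(db, INJECTED_USERNAME, "x"))
```

The vulnerable function returns the administrator row for the constructed input without a valid password, while the parameterized function returns `None` for the same input.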