Researchers Ian Carroll and Sam Curry announced, in late August 2024, that a security vulnerability exists within an application used by airport security systems. Discovered in FlyCASS, a third-party web-based service used for airlines that participate in the Cockpit Access Security System (CASS) and Known Crewmember (KCM), the vulnerability is an SQL injection.
All but the smallest airlines will use FlyCASS in some way; it is an important component to ensuring airline security. KCM allows Transport Security Administration (TSA) officers to confirm the identity and employment status of airline crew members who are then able to bypass standard security screening. At the same time, CASS lets airline gate agents know if a pilot is allowed to sit on board in the cockpit jumpseat.
Mercifully, Carroll and Curry found that via an SQL injection they were able to root the account of one airline actually participating in their research: This would allow them to manipulate the list of airline crew members and they could add additional people aware in short notice. That flaw it has the exposed which allow attackers to pass over some airport security measures.
The cyber vulnerabilities in the FlyCASS application represented a major threat to airport security systems. The researchers also said that the system could be easily manipulated by anyone with even limited knowledge of SQL injection because it allowed them to bypass security screening and enter cockpits. In April 2024, they promptly notified the Federal Aviation Administration (FAA), KCM system operator ARINC3 and the Cybersecurity and Infrastructure Security Agency (CISA) about their findings.
The KCM and CASS systems proactively disabled FlyCASS, while the identified vulnerabilities were quickly shored up. Still, the researchers were critical of it as a whole, particularly on how TSA reacted to what they discovered.
The TSA did confirm that it received the report about FlyCASS, however, they said some of the researchers’ assertions were untrue. The TSA said that “the specific details of the test are classified” but did confirm it is not a hacker’s dream scenario, and added that there was no breach to any government system. TSA officials said the agency does have several measures in place to confirm an airline crewmember’s identity, and that this loophole was not considered a major systemic threat.
A TSA spokesman noted the agency collaborated with stakeholders to fix security weaknesses identified in the report. The TSA said no government data was accessed, and further protocols existed to confirm the identities of crew members.
CISA failed to release a statement initially on the cloud services alert In answer to an inquiry for remark, CISA affirmed it knew about the vulnerabilities influencing the FlyCASS framework. The agency said it is teaming up with researchers, government agencies and vendors to take a closer look at the problem and put in place appropriate security measures.
CISA mentioned it has so far not been able to identify signs of exploitation but is currently watching the case very closely. TSA is still dedicated to protecting the nation’s transportation systems and will continue to work with aviation partners on how best we can mitigate such risks.
FlyCASS vulnerability discovery reveals the need for robust third-party application security to protect critical infrastructure such as airport security systems. Although the problem was quickly rectified, it is a reminder for airlines and security forces to remain vigilant on cyber weaknesses.
Smaller airlines now have a cyber web based solution to verify the crew identity with programs like CASS or KCM It helps to expedite boarding, with the aim of allowing crew members to bypass routine security checks.
A recently disclosed SQL injection vulnerability in FlyCASS could have potentially been exploited by malicious individuals to evade certain security layers at airports.
The finding was recognized by CISA, which collaborated with other agencies and vendors to assess vulnerable versions. They also checked for abuse, but found none.
The TSA emphasized that the flaw did not affect any government systems or data and said it had instituted additional procedures for confirming whether individuals being issued credentials are indeed airline crew members.
Several issues were identified and fixed to prevent exploitation for both the KCM and CASS programs, temporarily disabling the FlyCASS within those systems.