Tired of airport security queues? SQL inject yourself into the cockpit, claim researchers

Cybersecurity researchers Ian Carroll and Sam Curry have discovered a vulnerability that allowed them to skip US airport security checks and even fly in the cockpit on some scheduled flights. The issue was found in the Known Crewmember (KCM) queue, which lets verified pilots and crew members bypass lengthy security queues.

The KCM program allows actual crew members to apply for verification and present a badge that grants them queue-skipping privileges. A similar initiative exists for pilots only, the Cockpit Access Security System (CASS), which allows verified pilots to sit in the spare cockpit seat (jumpseat) during flights.

However, Carroll and Curry found that the system used by FlyCASS, a third-party vendor, was vulnerable to SQL injection attacks. By injecting a single quote into the username field, they were able to bypass the login page and gain access to the system as an administrator.
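The class of flaw described above, as an added example that is not FlyCASS code and not from the researchers: a login lookup built by string concatenation breaks as soon as the username contains a single quote, while a parameterized query treats the same input as data. The schema, function names and credentials are constructed for illustration, and SQLite stands in for whatever database the vendor ran.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    # Salted, slow hash so stored credentials are not plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    # Constructed sample accounts; one legitimate username contains an apostrophe.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for user, pw in [("crew_admin", "constructed-pass-1"),
                     ("o'hara", "constructed-pass-2")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (user, salt, hash_password(pw, salt)))
    return db


def lookup_concatenated(db, username):
    # Weak pattern: the input becomes part of the SQL text, so a quote
    # character changes the statement's structure instead of its data.
    sql = "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()


def lookup_parameterized(db, username):
    # Hardened pattern: the statement text is fixed and the driver binds
    # the username as a value, whatever characters it contains.
    sql = "SELECT salt, pw_hash FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone()


def login(db, username, password):
    row = lookup_parameterized(db, username)
    if row is None:
        return False
    salt, pw_hash = row
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(pw_hash, hash_password(password, salt))
```

A database syntax error triggered by a quote in a form field is the signal worth alerting on in application logs: it means input is reaching the SQL parser as code.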

With this level of access, the researchers claim they were able to create new approved pilots on the CASS program without any additional checks. This would have allowed them to skip security screening and access the cockpits of commercial airliners.

The vulnerability was disclosed to ARINC, the company running the KCM system, as well as the FAA and DHS. However, Carroll claims that the DHS ignored their attempts to disclose the findings in a coordinated way.

Despite the TSA issuing statements denying the vulnerability, the researchers claim that the issue has been mitigated by disconnecting FlyCASS from both the KCM and CASS programs.

Source: https://www.theregister.com/2024/08/30/sql_injection_known_crewmember/