A pair of security researchers claim to have discovered a vulnerability in the log-in systems used by the Transportation Security Administration (TSA) to verify airline crew members at airport security checkpoints. The bug allowed anyone with a “basic knowledge of SQL injection” to add themselves to the airline’s lists, potentially letting them easily bypass security and enter the cockpit of a commercial aircraft, researcher Ian Carroll wrote in a blog post in August.
Carroll and his partner, Sam Curry, apparently discovered the vulnerability while investigating the website of a vendor called FlyCASS that provides smaller airlines with access to the TSA’s Known Crew Member (KCM) system and Cabin Access Security System (CASS). They found that when they put a simple apostrophe in the username field, they got a MySQL error.
“This was a very bad sign, as it looked like the username had been interpolated directly into the login SQL query. Sure enough, we had discovered an SQL injection and were able to use sqlmap to confirm the problem. By using the username ' or '1'='1 and the password ') or MD5('1')=MD5('1, we were able to log into FlyCASS as an Air Transport International administrator.”
Once they got in, Carroll writes, there were “no other controls or authentications” that prevented them from adding crew logs and photos from any airline using FlyCASS. Anyone who might have used the vulnerability could present a fake employee number to get past a KCM security checkpoint, the blog says.
TSA press secretary R. Carter Langston denied this, telling Bleeping Computer that the agency “does not rely solely on this database to authenticate flight crew,” and that “only verified crew members are permitted access to the secure area of airports.”
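The login flaw the researchers describe, as an added example that is not code from FlyCASS or from the researchers' post: it contrasts a login query built by string interpolation with a parameterized one, using the two strings quoted in the article. The query shape, table and account are assumptions constructed so those strings parse, and SQLite with a hand-registered MD5() stands in for MySQL.

```python
import hashlib
import sqlite3

def md5_hex(value):
    return hashlib.md5(str(value).encode()).hexdigest()

def make_db():
    # Constructed sample data. SQLite has no MD5(), so one is registered here.
    db = sqlite3.connect(":memory:")
    db.create_function("MD5", 1, md5_hex)
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("ops_admin", md5_hex("correct horse"), "administrator"))
    return db

def login_interpolated(db, username, password):
    # Vulnerable (assumed shape): input becomes part of the SQL text,
    # so a quote character in it changes the structure of the query.
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = MD5('{password}')")
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password):
    # Hardened: placeholders bind input as data; it is never parsed as SQL.
    # MD5 is kept only to mirror the assumed query; a full fix would also
    # replace it with a slow, salted password hash.
    sql = ("SELECT username, role FROM users "
           "WHERE username = ? AND password = MD5(?)")
    return db.execute(sql, (username, password)).fetchone()

def demo():
    db = make_db()
    user, pw = "' or '1'='1", "') or MD5('1')=MD5('1"  # strings from the article
    try:
        login_interpolated(db, "'", "x")  # the lone apostrophe from the article
        quote_breaks_query = False
    except sqlite3.OperationalError:
        quote_breaks_query = True         # SQL error surfaced: the warning sign
    return {
        "quote_breaks_query": quote_breaks_query,
        "interpolated": login_interpolated(db, user, pw),
        "parameterized": login_parameterized(db, user, pw),
        "legit": login_parameterized(db, "ops_admin", "correct horse"),
    }

if __name__ == "__main__":
    print(demo())
```

With interpolation the WHERE clause collapses to a condition that is true for every row, so the first account is returned; with bound parameters the same strings are compared as literal values and match nothing.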